Demisto Content Release Notes for version 20.4.0 (47887)

Published on 14 April 2020

Breaking Changes

Deleted several deprecated playbooks. See the Playbooks section for full details. This is only applicable to Cortex XSOAR 5.5.

Integrations

9 New Integrations

  • Sixgill DarkFeed™ Threat Intelligence
    Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the Demisto platform.
  • MongoDB
    Use the MongoDB integration to search and query entries in your MongoDB.
  • MongoDB Log
    Writes log data to a MongoDB collection.
  • MongoDB Key Value Store
    Manipulates key/value pairs according to an incident utilizing the MongoDB collection.
  • Okta v2
    Integration with Okta's cloud-based identity management service.
  • Cisco ASA
    Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects.
  • Cisco Firepower
    Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
  • Azure Sentinel
    Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.
  • SafeBreach v2
    SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses.

18 Improved Integrations

  • Sixgill Deep Insights
    • Updated the README.
    • Updated the integration Docker image.
    • Added support to use proxies.
    • Updated tests.
    • Updated the integration logo.
    • Removed the get-indicators command.
    • Removed playbooks that used the get-indicators command.
  • Expanse
    • Added support for pulling behavior data to create new incidents.
    • Added support for the expanse-get-behavior command.
    • Added support for the expanse-get-certificate command.
  • Exabeam
Fixed a connection error that occurred when no proxy was configured.
  • SlashNext Phishing Incident Response
Added the slashnext-api-quota command, which gets information about the user's API quota.
  • Microsoft Teams
    • Set the listener host to 0.0.0.0 in order to handle IPv6.
    • Fixed an issue where the email address of the message sender was not handled properly.
  • Slack v2
    Reduced the maximum number of threads used by the integration.
  • MISP v2
Fixed the integration's filter parameter so that it correctly affects the entry context returned.
  • Fidelis Elevate Network
    Fixed an issue with partial results parsing.
  • Have I Been Pwned? v2
    Added the pwned-username command, which enables searching usernames.
  • Prisma Cloud (RedLock)
    • Improved logging for fetch_incidents.
    • Improved error handling.
  • SplunkPy
    Added the splunk-job-status command, which checks the status of a job.
  • AWS - EC2
Added the following commands:
    • aws-ec2-delete-subnets
    • aws-ec2-describe-internet-gateway
    • aws-ec2-detach-internet-gateway
    • aws-ec2-delete-internet-gateway
    • aws-ec2-create-traffic-mirror-session
    • aws-ec2-delete-vpc
  • IBM X-Force Exchange v2
    Fixed an issue in the file command.
  • TAXII Server
    Updated the reference to the traffic light protocol indicator field to use the new cliname.
  • AlienVault USM Anywhere
    Fixed an issue where fetching incidents created duplicate incidents.
  • VulnDB
    Improved exception parsing when the API quota is exceeded.
  • ExtraHop Reveal(x) v2
Updated the names of the alert rule commands to clarify that these commands only manage alert rules; they do not fetch alert events.
  • Palo Alto Networks Cortex XDR - Investigation and Response
    • Fixed the issue where the xdr-isolate-endpoint command failed in the following situations:
      • The endpoint was disconnected.
      • The isolation was still pending.
      • The isolation cancellation was still pending.
    • Fixed the issue where the xdr-unisolate-endpoint command failed in the following situations:
      • The endpoint was disconnected.
      • The isolation was still pending.
      • The isolation cancellation was still pending.
  • Palo Alto Networks BPA
    Updated the integration name to Palo Alto Networks BPA.

Feeds (From Cortex XSOAR 5.5 only)

Added the Tags parameter to the following feeds:

  • Azure Feed
  • Bambenek Consulting Feed
  • Blocklist_de Feed
  • Cloudflare Feed
  • DShield Feed
  • Fastly Feed
  • Feodo Tracker Hashes Feed
  • Feodo Tracker IP Blocklist Feed
  • HTTPFeedApiModule
  • JSON Feed
  • Malware Domain List Active IPs Feed
  • Plain Text Feed
  • Spamhaus Feed

Improved Feed

  • Tor Exit Addresses Feed
    Added default mapping of indicator fields.

Scripts

New Script

  • HTMLtoMD
    Converts the passed HTML to Markdown.

5 Improved Scripts

  • ParseEmailFiles
    Improved handling of attachments.
  • DockerHardeningCheck
    Added the memory_check argument to specify how to test memory limitations.
  • FormattedDateToEpoch
Fixed an issue where the time conversion did not support time zones.
  • SlackAsk
    The script will now send a message using the Slack V2 integration only.
  • GetLicenseID
    Fixed an issue where the script wasn't returning results.
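The time-zone fix noted for FormattedDateToEpoch above is a common pitfall: a naive datetime parsed with strptime is interpreted in the host's local zone when converted to an epoch, so the same string yields different results on different engines. The following is an added example, not the automation's own code, of converting a formatted date to epoch seconds while honouring an explicit offset; the format strings and the default-offset argument are assumptions for illustration.

```python
from datetime import datetime, timezone, timedelta

# Added illustration (not the FormattedDateToEpoch script's code): convert a
# formatted date string to Unix epoch seconds without depending on the host's
# local time zone. `default_offset_hours` is an assumed parameter for this example.


def formatted_date_to_epoch(value: str, fmt: str, default_offset_hours: float = 0.0) -> int:
    """Parse `value` using the strftime-style `fmt` and return epoch seconds.

    If `fmt` includes %z, the offset carried in the string is honoured.
    Otherwise the naive result is pinned to `default_offset_hours` (UTC by
    default) instead of the host's local zone, which is where naive
    datetimes silently drift.
    """
    dt = datetime.strptime(value, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone(timedelta(hours=default_offset_hours)))
    return int(dt.timestamp())


def naive_epoch(value: str, fmt: str) -> int:
    """The host-dependent behaviour being avoided: a naive datetime's
    .timestamp() uses the local zone of whatever engine runs the script."""
    return int(datetime.strptime(value, fmt).timestamp())


if __name__ == "__main__":
    # Constructed sample inputs
    with_offset = "2020-04-14 10:00:00 +0300"  # 07:00 UTC
    without_offset = "2020-04-14 10:00:00"
    print(formatted_date_to_epoch(with_offset, "%Y-%m-%d %H:%M:%S %z"))  # 1586847600
    print(formatted_date_to_epoch(without_offset, "%Y-%m-%d %H:%M:%S"))  # 1586858400 (treated as UTC)
    print(naive_epoch(without_offset, "%Y-%m-%d %H:%M:%S"))  # varies with the host time zone
```

When a field's time zone is unknown, pinning it to UTC explicitly (as above) is safer than letting the engine's locale decide, and it keeps timestamps comparable across engines.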

Playbooks

5 New Playbooks

  • SafeBreach Rerun Insights
Reruns a SafeBreach insight by ID, waits for the rerun to complete, and returns the updated insight object.
  • SafeBreach Insights Feed Playbook
Triggers automated remediation for all indicators generated by SafeBreach insights. It then reruns the related insights and tags any indicators that remain as not remediated ("NotRemediated" tag).
  • DBot Create Phishing Classifier V2 From File
Creates a phishing classifier using machine learning. The classifier is based on incident files extracted from email content.
  • Get Mails By Folder Paths
    Gets emails from specific folders and pre-processes them using EWS.
  • Slack - General Failed Logins v2.1
    Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies.

8 Improved Playbooks

  • QRadar Indicator Hunting V2
    Improved the AQL query.
  • Splunk Indicator Hunting
    Fixed transformer and task input.
  • TIM - Process Indicators Against Business Partners IP List
    Removed hard-coded list name from inputs.
  • TIM - Process Indicators Against Organizations External IP List
    Removed default list names.
  • TIM - Run Enrichment For Hash Indicators
    Fixed input name.
  • TIM - Process Indicators - Fully Automated
    Added conditional tasks to check for result scores.
  • Panorama Query Logs
    Added a timeout to the generic polling.
  • PAN-OS Commit Configuration
    Improved the error message when a commit or push fails.

Deprecated Playbook

  • Get Mails By Folder Pathes
    Use the Get Mails By Folder Paths playbook instead.

Deleted Playbooks (For Cortex XSOAR 5.5 only)

The following deprecated playbooks have been deleted.

  • QRadar Add Url Indicators
    Use the TIM - QRadar Add Url Indicators playbook instead.
  • QRadar Add IP Indicators
    Use the TIM - QRadar Add IP Indicators playbook instead.
  • QRadar Add Hash Indicators
    Use the TIM - QRadar Add Bad Hash Indicators playbook instead.
  • QRadar Add Domain Indicators
    Use the TIM - QRadar Add Domain Indicators playbook instead.
  • Process Url Indicators
    Use the TIM - Add Url Indicators to SIEM playbook instead.
  • Process IP Indicators
    Use the TIM - Add IP Indicators To SIEM playbook instead.
  • Process Hash Indicators
    Use the TIM - Add Bad Hash Indicators To SIEM playbook instead.
  • Process Domain Indicators
    Use the TIM - Add Domain Indicators To SIEM playbook instead.
  • ArcSight Add Domain Indicators
    Use the TIM - ArcSight Add Domain Indicators playbook instead.
  • ArcSight Add Hash Indicators
    Use the TIM - ArcSight Add Bad Hash Indicators playbook instead.
  • ArcSight Add IP Indicators
    Use the TIM - ArcSight Add IP Indicators playbook instead.

Layouts

New Layout

  • GCP Compute Engine Misconfiguration - Summary

Improved Layout

  • Indicator Feed - New/Edit
    Added the New/Edit Form layout for the Indicator Feed incident type.

Assets