Demisto Content Release Notes for version 20.4.1 (50375)

Published on 28 April 2020

Integrations

7 New Integrations

  • Microsoft Intune Feed (Available from Cortex XSOAR 5.5)
    Use the Microsoft Intune Feed integration to get indicators from the feed.
  • Palo Alto Networks Prisma Access Egress IP feed (Available from Cortex XSOAR 5.5)
    Dynamically retrieve and whitelist IPs that Prisma Access uses to egress traffic to the internet and SaaS apps.
  • Smokescreen IllusionBLACK
    Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware in real-time.
  • ServiceNow v2
    Use the ServiceNow integration to help streamline security-related service management and IT operations.
  • Palo Alto Networks Prisma Access
    Integrate with Prisma Access to monitor the status of the Service, alert, and take actions.
  • Microsoft Management Activity API (O365 Azure Events)
    The Microsoft Management Activity API integration enables you to subscribe or unsubscribe to different audits, receive their content, and fetch new content as incidents.
  • Google Cloud Functions
    Google Cloud Functions is an event-driven serverless compute platform that enables you to run your code locally or in the cloud without having to provision servers.

33 Improved Integrations

  • IBM Resilient Systems
    • Fixed an issue where resilient.co3 warnings were not disabled.
    • Fixed an issue where the rs-get-incident command failed on key error.
  • Anomali ThreatStream v2
    Added support for emojis in file names, when uploading a file to the sandbox.
  • EWS v2
    Fixed an issue where the fetch-incidents command caused a timeout from EWS.
  • Whois
    • Fixed an issue where duplicate fields were created by the domain and whois command outputs.
    • Added support for the Domain.Whois.QueryValue context output in the whois command.
    • You can now query Whois with subdomains.
    • Fixed an issue where Whois failed when too many requests were sent.
    • Fixed an issue where the Whois DBotScore was overwritten by the DBotScore of other vendors.
  • Microsoft Graph User
    Added support to authenticate using a self-deployed Azure application.
  • CVE Search v2
    Added support to input multiple CVE IDs in the cve command.
  • Export Indicators Service
    Removed the default initial value for the Listen Port parameter.
  • urlscan.io
    Fixed an issue where a "download" error message constantly appeared.
  • AWS Feed
    Added support for service field mapping.
  • Expanse
    Fixed an issue where incident polling did not behave as expected in some situations.
  • Tor Exit Addresses Feed
    Fixed an issue where the integration did not fetch indicators.
  • Palo Alto Networks WildFire v2
    Fixed an issue where the wildfire-upload command failed uploading some files.
  • Fastly Feed
    Fixed an issue where the integration did not fetch indicators.
  • Palo Alto Networks PAN-OS EDL Service
    Removed the default initial value for the Listen Port parameter.
  • ArcSight ESM v2
    Added the as-delete-entries command, which allows the user to delete entries using the resourceId argument.
  • Generic SQL
    • Fixed an issue where MySQL default tables were not available for querying.
    • Added support for stack traces and the query error message.
    • Added support for Oracle connections.
    • Added support for limit and skip command arguments in context output.
  • Palo Alto Networks PAN-OS EDL Management
    Removed http/https from the list_items argument in the pan-os-edl-update command, because the third-party service cannot parse entries that include http/https.
  • Securonix
    • Added the action_parameters argument to the securonix-perform-action-on-incident command.
    • Improved the name of the fetched incidents to reflect the incident reason.
    • Fixed an issue where the Incidents to fetch parameter was not taken into account when fetching incidents.
  • AbuseIPDB
    Fixed an issue where the API quota limit error was not handled properly.
  • Palo Alto Networks PAN-OS
    • panorama-commit-status command: Added warnings as a list of strings to Entry Context, which allows the user to know whether any warnings were triggered even if the commit succeeded.
    • panorama-push-status command: Added warnings as a list of strings to Entry Context, which allows the user to know whether any warnings were triggered even if the push succeeded.
  • GitHub
    Added support for GitHub bots.
  • PolySwarm
    Added the file argument to the file command.
  • Palo Alto Networks Cortex XDR - Investigation and Response
    Fixed an issue where the xdr-get-endpoints command failed when returning all the endpoints if no filters were specified.
  • abuse.ch SSL Blacklist Feed
    Fixed an issue where indicators were associated with the creationdate field instead of the firstseenbysource field.
  • Palo Alto Networks AutoFocus v2
    • Fixed an issue where the file command only accepted a lower-case hash.
    • Added the artifact argument to the autofocus-search-samples command, which by default is set to "true", and retrieves the artifacts of the sample.
  • HelloWorld
    • Added 2 commands:
      • domain
      • helloworld-update-alert-status
    • Improved documentation and comments.
  • TAXII Server
    Removed the default initial value for the Listen Port parameter.
  • TruSTAR
    • Added 3 commands:
      • trustar-get-phishing-submissions
      • trustar-get-phishing-indicators
      • trustar-set-triage-status
    • Deprecated the following commands due to changes in the TruSTAR service:
      • file
      • url
      • ip
      • domain
  • Microsoft Graph Security
    • Fixed an issue where filters were not properly implemented in the msg-search-alerts command. (Note: Existing msg-search-alerts command results might change the next time the command is executed).
    • Added support to authenticate using a self-deployed Azure application.
  • TAXII Feed
    Fixed an issue where the test module did not work as expected.
  • Google BigQuery
    Fixed an issue where date objects were not handled correctly.
  • Mimecast v2
    Fixed an issue where the time calculation for the first fetch was incorrect.
  • Microsoft Graph Calendar
    Added support to authenticate using a self-deployed Azure application.

Scripts

12 New Scripts

  • ServiceNowCreateIncident
    This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and easily work with the records.
  • ServiceNowUpdateIncident
    This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and easily work with the records.
  • ServiceNowQueryIncident
    This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and easily work with the records.
  • GetUsersOnCall
    Retrieves users that are currently on-call.
  • LowerCidrNumAddresses
    Checks if the number of available addresses in IPv4 CIDR is lower than the given number.
  • IPNetwork
    Queries and returns details on CIDR for: Broadcast_address, CIDR, First_address, Last address, Max prefix len, Num addresses, Private and IP Version.
  • GetNumberOfUsersOnCall
    Retrieves the number of users that are currently on-call.
  • GetOnCallHoursPerUser
    Retrieves the number of on-call hours per user.
  • GetRolesPerShift
    Retrieves roles per shift.
  • LookupCSV
    Parses a CSV file and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
  • CompareLists
    Compares two lists and adds the differences to context.
  • GreaterCidrNumAddresses
    Checks if the number of available addresses in IPv4 or IPv6 CIDR is greater than the given number.

5 Improved Scripts

  • FindSimilarIncidents
    Fixed an issue where list values in context were not compared correctly when using the similarContextKeys argument.
  • ParseEmailFiles
    Fixed an issue with the padding of base64 headers.
  • ZipFile
    Added support for files with special characters in the name.
  • CSVFeedApiModule
    Fixed an issue where the firstseenbysource and lastseenbysource fields were not formatted correctly.
  • FetchIndicatorsFromFile
    • Fixed an issue where the default_type was not assigned properly.
    • Added support for Domain indicator type auto-detection.

Playbooks

13 New Playbooks

  • Isolate Endpoint - Cybereason
    Isolates an endpoint based on the provided hostname.
  • Port Scan - Internal Source
    Remediates port scans originating within the network.
  • Port Scan - External Source
    Remediates port scans originating outside of the organization's network.
  • Port Scan - Generic
    • Investigates a port scan incident. The incident may originate from outside or within the network. The playbook:
    • Enriches the hostname and IP address of the attacking endpoint.
    • Escalates the incident in case a critical asset is involved.
    • Hunts malware associated with the alerts across the organization.
    • Blocks detected malware associated with the incident.
    • Blocks IP addresses associated with the malware, if a malicious file was involved.
    • Pivots from the attacking IP to detect and block malicious domains hosted on the IP (for an external scan).
    • Isolates the attacking endpoint (for an internal scan).
    • Allows manual blocking of ports through an email communication task.
    • If you are using one or more of the following products, make sure to configure the corresponding playbook input for each of them:
      • Splunk - "Splunk Indicator Hunting".
      • QRadar - "QRadar Indicator Hunting v2".
      • Palo Alto Networks Cortex Data Lake/Panorama/Autofocus/Analytics - "PANW - Hunting and threat detection by indicator type V2".
  • IP Whitelist - AWS Security Group
    Syncs a list of IP addresses to an AWS Security Group.
  • HelloWorld Scan
    Simulates a vulnerability scan using the "HelloWorld" sample integration. It's used to demonstrate how to use the GenericPolling mechanism to run jobs that take several seconds or minutes to complete. It is designed to be used as a sub-playbook, but you can also use it as a standalone playbook, by providing the ${Endpoint.Hostname} input in the Context.
  • IP Whitelist - GCP Firewall
    Sets a list of IP addresses in the GCP firewall.
  • Search Endpoints By Hash - Cybereason
    Uses Cybereason to hunt for endpoint activity by hash.
  • Smokescreen IllusionBLACK Default
    Enriches IllusionBLACK incidents with events related to the incident.
  • Palo Alto Networks Prisma Access Whitelist Egress IPs on SaaS Services
    Retrieves Prisma Access Egress IP for specific geographic zones and populates in security groups within cloud services.
  • Palo Alto Networks Prisma Access - Logout User
    Forces logout of a specific user and computer from Prisma Access.
  • Search Endpoints By Hash - Generic
    Hunts endpoints using available tools.
  • TIM - Process CIDR Indicators By Size
    Processes both IPv4 and IPv6 CIDR indicators. By specifying in the inputs the maximum number of hosts allowed per CIDR, the playbook tags any CIDR that exceeds that number as pending_review. If the maximum CIDR size is not specified in the inputs, the playbook does not run.

18 Improved Playbooks

  • TIM - ArcSight Add Domain Indicators
    Fixed the conditional task test.
  • TIM - ArcSight Add Url Indicators
    Fixed the conditional task test.
  • TIM - Indicator Auto Processing
    Added a new sub-playbook, TIM - Process CIDR Indicators By Size.
  • TIM - ArcSight Add IP Indicators
    Fixed the conditional task test and input name.
  • Cortex XDR - Isolate Endpoint
    • Added IP and Hostname inputs for the playbook.
    • Added GenericPolling for the isolation task status.
  • Indicator Pivoting - DomainTools Iris
    The playbook now verifies that the integration is enabled before continuing.
  • Dedup - Generic v2
    Fixed an issue with the Close Duplicates condition.
  • ExtraHop - Ticket Tracking
    Added the OnCall input, which enables you to assign only users that are currently on shift.
  • Phishing Investigation - Generic
    Added the OnCall input, which enables you to assign only users that are currently on shift.
  • CVE Enrichment - Generic
    Added transformers to the Retrieve CVE reputation task to support multiple CVE IDs.
  • Phishing Investigation - Generic v2
    • Added the OnCall input, which enables you to assign only users that are currently on shift.
    • Fixed an issue where the playbook was not authenticating emails.
  • Access Investigation - Generic
    Added the OnCall input, which enables you to assign only users that are currently on shift.
  • Cortex XDR - Port Scan
    Added the OnCall input, which enables you to assign only users that are currently on shift.
  • Isolate Endpoint - Generic
    Added a new sub-playbook Isolate Endpoint - Cybereason.
  • Default
    Added the OnCall input, which enables you to assign only users that are currently on shift.
  • Active Directory - Get User Manager Details
    • Fixed an issue where the playbook would fail if the user's email address or username did not exist.
    • Improved general playbook error handling.
  • Malware Investigation - Generic
    Added the OnCall input, which enables you to assign only users that are currently on shift.
  • Extract Indicators From File - Generic v2
    Updated the playbook description.

Widgets

4 New Widgets

  • On-Call Hours Per User (Available from Cortex XSOAR 5.5)
    Displays the number of on-call hours per user.
  • Number Of Users On-Call (Available from Cortex XSOAR 5.5)
    Displays the number of users that are currently on-call.
  • Roles Per Shift (Available from Cortex XSOAR 5.5)
    Roles per shift 24x7.
  • Users On-Call (Available from Cortex XSOAR 5.5)
    Details of the users that are currently on-call.

Layouts

2 New Layouts

  • IllusionBLACK - Summary (Available from Demisto 5.0)
    Displays incident information from IllusionBLACK.
  • Port Scan - Summary (Available from Demisto 5.0)
    Added a layout for Port Scan incidents.

Assets