Releases: demisto/content
Demisto Content Release 20.4.0 (47887)
Demisto Content Release Notes for version 20.4.0 (47887)
Published on 14 April 2020
Breaking Changes
Deleted several deprecated playbooks. See the Playbooks section for full details. This is only applicable to Cortex XSOAR 5.5.
Integrations
9 New Integrations
- Sixgill DarkFeed™ Threat Intelligence
Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the Demisto platform.
- MongoDB
Use the MongoDB integration to search and query entries in your MongoDB.
- MongoDB Log
Writes log data to a MongoDB collection.
- MongoDB Key Value Store
Manipulates key/value pairs according to an incident utilizing the MongoDB collection.
- Okta v2
Integration with Okta's cloud-based identity management service.
- Cisco ASA
Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects.
- Cisco Firepower
Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
- Azure Sentinel
Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.
- SafeBreach v2
SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses.
18 Improved Integrations
- Sixgill Deep Insights
- Updated the README.
- Updated the integration Docker image.
- Added support to use proxies.
- Updated tests.
- Updated the integration logo.
- Removed the get-indicators command.
- Removed playbooks that used the get-indicators command.
- Expanse
- Added support for pulling behavior data to create new incidents.
- Added support for the expanse-get-behavior command.
- Added support for the expanse-get-certificate command.
- Exabeam
Fixed a connection error when no proxy is configured.
- SlashNext Phishing Incident Response
Added the slashnext-api-quota command, which gets information about the user's API quota.
- Microsoft Teams
- Set the listener host to 0.0.0.0 in order to handle IPv6. Note that this binds the listener on all of the host's interfaces, not only the loopback interface, so restrict access to the listener port at the network or firewall level.
- Fixed an issue where the email address of the message sender was not handled properly.
- Slack v2
Reduced the maximum number of threads used by the integration.
- MISP v2
Fixed the integration's filter parameter and its influence on the returned entry context.
- Fidelis Elevate Network
Fixed an issue with partial results parsing.
- Have I Been Pwned? v2
Added the pwned-username command, which enables searching usernames.
- Prisma Cloud (RedLock)
- Improved logging for fetch_incidents.
- Improved error handling.
- SplunkPy
Added the splunk-job-status command, which checks the status of a job.
- AWS - EC2
Added the following commands.
- aws-ec2-delete-subnets
- aws-ec2-describe-internet-gateway
- aws-ec2-detach-internet-gateway
- aws-ec2-delete-internet-gateway
- aws-ec2-create-traffic-mirror-session
- aws-ec2-delete-vpc
- IBM X-Force Exchange v2
Fixed an issue in the file command.
- TAXII Server
Updated the reference to the Traffic Light Protocol indicator field to use the new cliname.
- AlienVault USM Anywhere
Fixed an issue where fetching incidents created duplicate incidents.
- VulnDB
Improved exception parsing when the API quota is exceeded.
- ExtraHop Reveal(x) v2
Updated the names of the alert rule commands to clarify that these commands only manage alert rules; they do not fetch alert events.
- Palo Alto Networks Cortex XDR - Investigation and Response
- Fixed the issue where the xdr-isolate-endpoint command failed in the following situations:
- The endpoint was disconnected.
- The isolation was still pending.
- The isolation cancellation was still pending.
- Fixed the issue where the xdr-unisolate-endpoint command failed in the following situations:
- The endpoint was disconnected.
- The isolation was still pending.
- The isolation cancellation was still pending.
- Palo Alto Networks BPA
Updated the integration name to Palo Alto Networks BPA.
Feeds (From Cortex XSOAR 5.5 only)
Added the Tags parameter to the following feeds:
- Azure Feed
- Bambenek Consulting Feed
- Blocklist_de Feed
- Cloudflare Feed
- DShield Feed
- Fastly Feed
- Feodo Tracker Hashes Feed
- Feodo Tracker IP Blocklist Feed
- HTTPFeedApiModule
- JSON Feed
- Malware Domain List Active IPs Feed
- Plain Text Feed
- Spamhaus Feed
Improved Feed
- Tor Exit Addresses Feed
Added default mapping of indicator fields.
Scripts
New Script
- HTMLtoMD
Converts the passed HTML to Markdown.
5 Improved Scripts
- ParseEmailFiles
Improved handling of attachments.
- DockerHardeningCheck
Added the memory_check argument to specify how to test memory limitations.
- FormattedDateToEpoch
Fixed an issue where time conversion didn't support timezones.
- SlackAsk
The script now sends messages using the Slack v2 integration only.
- GetLicenseID
Fixed an issue where the script wasn't returning results.
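The timezone handling that the FormattedDateToEpoch fix above refers to, as an added example and not the script's own code: a timestamp's UTC offset must be parsed and applied, and a timestamp that carries no offset must be pinned to an explicit zone rather than to the engine host's local time, otherwise the same input yields different epoch values on different engines. The function names, the format strings and the default-to-UTC policy are assumptions of this example; the sample timestamps are constructed.

```python
from datetime import datetime, timezone

# Constructed sample timestamps; all three denote 2020-03-30 08:00:00 UTC.
# The "%z" directive accepts "+02:00" and "Z" on Python 3.7 and later.
SAMPLES = [
    ("2020-03-30T10:00:00+02:00", "%Y-%m-%dT%H:%M:%S%z"),
    ("2020-03-30T08:00:00Z", "%Y-%m-%dT%H:%M:%S%z"),
    ("2020-03-30 08:00:00", "%Y-%m-%d %H:%M:%S"),
]


def formatted_date_to_epoch(value: str, fmt: str, default_tz=timezone.utc) -> int:
    """Parse `value` with strptime format `fmt` and return Unix epoch seconds.

    If the format carries %z, the parsed offset is honoured. If the timestamp
    has no offset, it is interpreted in `default_tz` (UTC unless told
    otherwise), so the result does not depend on the host's local zone.
    """
    dt = datetime.strptime(value, fmt)
    if dt.tzinfo is None:
        # Naive datetime: attach the explicit default zone instead of letting
        # timestamp() fall back to the host's local time.
        dt = dt.replace(tzinfo=default_tz)
    return int(dt.timestamp())


def utc_offset_seconds(value: str, fmt: str):
    """Return the UTC offset the timestamp carries, or None when it has none."""
    dt = datetime.strptime(value, fmt)
    if dt.tzinfo is None:
        return None
    return int(dt.utcoffset().total_seconds())


if __name__ == "__main__":
    for value, fmt in SAMPLES:
        print(value, formatted_date_to_epoch(value, fmt), utc_offset_seconds(value, fmt))
```

The design choice worth noting is the explicit default zone: `datetime.timestamp()` on a naive datetime silently uses the local zone of whichever engine or Docker container runs the script, which is exactly the kind of drift that breaks timeline correlation across incidents.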
Playbooks
5 New Playbooks
- SafeBreach Rerun Insights
Reruns a SafeBreach insight based on its ID and waits for the rerun to complete. Returns the updated insight object after the rerun.
- SafeBreach Insights Feed Playbook
Triggers automated remediation for all indicators generated by SafeBreach insights. It then reruns the related insights and tags the remaining indicators as not remediated ("NotRemediated" tag).
- DBot Create Phishing Classifier V2 From File
Creates a phishing classifier using machine learning. The classifier is based on incident files extracted from email content.
- Get Mails By Folder Paths
Gets emails from specific folders and pre-processes them using EWS.
- Slack - General Failed Logins v2.1
Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies.
8 Improved Playbooks
- QRadar Indicator Hunting V2
Improved the AQL query.
- Splunk Indicator Hunting
Fixed the transformer and task input.
- TIM - Process Indicators Against Business Partners IP List
Removed the hard-coded list name from the inputs.
- TIM - Process Indicators Against Organizations External IP List
Removed default list names.
- TIM - Run Enrichment For Hash Indicators
Fixed the input name.
- TIM - Process Indicators - Fully Automated
Added conditional tasks to check for result scores.
- Panorama Query Logs
Added a timeout to generic polling.
- PAN-OS Commit Configuration
Improved the error message when a commit or push fails.
Deprecated Playbook
- Get Mails By Folder Pathes
Use the Get Mails By Folder Paths playbook instead.
Deleted Playbooks (For Cortex XSOAR 5.5 only)
The following deprecated playbooks have been deleted.
- QRadar Add Url Indicators
Use the TIM - QRadar Add Url Indicators playbook instead.
- QRadar Add IP Indicators
Use the TIM - QRadar Add IP Indicators playbook instead.
- QRadar Add Hash Indicators
Use the TIM - QRadar Add Bad Hash Indicators playbook instead.
- QRadar Add Domain Indicators
Use the TIM - QRadar Add Domain Indicators playbook instead.
- Process Url Indicators
Use the TIM - Add Url Indicators to SIEM playbook instead.
- Process IP Indicators
Use the TIM - Add IP Indicators To SIEM playbook instead.
- Process Hash Indicators
Use the TIM - Add Bad Hash Indicators To SIEM playbook instead.
- Process Domain Indicators
Use the TIM - Add Domain Indicators To SIEM playbook instead.
- ArcSight Add Domain Indicators
Use the TIM - ArcSight Add Domain Indicators playbook instead.
- ArcSight Add Hash Indicators
Use the TIM - ArcSight Add Bad Hash Indicators playbook instead.
- ArcSight Add IP Indicators
Use the TIM - ArcSight Add IP Indicators playbook instead.
Layouts
New Layouts
- GCP Compute Engine Misconfiguration - Summary
Improved Layout
- Indicator Feed - New/Edit
Added the New/Edit Form layout for the Indicator Feed incident type.
Demisto Content Release version 20.3.4 (45989)
Demisto Content Release Notes for version 20.3.4 (45989)
Published on 30 March 2020
Integrations
7 New Integrations
- Cymulate
Multi-Vector Cyber Attack, Breach and Attack Simulation.
- Silverfort
Use the Silverfort integration to get and update Silverfort risk severity.
- Generic SQL
Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
- Microsoft Defender Advanced Threat Protection
Use the Microsoft Defender Advanced Threat Protection (ATP) integration for preventive protection, post-breach detection, automated investigation, and response.
- Cortex Data Lake
Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your on-premises, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
- Fidelis EDR
Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac, and Linux operating systems for faster threat remediation.
- Tanium Threat Response
Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections.
15 Improved Integrations
- Symantec Managed Security Services
Fixed an issue where fetch-incidents failed on data containing special characters.
- AWS - EC2
- Improved handling of error messages.
- Updated the result returned when a command returns an empty list.
- illuminate
Fixed an issue where indicators with no benign data showed as malicious.
- Microsoft Teams
Added the microsoft-teams-ring-user command.
- Active Directory Query v2
Fixed the User Account Control translation value.
- Slack v2
Fixed a bug where messages were not sent to a channel if it was the dedicated channel for notifications.
- SplunkPy
- Added the Replace with Underscore in Incident Fields parameter key, which replaces problematic characters (e.g., ".") with underscores ("_") in context keys.
- Added the First fetch timestamp parameter, which indicates the date and time from which incidents should be fetched.
- Fixed an issue where the splunk-search command presented the table headers in alphabetical order instead of the query order.
- Expanse
- Shortened the period of time that tokens are considered valid, to avoid authorization errors.
- Fixed an issue related to the ip command where an error is generated if the API returns a partial response.
- Added friendly values for various empty fields returned by the domain command.
- Palo Alto Networks AutoFocus v2
- Fixed an issue where get_search_results mistakenly returns "no results".
- Added the SessionStart context output to the following commands.
- autofocus-search-samples
- autofocus-search-sessions
- autofocus-top-tags-search
- Microsoft Graph Mail
- Fixed an issue where listing emails did not compare the mail ID.
- Added 4 commands. These commands require additional permissions. See the Detailed Description for more information.
- msgraph-mail-create-draft
- msgraph-mail-send-draft
- msgraph-mail-reply-to
- send-mail
- Added the ability to fetch mails as incidents.
- Rasterize
Increased the default value for the rasterize image width to 1024px.
- Okta
Fixed a typo in the DisplayName context path in the okta-search command.
- Lockpath KeyLight v2
Fixed the fetch-incidents raw data to match the data and format of the kl-get-records command.
- Fidelis Elevate Network
Added the following commands.
- fidelis-get-alert-session-data - Gets the session data of an alert.
- fidelis-get-alert-decoding-path - Gets the decoding data of an alert.
- fidelis-add-alert-comment - Adds a comment to an alert.
- fidelis-get-alert-execution-forensics - Gets the execution forensic data of an alert.
- fidelis-update-alert-status - Assigns a status to an alert (False Positive, Not Interesting, Interesting and Actionable).
- fidelis-close-alert - Closes an alert.
- fidelis-assign-user-to-alert - Assigns a user to an alert.
- fidelis-get-alert-forensic-text - Gets the forensic text of an alert.
- fidelis-alert-execution-forensics-submission - Submits an alert with an executable file for execution forensics.
- fidelis-manage-alert-label - Adds, removes, or changes an alert label.
- Tanium v2
- Added support for question text with parameters instead of using the parameters argument in the tn-ask-question command.
- Fixed an issue where the tn-get-question-result command returned a list in a single-column result.
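The key rewriting behind the SplunkPy "Replace with Underscore in Incident Fields" parameter listed above, as an added example and not the integration's own code: XSOAR addresses context values by dotted paths, so a Splunk field named src.ip cannot be reached as a context key. The function below recursively rewrites such keys, descends into nested lists, and disambiguates keys that collide after rewriting (for example "src.ip" and "src_ip") instead of silently overwriting one of them. The character set, the suffix scheme and the sample event are constructed assumptions of this example; the page does not state the integration's exact character set.

```python
import re
from typing import Any

# Characters that cannot appear in an XSOAR context key: "." is the context
# path separator; the others are common in Splunk field names.
# Constructed set for this example; the integration's exact set is not stated.
PROBLEMATIC = re.compile(r"[.\-\s:/]")

# Constructed Splunk-style event used as sample input.
SAMPLE_EVENT = {
    "_time": "2020-03-30T10:00:00+02:00",
    "src.ip": "10.0.0.5",
    "dest ip": "10.0.0.9",
    "user-name": "alice",
    "tags": [{"k.v": 1}, "plain"],
}


def sanitize_key(key: Any) -> str:
    """Replace every problematic character in a single key with an underscore."""
    return PROBLEMATIC.sub("_", str(key))


def sanitize_keys(obj: Any) -> Any:
    """Recursively rewrite dict keys so each one is usable as a context key.

    Keys that become identical after rewriting get a numeric suffix in
    insertion order (src_ip, src_ip_2, ...) rather than overwriting each other,
    so no field from the original event is lost.
    """
    if isinstance(obj, dict):
        result: dict = {}
        for key, value in obj.items():
            new_key = sanitize_key(key)
            candidate, n = new_key, 1
            while candidate in result:
                n += 1
                candidate = f"{new_key}_{n}"
            result[candidate] = sanitize_keys(value)
        return result
    if isinstance(obj, list):
        return [sanitize_keys(item) for item in obj]
    return obj


if __name__ == "__main__":
    print(sanitize_keys(SAMPLE_EVENT))
```

The collision handling is the part worth copying: a rewrite that maps two distinct source fields onto one key is a quiet way to drop evidence from an incident.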
Deprecated Integrations
- Palo Alto Networks Cortex
Deprecated. Use the Cortex Data Lake integration instead.
- Windows Defender Advanced Threat Protection
Deprecated. Use the Microsoft Defender Advanced Threat Protection integration instead.
Scripts
2 New Scripts
- ReplaceMatchGroup
Returns a string in which, for every match of a regex pattern, the text captured by the pattern's groups is replaced by a replacement string.
- Base64Decode
Decodes an input in Base64 format.
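What the ReplaceMatchGroup script listed above does, as an added example and not the script's own code: replace only the text captured by one group of each match and keep the rest of the match intact. The typical use is redacting a secret that follows a fixed label in a log line before the line lands in a War Room entry. The function names, the single-group argument and the redaction pattern are assumptions of this example; the log lines are constructed.

```python
import re

# Constructed log lines used as sample input.
SAMPLE_LOGS = [
    "login user=alice password=hunter2 src=10.0.0.5",
    "token=abc123; refresh token=def456",
]


def replace_match_group(text: str, pattern: str, replacement: str, group: int = 1) -> str:
    """Replace only the text captured by `group` in every match of `pattern`.

    Everything outside the captured span, including the rest of the match,
    is kept. Matches in which the group did not participate (e.g. the other
    branch of an alternation) are left untouched.
    """
    regex = re.compile(pattern)
    parts = []
    last = 0
    for match in regex.finditer(text):
        if match.group(group) is None:
            continue
        start, end = match.span(group)
        parts.append(text[last:start])
        parts.append(replacement)
        last = end
    parts.append(text[last:])
    return "".join(parts)


def redact_secrets(line: str) -> str:
    """Redact the value after password= or token= in a log line, keeping the label."""
    return replace_match_group(line, r"(?:password|token)=(\S+?)(?=[;\s]|$)", "[REDACTED]")


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(redact_secrets(line))
```

Keeping the label and replacing only the captured value is what makes the redacted line still useful for analysis; a plain `re.sub` over the whole match would erase the field name as well.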
4 Improved Scripts
- ExtractFQDNFromUrlAndEmail
Fixed an issue with the ATP link regex.
- ExtractDomainFromUrlAndEmail
Fixed an issue with the ATP link regex.
- UnEscapeURLs
- Fixed an issue with unescaped 'https' URLs.
- Fixed an issue with the ATP link regex.
- FindSimilarIncidents
Deprecated the following arguments. Use the similarIncidentFields argument instead.
- similarCustomFields
- similarIncidentKeys
Playbooks
11 New Playbooks
- Tanium Threat Response - Create Connection
Creates a connection to a remote destination from Tanium.
- Cortex XDR - Isolate Endpoint
Accepts an XDR endpoint ID and isolates it using the Palo Alto Networks Cortex XDR - Investigation and Response integration.
- Dedup - Generic v2
Identifies duplicate incidents using one of the supported methods.
- Brute Force Investigation - Generic - SANS
Investigates a "Brute Force" incident by gathering user and IP information and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation.
Disclaimer: This playbook does not ensure compliance with SANS regulations.
- Brute Force Investigation - Generic
Investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performing remediation.
- Prisma Cloud Remediation - GCP Compute Engine Misconfiguration
Remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps.
- Prisma Cloud Remediation - GCP Compute Engine Instance Misconfiguration
Remediates Prisma Cloud GCP Compute Engine VM Instance alerts.
- Silverfort Update Risk for Domain Admins Incidents
Gets an incident related to an account. If the account is a domain admin, updates the Silverfort risk.
- Microsoft Defender Advanced Threat Protection Get Machine Action Status
This playbook uses generic polling to get machine action information.
- Tanium Threat Response - Request File Download
Requests a file download from Tanium.
- Silverfort Disable High Risk Account
This playbook gets the user's risk from Silverfort DB. If the risk is medium or higher, the user will be blocked and an alert will be sent.
8 Improved Playbooks
- Palo Alto Networks - Malware Remediation
Added the Cortex XDR - Isolate Endpoint sub-playbook.
- Block URL - Generic
Added additional playbook inputs.
- Detonate File - FireEye AX
Added support for file types that were previously missing.
- Impossible Traveler
Fixed an issue with sending an email to the manager of the user.
- Isolate Endpoint - Generic
Added the Cortex XDR - Isolate Endpoint sub-playbook.
- Block Indicators - Generic v2
Added additional playbook inputs.
- Employee Offboarding - Gather User Information
Improved error handling when the user's manager is not found.
- Calculate Severity - Critical Assets v2
Fixed an issue that caused the playbook to fail when certain inputs were missing.
Deprecated Playbook
- Failed Login Playbook - Slack v2
Deprecated. Use the Slack - General Failed Logins v2.1 playbook instead.
Incident Fields
12 New Incident Fields
- Login Attempt Count
- userAccountControl
- Dest OS
- Successful Login
- SANS Stage
- Dest Hostname
- User Disabled Status
- Src Hostname
- sAMAccountName
- Account Groups
- Password Expiration Status
- MAC Address
Layouts
2 New Layouts
- Cymulate Immediate Threats - Summary
- Brute Force - Summary
Added a layout for the Brute Force incident type. (Available from Demisto 5.0).
Improved Layouts
- domainRep2 - Indicator Details
- Added the domain2 indicator layout.
- Added the indicator field Aggregated Reliability, which is the aggregated score of the feed.
Cortex XSOAR 5.5 Release
Integrations
2 New Integrations
- JSON Feed
Fetches indicators from a JSON feed.
- Syslog Sender
Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.
6 Improved Integrations
- AutoFocus Feed
Changed the default indicator reputation to Bad.
- Export Indicators Service
- Added...
Demisto Content Release Notes for version 20.3.3 (44118)
Published on 17 March 2020
Integrations
6 New Integrations
- Google Vision AI
Use the Google Vision AI integration to perform image processing with the Google Vision API.
- Amazon DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.
- RiskSense
Use the RiskSense integration for vulnerability management and prioritization to measure and control cybersecurity risk.
- Code42
Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
- (BETA) Trend Micro Apex
Trend Micro Apex Central automation to manage agents and User-Defined Suspicious Objects.
- (BETA) Proofpoint Server Protection
Proofpoint email security appliance.
18 Improved Integrations
- Expanse
- Updated the Authorization header for the Events API to use the correct token.
- Added a User-Agent header to assist with diagnostics/debugging.
- Hybrid Analysis
Added URL decoding for the hybrid-analysis-quick-scan-url command.
- Pentera
Fixed an issue with date parsing in the pentera-get-task-run-full-action-report command.
- Qualys
Added the REF field in context mapping.
- Anomali ThreatStream v2
Fixed handling of reputation commands with array input in cases where no reputation was found for a specific indicator.
- FireEye HX
Fixed an issue with encoding passwords with special characters, for example: ✓.
- C2sec irisk
Fixed an issue where the irisk-get-domain-issues command failed on a KeyError.
- Carbon Black Enterprise Response
Changed the search alerts API v1 call to the API v2 call.
- AlienVault OTX v2
- Fixed an issue where the IP indicator type was incorrect.
- Fixed an issue where the URL indicator score was a string.
- VirusTotal
Fixed an issue where detections with no positive values were treated as malicious.
- SplunkPy
Fixed an issue in the test command, which caused an out of memory error.
- RSA NetWitness v11.1
Fixed an issue with the get-incident command when the returned sources attribute is set to "[null]". Applicable to NetWitness 11.4.
- Palo Alto Networks PAN-OS
Improved handling of cases where a field value is None.
- RSA NetWitness Packets and Logs
Fixed query parsing in the netwitness-query command.
- BPA
Removed the PORT parameter from the configuration. This will not affect currently configured instances.
- Whois
Added the domain command to enable domain enrichment.
- Elasticsearch v2
Added support for API Key authentication.
- RSA Archer
Fixed an issue where the following commands failed on numeric incident IDs.
- archer-update-record
- archer-delete-record
- archer-upload-file
- archer-add-to-detailed-analysis
- archer-get-record
Scripts
New Script
- VerifyJSON
Verifies that the supplied JSON string is valid, and optionally verifies it against a provided schema. The script utilizes PowerShell's Test-Json cmdlet.
4 Improved Scripts
- DBotTrainTextClassifierV2
Added support for training on a boolean target field. - ReadPDFFileV2
Fixed an issue with URL extraction from PDF files. - DockerHardeningCheck
Decreased the CPU check sensitivity to accommodate loaded systems. - FindSimilarIncidents
Added support for the "\" character in incident fields.
Playbooks
3 New Playbooks
- Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration
Remediates the following Prisma Cloud AWS IAM User alerts. Prisma Cloud policies remediated:
- AWS IAM user has two active Access Keys.
- Code42 Exfiltration Playbook
The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.
- Code42 File Search
Searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context.
4 Improved Playbooks
- PAN-OS EDL Setup v2
Fixed a missing letter in the device model value ("mode" corrected to "model").
- Prisma Cloud Remediation - AWS IAM Policy Misconfiguration
Added the Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration sub-playbook.
- Calculate Severity - Critical Assets v2
Fixed an issue that caused the Critical Assets field to be populated partially or not at all.
- PAN-OS Commit Configuration
Fixed a bug where the commit failed but the playbook succeeded. Now it will fail on an unsuccessful commit or push.
Layouts
2 New Layouts
- AWS CloudTrail Misconfiguration - Summary
- Code42 Security Alert - Summary
Classification & Mapping
2 Improved Classification & Mapping
- PrismaCloud App
Added classification to the AWS CloudTrail Misconfiguration incident type.
- RedLock
Added classification to the AWS CloudTrail Misconfiguration incident type.
XSOAR 5.5 Beta Release
Feeds
3 New Feeds
- AlienVault OTX TAXII Feed
Fetches indicators from AlienVault OTX using a TAXII client.
- Plain Text Feed
Fetches indicators from a plain text feed.
- Elasticsearch Feed
Fetches indicators stored in an Elasticsearch database.
5 Improved Feeds
- TAXII Feed
You can now use the API header and API key in the credentials fields when configuring an integration instance.
- Cofense Feed
Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
- Office 365 Feed
- Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
- Added mapping to new indicator fields.
- Proofpoint Feed
Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
- Recorded Future RiskList Feed
Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
Integrations
2 Improved Integrations
- Export Indicators Service
- Added the offset parameter to the eis-update command.
- Added support for the following inline URL parameters.
- n - The number of indicators to fetch.
- s - The first index from which to fetch indicators.
- v - The output format for indicators.
- q - The query that defines which indicators to fetch.
- Palo Alto Networks PAN-OS EDL Service
Added integration parameter options for formatting indicator values to the expected input standards of PAN-OS.
Demisto Content Release Notes for version 20.3.2 (43553)
Published on 11 March 2020
Integrations
New Integrations
- CVE Search v2
Searches for CVE information using circl.lu.
7 Improved Integrations
- Anomali ThreatStream v2
Fixed an issue where inactive indicators were taken into account.
- Atlassian Jira v2
Fixed an issue in the jira-create-issue and jira-edit-issue commands where the due date was not set correctly.
- CyberArk AIM
Improved the display of integration parameters.
- CVE Search
Added batch support to the cve-search command.
- Rasterize
- Fixed the setting Use system proxy settings, so proxies are ignored when not enabled.
- Fixed an issue with the rasterize command in which child processes were defunct when using a proxy server.
- AbuseIPDB
- Improved parsing in the ip command.
- SplunkPy
- Fixed an issue where fetch-incidents did not work as intended.
- Fixed an issue where splunk-parse-raw command cut the last character of parsed fields.
Scripts
New Scripts
- DBotPredictOutOfTheBox
Predicts phishing incidents using the out-of-the-box pretrained model.
Playbooks
New Playbook
- Kenna - Search and Handle Asset Vulnerabilities
This playbook accepts an asset, then searches for vulnerabilities on that asset using the Kenna integration. If a vulnerability exists, it looks for relevant patches, lets the analyst deploy them and then generates an investigation summary report.
Improved Playbook
- QRadar Indicator Hunting V2
Fixed missing task links.
XSOAR 5.5 Beta Release
Feeds
2 Improved Feeds in 5.5.0
- Recorded Future RiskList Feed
Fixed an issue with the integration's indicator field mapping.
- TAXII Feed
Fetches indicators from a TAXII server as the indicators are published to the feed.
Incident Fields in 5.5.0
Added the Add as optional graph option to the incident field Device Name.
Demisto Content Release Notes for version 20.3.1 (42860)
Published on 04 March 2020
Integrations
New Integrations
- CVE Search v2
Searches for CVE information using circl.lu.
7 Improved Integrations
- Anomali ThreatStream v2
Fixed an issue where inactive indicators were taken into account.
- Atlassian Jira v2
Fixed an issue in the jira-create-issue and jira-edit-issue commands where the due date was not set correctly.
- CyberArk AIM
Improved the display of integration parameters.
- CVE Search
Added batch support to the cve-search command.
- Rasterize
- Fixed the setting Use system proxy settings, so proxies are ignored when not enabled.
- Fixed an issue with the rasterize command in which child processes were defunct when using a proxy server.
- AbuseIPDB
- Improved parsing in the ip command.
- SplunkPy
- Fixed an issue where fetch-incidents did not work as intended.
- Fixed an issue where splunk-parse-raw command cut the last character of parsed fields.
Scripts
New Scripts
- DBotPredictOutOfTheBox
Predicts phishing incidents using the out-of-the-box pretrained model.
Playbooks
New Playbook
- Kenna - Search and Handle Asset Vulnerabilities
This playbook accepts an asset, then searches for vulnerabilities on that asset using the Kenna integration. If a vulnerability exists, it looks for relevant patches, lets the analyst deploy them and then generates an investigation summary report.
Improved Playbook
- QRadar Indicator Hunting V2
Fixed missing task links.
XSOAR 5.5 Beta release
Feeds
2 Improved Feeds in 5.5.0
- Recorded Future RiskList Feed
Fixed an issue with the integration's indicator field mapping.
- TAXII Feed
Fetches indicators from a TAXII server as the indicators are published to the feed.
Incident Fields in 5.5.0
Added the Add as optional graph option to the incident field Device Name.
Demisto Content Release Notes for version 20.2.4 (42218)
Published on 24 February 2020
5.5 Beta Release Notes
Feeds
25 New Feeds in 5.5.0 Beta
We added several inbound and outbound feeds for threat intelligence management.
22 Inbound Feeds
- abuse.ch SSL Blacklist Feed
- DShield Feed
- Cofense Feed
- Azure Feed
- Office 365 Feed
- Blocklist_de Feed
- Recorded Future RiskList Feed
- BruteForceBlocker Feed
- AutoFocus Feed
- Cloudflare Feed
- Proofpoint Feed
- Bambenek Consulting Feed
- Tor Exit Addresses Feed
- AlienVault Reputation Feed
- Feodo Tracker IP Blocklist Feed
- Feodo Tracker Hashes Feed
- Spamhaus Feed
- AWS Feed
- Office365 Feed
- CSV Feed
- Malware Domain List Active IPs Feed
- Fastly Feed
3 Outbound Feeds
- Export Indicators Service
- Palo Alto Networks PAN-OS EDL Service
- TAXII Feed
Integrations
New Integration in 5.5 Beta
- Elasticsearch v2
- Searches for and analyzes data in real-time.
- Supports version 6 and up.
Scripts
New Script in 5.5.0 Beta
- FetchIndicatorsFromFile
Fetches indicators from a file.
Playbooks
11 New Playbooks in 5.5 Beta
- Process Domain Indicators
- Process Hash Indicators
- Process IP Indicators
- Process Url Indicators
- ArcSight Add Domain Indicators
- ArcSight Add IP Indicators
- ArcSight Add Hash Indicators
- QRadar Add Domain Indicators
- QRadar Add IP Indicators
- QRadar Add Hash Indicators
- QRadar Add Url Indicators
Dashboard
New Dashboard in 5.5.0 Beta
- Threat Intelligence Management
Widgets
4 New Widgets
- Elastic Disk Current Usage
Elastic Disk Current Usage %.
- Elastic JVM Memory Current Usage
Elastic JVM Memory Current Usage %.
- Elastic Memory Current Usage
Elastic Memory Current Usage %.
- Elastic CPU Current Usage
Elasticsearch CPU Current Usage %.
Incident Layouts
10 New Incident Layouts in 5.5.0 Beta
- emailRep - Indicator Details
Updated the layout for the Email indicator type.
- Indicator Feed - New/Edit
Added the ability to edit the layout for the Indicator Feed incident type.
- unifiedFileRep - Indicator Details
Updated the layout for the File indicator type.
- urlRep - Indicator Details
Updated the layout for the URL indicator type.
- domainRep - Indicator Details
Updated the layout for the Domain indicator type.
- hostRep - Indicator Details
Updated the layout for the Host indicator type.
- cveRep - Indicator Details
Updated the layout for the CVE indicator type.
- registryKey - Indicator Details
Updated the layout for the Registry Key indicator type.
- ipRep - Indicator Details
Updated the layout for the IP indicator type.
- accountRep - Indicator Details
Updated the layout for the Account indicator type.
Integrations
8 New Integrations
- Google Chronicle Backstory
Use the Google Chronicle Backstory integration to retrieve asset alerts or IOC domain matches as incidents. Use it to fetch a list of infected assets based on the indicator accessed.
- Pentera
An integration with Pentera by Pcysys.
- Claroty
Use the Claroty CTD integration to manage assets and alerts.
- Expanse
The Expanse App for Demisto leverages the Expander API to retrieve network exposures and create incidents in Demisto. This application also enables IP and domain enrichment, retrieving asset and exposure information drawn from Expanse.
- IBM X-Force Exchange (v2)
Use the IBM X-Force Exchange integration to receive threat intelligence about applications, IP addresses, URLs, and hashes.
- CounterCraft Deception Director
Use the CounterCraft Deception Solution integration to detect advanced adversaries and to automate counterintelligence campaigns to discover targeted attacks with real-time active response.
- Indeni
Indeni is turn-key automated monitoring providing visibility for security infrastructure. Indeni's production-ready knowledge is curated from vetted, community-sourced experience, to deliver automation of tedious tasks with integration into your existing processes.
- illuminate
This integration utilizes AnalystPlatform's Illuminate system to enrich Demisto indicators.
9 Improved Integrations
- MISP V2
Fixed the default value for the PREDEFINED argument in the misp-search command.
- DomainTools Iris
Improved the integration description.
- Micro Focus Service Manager
Improved the descriptions for several parameters and commands.
- SplunkPy
Added support for comma-separated values in the splunk-parse-raw command.
- Palo Alto Networks PAN-OS
- Added 2 commands.
- panorama-register-user-tag
- panorama-unregister-user-tag
- Zscaler
- Fixed an issue where the url command in Zscaler did not create an indicator in Demisto.
- Fixed the output descriptions of the url and ip commands in Zscaler.
- Fixed an issue where the zscaler-category-add-url command failed when passing multiple URLs separated with spaces.
- Fixed an issue where the zscaler-undo-blacklist-url command always failed with the error "Given URL is not blacklisted".
- Fixed an issue where the zscaler-undo-blacklist-ip command always failed with the error "Given IP is not blacklisted".
- Fixed an issue where the zscaler-undo-whitelist-url command always failed with the error "Given host address is not whitelisted.".
- Fixed an issue where the zscaler-undo-whitelist-ip command always failed with the error "Given IP address is not whitelisted.".
- Updated command executions to always activate changes after API calls and close session. This fixes issues related to the session not being authenticated or timing out.
- McAfee DXL
Added certificate validation.
- McAfee Threat Intelligence Exchange
Added certificate validation.
- Qualys
Fixed an argument name in the qualys-schedule-scan-list command.
Scripts
New Script
- ExpanseParseRawIncident
Parses an Expanse incident from raw JSON to readable output.
2 Improved Scripts
- FilterByList
Added the name of the compared list to the context.
- XDRSyncScript
Fixed an issue where an incident was modified in XDR but not updated in Demisto.
Playbooks
6 New Playbooks
- Claroty Manage Asset CVEs
- Claroty Incident
- Indeni Demo
- Pentera Run Scan
- Expanse Incident Playbook
Parses an incident from Expanse from raw JSON into readable output.
- NetSec - Palo Alto Networks DUG - Tag User
Blocks a user by tagging them in the Palo Alto Networks NGFW. Requires PAN-OS 9.1 or later.
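The panorama-register-user-tag and panorama-unregister-user-tag commands listed under the PAN-OS integration above, and the "DUG - Tag User" playbook, both rest on the PAN-OS User-ID API: the firewall accepts a uid-message XML document that registers (or unregisters) a tag on a user, and a Dynamic User Group whose match criterion is that tag then picks the user up in policy. The following is an added example that builds, parses and checks such messages; it is not code from the Demisto content repository or from Palo Alto Networks. The firewall hostname, API key, user and tag name are constructed placeholders.

```python
"""Build and audit PAN-OS User-ID tag registration messages (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_user_tag_message(user, tags, unregister=False, timeout=None):
    """Return a uid-message that registers (or unregisters) the given tags on a user.

    ``timeout`` (seconds) is optional; when given, each registered tag carries a
    timeout attribute so the firewall ages the tag out by itself.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    action = ET.SubElement(payload, "unregister-user" if unregister else "register-user")
    entry = ET.SubElement(action, "entry", {"user": user})
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        member = ET.SubElement(tag_el, "member")
        member.text = tag
        if timeout is not None and not unregister:
            member.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


def build_api_request(firewall, api_key, cmd_xml):
    """Return (url, form_body) for the User-ID API endpoint; send it as an HTTP POST.

    ``firewall`` and ``api_key`` are placeholders supplied by the caller; the
    endpoint path and the type=user-id parameter are what the PAN-OS XML API uses.
    """
    url = f"https://{firewall}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": cmd_xml})
    return url, body


def parse_tag_message(xml_text):
    """Parse a uid-message back into {action, user, tags} so a change can be audited."""
    root = ET.fromstring(xml_text)
    payload = root.find("payload")
    action = list(payload)[0]  # register-user or unregister-user
    entry = action.find("entry")
    tags = [m.text for m in entry.find("tag").findall("member")]
    return {"action": action.tag, "user": entry.get("user"), "tags": tags}


def user_id_response_ok(response_xml):
    """True when the firewall's XML response reports status="success"."""
    return ET.fromstring(response_xml).get("status") == "success"


if __name__ == "__main__":
    # Quarantine a user for one hour, then show the matching unregister message.
    msg = build_user_tag_message("acme\\jdoe", ["quarantine"], timeout=3600)
    print(msg)
    print(parse_tag_message(msg))
    print(build_user_tag_message("acme\\jdoe", ["quarantine"], unregister=True))
```

The tag is only half of the block: a Dynamic User Group with match criterion `quarantine` must exist and be referenced as the source user of a deny rule, which is the setup the "Block Account - Generic" playbook changes in this release assume. Unregistering the tag, or letting the timeout expire, releases the user without a commit.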
3 Improved Playbooks
- NetOps - Firewall Version and Content Upgrade
Updated playbook descriptions and task names.
- NetOps - Upgrade PAN-OS Firewall Device
Updated playbook descriptions and task names.
- Block Account - Generic
Added the PAN-OS Dynamic User Groups commands to the playbook.
Incident Layouts
12 New Incident Layouts
- accountRep - Indicator Details
- hostRep - Indicator Details
- Expanse Appearance - Summary
- domainRep - Indicator Details
- Claroty Integrity Incident - Summary
- cveRep - Indicator Details
- unifiedFileRep - Indicator Details
- registryKey - Indicator Details
- Claroty Security Incident - Summary
- ipRep - Indicator Details
- emailRep - Indicator Details
- urlRep - Indicator Details
Demisto Content Release version 20.2.3 (41510)
Demisto Content Release Notes for version 20.2.3 (41510)
Published on 18 February 2020
Integrations
2 New Integrations
- Lastline v2
Use the Lastline v2 integration to give threat analysts and incident response teams the advanced malware isolation and inspection environment needed to safely execute advanced malware samples and understand their behavior.
- Akamai WAF
Use the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features.
10 Improved Integrations
- SplunkPy
Added the app argument to the following commands.
- splunk-job-create
- splunk-search
- SumoLogic
- Added the waitForSearchComplete parameter, which causes the search to wait for the query to iterate over all messages before returning results.
- Bugfix: wait for the query to complete when fetching incidents as aggregate records.
- ZeroFox
Fixed an issue where the same incident was repeatedly fetched.
- McAfee Web Gateway
Fixed an issue where the integration parameters were exposed in the log.
- Mail Sender (New)
Fixed an issue where, in some cases, attachments were displayed as empty.
- Elasticsearch v2
You can now fetch incidents without specifying the Date Format parameter.
- ArcSight ESM v2
Fixed an issue where the output of the as-get-entries command was not in the correct format for results with a large number of objects.
- Rasterize
- Updated Chromium to version 80.
- Added support for specifying a maximum page load time. The default value is 180 seconds.
- Changed the default user agent to match the Chrome user agent.
- RSA NetWitness v11.1
- Fixed an issue with fetch-incidents where setting a Fetch Limit would drop older incidents if the number of the fetched incidents was greater than the limit.
- Added the pageNumber argument to the netwitness-get-incidents command. The argument allows the user to get incidents from a specific page and is intended to be used with the limit argument.
- Palo Alto Networks PAN-OS
- The name argument is now mandatory in the panorama-get-service command.
- Added 7 commands.
- panorama-download-latest-content-update
- panorama-content-update-download-status
- panorama-install-latest-content-update
- panorama-content-update-install-status
- panorama-check-latest-panos-software
- panorama-download-panos-version
- panorama-download-panos-status
Scripts
New Script
- YaraScan
Performs a Yara scan on the specified files.
2 Improved Scripts
- ReadPDFFileV2
- Fixed a bug where emails were labeled as URLs.
- Added Email standard output.
- DockerHardeningCheck
Updated the error entry with a detailed explanation of the failure.
Playbooks
5 New Playbooks
- NetOps - Upgrade PAN-OS Firewall Device
Network operations playbook that upgrades the firewall. A superuser account is required to update the PAN-OS version.
- NetOps - Firewall Version and Content Upgrade
Network operations playbook that updates the version and the content of the firewall. A superuser account is required to update the PAN-OS version.
- Detonate URL - Lastline v2
Detonates a URL using the Lastline v2 sandbox integration.
- Akamai WAF - Activate Network Lists
Activates network lists in Staging or Production on Akamai WAF. The playbook finishes when the network list is active in the requested environment.
- Detonate File - Lastline v2
Detonates a file using the Lastline sandbox.
2 Improved Playbooks
- Detonate URL - Generic
Replaced the Detonate URL - Lastline sub-playbook with Detonate URL - Lastline v2.
- Detonate File - Generic
Replaced the Detonate File - Lastline sub-playbook with Detonate File - Lastline v2.
Incident Fields
New Incident Field
- Target Firewall Version
Version to install on the firewall for PAN-OS, for example: 9.0.5.
- panorama-install-panos-version
- panorama-install-panos-status
- panorama-device-reboot
Demisto Content Release 20.2.2 (40656)
Demisto Content Release Notes for version 20.2.2 (40656)
Published on 09 February 2020
This is a patch release for Content Release 20.2.0.
7 Improved Integrations
- Palo Alto Networks PAN-OS
- Fixed an issue in the panorama-create-rule and panorama-create-block-rule commands.
- Added the category argument to the panorama-create-rule command.
- Kenna V2
You can supply a list for the id, status, and top-priority arguments in the following commands.
- kenna-search-assets
- kenna-get-asset-vulnerabilities
- kenna-search-fixes
- kenna-search-vulnerabilities
- Microsoft Graph Mail
Fixed an issue where not all items were retrieved from a mailbox.
- QRadar
Fixed an issue where the qradar-get-search-results and qradar-get-search commands ignored the headers argument.
- Securonix
Fixed an issue where the integration failed to fetch incidents.
- Carbon Black Defense
- Added proper error messages for missing fetch parameters.
- Added a detailed description that describes how to retrieve the fetch parameters: SIEM Key and SIEM ID.
- Netskope
Fixed an issue in cases when the last time of the fetch was not updated correctly.
Playbooks
2 New Playbooks
- PAN-OS EDL Setup v2
- Configures an external dynamic list in PAN-OS.
- If the EDL file exists on the web server, it will sync to Demisto and create an EDL object with a matching rule.
- PAN-OS - Create Or Edit EDL Rule
Creates or edits a Panorama rule and moves it to the specified position.
2 Improved Playbooks
- Block IOCs from CSV - External Dynamic List
Fixed an issue where the first condition worked only for some CSV files.
- PAN-OS - Block IP and URL - External Dynamic List
- Fixed issue with task inputs.
- Added new sub-playbooks.
For more information about this release, see the 20.2.0 release notes.
Demisto Content Release 20.2.1 (40537)
Demisto Content Release Notes for version 20.2.1 (40537)
Published on 6 February 2020
This is a hotfix release.
- Fixed an issue in the SearchIncidents script in which an error was raised when no incidents were found.
1 New Script
- SearchIncidentsV2:
Searches Demisto incidents.
Deprecated Script
- SearchIncidents:
Use the SearchIncidentsV2 script instead.
Demisto Content Release version 20.2.0 (40231)
Demisto Content Release Notes for version 20.2.0 (40231)
Published on 04 February 2020
Breaking Changes
Changed several indicator field names, which might cause backwards compatibility issues for mapping indicator fields.
Integrations
4 New Integrations
- Devo v2
Use the Devo v2 integration to query Devo for alerts and lookup tables, and to write to lookup tables.
- CloudShark
Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system.
- Palo Alto Networks - Prisma Cloud Compute
Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.
- Sixgill
Use the Sixgill integration to fetch alerts as incidents. Sixgill provides alerts that are based on organization assets, enabling you to take proactive steps to eliminate and mitigate your threats.
14 Improved Integrations
- Palo Alto Networks Cortex XDR - Investigation and Response
- Fixed an issue where trailing whitespace affected outputs.
- Implemented the Cortex XDR API v2.
- Added 11 Traps commands.
- xdr-isolate-endpoint
- xdr-unisolate-endpoint
- xdr-get-endpoints
- xdr-insert-parsed-alert
- xdr-insert-cef-alerts
- xdr-get-audit-management-logs
- xdr-get-audit-agent-reports
- xdr-get-distribution-versions
- xdr-get-distribution-url
- xdr-get-create-distribution-status
- xdr-create-distribution
- Red Canary
Fixed an issue with fetch-incidents in which detections were not properly fetched.
- VulnDB
Added the cve command, which returns CVE information.
- Palo Alto Networks AutoFocus V2
Added the autofocus-get-export-list-indicators command.
- IBM QRadar
Added immediate recovery of HTTP requests on connection errors, which should help when the QRadar SIEM is busy.
- Microsoft Graph Mail
Fixed an issue where listing emails did not compare the mail ID.
- SplunkPy
- The Test button now tests the fetch incidents function when the Fetch incidents option is selected.
- Fixed an issue in the Splunk notable events ES query parameter where the time parameter was not passed to the table in Splunk.
- Rasterize
- Added support for specifying advanced Chrome options.
- Improved rendering of large HTML files.
- Mimecast
Added the mimecast-update-policy command.
- Demisto REST API
Improved descriptions and fixed a typo.
- Securonix
- Added the Host parameter, which, if supplied, overrides the default hostname.
- Added 4 commands.
- securonix-create-incident
- securonix-create-watchlist
- securonix-check-entity-in-watchlist
- securonix-add-entity-to-watchlist
- Atlassian Jira (v2)
Fixed an issue in the jira-get-issue command where retrieving issue attachments failed.
- dnstwist
Fixed an issue with creating outputs for the dnstwist-domain-variations command.
- Kafka V2
Improved the description of the kafka-fetch-partitions command.
Scripts
7 New Scripts
- IsInternalHostName
Checks whether the supplied hostnames match either the organization's internal naming convention or the domain suffix.
- CreateIndicatorsFromSTIX
Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
- PrismaCloudComputeParseAuditAlert
Parses raw JSON data for Audit alerts.
- PrismaCloudComputeParseComplianceAlert
Parses raw JSON data for Compliance alerts.
- PrismaCloudComputeParseVulnerabilityAlert
Parses raw JSON data for Vulnerability alerts.
- PrismaCloudComputeParseCloudDiscoveryAlert
Parses raw JSON data for Cloud Discovery alerts.
- YaraScan
Performs a Yara scan on the supplied files.
6 Improved Scripts
- SaneDocReports
Fixed an issue where, in rare cases, investigation reports crashed.
- UnzipFile
Fixed an issue where the script returned the file metadata instead of the file contents.
- ReadPDFFileV2
Fixed an issue where the script failed for some PDF files with the error "Syntax Error: Invalid object stream Internal Error: xref num 2245 not found but needed, try to reconstruct".
- ParseEmailFiles
Added handling for EML files with no Content-Type header. The script treats such a file as email text with no attachments.
- CommonServerPython
Added the ip_to_indicator_type function.
- XDRSyncScript
Updated outputs and added additional alert outputs.
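The ParseEmailFiles change above concerns a real edge case: RFC 5322 defines a message without a Content-Type header as plain text, so a parser that insists on the header either rejects the file or misclassifies it. The following is an added example, not the ParseEmailFiles script, showing how Python's standard `email` package handles that case (it defaults the content type to text/plain and yields no attachments) next to a normal multipart message with one attachment. Both messages are constructed samples.

```python
"""Parse .eml input with and without a Content-Type header (added example)."""
import email
from email import policy

# Constructed sample: headers but no Content-Type / MIME-Version at all.
NO_CONTENT_TYPE_EML = b"""From: alice@example.test
To: bob@example.test
Subject: invoice
Date: Tue, 18 Feb 2020 10:00:00 +0000

Please see the attached invoice.
"""

# Constructed sample: multipart/mixed with a text body and one binary attachment.
MULTIPART_EML = b"""From: alice@example.test
To: bob@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Body here.
--b1
Content-Type: application/octet-stream; name="inv.bin"
Content-Disposition: attachment; filename="inv.bin"
Content-Transfer-Encoding: base64

AAEC
--b1--
"""


def parse_eml(raw: bytes) -> dict:
    """Return subject, effective content type, body text and attachment metadata.

    policy.default gives an EmailMessage whose get_content_type() falls back to
    text/plain when the header is absent, and whose iter_attachments() yields
    nothing for a non-multipart message, so the headerless file comes out as
    plain email text with an empty attachment list.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = [
        {"filename": part.get_filename(), "size": len(part.get_payload(decode=True))}
        for part in msg.iter_attachments()
    ]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "subject": msg["subject"],
        "content_type": msg.get_content_type(),
        "has_content_type_header": "Content-Type" in msg,
        "body": body.strip(),
        "attachments": attachments,
    }


if __name__ == "__main__":
    print(parse_eml(NO_CONTENT_TYPE_EML))
    print(parse_eml(MULTIPART_EML))
```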
Playbooks
10 New Playbooks
- SANS - Incident Handler's Handbook Template*
This playbook contains the phases for handling an incident as described in the SANS Institute Incident Handler's Handbook by Patrick Kral.
- SANS - Incident Handlers Checklist*
This playbook follows the "Incident Handler's Checklist" described in the SANS Institute Incident Handler's Handbook by Patrick Kral.
- SANS - Lessons Learned*
This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented in the SANS Institute Incident Handler's Handbook by Patrick Kral.
- Wait Until Datetime
Pauses execution until the date and time specified in the playbook input is reached.
- Prisma Cloud Compute - Cloud Discovery Alert
The default playbook for parsing Prisma Cloud Compute Cloud Discovery alerts.
- Prisma Cloud Compute - Vulnerability Alert
The default playbook for parsing Prisma Cloud Compute vulnerability alerts.
- Prisma Cloud Compute - Audit Alert
The default playbook for parsing Prisma Cloud Compute audit alerts.
- Splunk Indicator Hunting
Queries Splunk for indicators such as file hashes, IP addresses, domains, or URLs, and outputs detected users, IP addresses, and hostnames related to the indicators.
- Sixgill - DarkFeed - Indicators
Extracts a STIX bundle and then uses the StixParser automation to parse the indicators and push them to Demisto.
- Prisma Cloud Compute - Compliance Alert
The default playbook for parsing Prisma Cloud Compute compliance alerts.
* Disclaimer: The SANS playbooks do not ensure compliance with SANS regulations.
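Both the CreateIndicatorsFromSTIX script and the Sixgill - DarkFeed - Indicators playbook turn a STIX bundle into Demisto indicators. The core of that step is reading each `indicator` object's pattern, which is a comparison expression over cyber-observable paths such as `ipv4-addr:value` or `file:hashes.'SHA-256'`, and mapping each comparison to an indicator type and value. The following is an added example of that extraction for STIX 2.0; it is not the CreateIndicatorsFromSTIX script or the StixParser automation, covers only equality comparisons (no wildcard or temporal operators), and the bundle, its object IDs and the type names on the right-hand side of the map are constructed for the example.

```python
"""Extract indicators from a STIX 2.0 bundle (added example)."""
import json
import re

# STIX observable paths this example understands, mapped to indicator types.
STIX_TYPE_MAP = {
    "ipv4-addr:value": "IP",
    "ipv6-addr:value": "IPv6",
    "domain-name:value": "Domain",
    "url:value": "URL",
    "email-addr:value": "Email",
    "file:hashes.MD5": "File",
    "file:hashes.'SHA-1'": "File",
    "file:hashes.'SHA-256'": "File",
}

# One equality comparison inside a pattern: <object-path> = '<value>'.
# The value group tolerates escaped quotes (\') inside the literal.
COMPARISON_RE = re.compile(r"([\w\-]+:[\w\.'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def parse_pattern(pattern: str) -> list:
    """Return [(indicator_type, value)] for each supported comparison in a pattern."""
    found = []
    for path, raw_value in COMPARISON_RE.findall(pattern):
        indicator_type = STIX_TYPE_MAP.get(path)
        if indicator_type is None:
            continue  # unsupported observable path: skip rather than guess a type
        found.append((indicator_type, raw_value.replace("\\'", "'")))
    return found


def indicators_from_bundle(bundle_json: str) -> list:
    """Walk a STIX 2.0 bundle (JSON text) and return indicator dicts ready for ingestion."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    indicators = []
    for obj in bundle.get("objects", []):
        # Only live indicator SDOs carry patterns; revoked ones must not be re-pushed.
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        for indicator_type, value in parse_pattern(obj.get("pattern", "")):
            indicators.append({
                "type": indicator_type,
                "value": value,
                "labels": obj.get("labels", []),
                "valid_from": obj.get("valid_from"),
                "stix_id": obj["id"],
            })
    return indicators


# Constructed sample bundle: three live indicators (one with an OR pattern),
# one revoked indicator and one non-indicator object.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--0f4a5d3e-1111-4222-8333-444444444444",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000001",
         "labels": ["malicious-activity"], "valid_from": "2020-02-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000002",
         "labels": ["malicious-activity"], "valid_from": "2020-02-01T00:00:00Z",
         "pattern": "[domain-name:value = 'bad.example' OR url:value = 'http://bad.example/login']"},
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000003",
         "labels": ["malicious-activity"], "valid_from": "2020-02-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000004",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "revoked": True, "pattern": "[ipv4-addr:value = '203.0.113.9']"},
        {"type": "malware", "id": "malware--1a2b3c4d-0000-4000-8000-000000000005",
         "name": "sample-family", "labels": ["trojan"]},
    ],
})


if __name__ == "__main__":
    for ind in indicators_from_bundle(SAMPLE_BUNDLE_JSON):
        print(ind["type"], ind["value"], ind["stix_id"])
```

Skipping revoked objects matters for feeds that are re-pulled on a schedule: a revoked indicator re-ingested as live would reblock an address the provider has already withdrawn.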
3 Improved Playbooks
- PANW - Hunting and threat detection by indicator type V2
Fixed a missing task link.
- IT - Employee Offboarding
Added functionality that enables offboarding employees on a future date.
- IT - Employee Offboarding - Manual
Added functionality that enables offboarding employees on a future date (manually).
Incident Fields
- Offboarding Date
The date and time when the employee offboarding process should begin.
This incident field is associated with the new AWS EC2 Instance Misconfiguration incident type.
Incident Layouts
6 New Incident Layouts
- AWS EC2 Instance Misconfiguration - Summary
- Sixgill Threat - Summary
- Prisma Cloud Compute Audit - Summary
- Prisma Cloud Compute Compliance - Summary
- Prisma Cloud Compute Cloud Discovery - Summary
- Prisma Cloud Compute Vulnerability - Summary
2 Improved Incident Layouts
- Employee Offboarding - Summary
Added a field for the date and time when the offboarding process began.
- Employee Offboarding - New/Edit
Added an option to select a future date and time at which to begin employee offboarding.
Classification & Mapping
3 Improved Classification & Mapping
- RedLock
Added classification to the AWS EC2 Instance Misconfiguration incident type.
- Cortex XDR - IR
Added the host_count field to the mapping of the Cortex XDR integration, with the incident type Cortex XDR Incident. (Available from Demisto v5.0)
- prismaCloud_app
Added classification to the AWS EC2 Instance Misconfiguration incident type.