Demisto Content Release Notes for version 19.12.0 (35835)

Published on 10 December 2019


5 New Integrations

  • Accessdata Use the Accessdata integration to protect against and provide additional visibility into phishing and other malicious email attacks.
  • IronDefense Use the IronDefense Integration to rate alerts, update alert statuses, add comments to alerts, and to report observed bad activity.
  • Microsoft Graph Groups Use the Microsoft Graph Groups integration to create and manage different types of groups and group functionality.
  • Gmail Single User (Beta) Use the Gmail Single User integration to send and receive emails from a single user's mailbox. Authentication is performed using OAuth 2.0 protocol.
  • Blue Coat Content and Malware Analysis (Beta) Beta release of the Blue Coat Content and Malware Analysis integration.

22 Improved Integrations

  • MISP V2 You can now filter an event by attribute data fields.
  • Alexa Rank Indicator
    • Added fallback for when the default endpoint is inaccessible.
    • Added support for connection from a proxy.
    • Updated DBotScore outputs.
  • CrowdStrike Falcon Sandbox The crowdstrike-submit-sample command now works as expected.
  • PhishLabs IOC EIR v2 Changed the display name to PhishLabs EIR v2.
  • Microsoft Graph User Fixed an issue where the msgraph-user-create command did not work if the optional argument other_properties was not supplied. You can now run this command without supplying the other_properties argument.
  • RSA Archer
    • Fixed an issue when retrieving app IDs for applications with reverse field mapping.
    • Added support for multiselect fields in the following commands.
      • archer-create-record
      • archer-update-record
    • Added support for specifying users in type 8 fields in the following commands.
      • archer-create-record
      • archer-update-record
  • WhatIsMyBrowser Added support for the extend-context argument in the ua-parse command.
  • LogRhythm Fixed an issue with an error message in the lr-get-alarms command.
  • Palo Alto Networks PAN-OS EDL Management
    • Updated the detailed description.
    • Fixed an issue where the pan-os-edl-update command failed in scp_execute() when the file path included space characters.
    • Fixed an issue where the ssh_execute() function failed when the file name included space characters.
    • Added the following commands.
      • pan-os-edl-update-internal-list
      • pan-os-edl-update-external-file
  • VirusTotal
    • Added batch support for the reputation commands (ip, url, and domain).
    • Fixed an issue where DBotScore entries were duplicated in the incident context. This affects Demisto v5.5 and later.
  • Symantec Managed Security Services You can now use special characters in comments when running the symantec-mss-update-incident command.
  • Atlassian Jira (v2) Improved support for the following authentication methods. (Requires Demisto v5.0)
    • Basic
    • OAuth 1.0
  • Exabeam
    • Improved error handling.
    • Added the prefix exabeam- to all commands.
    • Added 2 new commands.
      • exabeam-delete-watchlist
      • exabeam-get-asset-data
  • FireEye HX Fixed an issue where fireeye-hx-file-acquisition command would fail on a timeout.
  • Anomali ThreatStream v2
    • The threatstream-import-indicator-with-approval command now works as expected.
    • Added support for comma-separated values in reputation commands (ip, file, domain, and url).
  • Palo Alto Networks PAN-OS
    • Fixed an issue where the status log queries that returned zero results did not update to Completed.
    • Added 2 commands.
      • panorama-get-url-category-from-cloud
      • panorama-get-url-category-from-host
    • Added support to get, create, and edit custom URL category objects, including using the categories attribute in PAN-OS v9.x and above.
  • EWS Mail Sender Fixed an issue where threads were not closed after executing a command.
  • Active Directory Query v2 Improved handling of error messages.
  • PhishLabs IOC EIR Changed the display name to Phishlabs IOC EIR.
  • Microsoft Graph Mail Added 7 new commands.
    • msgraph-mail-list-folders
    • msgraph-mail-list-child-folders
    • msgraph-mail-create-folder
    • msgraph-mail-update-folder
    • msgraph-mail-delete-folder
    • msgraph-mail-move-email
    • msgraph-mail-get-email-as-eml
  • Slack v2
    • Fixed an issue where mirrored investigations contained mismatched user names.
    • Added reporter and reporter email as labels to incidents that are created by direct messages.
  • CrowdStrike Falcon Fixed an issue with fetch incidents, which caused incident duplication.
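The two PAN-OS EDL Management fixes above (paths with spaces breaking scp_execute() and ssh_execute()) are instances of one general problem: a remote command built by string interpolation is re-parsed by the remote login shell, so a space splits the path into two words, and any shell metacharacter in the path is interpreted as well. The following Python block is an added illustration of that class of bug and its fix; it is not the integration's own code, and the helper names and sample path are hypothetical.

```python
"""Added example: unquoted versus quoted remote paths for ssh/scp commands.
Not the PAN-OS EDL Management integration's code; names and paths are made up."""
import shlex


def remote_command_unsafe(remote_path: str) -> str:
    # String interpolation: a space in the path splits it into two words on
    # the remote shell, and characters such as ';' or '$(' are interpreted.
    return "cat " + remote_path


def remote_command(remote_path: str) -> str:
    # shlex.quote wraps the path in single quotes whenever it contains anything
    # outside the shell-safe character set, so the remote shell sees one word.
    return "cat " + shlex.quote(remote_path)


def ssh_argv(host: str, remote_path: str) -> list:
    # Local argv for subprocess.run(argv) (no local shell involved). The third
    # element is still parsed by the remote login shell, hence the quoting.
    return ["ssh", host, remote_command(remote_path)]


def scp_argv(local_file: str, host: str, remote_path: str) -> list:
    # With the legacy scp protocol the remote path is expanded by the remote
    # shell too, so it needs the same quoting; the local path is a plain argv element.
    return ["scp", local_file, host + ":" + shlex.quote(remote_path)]


def as_seen_by_remote_shell(remote_cmd: str) -> list:
    # shlex.split models POSIX shell word splitting and quote removal, which is
    # what the remote side does with the command string ssh hands it.
    return shlex.split(remote_cmd)


if __name__ == "__main__":
    path = "/var/www/edl/block list.txt"  # constructed example path
    print(as_seen_by_remote_shell(remote_command_unsafe(path)))
    print(as_seen_by_remote_shell(remote_command(path)))
    print(ssh_argv("edl@192.0.2.5", path))
    print(scp_argv("blocklist.txt", "edl@192.0.2.5", path))
```

The same quoting applies to any other value that ends up inside the remote command string (file names, list names), not only to the path argument the release note mentions.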

Deprecated Integration

  • Phishme Intelligence Use the Cofense Intelligence integration instead.


5 New Scripts

  • AccessdataCheckProcessExistsInSnapshot Reads the contents of the processes list XML file from context and checks if the given process exists in the process list.
  • GetEWSFolder Retrieves emails from multiple folders of an account in a single batch.
  • ExportMLModel Exports an existing machine learning (ML) model to a file.
  • ImportMLModel Imports a file that contains a machine learning (ML) model.
  • ConvertAllExcept Converts all selected values but exceptions.

9 Improved Scripts

  • ReadPDFFileV2
    • Added support for processing PDF files that generate a warning.
    • Fixed an issue with URL extraction from PDF files.
  • ParseEmailFiles Fixed an issue with handling S/MIME-signed files with no attachments.
  • CheckEmailAuthenticity
    • Fixed an issue where the script did not properly determine the authenticity of some emails.
    • Fixed an issue where the DKIM signing domain was not identified.
  • ZipFile Fixed an issue where output values did not match the output paths.
  • QRadarGetOffenseCorrelations Added support for different CRE name default values.
  • UnzipFile Fixed an issue where supplying a wrong password would still upload a file to the War Room.
  • UnEscapeURLs Fixed an issue where special characters in URLs were parsed incorrectly.
  • ProofpointDecodeURL Deprecated. Changed to call UnEscapeURLs.
  • QRadarGetCorrelationLogs Added support for different CRE name default values.
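The CheckEmailAuthenticity item above concerns two things: reading the SPF, DKIM and DMARC verdicts a receiving MTA recorded, and identifying the DKIM signing domain so that it can be checked against the From domain. The Python block below is an added illustration of those checks; it is not the CheckEmailAuthenticity script's code, the two messages are constructed for the example, and the verdict policy in assess() is a simplified one chosen for illustration.

```python
"""Added example: SPF/DKIM/DMARC verdicts, DKIM signing domain and alignment.
Not the CheckEmailAuthenticity script's code; sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: DKIM signed by the From domain, DMARC pass.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com;
 dkim=pass header.i=@example.com header.s=sel1 header.d=example.com;
 dmarc=pass (p=REJECT) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=from:to:subject; bh=abc=; b=def=
From: Alice <alice@example.com>
To: bob@example.net
Subject: Quarterly report

Body text.
"""

# Constructed sample: same From address, but the valid DKIM signature belongs
# to another domain, so it does not align and DMARC fails.
SPOOFED_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=attacker.example;
 dkim=pass header.i=@attacker.example header.s=x header.d=attacker.example;
 dmarc=fail (p=REJECT) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=x; h=from;
 bh=abc=; b=def=
From: Alice <alice@example.com>
To: bob@example.net
Subject: Urgent wire transfer

Body text.
"""


def _headers(raw: str, name: str) -> list:
    return message_from_string(raw).get_all(name, [])


def auth_results(raw: str) -> dict:
    """SPF/DKIM/DMARC verdicts from Authentication-Results ('none' if absent)."""
    joined = " ".join(_headers(raw, "Authentication-Results"))
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b" + mech + r"=(\w+)", joined, re.IGNORECASE)
        out[mech] = m.group(1).lower() if m else "none"
    return out


def dkim_signing_domain(raw: str) -> Optional[str]:
    """d= tag of the first DKIM-Signature header; falls back to the verifier's
    header.d= in Authentication-Results when the signature header is absent."""
    for sig in _headers(raw, "DKIM-Signature"):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            return m.group(1).lower()
    joined = " ".join(_headers(raw, "Authentication-Results"))
    m = re.search(r"header\.d=([^;\s]+)", joined, re.IGNORECASE)
    return m.group(1).lower() if m else None


def from_domain(raw: str) -> Optional[str]:
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def org_domain(domain: str) -> str:
    # Approximation of the DMARC organizational domain (last two labels).
    # Real DMARC uses the public suffix list, so 'example.co.uk' is misjudged here.
    return ".".join(domain.split(".")[-2:])


def dkim_aligned(raw: str, strict: bool = False) -> bool:
    """DMARC identifier alignment between the DKIM d= domain and the From domain."""
    d, f = dkim_signing_domain(raw), from_domain(raw)
    if not d or not f:
        return False
    return d == f if strict else org_domain(d) == org_domain(f)


def assess(raw: str) -> dict:
    r = auth_results(raw)
    r["dkim_domain"] = dkim_signing_domain(raw)
    r["from_domain"] = from_domain(raw)
    r["dkim_aligned"] = dkim_aligned(raw)
    # Example verdict policy (not the script's): accept a DMARC pass reported
    # by the receiving MTA, or an aligned DKIM pass.
    r["authentic"] = r["dmarc"] == "pass" or (r["dkim"] == "pass" and r["dkim_aligned"])
    return r


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_EMAIL), ("spoofed", SPOOFED_EMAIL)):
        print(name, assess(raw))
```

The spoofed sample is the case a naive check gets wrong: dkim=pass is true, but the signing domain is attacker.example, so the signature says nothing about the displayed From address. Identifying the d= domain and checking alignment is what turns a bare "DKIM passed" into a useful authenticity signal.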


3 New Playbooks

  • PAN-OS Query Logs For Indicators This playbook queries the following PAN-OS log types: traffic, threat, url, data-filtering and wildfire. The playbook accepts inputs such as IP, hash, and url.
  • Get Mails By Folder Pathes This playbook retrieves emails from specified folders and executes pre-processing using EWS.
  • Accessdata: Dump memory for malicious process Use this playbook as a sub-playbook to dump memory if a given process is running on a legacy AccessData (AD) agent.

2 Improved Playbooks

  • PAN-OS Commit Configuration Removed PA-VM as the firewall identifier and changed the condition to else.
  • PhishingDemo-Onboarding The playbook now uses the updated File output context path of the extractIndicators command.


Improved Report

  • Critical and High incidents Table column names are now capitalized.

Classification & Mapping

New Classification & Mapping

  • Gmail Single User Added a classifier and mapper for the Gmail Single User integration, which authenticates using the OAuth 2.0 protocol.

2 Improved Classification & Mapping

  • RedLock Updated the classifier with a new transformer.
  • prismaCloud_app Updated the classifier with a new transformer.