Demisto Content Release Notes for version 19.12.1 (36874)

Published on 25 December 2019

Integrations

9 New Integrations

• Microsoft Graph Calendar Use the Microsoft Graph Calendar integration to create and manage different calendars and events according to your requirements.
• Lockpath KeyLight v2 Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
• Flashpoint Use the Flashpoint integration to reduce business risk.
• Infoblox Use the Infoblox integration to to receive metadata about IPs in your network, and manage the DNS Firewall by configuring RPZs.
• PhishLabs IOC DRP Use the PhishLabs IOC DRP integration to retrieve live feeds of Digital Risk Protection from PhishLabs.
• McAfee DXL Use the McAfee DXL integration to enable different products to communicate via a standard API.
• SecBI Use the SecBI integration, a threat, intelligence, and investigation platform, to enable automation of detection and investigation, including remediation and prevention policy, the enforcements on all integrated appliances.
• Akamai WAF SIEM Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.
• OpenLDAP (Beta) Use the OpenLDAP (Beta) integration to authenticate using Open LDAP.

27 Improved Integrations

• Palo Alto Networks Cortex Fixed an issue with the fetch incidents function in which failed jobs raised an exception.
• Microsoft Graph User Added content-version and content-name headers to Oproxy request.
• Microsoft Graph Mail Added content-version and content-name headers to Oproxy request.
• Cofense Triage Fixed an issue with test module.
• Joe Security Fixed an issue in the joe-analysis-submit-sample command where the system field output returned duplicates.
• Microsoft Graph Groups Added content-version and content-name headers to Oproxy request.
• IBM QRadar Fixed an issue in which the qradar-get-assets command failed when a user supplied a value for the fields parameter.
• LogRhythm The lr-execute-query command now works as expected.
• PhishLabs IOC EIR
  • Added the period argument to the phishlabs-ioc-eir-get-incidents command, which defines the time range for which to return incidents.
  • Improved implementation of the fetch incidents functionality.
  • Improved the integration documentation.
  • Changed the display name to PhishLabs IOC EIR.
• Palo Alto Networks AutoFocus V2 Added 4 reputation commands.
  • ip
  • domain
  • file
  • url
• SplunkPy Enhanced the execution speed of the splunk-search command.
• Azure Security Center v2 Added content-version and content-name headers to Oproxy request.
• Carbon Black Enterprise Live Response
  • Deprecated the cb-memdeump command. Use the cb-memdump command instead.
  • Fixed an issue where the cb-memdeump did not initiate a memory dump on the server endpoint.
• Azure Compute v2 Added content-version and content-name headers to Oproxy request.
• Mimecast
  • Added 9 commands.
    • mimecast-find-groups
    • mimecast-get-group-members
    • mimecast-add-group-member
    • mimecast-remove-group-member
    • mmimecast-create-group
    • mimecast-update-group
    • mimecast-create-remediation-incident
    • mimecast-get-remediation-incident
    • mimecast-search-file-hash
  • Fixed an issue with instance SSL configuration.
• IntSights Fixed an issue with the is-hidden and the rate arguments in the intsights-close-alert command.
• Tanium v2 Fixed an issue where the tn-get-question-result command returned empty results.
• RSA Archer Fixed an issue where reports generated from the GenerateInvestigationReport script failed to upload to RSA Archer.
• Active Directory Query v2 Fixed a typo in the name of the custom-field-data argument.
• Gmail
  • Added a new command.
    • gmail-get-role
  • Improved the outputs for the following commands.
    • gmail-get-user-roles
    • gmail-list-filters
    • gmail-add-filter
• EWS v2 Fixed an issue where threads did not close after executing commands.
• EWS Mail Sender Improved performance and functionality.
• Microsoft Graph Security Added content-version and content-name headers to Oproxy request.
• RSA NetWitness v11.1 Fixed an issue where the environment proxy affected the integration, when no proxy should be used.
• CrowdStrike Falcon
  • Added the following real-time response API commands.
    • cs-falcon-run-command
    • cs-falcon-upload-script
    • cs-falcon-get-script
    • cs-falcon-delete-script
    • cs-falcon-list-scripts
    • cs-falcon-upload-file
    • cs-falcon-delete-file
    • cs-falcon-get-file
    • cs-falcon-list-files
    • cs-falcon-run-script
  • Added the email argument to the cs-falcon-resolve-detection command, which can be used instead of the ids argument.
• Rasterize Fixed an issue with the rasterize command in which child processes were defunct.
• Windows Defender Advanced Threat Protection Added content-version and content-name headers to Oproxy request.

2 Deprecated Integrations

• Intezer Use the Intezer v2 integration instead.
• Lockpath Keylight Use the Lockpath Keylight v2 integration instead.

---

Scripts

4 New Scripts

• RegexExtractAll
  • Extracts all matches from a specified regular expression pattern from a provided string. Returns an array of results and all matches of a specified pattern, not just specific groups. Useful for extraction, using a pattern where the content of the source string is indeterminate, such as extracting all email addresses. The 'regex' library is used and supports more advanced regex functionality than the standard 're' library.
  • The following arguments have been added.
    • The convenience argument, which enhances usability, multi-line, ignore_case, and period_matches_newline.
    • The error_if_no_match argument. The script will not throw an error if a match is not found. If it does not use a transformer within a playbook, you might want to throw an error if the expression doesn't match.
• GetMLModelEvaluation Finds a threshold for the ML model and performs an evaluation based on it.
• PrettyPrint Pretty-print data using Python's pprint library. This is useful for seeing the structure of an incident and context data.
• KeylightCreateIssue Use this script to simplify the process of creating or updating a record in Keylight v2.

11 Improved Scripts

• IPv4Blacklist
  • Improved script implementation.
  • Breaking changes: updated Docker image.
• DBotPredictPhishingWords
  • Added support for text highlighting.
  • Added support for minimum text-length argument.
  • Added an argument, when there is prediction, not to return an error.
• GetTime Fixed an issue where providing a date input from context returned the current date instead of the provided date.
• IPv4Whitelist
  • Improved script implementation.
  • Breaking changes: updated Docker image.
• UnzipFile The file size (in bytes) is returned as expected.
• SaneDocReports
  • Fixed an issue where the line chart x-axis was not readable.
  • Fixed an issue with the graph width.
• IsRFC1918Address
  • Improved script implementation.
  • Breaking changes: updated the script Docker image.
• IsNotInCidrRanges
  • Improved script implementation.
  • Breaking changes: updated the script Docker image.
• DBotTrainTextClassifierV2 Added new evaluation methodology and metrics to the logic of the trained model.
• IsInCidrRanges
  • Improved script implementation.
  • Breaking changes: updated the script Docker image.
• ParseEmailFiles Added handling for cases where an attachment has neither the DisplayName nor the AttachFilename properties.

---

Playbooks

5 New Playbooks

• CVE Enrichment - Generic v2 Performs CVE Enrichment using the following integrations.
  • VulnDB
  • CVE Search
  • IBM X-Force Exchange
• Active Directory - Get User Manager Details Takes an email address or a username of a user account in an Active Directory, and returns the email address of the user's manager.
• PANW - Hunting and threat detection by indicator type This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on file hashes, IP addresses, or domain names provided manually or taken from outputs of other playbooks.
• Block IOCs from CSV - External Dynamic List Parses a CSV file with IOCs and blocks them using Palo Alto Networks External Dynamic Lists.
• QRadar Indicator Hunting Queries QRadar SIEM for indicators, such as file hashes, IP addresses, domains, and URLs.

14 Improved Playbooks

• Endpoint Malware Investigation - Generic Added new playbook inputs.
• Intezer - Analyze by hash Fixed an issue where the playbook finished before the analysis was completed.
• PAN-OS - Block URL - Custom URL Category Added new playbook inputs.
• DBot Create Phishing Classifier V2 Updated evaluation metrics of the trained model.
• Intezer - Analyze Uploaded file Fixed an issue where the playbook finished before the analysis was completed.
• PAN-OS EDL Setup Rule position is no longer mandatory, the default position was changed to Top.
• Palo Alto Networks - Endpoint Malware Investigation
  • Added the new sub-playbook PANW - Hunting and threat detection by indicator type.
  • Added new playbook inputs.
• PAN-OS - Block IP and URL - External Dynamic List
  • Fixed an issue with EDL refresh for Panorama.
  • Added new playbook inputs.
• PAN-OS - Create Or Edit Rule Rule position is no longer mandatory, and the default position was changed to Bottom.
• PAN-OS DAG Configuration Rule position is no longer mandatory, and the default position was changed to Top.
• Access Investigation - Generic - NIST
  • Fixed inputs for IP Enrichment - Generic v2.
  • Removed the Change severity task.
• Block IP - Generic v2 Added playbook inputs to establish the PAN-OS remediation path.
• Palo Alto Networks - Malware Remediation Added the new sub-playbook PAN-OS - Block Domain - External Dynamic List.
• PAN-OS - Block Domain - External Dynamic List
  • Fixed an issue with EDL refresh for Panorama.
  • Added new playbook inputs.

---

Assets

• Download: content_new.zip
• Browse the Source Code: Content Repo @ 19.12.1