Demisto Content Release Notes for version 19.9.1 (29841)

Published on 18 September 2019


4 New Integrations

  • ThreatQ v2
    Use the ThreatQ v2 integration to manage indicator scoring, types, and attributes.
  • Elasticsearch v2
    Use the Elasticsearch v2 integration to query and search indexes using the Lucene syntax. Supports Elasticsearch version 6 and later.
  • Shodan v2
    A search engine used for searching Internet-connected devices.
  • AttackIQ FireDrill
    An attack simulation platform that provides validations for security controls, responses, and remediation exercises.

25 Improved Integrations

  • IBM QRadar
    • The note_id argument is now optional in the qradar-get-note command. If the note_id argument is not specified, the command returns all notes for the offense.
    • Fixed an issue when closing an offense with the qradar-update-offense command, in which a user would specify a close reason, but an error was returned specifying that there was no close reason.
  • Whois
    • Updated the integration documentation to reflect capabilities of the Whois integration.
    • Added context outputs to match context standards, which enables outputs to be found for field mapping.
  • AlienVault USM Anywhere
    • Improved implementation of the fetch incidents function.
    • Improved integration documentation.
    • Added the Fetch limit and Time format parameters to the instance configuration.
  • VirusTotal - Private API
    Added context outputs to match context standards, which enables outputs to be found for field mapping.
  • EWS v2
    Improved handling of uploaded EML files.
  • SentinelOne V2
    • Fixed an issue in the Fetch incidents function.
    • Fixed date parameters in the sentinelone-get-threats command.
    • Added the fetch_limit parameter, which specifies the maximum number of incidents to fetch.
  • Palo Alto Networks Minemeld
    • Improved error handling for API errors.
    • Changed the name of the proxy parameter from Use system proxy to Use system proxy settings.
  • IntSights
    Improved the error message in cases where the URL address is incorrect.
  • Cuckoo Sandbox
    You can now enter an array of IDs for the cuckoo-view-task command.
  • EWS Mail Sender
    Improved logging implementation.
  • GitHub
    Added 14 commands.
      • GitHub-get-stale-prs
      • GitHub-get-branch
      • GitHub-create-branch
      • GitHub-delete-branch
      • GitHub-list-teams
      • GitHub-get-team-membership
      • GitHub-request-review
      • GitHub-create-comment
      • GitHub-list-issue-comments
      • GitHub-list-pr-files
      • GitHub-list-pr-reviews
      • GitHub-get-commit
      • GitHub-add-label
      • GitHub-get-pull-request
  • Cybereason
    Fixed the Filters argument in the cybereason-query-malops command.
  • Hybrid Analysis
    • Added calculation for DbotScore.
    • Added 4 new commands.
      • hybrid-analysis-quick-scan-url
      • hybrid-analysis-quick-scan-url-results
      • hybrid-analysis-submit-url
      • hybrid-analysis-list-scanners
    • Added the malicious_threat_levels argument to the hybrid-analysis-scan command.
    • Added the min_malicious_scanners argument to the hybrid-analysis-search command.
    • Updated outputs in the hybrid-analysis-scan command.
  • Gmail
    • Added 7 commands.
      • gmail-hide-user-in-directory
      • gmail-set-password
      • gmail-get-autoreply
      • gmail-set-autoreply
      • gmail-delegate-user-mailbox
      • gmail-remove-delegated-mailbox
      • send-mail
    • Fixed an issue where in some cases, emails from different timezones did not create incidents. This might cause duplicate incidents shortly after upgrading.
  • Palo Alto Networks AutoFocus V2
    Added several arguments to the autofocus-samples-search and autofocus-sessions-search commands.
      • file_hash
      • domain
      • ip
      • url
      • wildfire_verdict
      • first_seen
      • last_updated
  • Cylance Protect v2
    Added the batch_size argument to the cylance-protect-delete-devices command, which specifies the number of devices to delete per request (batch).
  • Palo Alto Networks PAN-OS
    • Added the tag argument to several commands.
      • List commands - filter by a tag.
      • Create and edit commands.
    • Added the context output Tags to all list, create, edit, and get commands.
    • Added support in the panorama-query-logs command to supply a list of arguments, which are separated using the "OR" operator.
    • Improved error messaging when trying to configure a device-group that does not exist.
  • Palo Alto Networks WildFire v2
    • Fixed an issue in which the wildfire-report command failed for specific hash values.
    • Fixed an issue in which the wildfire-report command failed when issuing it for an in-progress analysis.
  • Microsoft Teams
    • Added verification for the authorization header signature.
    • Added support for HTTPS.
  • Active Directory Query v2
    • Fixed an issue in the custom-field-data argument.
    • Fixed an issue in the ad-create-contact command.
    • Improved description of the filter argument in the ad-search command.
    • Fixed the example value description for the custom-attribute argument in the ad-create-user and ad-create-contact commands.
    • Added support for the Verdict result from the API.
    • Default privacy setting is now customizable, which enables submissions to be public or private (globally).
  • ThreatConnect
    Added 8 new commands.
      • tc-get-group
      • tc-get-group-attributes
      • tc-get-group-security-labels
      • tc-get-group-tags
      • tc-download-document
      • tc-get-group-indicators
      • tc-get-associated-groups
      • tc-associate-group-to-group
  • Slack v2
    Added support for multi-line JSON when creating an incident in a direct message.
  • DUO Admin
    Fixed an issue in the duoadmin-get-authentication-logs-by-user command.
  • Carbon Black Enterprise Protection V2
    Fixed an issue with the fetch-incidents command where users received an error when there were no incidents to fetch.


New Script

  • PadZeros
    Adds zeros (0) to the beginning of the string, until the string reaches the specified length.

6 Improved Scripts

  • IdentifyAttachedEmail
    Fixed an issue where in some cases output was not set to the context.
  • HTMLDocsAutomation
    • Added the permissions argument with the following options:
      • per-command - the permissions entry will be displayed in every command section.
      • global - the permissions entry will be displayed once, in its own section.
      • none - if there are no permissions required for this integration, there will be no permissions section.
    • Added a comment with an HTML example showing how to manually add an image to each command HTML section.
    • Fixed an issue in the arguments descriptions.
  • SlackAsk
    Added support for users to reply within a thread to messages sent from the Demisto integration.
  • FindSimilarIncidents
    Added support for list values in context keys and incident fields.
  • CommonServerPython
    Added the parse_date_string function, which parses the date string to a datetime object.
  • ParseEmailFiles
    Removed the hyperlink from links.


16 New Playbooks

  • PAN-OS - Block IP - Custom Block Rule
    • This playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall.
    • The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration.
  • Calculate Severity By Email Authenticity
    Calculates a severity according to the verdict coming from the CheckEmailAuthenticity script.
  • PAN-OS Log Forwarding Setup And Configuration
    • This playbook sets up and maintains log forwarding for the Panorama rulebase. It can be run when setting up a new instance, or as a periodic job to enforce log forwarding policy.
    • You can either update all rules and override previous profiles, or update only rules that do not have a log forwarding profile configured.
  • Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account
    AWS CloudTrail is a service that provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate the Prisma Cloud alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host CloudTrail logs and enables CloudTrail (including all region events and global service events).
  • Calculate Severity By Highest DBotScore
    Calculates the incident severity level according to the highest indicator DBotScore.
  • Calculate Severity - Generic v2
    Calculates and assigns the incident severity based on the highest severity level returned from the following calculations:
    • DBotScores of indicators.
    • Critical assets.
    • Email authenticity.
    • Current incident severity.
  • Calculate Severity - Standard
    Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.
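The severity playbooks listed above (Calculate Severity By Highest DBotScore, Calculate Severity By Email Authenticity, Calculate Severity - Critical Assets v2 and Calculate Severity - Generic v2) share one rule: each source produces a severity and the highest one wins, so the incident severity is never lowered. The following Python is an added illustration of that rule, not the playbooks' own implementation. The Demisto severity scale (0 Unknown, 0.5 Informational, 1 Low, 2 Medium, 3 High, 4 Critical), the DBotScore scale (0 Unknown, 1 Good, 2 Suspicious, 3 Bad), the CheckEmailAuthenticity verdict strings and the verdict-to-severity mappings are assumptions made for the example, and the incident data is constructed.

```python
"""Model of the "highest severity wins" logic used by the Calculate Severity playbooks.

Added example; not the playbooks' own code. Scales and mappings below are assumptions.
"""
from typing import Iterable, Optional

# Assumed Demisto incident severity scale.
SEVERITY_NAMES = {0: "Unknown", 0.5: "Informational", 1: "Low",
                  2: "Medium", 3: "High", 4: "Critical"}

# Assumed DBotScore scale (0 Unknown, 1 Good, 2 Suspicious, 3 Bad) mapped to a
# severity contribution: Bad -> High, Suspicious -> Medium, otherwise no change.
DBOT_TO_SEVERITY = {3: 3, 2: 2, 1: 0, 0: 0}

# Assumed CheckEmailAuthenticity verdicts mapped to a severity contribution.
AUTHENTICITY_TO_SEVERITY = {"Fail": 3, "Suspicious": 2, "Pass": 0, "Undetermined": 0}


def severity_by_highest_dbotscore(dbot_scores: Iterable[int]) -> float:
    """Severity contributed by the worst indicator reputation (0 when no indicators)."""
    return max((DBOT_TO_SEVERITY.get(int(score), 0) for score in dbot_scores), default=0)


def severity_by_critical_assets(critical_assets: Iterable[str]) -> float:
    """Critical if at least one critical asset (user, group, endpoint) is involved."""
    return 4 if any(asset for asset in critical_assets) else 0


def severity_by_email_authenticity(verdict: Optional[str]) -> float:
    """Severity contributed by the SPF/DKIM/DMARC verdict; unknown verdicts add nothing."""
    return AUTHENTICITY_TO_SEVERITY.get(verdict or "Undetermined", 0)


def calculate_severity_generic(current_severity: float,
                               dbot_scores: Iterable[int],
                               critical_assets: Iterable[str],
                               email_verdict: Optional[str]) -> float:
    """Return the highest of the current severity and every calculated severity.

    Because the current severity is one of the candidates, the result can only
    stay the same or increase; an analyst's manual escalation is never undone.
    """
    candidates = [
        current_severity,
        severity_by_highest_dbotscore(dbot_scores),
        severity_by_critical_assets(critical_assets),
        severity_by_email_authenticity(email_verdict),
    ]
    return max(candidates)


if __name__ == "__main__":
    # Constructed incident: Low severity, one suspicious indicator, no critical
    # assets, and an email that failed authentication -> escalates to High.
    result = calculate_severity_generic(1, [1, 2], [], "Fail")
    print("Incident severity:", SEVERITY_NAMES[result])
    # Same incident but a critical endpoint is involved -> Critical.
    result = calculate_severity_generic(1, [1, 2], ["host-01"], "Fail")
    print("Incident severity:", SEVERITY_NAMES[result])
```

The important property is monotonicity: every contributor is a floor, never a ceiling, so a later calculation cannot quietly downgrade an incident that an earlier one (or an analyst) already raised.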
  • Cortex XDR Incident Handling
    • This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
    • The playbook syncs and updates the new XDR alerts that make up the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators' reputation, and an analyst is assigned for manual investigation. If chosen, automated remediation with the Palo Alto Networks Firewall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.
    • Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0.
    • For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.
  • Block IP - Generic v2
    • This playbook blocks malicious IPs using all integrations that are enabled. The playbook supports the following integrations.
      • Check Point Firewall
      • Palo Alto Networks MineMeld
      • Palo Alto Networks PAN-OS
      • Zscaler
  • PAN-OS - Block URL - Custom URL Category
    • This playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories.
    • The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration.
  • Calculate Severity - Critical Assets v2
    • Determines whether a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
    • Critical assets refer to: users, user groups, endpoints and endpoint groups.
  • Phishing Investigation - Generic v2
    • Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.
    • The final remediation tasks are always decided by a human analyst.
  • Hybrid-analysis quick-scan
    Use this playbook to run the quick-scan command with generic-polling.
  • PAN-OS - Block IP and URL - External Dynamic List
    • This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
    • It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IP addresses and URLs to the relevant lists.
  • Palo Alto Networks - Malware Remediation
    This playbook performs malicious IOC remediation using Palo Alto Networks integrations.
  • PAN-OS - Block IP - Static Address Group
    • This playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall.
    • The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, and adds them and commits the configuration.
    • Note - The playbook does not block the address group's communication using a policy block rule. That step is performed separately, outside of the playbook.

5 Improved Playbooks

  • Phishing Investigation - Generic v2
    • Improved the Calculate Severity - Generic v2 playbook to evaluate more accurately the severity of an incident.
    • Added a check for email authenticity using SPF, DKIM and DMARC. The verdict will also appear on the summary page of phishing incidents.
  • Block URL - Generic
    • Added section headers.
    • Added two sub-playbooks.
      • PAN-OS - Block URL - Custom URL Category.
      • PAN-OS - Block IP and URL - External Dynamic List.
  • Block IP - Generic
    • Added section headers.
    • Fixed an issue with the implementation of the Zscaler integration.
  • Block Indicators - Generic
    Added the sub-playbook Block IP - Generic v2.
  • PAN-OS Commit Configuration
    Improved names and the layout.

Incident Fields

New Incident Field

  • Email Authenticity Check
    Indicates the authenticity of the email, which is determined by using the CheckEmailAuthenticity script.