Demisto Content Release Notes for version 20.4.0 (47887)

Published on 14 April 2020

Breaking Changes

Deleted several deprecated playbooks. See the Playbooks section for full details. This is only applicable to Cortex XSOAR 5.5.

Integrations

9 New Integrations

  • Sixgill DarkFeed™ Threat Intelligence
    Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the Demisto platform.
  • MongoDB
    Use the MongoDB integration to search and query entries in your MongoDB.
  • MongoDB Log
    Writes log data to a MongoDB collection.
  • MongoDB Key Value Store
    Manipulates key/value pairs according to an incident utilizing the MongoDB collection.
  • Okta v2
    Integration with Okta's cloud-based identity management service.
  • Cisco ASA
    Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects.
  • Cisco Firepower
    Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
  • Azure Sentinel
    Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.
  • SafeBreach v2
    SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses.

18 Improved Integrations

  • Sixgill Deep Insights
    • Updated the README.
    • Updated the integration Docker image.
    • Added support to use proxies.
    • Updated tests.
    • Updated the integration logo.
    • Removed the get-indicators command.
    • Removed playbooks that used the get-indicators command.
  • Expanse
    • Added support for pulling behavior data to create new incidents.
    • Added support for the expanse-get-behavior command.
    • Added support for the expanse-get-certificate command.
  • Exabeam
    Fixed connection error without proxy.
  • SlashNext Phishing Incident Response
    Added the slashnext-api-quota command, which gets information about the user's API quota.
  • Microsoft Teams
    • Set the listener host to 0.0.0.0 in order to handle IPv6.
    • Fixed an issue where the email address of the message sender was not handled properly.
  • Slack v2
    Reduced the maximum number of threads used by the integration.
  • MISP v2
    Fixed the integration filter parameter, which influenced the entry context returned.
  • Fidelis Elevate Network
    Fixed an issue with partial results parsing.
  • Have I Been Pwned? v2
    Added the pwned-username command, which enables searching usernames.
  • Prisma Cloud (RedLock)
    • Improved logging for fetch_incidents.
    • Improved error handling.
  • SplunkPy
    Added the splunk-job-status command, which checks the status of a job.
  • AWS - EC2
    Added the following commands:
    • aws-ec2-delete-subnets
    • aws-ec2-describe-internet-gateway
    • aws-ec2-detach-internet-gateway
    • aws-ec2-delete-internet-gateway
    • aws-ec2-create-traffic-mirror-session
    • aws-ec2-delete-vpc
    • Fixed an issue where the email address of the message sender was not handled properly.
  • IBM X-Force Exchange v2
    Fixed an issue in the file command.
  • TAXII Server
    Updated the reference to the traffic light protocol indicator field to use the new cliname.
  • AlienVault USM Anywhere
    Fixed an issue where fetching incidents created duplicate incidents.
  • VulnDB
    Improved exception parsing when the API quota is exceeded.
  • ExtraHop Reveal(x) v2
    Updated the names of the alert rule commands to clarify that these commands only manage alert rules; they do not fetch alert events.
  • Palo Alto Networks Cortex XDR - Investigation and Response
    • Fixed the issue where the xdr-isolate-endpoint command failed in the following situations:
      • The endpoint was disconnected.
      • The isolation was still pending.
      • The isolation cancellation was still pending.
    • Fixed the issue where the xdr-unisolate-endpoint command failed in the following situations:
      • The endpoint was disconnected.
      • The isolation was still pending.
      • The isolation cancellation was still pending.
  • Palo Alto Networks BPA
    Updated the integration name to Palo Alto Networks BPA.

Feeds (From Cortex XSOAR 5.5 only)

Added the Tags parameter to the following feeds:

  • Azure Feed
  • Bambenek Consulting Feed
  • Blocklist_de Feed
  • Cloudflare Feed
  • DShield Feed
  • Fastly Feed
  • Feodo Tracker Hashes Feed
  • Feodo Tracker IP Blocklist Feed
  • HTTPFeedApiModule
  • JSON Feed
  • Malware Domain List Active IPs Feed
  • Plain Text Feed
  • Spamhaus Feed

Improved Feed

  • Tor Exit Addresses Feed
    Added default mapping of indicator fields.

Scripts

New Script

  • HTMLtoMD
    Converts the passed HTML to Markdown.

5 Improved Scripts

  • ParseEmailFiles
    Improved handling of attachments.
  • DockerHardeningCheck
    Added the memory_check argument to specify how to test memory limitations.
  • FormattedDateToEpoch
    Fixed an issue where time conversion did not support time zones.
  • SlackAsk
    The script will now send a message using the Slack V2 integration only.
  • GetLicenseID
    Fixed an issue where the script wasn't returning results.

Playbooks

5 New Playbooks

  • SafeBreach Rerun Insights
    Reruns a SafeBreach insight based on its ID and waits for the playbook to complete. Returns the updated insight object after the rerun.
  • SafeBreach Insights Feed Playbook
    Triggers automated remediation for all indicators generated by SafeBreach insights. Then it reruns the related insights and tags the remaining indicators as not remediated ("NotRemediated" tag).
  • DBot Create Phishing Classifier V2 From File
    Creates a phishing classifier using machine learning. The classifier is based on incident files extracted from email content.
  • Get Mails By Folder Paths
    Gets emails from specific folders and pre-processes them using EWS.
  • Slack - General Failed Logins v2.1
    Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies.

8 Improved Playbooks

  • QRadar Indicator Hunting V2
    Improved the AQL query.
  • Splunk Indicator Hunting
    Fixed transformer and task input.
  • TIM - Process Indicators Against Business Partners IP List
    Removed hard-coded list name from inputs.
  • TIM - Process Indicators Against Organizations External IP List
    Removed default list names.
  • TIM - Run Enrichment For Hash Indicators
    Fixed input name.
  • TIM - Process Indicators - Fully Automated
    Added conditional tasks to check for result scores.
  • Panorama Query Logs
    Added a timeout to generic polling.
  • PAN-OS Commit Configuration
    Improved the error message when a commit or push fails.

Deprecated Playbook

  • Get Mails By Folder Pathes
    Use the Get Mails By Folder Paths playbook instead.

Deleted Playbooks (For Cortex XSOAR 5.5 only)

The following deprecated playbooks have been deleted.

  • QRadar Add Url Indicators
    Use the TIM - QRadar Add Url Indicators playbook instead.
  • QRadar Add IP Indicators
    Use the TIM - QRadar Add IP Indicators playbook instead.
  • QRadar Add Hash Indicators
    Use the TIM - QRadar Add Bad Hash Indicators playbook instead.
  • QRadar Add Domain Indicators
    Use the TIM - QRadar Add Domain Indicators playbook instead.
  • Process Url Indicators
    Use the TIM - Add Url Indicators to SIEM playbook instead.
  • Process IP Indicators
    Use the TIM - Add IP Indicators To SIEM playbook instead.
  • Process Hash Indicators
    Use the TIM - Add Bad Hash Indicators To SIEM playbook instead.
  • Process Domain Indicators
    Use the TIM - Add Domain Indicators To SIEM playbook instead.
  • ArcSight Add Domain Indicators
    Use the TIM - ArcSight Add Domain Indicators playbook instead.
  • ArcSight Add Hash Indicators
    Use the TIM - ArcSight Add Bad Hash Indicators playbook instead.
  • ArcSight Add IP Indicators
    Use the TIM - ArcSight Add IP Indicators playbook instead.

Layouts

New Layouts

  • GCP Compute Engine Misconfiguration - Summary

Improved Layout

  • Indicator Feed - New/Edit
    Added the New/Edit Form layout for the Indicator Feed incident type.

Assets