
Releases: demisto/content

Demisto Content Release version 19.2.2 (18802)

21 Feb 07:52

Demisto Content Release Notes for version 19.2.2 (18802)

Published on 21 February 2019

Integrations

5 New Integrations

  • CounterTack
    CounterTack empowers endpoint security teams to assure endpoint protection for identifying cyber threats.
  • EclecticIQ Platform
    A threat intelligence platform that connects and interprets intelligence data from open sources, commercial suppliers, and industry partnerships.
  • Fidelis Elevate Network
    Automate detection and response to network threats and data leakage in your organization.
  • Symantec Endpoint Protection V2
    Query the Symantec Endpoint Protection Manager using the official REST API.
  • WhatsMyBrowser
    Parse user agents and determine if they are malicious as well as enrich information about the agent.

13 Improved Integrations

  • Anomali ThreatStream
    Fixed an issue with the DBot score.
  • ArcSight ESM
    • Fixed an issue in which fetching incidents created duplicate incidents.
    • You can now update the severity field when running the as-update-case command.
    • Updated all time outputs to Date format instead of Epoch.
  • RSA Archer
    Added the archer-get-valuelist command, which gets a field's value-list.
  • EWS v2
    Added the option to search by message-id when running the ews-search-mailbox command.
  • IntSights
    • Added the Sub account ID parameter (for MSSP accounts) to the instance configuration.
    • Added the intsights-mssp-get-sub-accounts command.
  • MISP V2
    • Added the misp-add-sighting command.
    • Added test connection functionality.
  • McAfee Advanced Threat Defense
    Fixed URL parsing.
  • McAfee Threat Intelligence Exchange
    Indicators with a DBot reputation score of less than 30 are now set to bad.
  • Microsoft Graph
    Improved partial content handling.
  • PhishMe Intelligence
    • Reimplemented the way DBot score is calculated.
    • Added 4 threshold parameters to the instance configuration.
    • Added new output paths.
  • urlscan.io
    Fixed an issue where the insecure setting was ignored during polling.
  • Palo Alto WildFire
    Improved command outputs.
  • Windows Defender Advanced Threat Protection
    Added support for OAuth2 authentication.

Deprecated Integration

  • Symantec Endpoint Protection 14 (Deprecated)
    Use Symantec Endpoint Protection V2 instead.

Scripts

New Script

  • PcapHTTPExtractor
    Parses and extracts HTTP flows (requests/responses) from a pcap/pcapng file.

7 Improved Scripts

  • CommonServerPython
    Added the return_outputs() function, which wraps the demisto.results() function.
  • CopyFileD2
    Added overwrite support.
  • D2Drop
    Added overwrite support.
  • FilterByList
    The FilterByList script now supports regex items.
  • ReadPDFFile
    Improved script outputs.
  • RegPathReputationBasicLists
    • Fixed the score given to a RegistryPath.
    • Added outputs.
  • UnEscapeURLs
    Added handling of Microsoft ATP protected URLs.

Deprecated Script

  • SEPScan
    Use the sep-scan-endpoint command instead.

Reputations

  • Added reputation value and context paths for IPs, escaped IPs, domains, MD5s, SHA-1s, URLs, and escaped URLs.
  • Removed unnecessary scripts.

Breaking Changes

ArcSight ESM instance configuration settings deleted
If you installed Content Release v19.2.1 (18725), certain ArcSight ESM instance parameters might have been deleted in the instances configured before installing this content version.

Demisto Content Release version 19.2.1 (18725)

19 Feb 14:13

Demisto Content Release Notes for version 19.2.1 (18725)

Published on 19 February 2019

Integrations

5 New Integrations

  • CounterTack
    CounterTack empowers endpoint security teams to assure endpoint protection for identifying cyber threats.
  • EclecticIQ Platform
    A threat intelligence platform that connects and interprets intelligence data from open sources, commercial suppliers, and industry partnerships.
  • Fidelis Elevate Network
    Automate detection and response to network threats and data leakage in your organization.
  • Symantec Endpoint Protection V2
    Query the Symantec Endpoint Protection Manager using the official REST API.
  • WhatsMyBrowser
    Parse user agents and determine if they are malicious as well as enrich information about the agent.

13 Improved Integrations

  • Anomali ThreatStream
    Fixed an issue with the DBot score.
  • ArcSight ESM
    • Fixed an issue in which fetching incidents created duplicate incidents.
    • You can now update the severity field when running the as-update-case command.
    • Updated all time outputs to Date format instead of Epoch.
  • RSA Archer
    Added the archer-get-valuelist command, which gets a field's value-list.
  • EWS v2
    Added the option to search by message-id when running the ews-search-mailbox command.
  • IntSights
    • Added the Sub account ID parameter (for MSSP accounts) to the instance configuration.
    • Added the intsights-mssp-get-sub-accounts command.
  • MISP V2
    • Added the misp-add-sighting command.
    • Added test connection functionality.
  • McAfee Advanced Threat Defense
    Fixed URL parsing.
  • McAfee Threat Intelligence Exchange
    Indicators with a DBot reputation score of less than 30 are now set to bad.
  • Microsoft Graph
    Improved partial content handling.
  • PhishMe Intelligence
    • Reimplemented the way DBot score is calculated.
    • Added 4 threshold parameters to the instance configuration.
    • Added new output paths.
  • urlscan.io
    Fixed an issue where the insecure setting was ignored during polling.
  • Palo Alto WildFire
    Improved command outputs.
  • Windows Defender Advanced Threat Protection
    Added support for OAuth2 authentication.

Deprecated Integration

  • Symantec Endpoint Protection 14 (Deprecated)
    Use Symantec Endpoint Protection V2 instead.

Scripts

New Script

  • PcapHTTPExtractor
    Parses and extracts HTTP flows (requests/responses) from a pcap/pcapng file.

7 Improved Scripts

  • CommonServerPython
    Added the return_outputs() function, which wraps the demisto.results() function.
  • CopyFileD2
    Added overwrite support.
  • D2Drop
    Added overwrite support.
  • FilterByList
    The FilterByList script now supports regex items.
  • ReadPDFFile
    Improved script outputs.
  • RegPathReputationBasicLists
    • Fixed the score given to a RegistryPath.
    • Added outputs.
  • UnEscapeURLs
    Added handling of Microsoft ATP protected URLs.

Deprecated Script

  • SEPScan
    Use the sep-scan-endpoint command instead.

Reputations

  • Added reputation value and context paths for IPs, escaped IPs, domains, MD5s, SHA-1s, URLs, and escaped URLs.
  • Removed unnecessary scripts.

Demisto Content Release version 19.2.0 (18017)

05 Feb 17:23

Demisto Content Release Notes for version 19.2.0 (18017)

Published on 05 February 2019

Integrations

2 New Integrations

  • Freshdesk
    Manage tickets, agents, and contacts.
  • Kafka V2
    An open-source distributed streaming platform.

17 Improved Integrations

  • AbuseIPDB
    The 'Unverified HTTPS request is being made' warning is ignored when the Trust any certificate checkbox is selected.
  • ArcSight ESM
    Improved proxy usage in the as-get-security-events command.
  • RSA Archer
    Added a caching mechanism that improves command execution performance.
  • Cisco Umbrella Investigate
    DBotScore now displays even when there is no rank.
  • CrowdStrike Falcon Sandbox
    Improved error handling of the crowdstrike-submit-sample command.
  • CrowdStrike Falcon Intel
    Added the threshold parameter to identify and label malicious indicators.
  • Cylance Protect v2
    Improved error handling for the cylance-protect-get-device command when no device is found.
  • EWS v2
    • Added the ews-expand-group command.
    • Fixed an issue with 2010-2016 mixed environments.
  • Gmail
    Fixed an issue with the gmail-revoke-user-role command.
  • Joe Security
    Added support in the joe-analysis-submit-sample command for EML files when there are no file attachments to analyze.
  • McAfee Advanced Threat Defense
    The url argument in the atd-upload-file command does not require a protocol prefix.
  • Palo Alto Firewall and Panorama
    • Improved error messages.
    • Added support for Service and Service groups objects.
  • PhishMe Intelligence
    Improved argument and command descriptions.
  • Recorded Future
    Added:
    • Commands for retrieving threats by a specified order.
    • Commands for retrieving risk lists as CSV files (with additional scripts to create indicators using them).
    • Commands for retrieving and fetching alerts.
  • Check Point Sandblast Cloud Services
    Made improvements to Context and DBot score.
  • ServiceNow
    • Fixed severity mapping.
    • Improved parameter descriptions.
    • Fixed human readable headers.
    • Added the Opened At argument to ticket creation.
    • Added a command to get ticket notes using sys_journal_field table.
  • SplunkPy
    Improved human readable output for the splunk-search command.

Scripts

3 New Scripts

  • HighlightWords
    Highlight words inside a given text.
  • SendEmailOnSLABreach
    Sends an email informing the user assigned to an incident of an SLA breach.
  • Cut
    Cut a string by delimiter and return specific fields.

3 Improved Scripts

  • CommonServerPython
    Added the is_error and get_error helper functions to remove errors from demisto.executeCommand() result.
  • UnEscapeURLs
    Added support for ProofPoint encrypted URLs.
  • ParseEmailFiles
    Improved implementation and fixed several issues.

2 Deprecated Scripts

  • SplunkPySearch
    Use the splunk-search command instead.
  • StringContains
    Use the StringContainsArray filter instead.

Playbooks

1 Improved Playbook

  • PanoramaCommitConfiguration
    Filters JobIDs and executes the GenericPolling task only for those JobIDs.

Reputations

Added reputation value and context path for SHA256. Auto-Extract should now work properly for SHA256.

Demisto Content Release version 19.1.2 (17432)

22 Jan 21:11

Demisto Content Release Notes for version 19.1.2 (17432)

Published on 22 January 2019

Integrations

4 New Integrations

  • Alexa Rank Indicator
    Alexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence.
  • MaxMind GeoIP2
    Enriches IP addresses.
  • ThreatMiner
    Discover additional information on IOCs.
  • Google Resource Manager
    Google Cloud Platform Resource Manager

20 Improved Integrations

  • AWS - CloudTrail
    Fixed a bug in aws-cloudtrail-lookup-events command.
  • AWS - CloudWatchLogs
    Improved argument implementation for the region command.
  • AWS - S3
    Fixed a bug in the aws-s3-upload-file command.
  • Carbon Black Enterprise Live Response
    Improved outputs for the cb-directory-listing command.
  • Cybereason
    • Enhanced outputs for the cybereason-query-malops command.
    • Improved implementation of the command cybereason-isolate-machine to match all Cybereason versions.
  • Cylance Protect
    Enhanced outputs for the cp-download-threat and cylance-protect-download-threat commands.
  • EWS v2
    Improved EWS instance configuration.
  • Gmail
    Improved text conversion for HTML only emails.
  • Hybrid Analysis
    Added the hybrid-analysis-get-report-status command.
  • Microsoft Graph
    Implemented OAUTH2 authentication, please see integration documentation for further details.
  • Palo Alto Firewall and Panorama
    • Improved error handling for port configuration.
    • Improved implementation of the panorama-custom-block command.
    • Fixed the generic rule name assigned to Security Rules when no rule name is supplied, for several commands.
  • RSA NetWitness v11.1
    Fixed a bug in the netwitness-update-incident command.
  • Shodan
    Added the page argument to the search command.
  • SplunkPy
    • Added the unsecure parameter.
    • Fixed a bug in the command splunk-notable-event-edit.
  • ThreatConnect
    For the tc-update-indicator command, we added support for the following arguments:
    • falsePositive
    • observations
    • securityLabel
    • threatAssessConfidence
    • threatAssessRating
  • Cisco Threat Grid
    Added data to raw response for the feeds commands.
  • Windows Defender Advanced Threat Protection
    Added the microsoft-atp-update-alert command.
  • Rasterize
    Added the size argument to the rasterize-image command.
  • FireEye HX
    Added the fireeye-hx-create-indicator command.
  • JASK
    • Improved implementation of fetched incidents.
    • Added a parameter which enables you to define the result limit.

Scripts

5 New Scripts

  • ConvertKeysToTableFieldFormat
    Converts object keys to match table keys.
    Use this script when mapping object/collection to a grid (table) field.
  • ExtractIndicatorsFromTextFile
    Extracts indicators from a text-based file.
  • ExtractIndicatorsFromWordFile
    Extracts indicators from Word files (DOC, DOCX).
  • ReadPDFFile
    Loads a PDF file's contents and metadata into context.
  • StringContainsArray
    Checks whether a substring or an array of substrings is within a string array (each item will be checked).

5 Improved Scripts

  • ExtractIndicatorsFromTextFile
    Updated the script to use the enhanced extractIndicators command.
  • IsMaliciousIndicatorFound
    Added support for Email and Domain indicators.
  • ParseCSV
    Improved handling of null byte character.
  • Ping
    Updated the script to use native ping utility.
  • ReadPDFFile
    Updated the script to use the enhanced extractIndicators command.

Playbooks

New Playbook

  • Detonate File - HybridAnalysis
    Detonates one or more files using the Hybrid Analysis integration.

5 Improved Playbooks

  • Calculate Severity - Critical assets
    Replaced use of the StringContains script with a new filter.
  • Detonate File - Generic
    Added the Hybrid Analysis detonate file playbook.
  • Extract Indicators From File - Generic
    The playbook now utilizes the new feature of extracting indicators from Word documents.
  • Get File Sample By Hash - Cylance Protect
    Added support for Cylance Protect v2 and Cylance Protect v1 integrations.
  • Get File Sample From Hash - Generic
    Added MD5 and SHA-256 inputs to the playbook.

Demisto Content Release version 19.1.1 (16961)

13 Jan 16:35

Demisto Content Release Notes for version 19.1.1 (16961)

Published on 13 January 2019

Integrations

2 New Integrations

  • CIRCL
    CIRCL Passive DNS is a database storing historical DNS records from various resources.
    CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the CIRCL documentation.
  • MISP V2
    Malware information sharing platform and threat sharing.
    This integration replaces the MISP (Deprecated) integration.

10 Improved Integrations

  • Pwned
    Fixed an issue in the email command that affected backward compatibility.

  • AbuseIPDB

    • Fixed context issues.
    • Added the AbuseIPDB-PopulateIndicators script.
  • Cybereason

    • Improved implementation of malop fetching as incidents.
    • Added 5 new commands:
      • cybereason-prevent-file
      • cybereason-unprevent-file
      • cybereason-query-file
      • cybereason-query-domain
      • cybereason-query-user

    For more information, see the Cybereason documentation.

  • Google Vault

    • Added 4 new commands:
      • gvault-get-drive-results
      • gvault-get-mail-results
      • gvault-get-groups-results
      • gvault-download-results
    • Added 4 new Google Vault playbooks:
      • Google Vault - Search Mail
      • Google Vault - Search Drive
      • Google Vault - Search Groups
      • Google Vault - Display results
    • In context, Export objects were moved into matching Matter objects (this change is not backward compatible).

    For more information, see the Google Vault documentation.

  • IntSights

    • The get_alerts command now retrieves all alert details.
    • Added the time-delta argument, which retrieves alerts based on a given time delta (in days).

    For more information, see the IntSights documentation.

  • ServiceNow
    Improved handling of empty responses and missing fields.

  • Cisco Threat Grid
    You can now submit a file that has unicode characters in the name.

  • TruSTAR
    Added 4 new commands:

    • file
    • url
    • ip
    • domain

    For more information, see the TruSTAR documentation.

  • Have I Been Pwned?
    Added DBot score.

  • ThreatConnect

    • Added context and markdown to existing commands.
    • Added new commands.

Scripts

7 New Scripts

  • AbuseIPDBPopulateIndicators
    Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
  • ChangeRemediationSLAOnSevChange
    Changes the remediation SLA when a change in incident severity occurs.
  • CopyContextToField
    Copies a context key to an incident field for multiple incidents, based on a query.
  • CybereasonPreProcessingExample
    Run this preprocessing script when fetching Cybereason malops. If the malop was already fetched, the script updates the existing incident; otherwise it creates a new incident.
  • DT
    This automation allows the usage of DT scripts within playbook transformers.
  • LinkIncidentsWithRetry
    Running multiple link incidents simultaneously can cause DB version errors. Use the LinkIncidentsWithRetry script to avoid this error.
  • StopTimeToAssignOnOwnerChange
    Stops the Time To Assign timer when the incident owner changes.

6 Improved Scripts

  • cveReputation
    Added a fixed number of retries to execute the cve-search command when a 404 error is returned.
  • ProofpointDecodeURL
    Added a helpful error description when a URL is not found in the query.
  • SSDeepReputation
    You can now use this script as an indicator reputation script.
  • SplunkPySearch
    • Fixed 'Missing headers param' bug.
    • Added error validation for the command result.

Deprecated Scripts

  • misp_download_sample
    This script is deprecated; use the misp-download-sample command in the MISP V2 integration instead.
  • misp_upload_sample
    This script is deprecated; use the misp-upload-sample command in the MISP V2 integration instead.

Playbooks

4 New Playbooks

  • Google Vault - Display Results
    Queues and displays Google Vault search results.
  • Google Vault - Search Drive
    Performs Google Vault searches in Drive accounts, and displays the results.
  • Google Vault - Search Groups
    Performs Google Vault searches in Groups, and displays the results.
  • Google Vault - Search Mail
    Performs Google Vault searches in Mail accounts, and displays the results.

Widgets

1 Improved Widget

  • MTTR by Type
    MTTR is now in the timeline widget.

Demisto v4.1.0

This content is available on Demisto v4.1.0 and later

Playbooks

Improved Playbook

  • Phishing Investigation - Generic
    Added detection and remediation timers based on SLA fields.

Dashboards

1 New Dashboard

  • SLA
    Displays an overview of your SLAs.

Widgets

4 New Widgets

  • Detection SLA by Status
    The detection SLA status of all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days, and inherits the new time range when the dashboard time changes.
  • Mean Time to Detection
    The mean time (average time) to detection across all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days.
  • MTTD by Type
    A widget that displays the Mean Time to Detection, by incident type.
  • Remediation SLA by Status
    The remediation SLA status of all incidents that initiated a remediation process. By default, the widget takes into account incidents from the last 30 days, and inherits a new time range when the dashboard time changes.

Incident Fields

  • Added Detection SLA field.
  • Added Remediation SLA field.
  • Added Time to Assignment field.

Incident Layouts

1 New Incident Layout

  • Phishing - Quick View
    Added SLAs for Quick View layouts.

1 Improved Incident Layout

  • Phishing - Summary
    New SLA content.

Demisto Content Release version 19.1.0 (16707)

08 Jan 14:18

Demisto Content Release Notes for version 19.1.0 (16707)

Published on 08 January 2019

Integrations

2 New Integrations

  • CIRCL
    CIRCL Passive DNS is a database storing historical DNS records from various resources.
    CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the CIRCL documentation.
  • MISP V2
    Malware information sharing platform and threat sharing.
    This integration replaces the MISP (Deprecated) integration.

9 Improved Integrations

  • AbuseIPDB

    • Fixed context issues.
    • Added the AbuseIPDB-PopulateIndicators script.
  • Cybereason

    • Improved implementation of malop fetching as incidents.
    • Added 5 new commands:
      • cybereason-prevent-file
      • cybereason-unprevent-file
      • cybereason-query-file
      • cybereason-query-domain
      • cybereason-query-user

    For more information, see the Cybereason documentation.

  • Google Vault

    • Added 4 new commands:
      • gvault-get-drive-results
      • gvault-get-mail-results
      • gvault-get-groups-results
      • gvault-download-results
    • Added 4 new Google Vault playbooks:
      • Google Vault - Search Mail
      • Google Vault - Search Drive
      • Google Vault - Search Groups
      • Google Vault - Display results
    • In context, Export objects were moved into matching Matter objects (this change is not backward compatible).

    For more information, see the Google Vault documentation.

  • IntSights

    • The get_alerts command now retrieves all alert details.
    • Added the time-delta argument, which retrieves alerts based on a given time delta (in days).

    For more information, see the IntSights documentation.

  • ServiceNow
    Improved handling of empty responses and missing fields.

  • Cisco Threat Grid
    You can now submit a file that has unicode characters in the name.

  • TruSTAR
    Added 4 new commands:

    • file
    • url
    • ip
    • domain

    For more information, see the TruSTAR documentation.

  • Have I Been Pwned?
    Added DBot score.

  • ThreatConnect

    • Added context and markdown to existing commands.
    • Added new commands.

Scripts

7 New Scripts

  • AbuseIPDBPopulateIndicators
    Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
  • ChangeRemediationSLAOnSevChange
    Changes the remediation SLA when a change in incident severity occurs.
  • CopyContextToField
    Copies a context key to an incident field for multiple incidents, based on a query.
  • CybereasonPreProcessingExample
    Run this preprocessing script when fetching Cybereason malops. If the malop was already fetched, the script updates the existing incident; otherwise it creates a new incident.
  • DT
    This automation allows the usage of DT scripts within playbook transformers.
  • LinkIncidentsWithRetry
    Running multiple link incidents simultaneously can cause DB version errors. Use the LinkIncidentsWithRetry script to avoid this error.
  • StopTimeToAssignOnOwnerChange
    Stops the Time To Assign timer when the incident owner changes.

6 Improved Scripts

  • cveReputation
    Added a fixed number of retries to execute the cve-search command when a 404 error is returned.
  • ProofpointDecodeURL
    Added a helpful error description when a URL is not found in the query.
  • SSDeepReputation
    You can now use this script as an indicator reputation script.
  • SplunkPySearch
    • Fixed 'Missing headers param' bug.
    • Added error validation for the command result.

Deprecated Scripts

  • misp_download_sample
    This script is deprecated; use the misp-download-sample command in the MISP V2 integration instead.
  • misp_upload_sample
    This script is deprecated; use the misp-upload-sample command in the MISP V2 integration instead.

Playbooks

4 New Playbooks

  • Google Vault - Display Results
    Queues and displays Google Vault search results.
  • Google Vault - Search Drive
    Performs Google Vault searches in Drive accounts, and displays the results.
  • Google Vault - Search Groups
    Performs Google Vault searches in Groups, and displays the results.
  • Google Vault - Search Mail
    Performs Google Vault searches in Mail accounts, and displays the results.

Widgets

1 Improved Widget

  • MTTR by Type
    MTTR is now in the timeline widget.

Demisto v4.1.0

This content is available on Demisto v4.1.0 and later

Playbooks

Improved Playbook

  • Phishing Investigation - Generic
    Added detection and remediation timers based on SLA fields.

Dashboards

1 New Dashboard

  • SLA
    Displays an overview of your SLAs.

Widgets

4 New Widgets

  • Detection SLA by Status
    The detection SLA status of all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days, and inherits the new time range when the dashboard time changes.
  • Mean Time to Detection
    The mean time (average time) to detection across all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days.
  • MTTD by Type
    A widget that displays the Mean Time to Detection, by incident type.
  • Remediation SLA by Status
    The remediation SLA status of all incidents that initiated a remediation process. By default, the widget takes into account incidents from the last 30 days, and inherits a new time range when the dashboard time changes.

Incident Fields

  • Added Detection SLA field.
  • Added Remediation SLA field.
  • Added Time to Assignment field.

Incident Layouts

1 New Incident Layout

  • Phishing - Quick View
    Added SLAs for Quick View layouts.

1 Improved Incident Layout

  • Phishing - Summary
    New SLA content.

Demisto Content Release version 18.12.2 (16142)

26 Dec 14:41

🎄 Demisto Content Release Notes for version 18.12.2 (16142) 🎄

Published on 25 December 2018

❄️ Integrations ❄️

3 New Integrations

  • HashiCorp Vault
    Manage secrets and protect sensitive data.
  • Attivo BOTsink
    Network-based threat deception for post-compromise threat detection.
  • AbuseIP
    Central repository to report and identify IP addresses that have been associated with malicious activity online.

4 Improved Integrations

  • EWS v2
    Improved error messages.
  • FireEye HX
    Added two commands:
    • fireeye-hx-search
    • fireeye-hx-get-host-set-information
  • Rasterize
    Improved error handling for Rasterize errors.
  • Palo Alto Networks Panorama
    • Added support for Palo Alto Firewall.
    • Added 28 new commands, which are related to:
      - Commit and push configurations
      - Object handling: Addresses, Address Groups, Custom URL Category and URL Filtering
      - Security rule management: Create, edit, move, and delete rules

☃️ Scripts ☃️

5 New Scripts

  • DBotPredictPhishingEvaluation
    Evaluates the pre-trained machine learning phishing model in Demisto.
  • DBotPredictPhishingLabel
    Predict text labels using the pre-trained machine learning phishing model.
  • DBotPredictTextLabel
    Predict text labels using the pre-trained machine learning phishing model.
  • DBotPreparePhishingData
    This script is part of phishing model training using machine learning.
  • DBotTrainTextClassifier
    Create a text classifier model using machine learning.

Improved Script

  • findIncidentsWithIndicator
    Fixed the Indicator and incidentIDs context keys (this fix is not backward compatible).

6 Deprecated Scripts

  • PanoramaBlockIP
    Use the panorama-custom-block-rule command.
  • PanoramaCommit
    Use the integration panorama-commit command.
  • PanoramaConfig
    Use the panorama-config command.
  • PanoramaDynamicAddressGroup
    Use the panorama-create-address-group command.
  • PanoramaMove
    Use the panorama-move-rule command.
  • PanoramaPcaps

🎅 Playbooks 🎅

3 New Playbooks

  • DBotCreatePhishingClassifier
    Creates a phishing classifier using a machine learning technique, based on email content. For more information, see the Demisto Phishing Email Classifier documentation.
  • DBotCreatePhishingClassifierJob
    Train the phishing machine learning model.
  • PanoramaCommitConfiguration
    Commit configurations to Palo Alto Networks Firewall and Panorama.

7 Improved Playbooks

  • Detonate File - BitDam
    Only supported file types are submitted to BitDam.
  • Detonate File - Lastline
    Only supported file types are submitted to Lastline.
  • ATD - Detonate File
    Only supported file types are submitted to McAfee ATD.
  • Detonate File - SNDBOX
    Only supported file types are submitted to SNDBOX.
  • Detonate File - ThreatGrid
    Only supported file types are submitted to ThreatGrid.
  • WildFire - Detonate file
    Only supported file types are submitted to WildFire.
  • Extract Indicators From File - Generic
    Fixed duplicate parsing of .eml and .msg files. These file types are now ignored when extracting indicators from files.

Demisto Wishes You Happy Holidays!

Demisto Content Release Notes for version 18.12.1 (15710)

12 Dec 09:54

Demisto Content Release Notes for version 18.12.1 (15710)

Published on 11 December 2018

Integrations

9 New Integrations

  • AWS - Security Hub
    Amazon Web Services Security Hub Service.
  • AWS SageMaker
    AWS SageMaker - Demisto Phishing Email Classifier.
  • Cymon
    Analyzes suspicious domains and IP addresses. For more information, see the Cymon documentation.
  • SNDBOX
    SNDBOX as a service. For more information, see the SNDBOX documentation.
  • Cisco Stealthwatch Cloud
    Protect your cloud assets and private network. For more information, see the Stealthwatch Cloud documentation.
  • Whois
    Provides data enrichment for domains and IP addresses. For more information, see the Whois documentation.
  • dnstwist
    Domain name permutation engine for detecting typo squatting, phishing and corporate espionage. For more information, see the dnstwist documentation.
  • InfoArmor VigilanteATI
    VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team. For more information, see the InfoArmor VigilanteATI documentation.
  • Awake Security
    Network Traffic Analysis. For more information, see the Awake Security documentation.

20 Improved Integrations

  • AWS - EC2
    • Added two commands:
      - aws-ec2-modify-instance-attribute
      - aws-ec2-modify-network-interface-attribute
    • Upgraded Boto3 version to v1.9.55.
  • AWS - IAM
    Added nine commands:
    • aws-iam-create-policy
    • aws-iam-delete-policy
    • aws-iam-create-policy-version
    • aws-iam-delete-policy-version
    • aws-iam-list-policy-versions
    • aws-iam-get-policy-version
    • aws-iam-set-default-policy-version
    • aws-iam-create-account-alias
    • aws-iam-delete-account-alias
  • AWS - S3
    You can now create a bucket in any region.
  • ArcSight ESM
    Added logout handling.
  • Box
    Added two commands:
    • box_files_get
    • box_files_get_info
  • Lastline
    Improved quota error handling.
  • McAfee Advanced Threat Defense
    • Improved outputs for malicious files.
    • Added support to get reports of various types.
    • Fixed rounding long numbers of IDs.
  • McAfee NSM
    Added the sensor_id argument to the get-alert-details command.
  • Mimecast
    Added two commands:
    • mimecast-get-message.
    • mimecast-download-attachments.
  • okta
    Added three commands:
    • okta-get-user-factors
    • okta-verify-push-factor
    • okta-reset-factor
  • OpenPhish
    Added support to trust any certificate in HTTP requests.
  • PagerDuty v2
    Added two commands:
    • PagerDuty-acknowledge-event
    • PagerDuty-resolve-event
  • ServiceNow
    Added the servicenow-get-table-name command.
  • Tenable.io
    Improved integration outputs.
  • Tenable.sc
    Improved implementation of the tenable-sc-get-device command.
  • urlscan.io
    Improved integration outputs.
  • Venafi
    Improved integration implementation.
  • Zscaler
    URL validation for the zscaler-blacklist-url command now matches the Zscaler GUI.
  • Cisco Meraki
    Updated the API login URL.
  • Atlassian Jira
    Improved authentication process.

Deprecated Integration

  • Mimecast Authentication
    Deprecated. Use the Mimecast integration instead.

Scripts

4 New Scripts

  • DemistoUploadFileToIncident
    Upload a file to a specified incident using the EntryID.
  • JiraCreateIssue-example
    Use this script to simplify the process of creating a new issue in Jira.
  • ServiceNowCreateIncident
    Use this script to wrap the generic create-record command in ServiceNow.
  • ServiceNowQueryIncident
    Use this script to wrap the generic query-table command in ServiceNow.
  • ServiceNowUpdateIncident
    Use this script to wrap the generic update-record command in ServiceNow.

6 Improved Scripts

  • ADGetUser
    Returns multiple results when running the script with a custom query.
  • Base64ListToFile
    Added support for compressed (zipped) data.
  • CBFindHash
    Fixed an issue in which the script did not return results.
  • FindSimilarIncidents
    • Added support for the OR condition.
    • Added a custom query argument.
  • QRadarGetCorrelationLogs
    The start_time field can now be either epoch time or a date string.
  • QRadarGetOffenseCorrelations
    The start_time field can now be either epoch time or a date string.

Playbooks

New Playbook

  • Detonate File - SNDBOX
    Detonates a file using the SNDBOX integration.

4 Improved Playbooks

  • Detonate File - Generic
    Added support for the SNDBOX integration.
  • ATD - Detonate File
    Improved playbook outputs.
  • Detonate URL - McAfee ATD
    Improved playbook outputs.
  • CrowdStrike Endpoint Enrichment
    Improved playbook outputs.

Demisto Content Release Notes for version 18.12.0 (15435)

05 Dec 19:13

Published on 05 December 2018

Integrations

2 Improved Integrations

  • IBM QRadar
    • Added the remoteDestinationCount field, which indicates that an offense has a remote destination.
    • Added the ability to use a custom output path in the qradar-get-search-results command.
    • Converted the CloseTime field to a date string.
    • Fixed a bug in fetch incidents.
  • Symantec Endpoint Protection 14
    Improved proxy implementation in HTTP requests.

Playbooks

2 Improved Playbooks

  • Detonate File - Cuckoo
    The File argument is no longer mandatory.
  • Detonate URL - Cuckoo
    The URL argument is no longer mandatory.

Demisto Content Release Notes for version 18.11.2 (15082)

28 Nov 11:38

Published on 28 November 2018

Integrations

3 New Integrations

  • Server Message Block (SMB)
    Retrieve files from an SMB server. For more information, see the SMB documentation.
  • FortiGate
    Manage firewall settings and groups. For more information, see the FortiGate documentation.
  • Tenable Security Center
    Get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster. For more information, see the Tenable.sc documentation.

12 Improved Integrations

  • ServiceNow
    • Added support to retrieve records from any table generically in addition to tickets.
    • Deprecated the servicenow-get command. Use the servicenow-get-ticket and servicenow-get-record commands instead.
    • Deprecated the servicenow-create command. Use the servicenow-create-ticket and servicenow-create-record commands instead.
    • Deprecated the servicenow-update command. Use the servicenow-update-ticket and servicenow-update-record commands instead.
    • Deprecated the servicenow-query command. Use the servicenow-query-tickets and servicenow-query-table commands instead.
    • Added the servicenow-list-table-fields command.
  • Cylance Protect v2
    Improved fetch incidents implementation.
  • Lastline
    Added the isArray option to the uuid argument of the lastline-get-report command.
  • Mimecast
    • Added 3 authentication commands:
      - mimecast-login
      - mimecast-discover
      - mimecast-refresh-token
    • Improved outputs for the mimecast-query command.
    • Added a process for automatic token refresh.
  • PagerDuty v2
    Added fetch incidents functionality.
  • Phish.AI
    Added generic polling functionality for URLs.
  • IBM QRadar
    Added 5 commands:
    • qradar-create-reference-set
    • qradar-delete-reference-set
    • qradar-create-reference-set-value
    • qradar-update-reference-set-value
    • qradar-delete-reference-set-value
  • Recorded Future
    Improved the error message when an IOC does not exist in Recorded Future.
  • Venafi
    • Added the venafi-get-certificate-details command.
    • Improved outputs for the venafi-get-certificates command.
  • RSA NetWitness Endpoint
    Fixed a bug when querying machines by hostname.
  • FireEye HX
    Fixed an error in the fireeye-hx-host-containment command name.
  • RSA NetWitness v11.1
    Fixed an error that occurred on bad responses when retrieving a token.

Scripts

6 New Scripts

  • JSONFileToCSV
    Converts a JSON file War Room output to a CSV file.
  • JSONtoCSV
    Converts a JSON War Room output via EntryID to a CSV file.
  • SetByIncidentId
    Sets a value to the context with the specified context key of a given incident.
  • URLDecode
    Decodes a URL from a URL query into a human-readable URL.
  • WordTokenize
    Tokenizes the words of an input text.
  • ParseJSON
    Parses a given JSON string "value" into a representative object.

4 Improved Scripts

  • GetTime
    • Added time functions: UTC, year, month, day in week, hours, and UTC hours.
    • Fixed GMT time to use UTC and to be case-insensitive.
  • LoadJSON
    Parses complicated JSON structures.
  • CreateEmailHtmlBody
    • Added the ability to have custom fields in the template in both .incident.CustomFields. and incident._ formats.
    • Added the option to replace non-found placeholder values with empty string.
  • ActiveUsersD2
    Removed the use of uniqBy.

Playbooks

New Playbooks

  • Detonate File - Cuckoo
    Detonates files using the Cuckoo integration.
  • Detonate URL - Cuckoo
    Detonates URLs using the Cuckoo integration.
  • Detonate URL - Phish.AI
    Detonates a URL using the Phish.AI integration.
  • Launch Scan - Tenable.sc
    Launches an existing Tenable.sc scan by scan ID, and waits for the scan to finish by polling the scan status according to predefined intervals.

2 Improved Playbooks

  • Detonate File - Generic
    Added support for Cuckoo Sandbox.
  • Detonate URL - Generic
    Added support for Cuckoo Sandbox.