Releases: demisto/content

Demisto Content Release Notes for version 18.11.1 (14682)

18 Nov 19:28

Published on 18 November 2018

Integrations

5 New Integrations

  • BigFix
    IBM BigFix Patch provides an automated, simplified patching process that is administered from a single console. For more information, see the IBM BigFix documentation.
  • Google Vault
    Archiving and eDiscovery for G Suite. For more information, see the Google Vault documentation.
  • Luminate
    Enrich reports and respond to incidents. For more information, see the Luminate documentation.
  • Tenable.io
    A comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications. For more information, see the Tenable.io documentation.
  • Windows Defender Advanced Threat Protection
    Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. For more information, see the Windows Defender ATP documentation.

18 Improved Integrations

  • Carbon Black Enterprise Live Response
    • Improved error messages for the session-create-and-wait command.
    • Improved results for the cb-session-close command to reflect the actual session status for a CB Response case.
  • Carbon Black Enterprise Response
    • Improved outputs for the cb-binary command to display full results for the Hostname field.
    • Improved implementation of the cb-process-events command to prevent failure in case the information returned is partial.
  • CrowdStrike Falcon Intel
    Improved output for DBotScore when an indicator is not found.
  • EWS v2
    Fixed a typo in compliance search methods.
  • Gmail
    Added two commands to implement an email blockage use case. For more information, see the Gmail documentation.
    • gmail-add-delete-filter
    • gmail-add-filter
  • Cylance Protect v2
    Added 5 commands:
    • cylance-protect-download-threat
    • cylance-protect-add-hash-to-list
    • cylance-protect-delete-hash-from-lists
    • cylance-protect-get-policy-details
    • cylance-protect-delete-devices
  • Mimecast v2
    • Refactored the Mimecast integration. Mimecast v1 is now deprecated.
    • Implemented incident fetching.
      • Fetch URL logs: Fetches email logs containing malicious URLs
      • Fetch attachment logs: Fetches email logs containing malicious attachments
      • Fetch impersonation logs: Fetches email logs containing impersonation incidents
    • Added 12 commands:
      • mimecast-list-blocked-sender-policies
      • mimecast-create-policy
      • mimecast-delete-policy
      • mimecast-get-policy
      • mimecast-query
      • mimecast-url-decode
      • mimecast-manage-sender
      • mimecast-list-managed-url
      • mimecast-create-managed-url
      • mimecast-list-messages
      • mimecast-get-url-logs
      • mimecast-get-impersonation-logs
      • mimecast-get-attachment-logs
  • Palo Alto MineMeld
    Improved implementation of whitelist/blacklist initialization.
  • Rapid7 Nexpose
    Added support to view, stop, pause and resume scans. For more information, see the Rapid7 Nexpose documentation.
  • SCADAfence CNM
    Added two commands. For more information, see the SCADAfence CNM documentation.
    • scadafence-getAllConnections
    • scadafence-createAlert
  • SplunkPy
    Added support to fetch notable events using Splunk Time instead of the Demisto server time.
  • VirusTotal - Private API
    Improved the error message when the quota is exceeded.
  • Palo Alto WildFire
    The wildfire-upload command now supports multiple uploads.
  • McAfee ePO
    • Added two commands.
      • epo-find-system
      • epo-get-version
    • Improved outputs for the epo-query-table command.
  • Rasterize
    Added rasterize-image command to securely display images in war room.
  • IBM QRadar
    • Fixed incidents fetching bug.
    • Added the qradar-get-reference-by-name command.
    • Reimplemented the integration in Python.
  • Cisco Threat Grid
    • Updated the integration to align with changes in Threat Grid API.
    • Enhanced outputs for the threat-grid-get-analysis-by-id command.
    • Added two commands:
      - threat-grid-search-urls
      - threat-grid-search-samples
  • urlscan.io
    • The ip and file commands are no longer supported.
    • Reformatted context outputs.
    • Added the urlscan-search command.

Scripts

2 New Scripts

  • ExifRead
    Read image files' metadata and provide Exif tags.
  • ParseExcel
    The automation takes an Excel file (entryID) as an input and parses its content to the War Room and context.

6 Improved Scripts

  • ADGetUser
    Improved display formatting of UserAccountControl flags.
  • BlockIP
    The rulename and ipname arguments are now optional, and include improved defaults.
  • CPBlockIP
    The rulename and ipname arguments are now optional, and include improved defaults.
  • PanoramaBlockIP
    The rulename argument is now optional, and includes improved defaults.
  • ProofpointDecodeURL
    Improved handling of error scenarios.
  • ReadPDFFile
    Improved handling of the PSEOF error.

Playbooks

2 New Playbooks

  • QRadarFullSearch
    This playbook runs a QRadar query and returns the query results to the context.
  • Tenable.io Scan
    Run a Tenable.io scan.

Demisto Content Release Notes for version 18.11.0 (14606)

13 Nov 17:39

Published on 13 November 2018

Integrations

5 New Integrations

  • BigFix
    IBM BigFix Patch provides an automated, simplified patching process that is administered from a single console. For more information, see the IBM BigFix documentation.
  • Google Vault
    Archiving and eDiscovery for G Suite. For more information, see the Google Vault documentation.
  • Luminate
    Enrich reports and respond to incidents. For more information, see the Luminate documentation.
  • Tenable.io
    A comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications. For more information, see the Tenable.io documentation.
  • Windows Defender Advanced Threat Protection
    Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. For more information, see the Windows Defender ATP documentation.

18 Improved Integrations

  • Carbon Black Enterprise Live Response
    • Improved error messages for the session-create-and-wait command.
    • Improved results for the cb-session-close command to reflect the actual session status for a CB Response case.
  • Carbon Black Enterprise Response
    • Improved outputs for the cb-binary command to display full results for the Hostname field.
    • Improved implementation of the cb-process-events command to prevent failure in case the information returned is partial.
  • CrowdStrike Falcon Intel
    Improved output for DBotScore when an indicator is not found.
  • EWS v2
    Fixed a typo in compliance search methods.
  • Gmail
    Added two commands to implement an email blockage use case. For more information, see the Gmail documentation.
    • gmail-add-delete-filter
    • gmail-add-filter
  • Cylance Protect v2
    Added 5 commands:
    • cylance-protect-download-threat
    • cylance-protect-add-hash-to-list
    • cylance-protect-delete-hash-from-lists
    • cylance-protect-get-policy-details
    • cylance-protect-delete-devices
  • Mimecast v2
    • Refactored the Mimecast integration. Mimecast v1 is now deprecated.
    • Implemented incident fetching.
      • Fetch URL logs: Fetches email logs containing malicious URLs
      • Fetch attachment logs: Fetches email logs containing malicious attachments
      • Fetch impersonation logs: Fetches email logs containing impersonation incidents
    • Added 12 commands:
      • mimecast-list-blocked-sender-policies
      • mimecast-create-policy
      • mimecast-delete-policy
      • mimecast-get-policy
      • mimecast-query
      • mimecast-url-decode
      • mimecast-manage-sender
      • mimecast-list-managed-url
      • mimecast-create-managed-url
      • mimecast-list-messages
      • mimecast-get-url-logs
      • mimecast-get-impersonation-logs
      • mimecast-get-attachment-logs
  • Palo Alto MineMeld
    Improved implementation of whitelist/blacklist initialization.
  • Rapid7 Nexpose
    Added support to view, stop, pause and resume scans. For more information, see the Rapid7 Nexpose documentation.
  • SCADAfence CNM
    Added two commands. For more information, see the SCADAfence CNM documentation.
    • scadafence-getAllConnections
    • scadafence-createAlert
  • SplunkPy
    Added support to fetch notable events using Splunk Time instead of the Demisto server time.
  • VirusTotal - Private API
    Improved the error message when the quota is exceeded.
  • Palo Alto WildFire
    The wildfire-upload command now supports multiple uploads.
  • McAfee ePO
    • Added two commands.
      • epo-find-system
      • epo-get-version
    • Improved outputs for the epo-query-table command.
  • Rasterize
    Added rasterize-image command to securely display images in war room.
  • IBM QRadar
    • Added the qradar-get-reference-by-name command.
    • Reimplemented the integration in Python.
  • Cisco Threat Grid
    • Updated the integration to align with changes in Threat Grid API.
    • Enhanced outputs for the threat-grid-get-analysis-by-id command.
    • Added two commands:
      - threat-grid-search-urls
      - threat-grid-search-samples
  • urlscan.io
    • The ip and file commands are no longer supported.
    • Reformatted context outputs.
    • Added the urlscan-search command.

Scripts

2 New Scripts

  • ExifRead
    Read image files' metadata and provide Exif tags.
  • ParseExcel
    The automation takes an Excel file (entryID) as an input and parses its content to the War Room and context.

6 Improved Scripts

  • ADGetUser
    Improved display formatting of UserAccountControl flags.
  • BlockIP
    The rulename and ipname arguments are now optional, and include improved defaults.
  • CPBlockIP
    The rulename and ipname arguments are now optional, and include improved defaults.
  • PanoramaBlockIP
    The rulename argument is now optional, and includes improved defaults.
  • ProofpointDecodeURL
    Improved handling of error scenarios.
  • ReadPDFFile
    Improved handling of the PSEOF error.

Playbooks

2 New Playbooks

  • QRadarFullSearch
    This playbook runs a QRadar query and returns the query results to the context.
  • Tenable.io Scan
    Run a Tenable.io scan.

Demisto Content Release Notes for version 18.10.3 (14022)

30 Oct 15:26

Published on 30 October 2018

Integrations

3 New Integrations

  • AWS - CloudWatchLogs
    Amazon Web Services CloudWatch Logs (logs). For more information, see the Amazon Web Services CloudWatch documentation.
  • BitDam
    BitDam secure email gateway protects against advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source. For more information, see the BitDam documentation.
  • Red Canary
    Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon.

15 Improved Integrations

  • AWS - S3
    Added the aws-s3-upload-file command. For more information, see the AWS S3 documentation.
  • Carbon Black Enterprise Live Response
    Improved the integration test.
  • IntSights
    Improved integration implementation and execution. For more information, see the IntSights documentation.
  • Devo
    Added a default results limit of 30.
  • EWS v2
    Added support for Public Folders and compliance search in Office 365.
  • FireEye HX
    Added enforcement of passing either the defaultSystemScript argument or both the script and scriptName arguments when running the fireeye-hx-data-acquisition command.
  • Lastline
    For more information, see the Lastline documentation.
    • Improved outputs, error messages, and code readability.
    • Added support to insert multiple inputs for the lastline-get command.
  • PagerDuty v2
    Added support to send ServiceKey with the PagerDuty-submit-event command.
  • Dell Secureworks
    Added support for getting ticket attachments.
  • ServiceNow
    • Added support for the catalog task ticket type.
    • Improved error messages.
  • SumoLogic
    Added support to use the equal sign in the query and headers arguments for the search command.
  • ThreatConnect
    Fixed a filter issue when the ratingThreshold argument is specified.
  • FireEye iSIGHT
    Added DBot score output for indicators that do not contain data.
  • McAfee ePO
    Added 2 commands:
    • epo-get-tables
    • epo-query-table
  • Cisco Umbrella Investigate
    Added 13 commands:
    • domain
    • umbrella-get-related-domains
    • umbrella-get-domain-classifiers
    • umbrella-get-domain-queryvolume
    • umbrella-get-domain-details
    • umbrella-get-domains-for-email-registrar
    • umbrella-get-domains-for-nameserver
    • umbrella-get-whois-for-domain
    • umbrella-get-malicious-domains-for-ip
    • umbrella-get-domains-using-regex
    • umbrella-get-domain-timeline
    • umbrella-get-ip-timeline
    • umbrella-get-url-timeline

Scripts

2 New Scripts

  • IsListExist
    Checks if a list exists in Demisto lists.
  • RegexGroups
    Extracts elements that are contained in all the subgroups that match the pattern.

5 Improved Scripts

  • EPOFindSystem
    Improved error handling.
  • FireEyeDetonateFile
    Added arguments to enable setting analysis type and pre-fetch when running the script.
  • PagerDutyAlertOnIncident
    PagerDuty API v2 is now supported.
  • UnzipFile
    Enabled decompression of AES encrypted files.
  • TextFromHTML
    Added support for multiple languages.

Deprecated Script

  • CloseInvestigation
    Use the closeInvestigation command.

Playbooks

13 New Playbooks

  • Add Indicator to Miner - Palo Alto MineMeld
    Add indicators to the relevant Miner using MineMeld.
  • Detonate File - BitDam
    Detonates one or more files using BitDam integration.
  • Block Account - Generic
    This playbook blocks malicious usernames using all integrations that you have enabled.
  • Block File - Carbon Black Response
    This playbook receives an MD5 hash and adds it to the blacklist in Carbon Black Enterprise Response.
  • Block File - Generic
    A generic playbook for blocking files from running on endpoints.
  • Block IP - Generic
    This playbook blocks malicious IPs using all integrations that you have enabled.
  • Block Indicators - Generic
    This playbook blocks malicious Indicators using all integrations that you have enabled.
  • Block URL - Generic
    This playbook blocks malicious URLs using all integrations that you have enabled.
  • Demisto Self-Defense - Account policy monitoring playbook
    Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.
  • Detonate File - Lastline
    Detonates a File using the Lastline sandbox.
  • Detonate URL - Lastline
    Detonates a URL using the Lastline sandbox integration.
  • Office 365 Search and Delete
    Run a ComplianceSearch on Office 365 and delete the results.
  • Phishing Investigation - Generic
    Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.

3 Improved Playbooks

  • Detonate File - Generic
    Added the Lastline Detonate File playbook.
  • Detonate URL - Generic
    Added the Lastline Detonate URL playbook.
  • Phishing Investigation - Generic
    Added support for blocking malicious indicators in relevant integrations.

Demisto Content Release Notes for version 18.10.2 (13642)

19 Oct 14:55

Published on 19 October 2018

Integrations

4 New Integrations

Updated Integration

  • McAfee ePO
    The command and commandArgs arguments of the command epo-command are no longer available from the CLI and as playbook inputs, but can still be used in the command.

5 Improved Integrations

  • CrowdStrike Falcon Host
    Added 2 new commands. For more information, see the CrowdStrike Falcon Host documentation.
    • cs-detection-search
    • cs-detection-details
  • Joe Security
    Added the URL parameter to integration configuration.
  • McAfee NSM
    Improved integration outputs. For more information, see the McAfee NSM documentation.
  • ServiceNow
    Improved integration outputs.
  • VirusTotal - Private API
    Improved outputs for the vt-private-get-url-report command.

Demisto Content Release Notes for version 18.10.1 (13492)

16 Oct 14:50

Published on 16 October 2018

Integrations

4 New Integrations

5 Improved Integrations

  • CrowdStrike Falcon Host
    Added 2 new commands. For more information, see the CrowdStrike Falcon Host documentation.
    • cs-detection-search
    • cs-detection-details
  • Joe Security
    Added the URL parameter to integration configuration.
  • McAfee NSM
    Improved integration outputs. For more information, see the McAfee NSM documentation.
  • ServiceNow
    Improved integration outputs.
  • VirusTotal - Private API
    Improved outputs for the vt-private-get-url-report command.

Demisto Content Release Notes for version 18.10.0 (13017)

02 Oct 16:13

Published on 02 October 2018

Integrations

2 New Integrations

  • Microsoft Graph
    Unified gateway to security insights - all from a unified Microsoft Graph Security API.
  • RSA NetWitness Endpoint
    Monitor and collect activity across all of your endpoints, on and off your network.

9 Improved Integrations

  • AWS - EC2
    • Added the aws-ec2-get-password-data command.
    • Fixed several bugs.
  • FalconHost
    Fixed support for the Trust any certificate checkbox.
  • Cybereason
    Improved fetch incidents implementation.
  • FireEye HX
    Fixed fetch events to handle empty results.
  • McAfee Advanced Threat Defense
    The integration is now written in Python.
  • Rapid7 Nexpose
    When site scanning, you can now scan all assets within the site.
  • ServiceNow
    Added an option to get ticket attachments (get command, fetch incidents) and additional outputs.
  • SplunkPy
    Added support for UTF8 encoding for search.
  • McAfee ePO
    Added outputs and error messages.

Scripts

1 New Script

  • PortListenCheck
    Checks whether a port was opened on a specific host.

2 Improved Scripts

  • D2O365ComplianceSearch
    Improved error handling when running the PowerShell script.
  • D2O365SearchAndDelete
    Improved error handling when running the PowerShell script.

Demisto Content Release Notes for version 18.9.2 (12802)

20 Sep 12:42

Published on 20 September 2018

Integrations

9 Improved Integrations

  • CrowdStrike Falcon Intel
    Improved integration tolerance in the cs-reports command.
  • Demisto REST API
    Added the demisto-delete-incidents command.
  • Imperva Incapsula
    • Improved outputs for the in-cap-upload-public-key command.
    • Reorganized the urlDict and commands to match and correspond to the Incapsula API Documentation layout.
    • Added Account Management API Calls.
    • Added Site Management - Rules API Calls.
    • Added Site Management - Data Centers API Calls.
    • Added Infrastructure Protection Test Alert API Calls.
  • IBM QRadar
    Fixed a bug in which pagination missed some incidents.
  • ServiceNow
    Rewrote the integration in Python.
  • VirusTotal
    The protocol of a given URL is now lowercased.
  • Zscaler
    Added the following commands:
    • zscaler-get-blacklist
    • zscaler-get-whitelist
  • Rasterize
    The Rasterize base64 image is no longer sent as output, because large images can affect system performance. Instead, mark the Rasterize entry as a note or with a tag.
  • Cisco Webex Team
    Renamed the integration from Cisco Spark because the product was renamed.

Scripts

4 Deprecated Scripts

  • DemistoDeleteIncident
    Use the demisto-delete-incidents command in the Demisto RESTAPI integration instead.
  • WhileLoop
    Use native loops instead.
  • WhileNotExistLoop
    Use native loops instead.
  • WhileNotMdLoop
    Use native loops instead.

Dashboards

Improved Dashboards

  • System Health
    Updated memory graphs and CPU usage graphs.

Incident Fields

Removed the HTML Image field, because large images can affect system performance.


Incident Layouts

Improved Incident Layout

  • Phishing - Summary
    Replaced the HTML Image field with the HTML Image section, because large images can affect system performance.

Demisto Content Release Notes for version 18.9.1 (12565)

06 Sep 12:09

Published on 06 September 2018

Integrations

3 New Integrations

20 Improved Integrations

  • RSA Archer
    Passwords now support special characters.
  • Carbon Black Defense
    Improved outputs in the cbd-get-alerts-details command. For more information, see the Carbon Black Defense documentation.
  • CrowdStrike Falcon Host
    Improved outputs for the cs-device-search command. For more information, see the CrowdStrike Falcon Host documentation.
  • Cybereason
    For more information, see the Cybereason documentation.
    • Added the following commands.
      • cybereason-add-comment
      • cybereason-query-malops
      • cybereason-update-malop-status
      • cybereason-malop-processes
    • Added malops fetch.
    • Added client-certificate authentication.
  • McAfee ESM v10
    Added the following commands.
    • esm-get-alarm-event-details
    • esm-list-alarm-events
  • GRR Rapid Response
    Improved property identifier to username. For more information, see the GRR Rapid Response documentation.
  • MISP
    Fix proxy parameter issue.
  • McAfee Advanced Threat Defense
    Deprecated the following commands. Use the relevant detonate playbook instead. For more information, see the McAfee Advanced Threat Defense documentation.
    • detonate-file
    • detonate-url
  • McAfee NSM
    Added proxy support.
  • Okta
    Added the following commands. For more information, see the Okta documentation.
    • okta-suspend-user
    • okta-unsuspend-user
  • RSA NetWitness v11.1
    There are separate checkboxes to fetch incident data and to fetch alert data. If you want to fetch alert data, you need to select both checkboxes. For more information, see the NetWitness v11 documentation.
  • Rapid7 Nexpose
    Added the nexpose-create-site command. For more information, see the Rapid7 Nexpose documentation.
  • Salesforce
    Added the salesforce-delete-case command. For more information, see the Salesforce documentation.
  • SplunkPy
    Fixed an encoding issue in the splunk-submit-event command.
  • Cisco Threat Grid
    Added the playbook parameter.
  • Tanium
    • Added the following commands.
      • tn-ask-manual-question
      • tn-get-sensor
      • tn-get-action
    • Modified the tn-deploy-package command.
      • Added sensor variables as an argument.
      • Added action details to the outputs.
      • Improved raw response.
    • Modified the tn-get-package command.
      • Added sensor variable to outputs.
  • urlscan.io
    Fixed the display for empty ASN.
  • VirusTotal
    ScanID now appears in the context data instead of in the command's War Room output.
  • CyberArk AIM
    Added the cyber-ark-aim-query command.
  • Atlassian Jira
    Improved the jira-edit-issue command. For more information, see the Jira documentation.

Scripts

1 New Script

  • EncodeToAscii
    Encodes input text data as ASCII (ignores any characters that cannot be interpreted as ASCII).

13 Improved Scripts

  • D2O365ComplianceSearch
    Fixed the file argument not found error.
  • D2O365SearchAndDelete
    Fixed the file argument not found error.
  • DeleteContext
    • Changed user from limited user to DBot.
    • Added support to keep keys from nested objects and auto-trim for context path.
  • DomainReputation
    The domain argument is now marked as default, so the script can be executed as an enhancement on Domain indicators.
  • IsEmailAddressInternal
    Handled context to prevent duplicates.
  • IsValueInArray
    Improved support for manual execution (parse string array).
  • MatchRegex
    Added the option to return all matches.
  • PagerDutyAlertOnIncident
    Updated to match PagerDuty API v2.
  • PagerDutyAssignOnCallUser
    Updated to match PagerDuty API v2.
  • PanoramaBlockIP
    Fixed the output types.
  • ParseEmailFiles
    Fixed header parsing.
  • ParseCSV
    • Added the entryID argument to get the file entry by ID.
    • The file argument is deprecated.
  • IsIPInRanges
    Improved handling of spaces and new lines in provided IP ranges string.

Incident Fields

Added the In-Reply-To field to the incident details.


Classification & Mapping

New Classification & Mapping

  • Aella Starlight

2 Improved Classification & Mapping

  • EWS v2
    Removed default mapping of html-body to prevent the rendering of malicious links.
  • Gmail
    Gmail classifier.

Demisto v4.0

This content will be available with the official release of Demisto v4.0.

Integrations

1 Improved Integration

  • Palo Alto WildFire
    • Deprecated the detonate-file-remote and detonate-file commands.
      Use the WildFire Detonate playbook instead.
    • Added the wildfire-upload-file-remote command.
    • Improved outputs.
    • Added support for multiple inputs for the wildfire-report command.

Scripts

1 New Script

  • FailedInstances
    Executes a test for all available integration instances, and returns a detailed table that displays information about failed integration instances.

Playbooks

2 Improved Playbooks

  • Nexpose Scan Assets
    Fixed playbook inputs.
  • Nexpose Scan Site
    Added validations.

Demisto Content Release Notes for version 18.9.0 (12477)

04 Sep 19:52

Published on 04 September 2018

Integrations

3 New Integrations

20 Improved Integrations

  • RSA Archer
    Passwords now support special characters.
  • Carbon Black Defense
    Improved outputs in the cbd-get-alerts-details command. For more information, see the Carbon Black Defense documentation.
  • CrowdStrike Falcon Host
    Improved outputs for the cs-device-search command. For more information, see the CrowdStrike Falcon Host documentation.
  • Cybereason
    For more information, see the Cybereason documentation.
    • Added the following commands.
      • cybereason-add-comment
      • cybereason-query-malops
      • cybereason-update-malop-status
      • cybereason-malop-processes
    • Added malops fetch.
    • Added client-certificate authentication.
  • McAfee ESM v10
    Added the following commands.
    • esm-get-alarm-event-details
    • esm-list-alarm-events
  • GRR Rapid Response
    Improved property identifier to username. For more information, see the GRR Rapid Response documentation.
  • MISP
    Fix proxy parameter issue.
  • McAfee Advanced Threat Defense
    Deprecated the following commands. Use the relevant detonate playbook instead. For more information, see the McAfee Advanced Threat Defense documentation.
    • detonate-file
    • detonate-url
  • McAfee NSM
    Added proxy support.
  • Okta
    Added the following commands. For more information, see the Okta documentation.
    • okta-suspend-user
    • okta-unsuspend-user
  • RSA NetWitness v11.1
    There are separate checkboxes to fetch incident data and to fetch alert data. If you want to fetch alert data, you need to select both checkboxes. For more information, see the NetWitness v11 documentation.
  • Rapid7 Nexpose
    Added the nexpose-create-site command. For more information, see the Rapid7 Nexpose documentation.
  • Salesforce
    Added the salesforce-delete-case command. For more information, see the Salesforce documentation.
  • SplunkPy
    Fixed an encoding issue in the splunk-submit-event command.
  • Cisco Threat Grid
    Added the playbook parameter.
  • Tanium
    • Added the following commands.
      • tn-ask-manual-question
      • tn-get-sensor
      • tn-get-action
    • Modified the tn-deploy-package command.
      • Added sensor variables as an argument.
      • Added action details to the outputs.
      • Improved raw response.
    • Modified the tn-get-package command.
      • Added sensor variable to outputs.
  • urlscan.io
    Fixed the display for empty ASN.
  • VirusTotal
    ScanID now appears in the context data instead of in the command's War Room output.
  • CyberArk AIM
    Added the cyber-ark-aim-query command.
  • Atlassian Jira
    Improved the jira-edit-issue command. For more information, see the Jira documentation.

Scripts

1 New Script

  • EncodeToAscii
    Encodes input text data as ASCII (ignores any characters that cannot be interpreted as ASCII).

13 Improved Scripts

  • D2O365ComplianceSearch
    Fixed the file argument not found error.
  • D2O365SearchAndDelete
    Fixed the file argument not found error.
  • DeleteContext
    • Changed user from limited user to DBot.
    • Added support to keep keys from nested objects and auto-trim for context path.
  • DomainReputation
    The domain argument is now marked as default, so the script can be executed as an enhancement on Domain indicators.
  • IsEmailAddressInternal
    Handled context to prevent duplicates.
  • IsValueInArray
    Improved support for manual execution (parse string array).
  • MatchRegex
    Added the option to return all matches.
  • PagerDutyAlertOnIncident
    Updated to match PagerDuty API v2.
  • PagerDutyAssignOnCallUser
    Updated to match PagerDuty API v2.
  • PanoramaBlockIP
    Fixed the output types.
  • ParseEmailFiles
    Fixed header parsing.
  • ParseCSV
    • Added the entryID argument to get the file entry by ID.
    • The file argument is deprecated.
  • IsIPInRanges
    Improved handling of spaces and new lines in provided IP ranges string.

Incident Fields

Added the In-Reply-To field to the incident details.


Classification & Mapping

New Classification & Mapping

  • Aella Starlight

2 Improved Classification & Mapping

  • EWS v2
    Removed default mapping of html-body to prevent the rendering of malicious links.
  • Gmail
    Gmail classifier.

Demisto v4.0

This content will be available with the official release of Demisto v4.0.

Integrations

1 Improved Integration

  • Palo Alto WildFire
    • Deprecated the detonate-file-remote and detonate-file commands.
      Use the WildFire Detonate playbook instead.
    • Added the wildfire-upload-file-remote command.
    • Improved outputs.
    • Added support for multiple inputs for the wildfire-report command.

Scripts

1 New Script

  • FailedInstances
    Executes a test for all available integration instances, and returns a detailed table that displays information about failed integration instances.

Playbooks

2 Improved Playbooks

  • Nexpose Scan Assets
    Fixed playbook inputs.
  • Nexpose Scan Site
    Added validations.

Demisto Content Release Notes for version 18.8.2 (11982)

21 Aug 17:44

Published on 21 August 2018

Integrations

2 New Integrations

  • Gmail
    Search and process emails in the organizational Gmail mailboxes.
  • FireEye ETP
    FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks. For more information, see the FireEye ETP documentation.

5 Improved Integrations

  • Moloch
    Updated the moloch_sessions_json command. For more information, see the Moloch documentation.
    • Returns the HTTP method and status code.
    • Follows the new API structure.
  • Shodan
    Made several enhancements to this integration. For more information, see the Shodan documentation.
    • Added error handling of 404 error responses.
    • Enhanced human readable output for the ip command.
  • Zscaler
    • Added the zscaler-get-categories command.
    • Improved support for custom categories.
  • Cisco Threat Grid
    Added the playbook argument to the threat-grid-upload-sample command.
  • Atlassian Jira
    Added new commands.
    • jira-edit-issue
    • jira-get-comments

Scripts

3 New Scripts

  • DBotClosedIncidentsPercentage
    Data output script for populating a dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. See the corresponding Closed by DBot widget in the Widgets section.
  • DemistoGetIncidentTasksByState
    Get all tasks for a specific incident according to the incident state.
  • ShowScheduledEntries
    Display all scheduled entries for a specific incident.

6 Improved Scripts

  • DeleteContext
    Added the ability to delete a specific index in a key.
  • ParseCSV
    Fixed a unicode encoding issue.
  • TopMaliciousRatioIndicators
    Improved handling of duplicate indicators.
  • FindSimilarIncidents
    Enhanced the output declaration.
  • FindSimilarIncidentsByText
    Enhanced the output declaration.
  • GetDuplicatesMlv2
    Enhanced the output declaration.

Playbooks

3 New Playbooks

  • File Enrichment - File reputation
    Get the reputation for a file using one or more integrations.
  • File Enrichment - Virus Total Private API
    Get file information using the Virus Total Private API integration.
  • Get Original Email - Generic
    Use this playbook to retrieve the original email in the thread, including headers and attachments, when the reporting user forwarded the original email not as an attachment. This playbook contains the following sub-playbooks:
    • Get Original Email - EWS
    • Get Original Email - Gmail

5 Improved Playbooks

  • File Enrichment - Generic
    Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
  • Domain Enrichment - Generic
    Added support for the VirusTotal Private API integration.
  • IP Enrichment - Generic
    Added support for the VirusTotal Private API integration.
  • URL Enrichment - Generic
    Added support for the VirusTotal Private API integration.
  • Process Email - Generic
    Added support for retrieving the original email from both EWS and Gmail mail services.

Widgets

New Widget

  • Closed By DBot
    Displays the percentage of incidents handled and closed by DBot, without an assigned owner, across all incidents in the specified time period.

Classification & Mapping

New Classification & Mapping

  • Gmail
    Added Phishing mapping for Gmail Mapping.