Releases: demisto/content
Content Release 17.11.1
Release Notes for version 17.11.1 (4833)
Playbooks
1 Improved Playbook
- Tanium Demo Playbook
-- Updated playbook with new commands
Integrations
2 New Integrations
- Demisto REST API
-- Use Demisto REST APIs both in local and external Demisto servers
- Icebrg
-- iceberg.io Streaming Network Forensics
15 Improved Integrations
- Tanium
-- Tanium integration was vastly improved and now provides more Tanium SDK options
- McAfee Advanced Threat Defense
-- Fixed get-reports command (permissions to download PDF and samples, and types of files)
- Anomali ThreatStream
-- Added threshold argument to set when a query result is considered malicious
- Carbon Black Defense
-- Added proxy and skip-certificate-check options
- Service Manager
-- Added descriptions to commands
- IntSights
-- Print message body when JSON parsing fails
- LightCyber Magna
-- Added descriptions for some arguments
- EWS
-- Fixed fetch-incidents when there is no "To:" in the e-mail
- Phishme Intelligence
-- Changed reputation of threats to be calculated by severity level
- PhishTank
-- Integration is now enabled by default
- ProtectWise
-- Added descriptions for outputs
- QRadar
-- Will print a descriptive message in case of parsing error
- Urlscan.io
-- Integration is now enabled by default
- Vmray
-- Uses public docker image now
- CyberArkAIM
-- Support fetch for multiple credentials
-- Added list-credentials command
Scripts
6 New Scripts
- ContextGetPathForString
-- Searches for a string in context and returns the context path
- DemistoCreateList
-- Creates a new Demisto list
- DemistoDeleteIncident
-- Deletes an incident from Demisto
- DemistoLinkIncidents
-- Links two or more incidents
- DemistoSendInvite
-- Sends an invitation to join Demisto
- JIRAPrintIssue
-- Pretty-prints a JIRA issue into the incident war room
1 Improved Script
- http
-- Added support for downloading a file to the war room
6 Deprecated Scripts
- TaniumApprovePendingActions
-- Deprecated. Use tn-approve-pending-action instead
- TaniumAskQuestion
-- Deprecated. Use tn-ask-question instead
- TaniumAskQuestionComplex
-- Deprecated. Use tn-ask-question instead
- TaniumDeployAction
-- Deprecated. Use tn-deploy-package instead
- TaniumFindRunningProcesses
-- Deprecated. Use tn-ask-question instead
- TaniumShowPendingActions
-- Deprecated. Use tn-get-all-pending-actions instead
Demisto Content 17.11.0 release
Release Notes for version 17.11.0 (4518)
General
- The format of Demisto content version numbers has been changed to make them easier to follow. Content versions are now of the form '<YY>.<MM>.<#>'. For example, 17.11.0 is the first version of November 2017
Playbooks
2 New Playbooks
- Arcsight - Get events related to the Case
-- Get the Case's ArcSight ResourceID from the FetchID field or the "ID" label. If neither is available, ask the user for the ID
- QRadar - Get offense correlations
-- Get more information from a QRadar offense
Integrations
5 New Integrations
- Carbon Black Defense
-- Next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks and ransomware
- IsItPhishing
-- Collaborative web service that provides validation on whether a URL is a phishing-related page (or not) by analyzing the content of the webpage
- McAfee Threat Intelligence Exchange
-- Connect to TIE using its DXL client
- McAfee Web Gateway
-- Blacklist/whitelist URLs
- TCPIPUtils
-- Use the TCPIPUtils.com API to get enrichment data about an IP address
5 Improved Integrations
- AlienVault OTX
-- The 'not found' error is now handled more gracefully
- ArcSight ESM
-- Added new commands: as-case-delete, as-get-all-query-viewers, as-get-case-event-ids
-- The ArcSight XML integration is no longer needed; fetch can be done via ArcSight ESM
- Remedy On-Demand
-- Port parameter is now optional
- SplunkPy
-- Support different timezones on Splunk ES incident fetch
- Nessus
-- Fixed list-scans command issue
Scripts
2 New Scripts
- ContextContains
-- This script searches for a value in a context path
- ExposeIncidentOwner
-- Copy the incident owner into the 'IncidentOwner' context key
5 Improved Scripts
- ATDDetonate
-- Returns an error on unsupported files
- DeleteContext
-- Now returns an error when no arguments are provided (rather than a regular message)
- ExportToCSV
-- Display string representation of inner object fields
- QRadarGetCorrelationLogs
-- Added context outputs
- QRadarGetOffenseCorrelations
-- Updated context outputs
1 Deprecated Script
- QRadarClassifier
-- Deprecated. Use the Demisto "Classification and Mapping" tool instead
Demisto Content Release Notes for version 18.3.0 (7763)
Published on 06 March 2018
Playbooks
15 New Playbooks
- Malware Investigation - Generic
-- Investigate malware using one or more integrations
- Malware Investigation - Generic - Setup
-- Verify file sample and hostname information for the "Malware Investigation - Generic" playbook
- Default Playbook
-- Enrich indicators in an incident using one or more integrations
- Phishing Playbook - Automated
-- An automated playbook to investigate suspected phishing attempts
- Phishing Investigation - Generic
-- Investigate a phishing incident using one or more integrations
- Email Address Enrichment - Generic
-- Get email address reputation using one or more integrations
- Process Email - Generic
-- Add email details into the relevant context entities and handle the case where original emails are attached
- Extract Indicators - Generic
-- Extract indicators from input data
- DBot Indicator Enrichment - Generic
-- Get the indicators' internal DBot score
- Calculate Severity - Generic
-- Calculate incident severity by indicators' reputation and user/endpoint membership in critical groups
- Entity Enrichment - Generic
-- Enrich entities using one or more integrations
- File Enrichment - Generic
-- Get file reputation using one or more integrations
- Search Endpoints By Hash - CrowdStrike
-- Hunt for endpoint activity involving hash and domain IOCs, using CrowdStrike Falcon Host
- Search Endpoints By Hash - TIE
-- Hunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE
- Search Endpoints By Hash - Carbon Black Response
-- Hunt for malicious indicators using Carbon Black
Improved Playbooks
- URL Enrichment - Generic
-- Add URL SSL verification
Scripts
2 New Scripts
- URLSSLVerification
-- Verify URL SSL certificate
- getMlFeatures
-- Calculate features for machine learning
2 Improved Scripts
- GetIndicatorDBotScore
-- Support for custom indicator types
- IsMaliciousIndicatorFound
-- Handle the 'includeSuspicious' argument properly
Integrations
2 New Integrations
- Remedy AR
-- Professional development environment that leverages the recommendations of the IT Infrastructure Library (ITIL) and provides a foundation for Business Service Management (BSM) solutions
- pyEWS
-- Exchange Web Services and Office 365
6 Improved Integrations
- McAfee ESM-v10
-- Support changing organization when editing a case
- Okta
-- Fix issue with unlock action
- Remedy On-Demand
-- Added fetch-incidents support
- ServiceNow
-- Fetch incidents now supports customised tables
- SplunkPy
-- Added command splunk-parse-raw, which parses the Splunk '_raw' result. Protect Splunk notable events fetch from nil pointer
- Rasterize
-- Forcing white background on emails for better visibility in the dark theme
Reputation
- Change IP regex to capture valid IP addresses only
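As an added illustration of the regex change above (example code written for this page, not the content repository's own reputation script): a loose IPv4 pattern and a strict one are run over a constructed log line. The loose pattern accepts out-of-range octets such as 192.168.1.300 and picks a four-octet fragment out of a longer dotted number, and each of those becomes a false indicator that is then enriched and scored; the strict pattern bounds every octet to 0-255 and refuses to start or end inside a longer dotted digit run. The sample line is constructed for the example.

```python
import re

# Loose pattern: four runs of 1-3 digits. It accepts out-of-range octets such as
# 192.168.1.300 and also matches a four-octet fragment of a longer dotted
# number (e.g. 1.2.3.4 inside the build number 1.2.3.4.5).
LOOSE_IPV4 = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Strict pattern: every octet is 0-255, and the match may not start or end
# next to another digit or dot, so it cannot be a fragment of a longer
# dotted number.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IPV4 = re.compile(r"(?<![\d.])" + r"\.".join([_OCTET] * 4) + r"(?![\d.])")


def extract_ipv4(text: str, strict: bool = True) -> list:
    """Return the IPv4-looking strings in `text`, in order of appearance."""
    pattern = STRICT_IPV4 if strict else LOOSE_IPV4
    return pattern.findall(text)


# Constructed sample: one log line mixing real addresses with look-alikes.
SAMPLE_LINE = (
    "src=10.0.0.5 dst=192.168.1.300 build=1.2.3.4.5 "
    "peer=256.1.1.1 ok=172.16.254.1"
)


def compare(text: str = SAMPLE_LINE) -> dict:
    """Show what the loose pattern over-captures relative to the strict one."""
    loose = extract_ipv4(text, strict=False)
    strict = extract_ipv4(text, strict=True)
    return {
        "loose": loose,
        "strict": strict,
        "false_indicators": [ip for ip in loose if ip not in strict],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The lookbehind and lookahead are what keep 1.2.3.4 from being lifted out of 1.2.3.4.5; without them a per-octet range check alone still yields the fragment.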
Demisto Content 3.0.4 Release
Release Notes for version 3.0.4 (4329)
Playbooks
8 New Playbooks
- D2 - Endpoint data collection
-- Uses Demisto's d2 agent to collect data from an endpoint for IR purposes
- Endpoint data collection
-- Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available
- Enrich DXL with ATD verdict
-- Example of using McAfee ATD and pushing any malicious verdicts over DXL. Detonates a file in ATD and, if malicious, pushes its MD5, SHA1 and SHA256 hashes to McAfee DXL
- Enrich McAfee DXL using 3rd party sandbox
-- Example of bridging DXL to a third-party sandbox. Detonates a file in WildFire and, if malicious, pushes its MD5, SHA1 and SHA256 hashes to McAfee DXL
- MAR - Endpoint data collection
-- Use McAfee Active Response to collect data from an endpoint for IR purposes (requires ePO as well)
- TIE - IOC Hunt
- WildFire - Detonate file
-- File detonation with WildFire
2 Improved Playbooks
- ATD - Detonate File
-- Check that ATD is available and also get the PDF report
- Hunt for bad IOCs
-- McAfee TIE added
Integrations
7 New Integrations
- Digital Shadows
-- Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web
- Cisco Email Security Appliance (IronPort)
-- Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing
- McAfee NSM
-- McAfee Network Security Manager
- OpsGenie
-- Get current on-call assignments and user info
- PhishTank
-- PhishTank is a free community site where anyone can submit, verify, track and share phishing data
- iDefense
-- Accenture Security
- Sample Incident Generator
-- Generate random incidents per given parameters
15 Improved Integrations
- AMP
-- Fixed Test button
- FalconHost
-- Fixed upload IOC command
- FalconIntel
-- Added cs-report-pdf to retrieve the report PDF
- ipinfo
-- Added outputs to the 'ip' command so they can be used in a playbook; added proxy support
- McAfee Active Response
-- Added mar-search-multiple command
- OpenPhish
-- Fixed reload mechanism
- QRadar
-- Fixed update offense to use URL-encoded data
- ThreatExchange
-- Will now add DBotScore 0 when no results are returned
- VirusTotal
-- Fixed wrong indicator when there is no response
- WildFire
-- Ignoring SHA1 hashes
- Zendesk
-- Added zendesk-add-comment command. Improved incident fetching mechanism. Improved zendesk-list-tickets output.
- Censys
-- Set docker dependency to default docker image
- CyberArkAIM
-- Added reset credentials and account details commands
- jira
-- Changed issueJson argument to accept any object
Scripts
4 New Scripts
- ContextSearchForString
-- Searches for a string in a path in context. If path is null, the string is searched for in the full context
- ConvertXmlFileToJson
-- Converts an XML file entry to JSON format
- EPOFindSystem
-- Return system info
- UnPackFile
-- Unpack a file, using fileName or entryID to specify the file. Unpacked files are pushed to the war room and their names are pushed to the context
10 Improved Scripts
- ADGetUser
-- Support querying multiple AD instances
- CommonIntegrationPython
-- Added missing entry types
- CommonServer
-- Updated flattenFields to support the case in which path is not given as an argument. Added mergeForeignObjects function
- CommonServerPython
-- Added function to create a file result from an existing file. Added missing entry types
- ContainsCreditCardInfo
-- Fix regex
- ConvertXmlToJson
-- Changed verbose to be True by default
- CreateEmailHtmlBody
-- Added the ability to provide values in an object as argument. Returns the HTML body as an object for non-incident usage (i.e. pre-processing scripts)
- PCAPMiner
-- Do not read / copy extracted files
- PDFUnlocker
-- Do not re-read the PDF file
- UnzipFile
-- Do not read / copy unzipped files
Removed Scripts
- DataHashReputation
- DataIPReputation
- DataURLReputation
Hypersearch
- Reputation score calculation changed to make better use of caches for indicators. By default, the score is the maximum score received from vendors. To change this behaviour, specify your own score calculation script under reputationScriptName
Demisto Content 3.0.3 Release
Release Notes for version 3.0.3 (4089)
Integrations
2 New Integrations
- McAfee Active Response
-- Connect to MAR using its DXL client
- SentinelOne
-- Endpoint protection
5 Improved Integrations
- ArcSight ESM
-- Fix proxy parameter type
- RSA Archer
-- Add parser for Group type fields
- SplunkPy
-- Add capability to edit notable events in Splunk ES and create jobs in Splunk
- VirusTotal
-- Added subdomains, whois lookup, and DNS IP addresses to the response entry
- CyberArkAIM
-- Fixed timeout issue when there are no existing connections
Reports
Improved Reports
- Investigation Summary
-- Added the ability to format queries for indicators and incidents
-- Added indicators table section with bad and suspicious indicators related to investigation
Scripts
2 New Scripts
- ContainsCreditCardInfo
-- Checks if a given argument contains credit card info. Returns 'no' otherwise
- StringReplace
-- Replaces regex match(es) in a string. Returns the string after the replacement was performed
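The check ContainsCreditCardInfo performs is worth spelling out, because a digit-run regex on its own flags order numbers, tracking IDs and phone numbers as card data. The following is an added example written for this page, not the script's own code: it finds 13-19 digit runs that may be separated by spaces or hyphens, then keeps only those that pass the Luhn checksum, which is the test a practitioner would add to cut false positives. The sample text and the card numbers in it are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by a single space or
# hyphen, and not adjacent to other digits (so a longer serial is not split up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubled values above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list:
    """Return the Luhn-valid card numbers in `text`, separators removed."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def contains_credit_card_info(text: str) -> str:
    """Same contract as the script: 'yes' if a card number is present, else 'no'."""
    return "yes" if find_credit_cards(text) else "no"


# Constructed sample. The 4111... and 5500... values are commonly published
# payment-gateway test numbers (Luhn-valid); the 16-digit order reference and
# the mistyped card fail the checksum and must not be reported.
SAMPLE_TEXT = (
    "Customer paid with 4111 1111 1111 1111 (exp 12/24); "
    "order ref 1234567890123456; "
    "card on file 5500-0000-0000-0004; "
    "mistyped 4111 1111 1111 1112"
)

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE_TEXT))          # ['4111111111111111', '5500000000000004']
    print(contains_credit_card_info(SAMPLE_TEXT))  # yes
```

The checksum catches the mistyped number as well as the order reference; a single-digit typo in a real PAN almost always breaks Luhn, which is the property the check was designed for.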
6 Improved Scripts
- AssignAnalystToIncident
-- Added the ability to assign an owner by email. Added the ability to assign randomly from all online analysts
- CommonServer
-- Added pascalToSpace function and header formatting interface to createEntry
- CommonServerPython
-- Fixed bug in sectionsToMarkdown
- ConvertXmlToJson
-- Now converts XML to a JSON object (until now it was a string)
- EmailAskUser
-- Added replyTo to the send-mail command
- SendEmail
-- Added replyTo option
Demisto Content 3.0.2 Release
Release Notes for version 3.0.2 (3923)
Integrations
7 New Integrations
- AlienVault OTX
-- Query IOCs in AlienVault
- Autofocus
-- Palo Alto Networks AutoFocus
- MxToolBox
-- All of your MX record, DNS, blacklist and SMTP diagnostics in one integrated tool
- VxStream
-- Fully automated malware analysis with unique Hybrid Analysis
- Zendesk
-- IT service management
- CyberArk
-- Query CyberArk Application Identity Manager for accounts and credentials
- nmap
-- Run nmap scans with the given parameters
9 Improved Integrations
- ArcSight XML
-- ArcSight XML will support mapping
- Check Point
-- Clearer error messages
- McAfee ESM-v10
-- Fixed fetch-incidents of cases: gets all new cases associated with the integration user whose ID is given as an integration parameter
- F5 firewall
-- Added command to list all user sessions
- LogRhythm
-- Fixed lr-get-alarm-events-by-id command
- EWS
-- Added find folders command, support for fetching mails from a predefined folder, and various fixes to command outputs
- PassiveTotal
-- Fixed search command
- SplunkPy
-- Added capabilities to search events and create events back into Splunk
- Vectra
-- Fixed some edge cases of the vec-detections API call
Scripts
5 New Scripts
- CreateEmailHtmlBody
-- This script allows creating an HTML email body, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DQ format (i.e. ${incident.id} for the incident ID). Available placeholders include, for example:
-- ${incident.labels.Email/from}
-- ${incident.name}
-- ${args.subject}
-- See the incident Context Data menu for the available placeholders
- DumpJSON
-- Dumps a JSON from a context key input, and returns a JSON object string result
- GoogleAuthURL
-- Generate a Google auth URL to authenticate for a given list of scopes
- StringLength
-- Returns the length of the string passed as argument
- http
-- Wrapper around the http common function
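The placeholder syntax described for CreateEmailHtmlBody maps onto a short renderer. The following is an added example written for this page, not the script itself: it resolves ${...} paths against a nested dictionary (a simplification of this example; in Demisto, incident labels are a list of label objects, not the flat dict assumed here), leaves unresolved placeholders visible instead of silently blanking them, and HTML-escapes every substituted value. The escaping is the editor's recommendation rather than a description of the script's behaviour: fields such as an email subject are taken from the attacker's message, and substituting them into an HTML body unescaped lets that message inject markup into the analyst notification. The template and incident data are constructed for the example.

```python
import html
import re

# ${path} placeholders, DQ-style: the path is everything between the braces.
_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_path(data: dict, path: str):
    """Walk a dotted path such as 'incident.labels.Email/from' through nested
    dicts. Segments are split on '.' only, so a key containing '/' is fine.
    Returns None if any segment is missing."""
    current = data
    for segment in path.split("."):
        if not isinstance(current, dict) or segment not in current:
            return None
        current = current[segment]
    return current


def render_html_body(template: str, data: dict) -> str:
    """Substitute every placeholder, HTML-escaping the value so that
    attacker-controlled fields (a phishing mail's subject, for instance)
    cannot inject markup into the notification. Unresolved placeholders are
    left in place so the gap is visible to the analyst."""
    def substitute(match):
        value = resolve_path(data, match.group(1))
        if value is None:
            return match.group(0)
        return html.escape(str(value), quote=True)
    return _PLACEHOLDER.sub(substitute, template)


# Constructed template and incident data. Labels are modelled as a flat dict
# keyed by label type; that is an assumption of this example, not the
# platform's actual label structure.
TEMPLATE = (
    "<p>Incident <b>${incident.id}</b>: ${incident.name}</p>"
    "<p>Reported by ${incident.labels.Email/from}</p>"
    "<p>Subject: ${args.subject}</p>"
    "<p>Unset: ${incident.missing}</p>"
)
DATA = {
    "incident": {
        "id": "1042",
        "name": "Suspicious invoice",
        "labels": {"Email/from": "billing@example.com"},
    },
    "args": {"subject": '<script>alert("x")</script> Re: invoice'},
}

if __name__ == "__main__":
    print(render_html_body(TEMPLATE, DATA))
```

Escaping happens at the substitution point rather than on the whole template, so the template author keeps control of the markup while every value that arrived with the incident is rendered as text.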
22 Improved Scripts
- CommonServerPython
-- Added methods like json2xml and xml2json
- DataDomainReputation
-- Use caching to determine whether to run the script again or not (from version 3.1.0)
- DataHashReputation
-- Use caching to determine whether to run the script again or not (from version 3.1.0)
- DataIPReputation
-- Use caching to determine whether to run the script again or not (from version 3.1.0)
- DataURLReputation
-- Use caching to determine whether to run the script again or not (from version 3.1.0)
- ExportToCSV
-- Wrap values that contain commas in quotes
- HTTPListRedirects
-- Make sure URLs have an http prefix
- PCAPMiner
-- The ability to provide the Demisto lib location
- ParseEmailFiles
-- Removed pip install for the olefile dependency; not needed
- Print
-- Added Markdown support
- ToTable
-- Flatten data objects by default
- UnzipFile
-- Updated: unzipped files are pushed to the war room
- VectraClassifier
-- Deprecated, use the classification wizard instead
- VectraDetections
-- Deprecated, use the vectra-detections command instead
- VectraGetDetetctionsById
-- Deprecated, use the vectra-detections command instead
- VectraGetHostById
-- Deprecated, use the vectra-hosts command instead
- VectraHealth
-- Deprecated, use the vectra-health command instead
- VectraHosts
-- Deprecated, use the vectra-hosts command instead
- VectraSensors
-- Deprecated, use the vectra-sensors command instead
- VectraSettings
-- Deprecated, use the vectra-settings command instead
- VectraSummary
-- Deprecated
- VectraTriage
-- Deprecated, use the vectra-triage command instead
Demisto Content 3.0.1 Release
Release Notes for version 3.0.1 (3674)
Playbooks
New Playbooks
- McAfeeESMTest
Modified Playbooks
- Phishing Playbook - Automated
-- Fix default display name in email message
Integrations
New Integrations
- AlienVault OTX
-- Query IOCs in AlienVault
- RSA Archer
-- The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.
- Cisco Spark
-- Send messages, create rooms and more, via the Cisco Spark API.
- Cybereason
-- Gets processes/connections using the Cybereason API.
- DomainTools
-- Domain name, DNS and Internet OSINT-based cyber threat intelligence and cybercrime forensics products and data
- Endgame
-- Endpoint protection built to stop advanced attacks before damage and loss occurs
- Service Manager
-- Service Manager by Micro Focus (formerly HPE Software).
- MISP
-- Malware Information Sharing Platform and Threat Sharing
- malwr
-- Analyze files using the malwr sandbox
- PacketMail
-- Intel lookup for IPs
- Panorama
-- Manage Palo Alto Networks firewalls via the Panorama management interface
- Phishme Intelligence
-- Human-vetted, phishing-specific threat intelligence from Phishme.
- SumoLogic
-- Cloud-based service for logs & metrics management
- Symantec Advanced Threat Protection
-- Advanced protection capabilities from Symantec
- urlscan.io
-- urlscan.io reputation
- Verodin
-- Verodin simulations and topology
- fireeye
-- Perform malware dynamic analysis
- jamf
-- Jamf device management
Modified Integrations
- Cisco Umbrella Investigate
-- Fix response for non-existing domains/IPs
- Cisco CloudLock
-- Added Demisto-side filtering of results
- Cylance Protect
-- Better error notifications
- McAfee ESM-v10
-- Added support for case management and fetch-incidents of cases
- Incapsula
-- Added proxy setting support
- LightCyber Magna
-- Added the commands lcm-host-autoruns, lcm-host-processes-internet-connections, lcm-host-loaded-modules, lcm-host-processes, lcm-host-suspicious-artifacts, lcm-host-opened-ports
- LogRhythm
-- Support exporting incident full JSON
- EWS
-- Support getting an attachment of an item (mail)
- ProtectWise
-- Consolidated command names. Upgraded with outputs. Can fetch incidents from ProtectWise events with filtering on event names. Timestamps presented in human-readable format.
- QRadar
-- Support exporting incident full JSON
- RSA NetWitness Packets and Logs
-- Add last-minutes functionality
- RSA NetWitness Security Analytics
-- Upgrade to new format. Added human-readable format and some command fixes
- SplunkPy
-- First fetch brings the last 10 minutes of notable events
- ThreatConnect
-- Fix proxy condition in TC, add threshold, fix various issues, support DBot score and context update, change no-results outputs
- Threat Grid
-- Fixed file return bug
- Vectra
-- Support exporting incident full JSON
- Venafi
-- Context creation by Venafi search and new search arguments
- jira
-- Merging Ticket entity by Id
- McAfeeDAM
-- Support exporting incident full JSON
- Rasterize
-- Added proxy settings
- Trend Micro
-- Support exporting incident full JSON
Reports
Scripts
New Scripts
- DataDomainReputation
-- Evaluate the reputation of a URL or domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.
- EmailAskUserResponse
-- Extract the user's response from an EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
- ExtractDomain
-- Extract domains from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.
- ExtractDomainFromURL
-- Extract the domain from a URL. The domain will include the sub-domain as well
- HTTPListRedirects
-- List the redirects for a given URL
- IsValueInArray
-- Look for a value in an array
- MatchRegex
-- Extract regex data from the given text; supports groups as well
- PanoramaDynamicAddressGroup
- ResolveShortenedURL
-- Resolve the original URL from the given shortened URL and place it both as output and in the context of a playbook. (https://unshorten.me/api)
- ToTable
-- Convert an array to a nice table display. Usually, from the context.
- URLNumberOfAds
- isError
-- Check whether the given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If an array is provided, returns yes if one of the entries returned an error.
- misp_download_sample
-- Download a malicious file sample from MISP
- misp_upload_sample
-- Upload a malicious file sample to MISP
Modified Scripts
- ADGetAllUsersEmail
-- Deprecated
- ADGetComputer
-- Split Groups in context into an array
- ADGetGroupMembers
-- Split Groups in context into an array
- ADGetUser
-- Added limit param and set a default size limit
- AreValuesEqual
-- Arguments are no longer mandatory. If either argument is missing, no is returned.
- CommonServer
-- Added createdEntry function and dqQueryBuilder
- CommonServerPython
-- Added html to formats
- DataHashReputation
-- A manually set indicator reputation value now supersedes threat intel sites
- DataIPReputation
-- A manually set indicator reputation value now supersedes threat intel sites
- DataURLReputation
-- A manually set indicator reputation value now supersedes threat intel sites
- EmailAskUser
-- Options in the HTML email are clickable links that open a new email with the selected option
- ExposeList
-- Deprecated
- ExposeUsers
-- Deprecated. The 'getUsers' builtin command should be used instead
- ExtractURL
-- The ability to extract URLs from a query string
- FileCreateAndUpload
-- Converted to JS. Added the ability to take an entry ID and store its content to a file.
- IsMaliciousIndicatorFound
-- Added the ability to check suspicious indicators as well
- LoadJSON
-- Add outputs and save in context
- NessusCreateScan
-- Deprecated. Use the integration command
- NessusGetReport
-- Deprecated. Use the integration command
- NessusHostDetails
-- Deprecated. Use the integration command
- NessusLaunchScan
-- Deprecated. Use the integration command
- NessusListScans
-- Deprecated. Use the integration command
- NessusScanDetails
-- Deprecated. Use the integration command
- NessusScanStatus
-- Deprecated. Use the integration command
- NessusShowEditorTemplates
-- Deprecated. Use the integration command
- NotInContextVerification
-- Removed spaces from cmdArgs
- ParseEmailFiles
-- Added support for mixed CR/LF in fileType. Support UTF-8 chars.
- StringContains
-- Support looking for one substring out of a list
- VerifyContext
-- Removed spaces from field names
Removed Scripts
- SendURLDetailsByEmail
Release Notes for version 2.0.4 - 7Mar2017
Scripts
- CVE lookup scripts
- ParseEmailFile displaying parsed results and better handling of unicode emails
- Fixed problem in IP Reputation and removed PassiveTotal background queries
- FireEyeDetonateFile script for FireEye AX
- VirustotalIsMalicious - for detailed detection results from Virustotal
Release Notes for version 2.0.3 - 5Mar2017
Integrations
- Cylance PROTECT - Can now fetch threats as Demisto incidents
- RSA Netwitness Security Analytics - updated to support v10.6.2
- ThreatConnect
- CVE Search (circl.lu)
- Censys.io [ Demisto Community - shadejinx ]
- McAfee DAM
- Shodan
- IntSights
Scripts
- PublishEntriesToContext - save any data into context on demand
- BlockIP generic script
- ThreatConnect added to reputation scripts
- SetTime - fill current time into a custom incident field
- McafeeDAMSensorDown - preProcessing script for McAfee DAM - check if sensor is down.
- Utility scripts - MathUtil, Sleep, Print, ConvertXmlToJson, ContextFilter
HyperSearch
Added support for SHA1, SHA256 and CVE IDs.
Release Notes for version 2.0.2 - 6Feb2017
Integrations
- Cylance PROTECT
- Venafi
- Lockpath KeyLight
- Rasterize - Render and rasterize a URL into an image or PDF
- Salesforce
Scripts
- AddEvidence - mark entries as evidence using a script and within playbooks