
Releases: demisto/content

Demisto Content Update 2.0.1 - 1Feb2017

01 Feb 15:34

Release Notes for version 2.0.1 - 1Feb2017

Integrations

  • RSA Netwitness Security Analytics - Added more commands and ability to use system proxy
  • Cuckoo integration - Added ability to use system proxy

Demisto Content Update 2.0.0 - 22Jan2017

22 Jan 12:07

Release Notes for version 2.0.0

Integrations

  • Trend Micro DSM
  • RSA Security Analytics
  • RSA Netwitness Packets and Logs (Decoder, Concentrator and Broker)
  • Koodous
  • OSQuery

Playbooks

  • Phishing playbook enhancements
    • Added steps to find the phishing emails in all mailboxes that contain them, using Mimecast if available
    • Separate tasks for finding emails and deleting them, allowing for human review and approval.
    • Separate tasks for extracting entities from html and text parts of the email.
  • TrendMicro Alert Example playbook

Scripts

  • Autoruns script now saves MD5s of startup modules in context
  • IsIpInRanges - Script to check whether an IP address belongs to a range, e.g. to check internal vs. external in playbooks
  • RunSqlQuery (for MSSQL and MySQL)
  • OSQuery - foundation scripts for querying processes, users, sockets, etc.
  • ExchangeSearch script improved and delete action moved to separate script to enable human approval if desired and more modular usability in playbooks.
  • ADGetEmailForAllUsers - Get a full list of mailboxes for all AD users
  • SendEmail - Now able to send a text entry in the email body by giving a noteEntryID
  • CheckWhitelist - see whether an item is in the named whitelist
  • ADGetUser and ADGetComputer - display chosen attributes of a computer/user from AD
  • BinaryReputationPy - ability to retry X times when the free VirusTotal key hits its rate limit
  • Cuckoo scripts enhanced with better output formatting, parameters for detonation, and more
  • CuckooGetScreenshot - retrieve screenshots from Cuckoo execution into war room
  • SendEmail - ability to send a text entry as an email by entryid

Demisto Content Update 1.1.1 - 25Dec2016

25 Dec 07:56

Release Notes for version 1.1.1

Integrations

  • LightCyber
  • Mimecast
  • Checkpoint Sandblast Threat Emulation Sandbox
  • Algosec BusinessFlow (ABF), Firewall Analyzer (AFA) and FireFlow (AFF)
  • Giphy

Playbooks

  • Enhanced Automated Phishing investigation playbook
  • McAfee playbooks enhanced with automated tasks
  • Default playbook enhanced with clearer steps to classify email alerts
  • Classifier playbook centralizes the logic that picks the correct incident type for incoming incidents
  • Tanium example playbook that demonstrates interaction with Tanium

Scripts

  • ADExpirePassword - Set an AD user's password as expired
  • ADSetNewPassword - Set a new password for an AD user
  • TaniumShowPendingActions - Show actions pending approval (if four-eyes rule is configured)
  • TaniumApprovePendingActions - Approve only actions which use the specified packages.
  • MimecastFindEmail - Use Mimecast to search for an email across all mailboxes.
  • TaniumAskQuestion - default timeout behavior fixed
  • ADUserLogonInfo bugfix
  • Slack Mirroring - new feature to mirror War Room activity into Slack
  • SandboxDetonateFile now supports Sandblast
  • SandboxDetonateFile now supports explicitly picking which sandboxes to use by specifying "using-brand" argument
  • ScheduleCommand - Schedule recurring execution of a command. Can be used inside playbooks.
  • Background reputation checks for URLs and IP addresses now include PassiveTotal (if configured).
  • IncidentSet now updates context after modifying incident metadata
  • StixParser script for incoming Threat Intel

Demisto Content Update 1.1.0 - 27Nov2016

27 Nov 13:47

Release Notes for version 1.1.0

Integrations

  • Amazon Web Services
  • Vectra
  • Okta
  • Box
  • Imperva Skyfence
  • Imperva Incapsula

Playbooks

  • Rapid IOC Hunting playbook - Takes an incoming CSV with new IPs and MD5s and reacts rapidly to search and block them using a variety of security integrations.
  • Symantec Endpoint Compliance playbook - Use Symantec Endpoint Protection to check the latest AV definitions from Symantec Cloud and verify AV definition versions on endpoints. If any outdated endpoints are found, open a ticket and send an email alert.
  • McAfee ePO Repository compliance - Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
  • McAfee ePO Endpoint compliance - Discover endpoints that are not using the latest McAfee AV Signatures.
  • McAfee ePO Endpoint Connectivity Diagnostics playbook - Perform a check on ePO endpoints to see if any are unmanaged or have lost connectivity with ePO, and take steps to return them to a valid state.
  • Checkpoint Firewall Configuration Backup playbook - Connects to several Checkpoint firewall appliances using SSH and triggers a backup task, then pulls the resulting backup file to Demisto using SCP, while generating a report to show whether any firewalls failed to trigger the backup task.

Scripts

  • VolJson and VolMalfindDump are now server scripts using RemotExec (SSH through a RemoteAccess integration instance) to run Volatility without running a d2 agent
  • CheckSenderDomainDistance - may now receive a comma-separated list of domains as an argument. It will check whether the sender's email address uses a domain that is close to any of the domains supplied. This is useful when your organization has several domains in use for employee email addresses, e.g. both acmemail.com and acme.com
  • CBFindIP and CBFindHash - use Carbon Black to search your enterprise quickly for an IP or Hash.
  • CBLiveGetFile - Use Carbon Black to open a Live shell on an endpoint and pull the designated file
  • CBPBanHash - Now supports banning multiple hashes at once (comma-separated) using Carbon Black Protection (Bit9)
  • CBPCatalogFindHash - Look up a hash in the Bit9 file catalog
  • PWFindEvents - Takes several IP addresses and finds all events involving at least one of them.
  • Elasticsearch
  • SearchIncidents - search for other existing incidents within Demisto