Releases: demisto/content

Demisto Content Release Notes for version 18.8.1 (11545)

09 Aug 16:20

Published on 09 August 2018

Integrations

4 New Integrations

12 Improved Integrations

  • ServiceNow
    Added the servicenow-get-computer command.
  • SplunkPy
    Improved handling of a key that appears more than once in the _raw event in parseNotableEventsRaw.
  • Okta
    Added new commands.
    • list-groups
    • get-groups-members
    Added several arguments to the other group commands.
  • urlscan.io
    Improved DBotScore calculation.
  • ipinfo
    Improved DBotScore calculation.
  • VirusTotal
    • Enhanced outputs for the ip, domain, and file commands.
    • Added support for scans table as output in the file and url commands.
  • Zscaler
    Added 4 new commands. For more information, see the Zscaler documentation.
    • zscaler-category-add-url
    • zscaler-category-add-ip
    • zscaler-category-remove-url
    • zscaler-category-remove-ip
  • FireEye (AX Series)
    Added the submit-url command.
  • Atlassian Jira
    Added support for sub-task creation. For more information, see the Jira documentation.
  • OPSWAT-Metadefender
    Added support for Metadefender on cloud.
  • Joe Security
    Added support for multiple values in the submit and info commands.

Scripts

3 New Scripts

  • GenericPollingScheduledTask
    Runs the polling command repeatedly and completes a blocking manual task when polling is complete.
  • GetDuplicatesMlv2
    Finds duplicate incident candidates using machine learning techniques with pre-defined data.
  • PrintErrorEntry
    Prints an error entry with a customizable message.

1 Improved Script

  • FindSimilarIncidentsByText
    • Support for multiple time fields.
    • Support for custom text length.

1 Deprecated Script

  • GetDuplicatesMl
    Use the GetDuplicatesMlv2 script instead.

Playbooks

New Playbook

  • Dedup - Generic
    Generic playbook that finds duplicate incidents using one of the available methods.

8 Improved Playbooks

  • Process Email - Generic
    Auto-extract indicators from emails (inline).
  • Entity Enrichment - Generic
    Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
  • File Enrichment - Generic
    Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
  • URL Enrichment
    Added support for the VirusTotal Private API integration.
  • IP Enrichment
    Added support for the VirusTotal Private API integration.
  • Domain Enrichment
    Added support for the VirusTotal Private API integration.
  • Phishing Investigation - Generic
    Added support for indicators extraction from files.
  • McAfee ATD Detonate File
    This playbook was added back to Demisto.

Demisto v4.0

This content will be available with the official release of Demisto v4.0.

Integrations

  • Hybrid Analysis
    Fully automated malware analysis with unique Hybrid Analysis. An out-of-the-box integration instance is provided.
  • Carbon Black Enterprise Live Response
    Added explicit Carbon Black Live Response commands.
    • cb-process-kill
    • cb-process-execute
    • cb-memdeump
    • cb-command-create
    • cb-file-delete-from-endpoint
    • cb-registry-query-value
    • cb-registry-create-key
    • cb-registry-delete-key
    • cb-registry-delete-value
    • cb-registry-set-value
    • cb-process-list
    • cb-get-file-from-endpoint
    • cb-push-file-to-endpoint
  • Rapid7 Nexpose
    Added scan functionality using the Nexpose Scan Site/Assets sub-playbooks.

Scripts

  • RunPollingCommand
  • EmailAskUser
    Communicate with a user through email, and process the reply directly into the investigation.
  • TopMaliciousRatioIndicators
    Finds the top malicious ratio indicators.
  • MaliciousRatioReputation
    Sets indicator reputation to suspicious when the malicious ratio exceeds the threshold.
  • ScheduleGenericPolling
    Called by the GenericPolling playbook, schedules the polling task.

Playbooks

  • GenericPolling
    Generic Polling Playbook.

Widgets

  • Disk Usage % per Engine
    Current disk usage percentage per engine.
  • Disk Usage % per Engine (last 24h)
    Disk usage percentage per engine in the previous 24 hours.
  • CPU Usage % per Engine
    Current CPU usage percentage per engine.
  • CPU Usage % per Engine (last 24h)
    CPU usage percentage per engine in the previous 24 hours.
  • Memory Usage % per Engine
    Current memory usage percentage per engine.
  • Memory Usage % per Engine (last 24h)
    Memory usage percentage per engine in the previous 24 hours.
  • Workers per Engine
    Current number of workers per engine.
  • Busy Workers Count per Engine
    Current number of busy workers per engine.
  • Busy Workers per Engine (last 24h)
    Number of busy workers per engine in the previous 24 hours.
  • TopMaliciousRatioIndicators
    Malicious Ratio indicator widget that displays indicators appearing in a high ratio of incidents classified as bad.
  • My Tasks
    Displays active to-do tasks assigned to a user.

Dashboards

  • My Dashboard
    A user-focused dashboard that displays analyst progress and to-do lists.

For the full release notes, see Demisto Content Release v.18.8.1

Demisto Content Release Notes for version 18.8.0 (11465)

08 Aug 16:52

Published on 08 August 2018

Integrations

4 New Integrations

14 Improved Integrations

  • ServiceNow
    Added the servicenow-get-computer command.
  • SplunkPy
    Improved handling of a key that appears more than once in the _raw event in parseNotableEventsRaw.
  • Okta
    Added new commands.
    • list-groups
    • get-groups-members
    Added several arguments to the other group commands.
  • urlscan.io
    Improved DBotScore calculation.
  • ipinfo
    Improved DBotScore calculation.
  • VirusTotal
    • Enhanced outputs for the ip, domain, and file commands.
    • Added support for scans table as output in the file and url commands.
  • Zscaler
    Added 4 new commands. For more information, see the Zscaler documentation.
    • zscaler-category-add-url
    • zscaler-category-add-ip
    • zscaler-category-remove-url
    • zscaler-category-remove-ip
  • FireEye (AX Series)
    Added the submit-url command.
  • Atlassian Jira
    Added support for sub-task creation. For more information, see the Jira documentation.
  • OPSWAT-Metadefender
    Added support for Metadefender on cloud.
  • Rapid7 Nexpose
    Added scan functionality using the Nexpose Scan Site/Assets sub-playbooks.
  • Joe Security
    Added support for multiple values in the submit and info commands.
  • Carbon Black Enterprise Live Response
    Added explicit Carbon Black Live Response commands.
    • cb-process-kill
    • cb-process-execute
    • cb-memdeump
    • cb-command-create
    • cb-file-delete-from-endpoint
    • cb-registry-query-value
    • cb-registry-create-key
    • cb-registry-delete-key
    • cb-registry-delete-value
    • cb-registry-set-value
    • cb-process-list
    • cb-get-file-from-endpoint
    • cb-push-file-to-endpoint

Scripts

3 New Scripts

  • GenericPollingScheduledTask
    Runs the polling command repeatedly and completes a blocking manual task when polling is complete.
  • GetDuplicatesMlv2
    Finds duplicate incident candidates using machine learning techniques with pre-defined data.
  • PrintErrorEntry
    Prints an error entry with a customizable message.

1 Improved Script

  • FindSimilarIncidentsByText
    • Support for multiple time fields.
    • Support for custom text length.

1 Deprecated Script

  • GetDuplicatesMl
    Use the GetDuplicatesMlv2 script instead.

Playbooks

New Playbook

  • Dedup - Generic
    Generic playbook that finds duplicate incidents using one of the available methods.

6 Improved Playbooks

  • Process Email - Generic
    Auto-extract indicators from emails (inline).
  • Entity Enrichment - Generic
    Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
  • File Enrichment - Generic
    Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
  • URL Enrichment
    Added support for the VirusTotal Private API integration.
  • IP Enrichment
    Added support for the VirusTotal Private API integration.
  • Domain Enrichment
    Added support for the VirusTotal Private API integration.

Demisto v4.0

This content will be available with the official release of Demisto v4.0.

Integrations

  • Hybrid Analysis
    Fully automated malware analysis with unique Hybrid Analysis. An out-of-the-box integration instance is provided.

Scripts

  • RunPollingCommand
  • EmailAskUser
    Communicate with a user through email, and process the reply directly into the investigation.
  • TopMaliciousRatioIndicators
    Finds the top malicious ratio indicators.
  • MaliciousRatioReputation
    Sets indicator reputation to suspicious when the malicious ratio exceeds the threshold.
  • ScheduleGenericPolling
    Called by the GenericPolling playbook, schedules the polling task.

Playbooks

  • GenericPolling
    Generic Polling Playbook.

Widgets

  • Disk Usage % per Engine
    Current disk usage percentage per engine.
  • Disk Usage % per Engine (last 24h)
    Disk usage percentage per engine in the previous 24 hours.
  • CPU Usage % per Engine
    Current CPU usage percentage per engine.
  • CPU Usage % per Engine (last 24h)
    CPU usage percentage per engine in the previous 24 hours.
  • Memory Usage % per Engine
    Current memory usage percentage per engine.
  • Memory Usage % per Engine (last 24h)
    Memory usage percentage per engine in the previous 24 hours.
  • Workers per Engine
    Current number of workers per engine.
  • Busy Workers Count per Engine
    Current number of busy workers per engine.
  • Busy Workers per Engine (last 24h)
    Number of busy workers per engine in the previous 24 hours.
  • TopMaliciousRatioIndicators
    Malicious Ratio indicator widget displays indicators that appear in high ratio compared to bad incidents.
  • My Tasks
    Displays active to-do tasks assigned to a user.

Dashboards

  • My Dashboard
    A user-focused dashboard that displays analyst progress and to-do lists.

For the full release notes, see Demisto Content Release v.18.8.0

Demisto Content Release Notes for version 18.7.3 (11000)

26 Jul 16:08

Published on 26 July 2018

Integrations

2 New Integrations

  • McAfee Advanced Threat Defense
    Integrated advanced threat detection, enhancing protection from network edge to endpoint.
  • Palo Alto - Minemeld
    Orchestrate threat intelligence and enforce new prevention-based controls.

6 Improved Integrations

  • PassiveTotal
    Improved handling of missing tag parameters.
  • Demisto Lock
    Increased the default timeout to 600 seconds.
  • Demisto REST API
    Added support for responses other than JSON.
  • Okta
    Changed the proxy parameter from short text to boolean.
  • Symantec Managed Security Services
    • Severities for fetching incidents are now a configurable parameter.
    • Fixed the incident occurrence time.
  • Cisco Threat Grid
    Added two new commands.
    • threat-grid-detonate-file
    • threat-grid-url-to-file

Scripts

2 New Scripts

  • DocumentationAutomation
    Automates integration documentation.
  • SSDeepReputation
    Calculates ssdeep reputation based on similar files (ssdeep similarity) in the system.

4 Improved Scripts

  • DeleteContext
    Added the ability to specify which context keys to retain when deleting all context.
  • DisplayHTML
    Fixed script execution when markAsNote was not defined.
  • ExportToCSV
    Modified to support more inputs.
  • ExposeIncidentOwner
    The script can now handle usernames that include a backslash.

Playbooks

New Playbooks

  • ATD - Detonate File
    Detonate a file using McAfee ATD.

2 Improved Playbooks

  • DeDup incidents
    Renamed the playbook.
  • Detonate File - Generic
    Added the detonate-file command in McAfee ATD.

Reputations

2 New Reputations

  • Extract the domain from URLs.
  • Added ssdeep reputation.

Demisto Content Release Notes for version 18.7.2 (10920)

24 Jul 16:19

Published on 24 July 2018

Integrations

2 New Integrations

  • RTIR
    Request Tracker for Incident Response (RTIR) is a ticketing system that provides pre-configured queues and workflows designed for incident response teams. For more information, see the RTIR documentation.
  • Zoom
    Cloud-based enterprise video and audio conferencing. For more information, see the Zoom documentation.

11 Improved Integrations

  • ArcSight ESM
    Improved the as-add-entries command to support passing an array of entries from context.
  • EWS v2
    The integration now handles unnamed attachments.
  • Passive Total
    Several integration improvements.
    • Added support for proxy connections and insecure connections.
    • Added support for id and domain.
    • The url command score is now based on pt-enrichment, according to tags or classification.
  • Proofpoint TAP
    You can now specify which event types to fetch.
  • SentinelOne
    Updated the default API to v2.0.
  • SplunkPy
    Fixed a SplunkPy proxy issue.
  • Twilio
    When you test the integration instance, only credentials are checked.
  • FireEye (AX Series)
    Added functionality to submit URLs to FireEye and retrieve their status.
    • fe-submit-url
    • fe-submit-url-status
  • RSA NetWitness Security Analytics
    Added a maximum of 50 incidents per fetch from NetWitness.
  • Rasterize
    Added base64 output to the rasterize-email command.
  • AlienVault OTX
    Removed DBot Score outputs.

Scripts

2 New Scripts

  • FilterByList
    Checks whether a specified item is in a list. The default list is the Demisto Indicators Whitelist.
  • RepopulateFiles
    After running DeleteContext, this script can repopulate all of the file entries in the ${File} context key.

2 Improved Scripts

  • CrowdStrikeUrlParse
    The ID is now detected as a build number, which consists of digits (0-9) and has no length limitation.
  • ParseEmailFiles
    • Added support for SMTP mail text and ASCII text files.
    • Fixed a bug in email address parsing.

1 Deprecated Script

  • CheckWhitelist
    Use the FilterByWhitelist script instead.

Playbooks

2 Improved Playbooks

  • Vulnerability Management - Nexpose (Job)
    • Removed built-in hostname.
    • Added a task that closes the investigation when the job completes.
  • Process Email - Generic
    Uploads an HTML-rendered image to the Summary page.

Widgets

2 Improved Widgets

  • Server CPU Usage % (last 24h)
    Added support for data from the previous 24 hours.
  • Server Memory Usage % (last 24h)
    Added support for data from the previous 24 hours.

Incident Fields

1 New Incident Field

  • Added the HTML Image field.

Incident Layouts

1 Improved Incident Layout

  • Phishing - Summary
    Added the HTML Image field.

Demisto Content Release Notes for version 18.7.1 (10607)

11 Jul 11:57

Published on 11 July 2018

Fixes

2 General Fixes

  • Fixed a task in the Phishing Investigation - Generic playbook that failed due to missing incident fields.
  • Added the Domain formatting script.

Integrations

4 New Integrations

  • Mail Sender (New)
    Sends emails (implemented in Python) with support for embedded images. For more information, see the Mail Sender (New) documentation.
  • RedLock
    Cloud threat defense. For more information, see the RedLock documentation.
  • Rapid7 Nexpose
    Rapid7's on-premise vulnerability management solution. For more information, see the Nexpose documentation.
  • Recorded Future
    Unique threat intelligence technology that automatically serves up relevant insights in real time. For more information, see the Recorded Future documentation.

13 Improved Integrations

  • CrowdStrike Falcon Sandbox
    Added support for single-server setup.
  • Cylance Protect v2
    In context, device data outputs are now under the Endpoint path.
  • Farsight DNSDB
    • Improved error handling for 400 and 404 responses.
    • Improved human-readable output.
  • EWS v2
    Fixed handling of attachments with empty name or content.
  • ipinfo
    Added support for using an API token with paid plans.
  • PostgreSQL
    Fixed the "no rows returned" error.
  • Tanium
    Fixed Tanium timeout on errors.
  • VMware
    Fixed VMware timeout on errors.
  • CrowdStrike Falcon Intel
    Added support for v2 indicator API. For more information, see the CrowdStrike Falcon Intelligence v2 documentation.
  • TruSTAR
    Added priority level and deep links to the related-indicators command.
  • AWS - EC2
    Added 6 new commands:
    • aws-ec2-copy-image
    • aws-ec2-copy-snapshot
    • aws-ec2-describe-reserved-instances
    • aws-ec2-monitor-instances
    • aws-ec2-unmonitor-instances
    • aws-ec2-reboot-instances
  • Palo Alto WildFire
    Handled the missing report exception for the wildfire-report command.
  • Demisto REST API
    Added the demisto-api-multipart and demisto-api-download commands to upload files to and download files from the Demisto server.

Scripts

4 New Scripts

  • IPToHost
    Get the hostname correlated with the input IP.
  • NexposeCreateIncidentsFromAssets
    Create incidents based on the Nexpose asset ID and vulnerability ID.
  • DemistoLogsBundle
    Imports the Demisto Log Bundle to the current War Room.
  • DemistoUploadFile
    Upload a file from the current incident's War Room to another incident's War Room.

2 Improved Scripts

  • EmailAskUser
    Added cc and bcc arguments.
  • ExtractDomainFromUrlAndEmail
    Avoids an error in the domain formatting script.

Playbooks

4 New Playbooks

  • Access Investigation - Generic
    Investigate an access incident by gathering user and IP information.
  • Access Investigation - QRadar
    Use the QRadar integration to investigate an access incident by gathering user and IP information.
  • Vulnerability Handling - Nexpose
    Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools.
  • Vulnerability Management - Nexpose (Job)
    Manage assets' vulnerabilities using Rapid7 Nexpose.

5 Improved Playbooks

  • Calculate Severity - 3rd-party integrations
    Added support for Nexpose severity.
  • Calculate Severity - Generic
    Added support for Nexpose severity.
  • IP Enrichment - Generic
    Added ip to host capability.
  • Process Email - Generic
    This is now a generic playbook, and supports all relevant integrations (not only EWS).
  • Tanium Demo Playbook
    Removed the deploy action command at the end of the playbook.

Demisto Content Release Notes for version 18.7.0 (10573)

10 Jul 15:41

Published on 10 July 2018

Integrations

4 New Integrations

  • Mail Sender (New)
    Sends emails (implemented in Python) with support for embedded images. For more information, see the Mail Sender (New) documentation.
  • RedLock
    Cloud threat defense. For more information, see the RedLock documentation.
  • Rapid7 Nexpose
    Rapid7's on-premise vulnerability management solution. For more information, see the Nexpose documentation.
  • Recorded Future
    Unique threat intelligence technology that automatically serves up relevant insights in real time. For more information, see the Recorded Future documentation.

12 Improved Integrations

  • CrowdStrike Falcon Sandbox
    Added support for single-server setup.
  • Cylance Protect v2
    In context, device data outputs are now under the Endpoint path.
  • Farsight DNSDB
    • Improved error handling for 400 and 404 responses.
    • Improved human-readable output.
  • EWS v2
    Fixed handling of attachments with empty name or content.
  • ipinfo
    Added support for using an API token with paid plans.
  • PostgreSQL
    Fixed the "no rows returned" error.
  • Tanium
    Fixed Tanium timeout on errors.
  • VMware
    Fixed VMware timeout on errors.
  • CrowdStrike Falcon Intel
    Added support for v2 indicator API. For more information, see the CrowdStrike Falcon Intelligence v2 documentation.
  • TruSTAR
    Added priority level and deep links to the related-indicators command.
  • AWS - EC2
    Added 6 new commands:
    • aws-ec2-copy-image
    • aws-ec2-copy-snapshot
    • aws-ec2-describe-reserved-instances
    • aws-ec2-monitor-instances
    • aws-ec2-unmonitor-instances
    • aws-ec2-reboot-instances
  • Palo Alto WildFire
    Handled the missing report exception for the wildfire-report command.

Scripts

2 New Scripts

  • IPToHost
    Get the hostname correlated with the input IP.
  • NexposeCreateIncidentsFromAssets
    Create incidents based on the Nexpose asset ID and vulnerability ID.

2 Improved Scripts

  • EmailAskUser
    Added cc and bcc arguments.
  • ExtractDomainFromUrlAndEmail
    Avoids an error in the domain formatting script.

Playbooks

4 New Playbooks

  • Access Investigation - Generic
    Investigate an access incident by gathering user and IP information.
  • Access Investigation - QRadar
    Use the QRadar integration to investigate an access incident by gathering user and IP information.
  • Vulnerability Handling - Nexpose
    Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools.
  • Vulnerability Management - Nexpose (Job)
    Manage assets' vulnerabilities using Nexpose.

5 Improved Playbooks

  • Calculate Severity - 3rd-party integrations
    Added support for Nexpose severity.
  • Calculate Severity - Generic
    Added support for Nexpose severity.
  • IP Enrichment - Generic
    Added ip to host capability.
  • Process Email - Generic
    This is now a generic playbook, and supports all relevant integrations (not only EWS).
  • Tanium Demo Playbook
    Removed the deploy action command at the end of the playbook.

Demisto Content Release Notes for version 18.6.1 (10262)

26 Jun 17:46

Published on 26 June 2018

Integrations

2 New Integrations

  • AlphaSOC Wisdom
    Manage DNS and IP threat intelligence using the AlphaSOC platform. For more information, see the AlphaSOC documentation.
  • Demisto Lock
    Locking mechanism that prevents concurrent execution of different tasks. For more information, see the Demisto Lock documentation.

9 Improved Integrations

  • Demisto REST API
    Added support for responses other than JSON.
  • EWS v2
    When searching all mailboxes, mailboxes without mailboxId are now skipped.
  • Lastline
    Fixed the lastline-upload command.
  • SplunkPy
    Fixed an issue in which the splunk-notable-event-edit command used proxy settings when they were not required.
  • Symantec MSS
    • Severity levels for fetching incidents are now a configurable parameter.
    • Fixed the incident occurrence time.
    For more information, see the Symantec documentation.
  • VxStream
    Added the following items to this integration.
    • submit-file-by-url command
    • DBot Score support
    • Improved handling of empty results returned from the scan command.
  • Intezer
    Added the intezer-upload command. For more information, see the Intezer documentation.
  • Carbon Black Defense
    Added outputs to cbd-get-alert-details.
  • RSA NetWitness Packets and Logs
    Updated argument types.

Scripts

2 New Scripts

  • ExtractDomainFromUrlAndEmail
    Extract the domain from a URL or email.
  • SplunkPySearch
    Run a query through Splunk and format the results as a table.

4 Improved Scripts

  • DisplayHTML
    Fixed script execution in cases that markAsNote was not defined.
  • ExposeIncidentOwner
    The script can now handle usernames that include a backslash.
  • QRadarFullSearch
    Removed the auto-log line.
  • BuildEWSQuery
    Added parameter for stripping the subject from prefixes.

Playbooks

1 New Playbook

  • DeDup incidents
    Checks the current incident for duplicate incidents and closes any duplicates.

2 Improved Playbooks

  • CrowdStrike Falcon Sandbox - Detonate file
    Added support for this command to the upgraded integration.
  • Search And Delete Emails - EWS
    Added the target-mail-box input parameter to the Delete emails from EWS task.

Reputations

2 New Reputations

  • Extract the domain from URLs.
  • Added ssdeep reputation.

Demisto Content Release Notes for version 18.6.0 (9870)

13 Jun 12:07

Published on 13 June 2018

Integrations

7 New Integrations

5 Improved Integrations

  • EWS Mail Sender
    Fixed the "error_message not defined" error.
  • AWS - S3
    Changed the authentication method to STS AssumeRole. For more information, see the AWS S3 documentation.
  • EWS v2
    This integration can now handle errors when moving an item between mailboxes using impersonation. For more information, see the EWS Mail Sender documentation.
  • Rasterize
    Improved Test button functionality.
  • Cisco Umbrella Investigate
    Fixed categorization false positive.

Scripts

2 New Scripts

  • CrowdStrikeUrlParse
    Parse a CrowdStrike alert URL, extract the Agent ID, and pass to the cs-device-details command to return device details.
  • DecodeMimeHeader
    Decode MIME base64 headers.

12 Improved Scripts

  • BuildEWSQuery
    • Converted to Python.
    • Added output context.
    • Added support for query limitation.
  • EmailAskUserResponse
    This script can now handle BR tags in an HTML response.
  • FindSimilarIncidents
    This script can now:
    • Handle exceptions for empty results.
    • Support more than one incident key.
    • Support multiple date formats.
  • ParseEmailFiles
    You can now print both text and HTML body parts in a War Room entry.
  • Strings
    Improved handling of text files.
  • SetDateField
    Changed the SetDateField time format so that it correctly includes the year.
  • IncidentSet
    Deprecated - use the setIncident command instead.

Improved error handling for the following scripts:

  • DomainReputation
  • EmailReputation
  • FileReputation
  • IPReputation
  • URLReputation

Playbooks

6 New Playbooks

  • Calculate Severity - 3rd-party integrations
    Calculates the incident severity level according to the methodology of a 3rd-party integration.
  • Calculate Severity - Critical assets
    Determines if a critical asset is associated with the investigation. The playbook returns a severity level of Critical if a critical asset is associated with the investigation.
  • Calculate Severity - Indicators DBotScore
    Calculates the incident severity level according to the highest indicator DBotScore.
  • Search And Delete Emails - EWS
    This playbook searches EWS to identify and delete emails with attributes similar to those of a malicious email.
  • Search And Delete Emails - Generic
    This playbook searches for and deletes emails with attributes similar to those of a malicious email.

2 Improved Playbooks

  • Calculate Severity - Generic
    Separated playbook logic into sub-playbooks, and improved documentation.
  • Phishing Investigation - Generic
    Added a response section, including support for search and delete malicious emails.

Incident Layouts

New Incident Layouts

  • Malware
    New Summary and New/Edit layout for malware.

Classification & Mapping

New Classification & Mapping

  • crowdstrike-streaming-api
    Added Malware mapping for CrowdStrike Mapping.

Improved Classification & Mapping

  • SplunkPy
    Added Malware mapping.

Demisto Content Release Notes for version 18.5.4 (9454)

30 May 13:30
Compare
Choose a tag to compare

Demisto Content Release Notes for version 18.5.4 (9454)

Published on 29 May 2018

Integrations

2 New Integrations

  • ReversingLabs A1000
    ReversingLabs A1000 Malware Analysis Platform.
  • ReversingLabs Titanium Cloud
    ReversingLabs data provides the malware status of a sample.

8 Improved Integrations

  • Carbon Black Enterprise Live Response
    Added an option to configure instances with Carbon Black Defense credentials.
  • FalconHost
    Added context output for cs-device-details command.
  • Cybereason
    Improved the query sent by query-connections, added outputs to is-probe-connected, and removed the login command.
  • Cylance Protect v2
    Added DBotScore support, including a file threshold for marking files as malicious.
  • EWS v2
    • Added the ews-move-between-mailboxes command.
    • When fetching emails, email attachments are now saved in the War Room.
    • Running ews-get-attachment on an attached email message (ItemAttachment) now saves it, and all of its attachments, as downloadable files in the War Room.
  • QRadar
    Fixed upgrade issue for fetch incidents.
  • WildFire
    Added verification for MD5/SHA256 arguments.
  • Jira
    Added an option to use a proxy.

Scripts

3 New Scripts

  • DisplayHTML
    Displays HTML in the War Room.
  • QualysCreateIncidentFromReport
    Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID).
  • SetDateField
    Sets a custom incident field to the current date.

Improved Scripts

  • EmailAskUser
    Added support for parallel execution of the script, with better error handling.

Playbooks

9 New Playbooks

  • CVE Enrichment - Generic
    Enrich CVE using one or more integrations.
  • Vulnerability Handling - Qualys
    Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools.
  • Vulnerability Handling - Qualys - Add custom fields to default layout
    Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout.
  • Vulnerability Management - Qualys (Job)
    Use the latest Qualys report to manage vulnerabilities.

Improved Playbooks

  • Calculate Severity - Generic
    Added support for Qualys.
  • Domain Enrichment - Generic
    Enrich Domain using one or more integrations.
  • Email Address Enrichment - Generic
    Get email address reputation using one or more integrations.
  • File Enrichment - Generic
    Get file reputation using one or more integrations.
  • IP Enrichment - Generic
    Enrich IP using one or more integrations.
  • URL Enrichment - Generic
    Enrich URL using one or more integrations.

Added support for auto-extract for the following playbooks:

  • Domain Enrichment - Generic
  • Email Address Enrichment - Generic
  • File Enrichment - Generic
  • IP Enrichment - Generic
  • URL Enrichment - Generic

Incident Fields

Added default Vulnerability fields.

Incident Layouts

New Incident Layouts

  • Vulnerability - Summary and New/Edit default layouts

Reputations

Added the Domain reputation type.

Demisto Content Release Notes for version 18.5.3 (9191)

15 May 22:18

Published on 14 May 2018

Integrations

2 New Integrations

  • Amazon SQS
    Manage messages in your Amazon SQS environment.
  • SafeBreach
    SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness.

2 Improved Integrations

  • CrowdStrike Falcon Sandbox
    Upgraded to API v2 and added the following commands: get-screenshots, submit-url, file, and detonate-url.
  • FireEye HX
    Added an option to acquire files using the API.

You can now specify the threshold value for malicious indicators as an instance parameter for the following integrations:

  • VirusTotal
  • XFE

Playbooks

4 Improved Playbooks

  • Malware Investigation - Generic
    You can now investigate malware using one or more integrations.
  • Entity Enrichment - Generic
    Added support for auto extract.
  • Malware Investigation - Generic
    Added support for auto extract.
  • Phishing Investigation - Generic
    Added support for auto extract.
  • Process Email - Generic
    Added support for EWS and Phishing default mapping.

Scripts

New Scripts

2 Improved Scripts

  • CommonServerPython
    Fixed tableToMarkdown escaping bug.
  • JIRAPrintIssue
    Added dependency on the jira-get-issue command.

Reputations

Improved Reputations