We have exciting news to share! We are releasing Demisto 4.0 today for our user community. This release is packed with features that enable security teams to heighten investigation quality, improve context collection and visualization, and accelerate incident response at scale. Demisto has always been shaped by your feedback and we’re delighted to have executed improvements based on your suggestions. So, our massive thanks to you, you, and even you in the back row making paper planes.
Okay, fasten those belts and let’s go. Here’s what you can expect from Demisto 4.0:
Security attacks are never linear: attackers weave a web across entry points, move laterally, and shift their target assets over time. With Demisto’s Investigation Canvas, you can now visualize attack campaigns, identify missing edges, and resolve incidents through visual collaboration. By combining your intelligence with machine learning insights, you can interactively map the progression path of an incident and uncover correlations in real time. The Canvas will tell an incident’s story better than endless rows and columns of data ever could. See it in action.
Like snowflakes, no two incidents are exactly the same, usually differing in terms of SLAs, attack phases, ingestion sources, and more. You can create dynamic fields in Demisto 4.0 incident forms, allowing for automatic changes to available fields as the attack status evolves.
Sharing is caring as long as we’re not talking about malicious IOCs. You can now share customized dashboards with other users in your environment to always stay on top of important metrics and drive action from data.
Augmented Cloud Orchestration
As cloud adoption increases, the threat surface continues to expand with the quickness of in-prime Usain Bolt. Our new Amazon SNS capability allows Demisto to receive notifications from Amazon Simple Notification Service, convert them to incidents, and kick off playbooks that coordinate actions across both cloud and on-premises environments.
Improved Indicator Visibility
Getting one-stop indicator visibility is easier than ever on Demisto 4.0 with a new comprehensive reputation window. Access consolidated threat scores, known indicator history, and custom comments from one source for faster, more informed decision-making. See it in action.
Investigation Actions Menu
We can all agree that a swarm of open tabs is not ideal while conducting focused incident response. With a new universal menu for investigation actions, you can retain greater control over investigations by editing, deleting, and managing incidents from any incident screen.
A wise person (probably) once said, “Clicking on stuff is better than typing stuff.” Following that adage, you can now access a dedicated investigation button on the CLI to access categories of actions for quick and easy execution. Go ahead, chart out your response routine without memorizing any command execution language.
Start Your Engines
Automating response is one thing and executing that same automation quality at scale is something else entirely. With Demisto 4.0, you can leverage the power of load-balanced engine pools for faster performance, increased redundancy, and horizontal scalability. Choose and customize engine pools for specific integrations and watch those lightning bolts fly!
Faster Playbook Editing
We’re always on a mission to make our visual playbook editor more intuitive and easier to work with. You can now speed up playbook creation and deployment by selecting multiple tasks and executing actions such as drag and delete.
Ready, Set, Mark Evidence
Your journey to highlight critical information is now shorter than ever. By marking notes and evidence directly from the Work Plan window, you can leverage your knowledge of past playbook runs and ensure that key indicators of root causes are automatically captured with minimal window-switching. See it in action.
Additional Release Highlights
While the following features may not fit in our three blog-friendly buckets, they’re powerful enough to merit a look:
Auto-extract indicators: Set up auto-extraction and enrichment of indicators for specific incident types, obviating the need for playbook tasks.
Playbook Task Approval: Restrict playbook task approval to specific users, ensuring that only the designated user continues playbook execution for sensitive use cases.
Incident Summary Reports: Create customized reports based on the Incident Summary page by either selecting the required fields or using a pre-existing template. See it in action.
Improved Linux Compatibility: In addition to existing supported environments, Demisto 4.0 now supports SUSE Enterprise, openSUSE, and Fedora.
More droplets have been added to our deluge of product integrations. Here are a few to look out for:
Amazon Web Services: Demisto now integrates with many AWS solutions such as GuardDuty, SQS, IAM, Route 53, S3, and EC2 for fully orchestrated cloud incident response and IT operations. Learn more about our AWS integrations here.
Hybrid Analysis: An out-of-the-box integration instance with Hybrid Analysis allows for fully automated malware analysis and response.
Carbon Black Enterprise Live Response: We’ve added a range of commands to improve our Carbon Black Enterprise Live Response integration, enabling you to execute and kill processes, delete files from endpoints, manage keys and values, and collect endpoint memory dumps.
If your curiosity is sufficiently piqued after reading about our 4.0 evolution, we’d love for you to sign up for access to our free edition. Just fill out your details by clicking the button below and a download mail should land in your inbox before you can say ‘Security Orchestration, Automation, and Response’. Granted, that does take some time to say.
We’re looking forward to honest feedback about the features and any bugs you might encounter along your explorations. Please leave your comments on the #demisto-discussions channel on our Slack community, or email firstname.lastname@example.org.
Stay tuned for in-depth 4.0 feature walkthroughs and videos in the coming weeks!