We have exciting news to share! We've released Demisto v3.5 for both enterprise customers and community users. The release is packed with new features suggested to us by our community of customers and partners. The new features enable unparalleled visibility into granular security and business metrics, enhance modularity and reusability of playbooks to accelerate development, and improve machine learning suggestions to build leaner response processes.
Here is a brief overview of what Demisto v3.5 brings to the table:
Deep, accurate, and flexible measurement of SOC metrics: Demisto v3.5 has customizable dashboards and reports with a widget library that enables users to accurately measure metrics of their choice and leverage Demisto's underlying incident data. For instance, CISOs can measure SOC health and business risk, SOC managers can measure analyst productivity and incident bottlenecks, and analysts can measure incident and indicator trends. Users can build incident-type-focused widgets through ad hoc queries or use one of the many widget templates available to visualize data tailored to their organization. The widget library will be updated with our fortnightly content releases.
Fig 1: Demisto v3.5 custom dashboards showing incident-level metrics
Role Based Incident Access: Incident accessibility can now be based on roles. Roles can also be nested, with the parent role containing all permissions of the sub-role.
Orchestration and Automation
Simplified playbook development: Playbook creators now have access to a filter and transform library in Demisto playbook tasks that increases flexibility and ease of use without sacrificing automation and workflow fidelity. These filters remove the need to write code when creating playbook tasks, parsing data for inputs, or defining conditions; this improves overall logical clarity and makes playbook creation accessible to more SOC staff.
Fig 2: Setting custom filters for playbook task inputs from filter library
Reusable and portable playbooks: Demisto v3.5 enhances nesting of parent and child playbooks through seamless passing of arguments and a UI-based drilldown into sub-playbooks, allowing users to port multi-task blocks across incident types. This improves reuse of nested playbooks across the SOC and eliminates the rework and 'dead time' that accompany repeated playbook creation.
Fig 3: Sub-playbook UI drilldown during playbook creation and editing
Streamlined communication flows: Users can now edit and delete their own chat entries, keeping the War Room tailored and tidy. Integration brands and instance names have also been added to each command response in the War Room for improved context.
Role Based Script/Automation Access: Automation scripts can now be flagged as sensitive and assigned script-level permissions, so access to an individual automation can be restricted by role.
Granular insights for leaner operations: Demisto v3.5 will provide argument/parameter suggestions for playbook task automations, facilitating creation of best-in-class response workflows that are primed for continuous improvement. In addition to our existing ML-based insights, these suggestions will continue to allow users to maximize productivity in real time and home in on the most effective resolution procedures.
Additionally, incident management can now be streamlined by using the duplicate and related score suggestions with built-in Demisto commands such as duplicateIncidents and relatedIncidents.
Additional Product Release Highlights
- Indicator Whitelist: There is now a dedicated UI for whitelisting indicators using regular expressions or indicator values.
Fig 4: Indicator whitelisting UI
- Indicators: Hostname and username indicators are now captured automatically from automation output.
- Custom content transferability: Users can now export and import custom content from development to production servers with one click.
- Syslog: Syslog events can be ingested as incidents by enabling the syslog integration.
- Slack: Mirroring investigations in Slack is more robust, with mirroring now supported in both channels and groups. The addition of mirror-direction control and file sending further strengthens this feature.
- Python 3.5 is now supported in Demisto.
If you are a Demisto customer and are interested in knowing more about these features, view the release notes on the Demisto Support portal.
If you are new to Demisto and would like to explore these new features, sign up for our Community Edition. All Demisto v3.5 features are available with full functionality for 30 days in the Community Edition.
Stay tuned for in-depth feature breakdowns, playbook blogs, video walkthroughs, and more supporting material for Demisto v3.5 updates over the coming weeks.