We have exciting news to share! We are releasing Demisto v4.5 today for both enterprise customers and community users. The release is packed with new features suggested to us by our community of customers, partners, and independent users. The new features help you:
- Achieve control of incident response processes on the go
- Engage end users for scalable data collection and incident enrichment
- Simplify development of integrations and automation scripts
- Customize incident triage and categorization during ingestion
and much more!
Here is a brief overview of the pixie-dust that Demisto v4.5 blows into the wind:
Mobile App: Keep Response Running
In today’s fast-moving security world, every second that an incident festers in your system is a dangerous second. Demisto’s mobile-first experience for Android and iOS enables you to positively affect the state of your SOC even when you don’t have access to the Demisto web app.
- Dashboards: You can view standard Demisto dashboards (SLA, System Health, Incidents etc.) as well as create custom mobile-friendly dashboards so that you always have access to critical SOC data.
- Incident summaries: Summaries and task lists for every incident are within your sight with the mobile app. You can also create custom incident summary layouts for the mobile-app that highlight critical context that you need when you’re remote.
- Tasks: The Tasks tab for each incident helps you assign specific tasks to your team members, choose quick investigation options, and manually mark tasks as complete. Including this task approval in the mobile app allows Demisto playbooks to keep running even when security analysts are not at the helm.
- Incident actions: Rather than replicating a fully-fledged Demisto web app on mobile, the mobile app empowers you to execute ‘just enough’ and let the web app take the baton from there. In terms of incident actions, you can assign the incident to an analyst, set incident severity, change the incident type, and close the incident from the mobile app.
If you have a Demisto support account, you can view more product documentation about the mobile app here.
Communication Tasks: Bringing Automation to the End User
While Demisto playbooks unify unique and granular intelligence from security products, we can always do more to provide security teams with all the data they need for investigation. With Demisto v4.5, we have introduced communication tasks that can be built into playbooks to send surveys to Demisto users and external users for data collection and enrichment. This information can be used for analysis and act as inputs for subsequent playbook tasks as well. Here are a few examples of communication tasks in Demisto today:
- Ask Tasks: These are conditional ‘one-question’ surveys, the answers to which will determine how the playbook will proceed.
- Data Collection Task: These are more detailed surveys that relevant users can access through a link sent to their email. All responses to the survey are stored in incident context, enabling you to use the data as inputs for playbook tasks.
The communication tasks are fully customizable, allowing you to set the email subject and body, question formats, task type, frequency of sending the questionnaire, and more. The screenshot below shows a daily status report that you can send to analysts and transfer knowledge during shift changes in your SOC.
If you want an early preview of how communication tasks work, we had some fun with them last week and you can try it out.
If you have a Demisto support account, you can view more product documentation about communication tasks here.
PyCharm Add-on: Simplifying Integration Development
Demisto’s extensible integration network has always been the primary lifeblood of our platform. To further simplify third-party integration and script development, Demisto v4.5 debuts an add-on for PyCharm and enables users to author Python content for Demisto directly in PyCharm. Here are some highlights of what you can accomplish with the Demisto add-on for PyCharm:
- Leverage PyCharm capabilities: Take advantage of smart code completion, error highlighting, and quick navigation to accelerate development of third-party integrations and scripts in Demisto.
- Console flexibility: Choose between running scripts locally in PyCharm or running them in Demisto and having the results display in PyCharm.
- End-to-end development: Create new Python/YML files, edit existing files, and export files to Demisto.
- Remote execution: Execute Demisto integration/automation commands in PyCharm and have results display in PyCharm.
If you have a Demisto support account, you can view more product documentation about the PyCharm add-on here.
Pre-process Rules: Customizing Incident Triage
There’s no dearth of data in security today, but extracting the ‘right’ data from all that ‘big’ data is the challenge teams always grapple with. Demisto v4.5 introduces pre-process rules, which let you perform UI-based triage of incidents as they are ingested into Demisto. You can create rules for specific incident types that perform an action when an incoming incident meets certain criteria. Some illustrative actions are given below:
- Dropping the incident (if you find it to be a duplicate incident)
- Linking the incident to another incident already in your environment
- Linking the incident and closing it
- Running a pre-processing script on the incident
For example, in the screenshot below, the pre-processing rule drops a phishing incident if the email subject is identical to an older incident in the system. The older incident is then updated with this duplicate information.
If you have a Demisto support account, you can view more product documentation about pre-process rules here.
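As an added illustration (not code from Demisto or this release), the duplicate-phishing rule described above can also be expressed as a pre-processing script. The version below is plain Python with the existing incidents constructed inline in place of the Demisto server API, and it compares subjects case- and whitespace-insensitively, which is an assumption beyond the exact match the screenshot shows.

```python
# Added illustration of the duplicate-phishing triage logic described above.
# Pure Python, no Demisto API: the "server side" is replaced by a constructed
# list of existing incidents so the logic runs and can be tested offline.
import re
from typing import Optional

# Constructed sample of incidents already in the system (assumption: the
# field names mirror what a phishing incident would carry).
EXISTING_INCIDENTS = [
    {"id": "101", "type": "Phishing",
     "emailsubject": "Urgent: reset your password", "duplicates": []},
    {"id": "102", "type": "Phishing",
     "emailsubject": "Invoice #4471 attached", "duplicates": []},
]


def normalize_subject(subject: str) -> str:
    """Collapse whitespace and case so a trivially re-sent mail still matches."""
    return re.sub(r"\s+", " ", subject or "").strip().lower()


def find_duplicate(incoming: dict, existing: list) -> Optional[dict]:
    """Return the older incident with the same type and subject, if any."""
    subject = normalize_subject(incoming.get("emailsubject", ""))
    if not subject:
        return None  # never dedup on an empty subject: too many false matches
    for inc in existing:
        if (inc["type"] == incoming.get("type")
                and normalize_subject(inc["emailsubject"]) == subject):
            return inc
    return None


def preprocess(incoming: dict, existing: list) -> bool:
    """Rule body: True keeps (creates) the incident, False drops it.

    When a duplicate is found, the older incident is updated in place with
    the sender and timestamp of the dropped copy, so evidence is not lost.
    """
    older = find_duplicate(incoming, existing)
    if older is None:
        return True
    older["duplicates"].append({
        "from": incoming.get("emailfrom"),
        "occurred": incoming.get("occurred"),
    })
    return False
```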
Additional Release Highlights
Other features in Demisto v4.5 include:
- These are a few of my favorite thi- I mean, incidents: You can mark incidents as favorites (denoted by a star icon) to easily identify and access them in the future.
- More slice and dice: You can filter active incidents by your favorites, the incidents you own, and the incidents you participated in, enabling you to quickly home in on the data that matters to you.
- Back to the future: Going back in time, really?! Well, kind of. The new taskReopen command lets you reopen a playbook task by specifying its task ID. You still can’t un-own those jeans, we’re afraid.
- Completing each other’s sandwiches: When you select an automation for a playbook task, the automation’s description will now auto-populate in the task description. You can still edit this description to your liking, but now you have a solid and speedy start.
If you’re an existing Demisto Community Edition user, we hope you’ve enjoyed your time with DBot so far and that these enhancements will help further improve your security operations. If you haven’t tried Demisto yet, we hope these new features are the nudge that sends you SOARing!
For more details about the features in Demisto v4.5, you can view the release notes on our support portal (if you have a Demisto support account).
We invite you to upgrade to Demisto v4.5 by downloading our new Community Edition. We’d love it if you gave us your honest feedback on the #demisto-discussions Slack channel or by emailing firstname.lastname@example.org.