We have exciting news to share! We are releasing Demisto v5.0 today for both enterprise customers and community users. The release is packed with new features suggested to us by you, you, and even you there, throwing popcorn from the back row. Our community of customers, partners, and independent users are the reason we exist, and we’re thrilled that you’re a part of our journey. Demisto v5.0’s new features help you:
- Personalize case layouts with a reimagined user interface
- Gain indicator visibility with new threat intelligence capabilities
- Achieve horizontal scalability with database scaling
and much more!
Sunglasses at the ready? Here is a brief peek at the blinding light Demisto v5.0 shoots into the stratosphere:
Reimagined User Interface
With data and context being so critical to security operations, it’s imperative to have a UI that structures said data and context in an intuitive, persona-friendly manner. Demisto v5.0 introduces a brand new UI that streamlines global navigation while also enhancing the delivery of information within each incident.
The main navigation panel is collapsed by default in Demisto v5.0, enabling you to maximize screen real estate and improve visibility without sacrificing the ability to navigate easily across your Demisto environment.
Fig 1: Demisto’s main navigation pane is collapsed by default
Demisto v5.0 comes with a completely redesigned incident summary page. This new page (called ‘Case Info’) enables you to quickly digest critical information about the incident with little to no scrolling. All new and existing incident types will include this redesigned summary page. You can still use the legacy summary views if you’d like (the value of comfort and familiarity can’t be overstated).
Here’s a before-after view to whet your appetite.
Fig 2: Old Demisto Incident Summary
Fig 3: New Demisto ‘Case Info’
Standardized case management can only take you so far. People in the trenches will know that a phishing incident needs different information - in a different layout - from a malware incident. Each incident in Demisto v5.0 comes with a fully customizable ‘Investigation’ page, enabling you to select the What, Where, and How of information visualization.
The GIF below highlights the Investigation page for an alert from Cortex XDR. This page lists alert details (including threats and processes blocked by Traps), file artifact details, and granular indicator information.
Fig 4: Custom Demisto investigation page for an alert from Cortex XDR
Custom Incident Tabs and Page Layouts
While the ‘Case Info’ and ‘Investigation’ pages are two of the default options available for Demisto incidents, you can add tabs for any other information you’d like highlighted for a specific incident type. For each new tab added, you can also build the page layout from scratch leveraging both OOTB and user-created widgets.
In the GIF below, we create a new ‘Campaign Info’ tab for the ‘Access’ incident type, populating the page with sections such as ‘Linked Incidents’, ‘Child Incidents’, and ‘Dropped or Duplicate Incidents’.
Fig 5: Creating a new tab and page layout for a Demisto incident
All incident tabs come with full Role-Based Access Control, allowing administrators to grant incident sub-view privileges to relevant roles depending on the sensitivity of the data.
Enhanced Threat Intelligence
Visualizing and executing on indicator information is often spread across disparate tool sets, resulting in persistent silos that hamper security performance. Threat intel enhancements in Demisto v5.0 allow users to access rich indicator intelligence from integrated sources and take action on it in a scalable manner. You can create custom indicator layouts that display relevant data for each indicator type and operationalize this data by leveraging Demisto’s orchestration and automation.
Custom Indicator Layouts
You can customize indicator summary layouts in Demisto v5.0, either by choosing from OOTB sections or creating your own sections and indicator fields from scratch. Just like snowflakes (but in a bad way), no two indicators are exactly the same, so it makes sense to give you the power to visualize indicators the way you see fit.
In the GIF below, we add a ‘Reputation’ section to the URL indicator summary (which is one of the OOTB Demisto sections available to you).
Fig 6: Adding OOTB sections to indicator layouts
If you prefer your suits tailored-to-fit, you can also create sections from scratch and populate them with relevant indicator fields of your choosing. In the GIF below, we add a new section to the CVE indicator summary and populate it with fields that will provide information about the malware family, detection engines, and custom comments.
Fig 7: Creating and populating a new section in the indicator layout builder
File Hash Consolidation
Starting from Demisto v5.0, file objects use a single file indicator. File indicators appear with their SHA256 hash as the indicator value, and all other hashes (MD5, SHA1, SSDeep, etc.) are displayed as properties of that same indicator. If the file appears in a different incident under a different name and shares any of the same hash values, it is automatically associated with the original indicator. You can learn more about hash consolidation here.
The screenshot below illustrates a consolidated file indicator.
Fig 8: Consolidated file indicator in Demisto v5.0
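The consolidation rule described above (one indicator per file, displayed by SHA256, other hashes as properties, any shared hash joins a new observation to the existing indicator) is easy to get subtly wrong in a custom indicator store or enrichment automation. The following is an added example, not Demisto's own code, that models the rule in Python. It goes a little beyond the text in two ways: it also merges two indicators that were previously known only by different hash types once an observation links them, and it refuses to merge when the same hash type carries two different values (which would mean a collision or bad source data rather than the same file). All hash values and incident ids below are constructed placeholders.

```python
"""Added example (not Demisto code): a file-indicator store that consolidates
observations that share any hash value into a single indicator."""
from __future__ import annotations

from dataclasses import dataclass, field

HASH_TYPES = ("sha256", "sha1", "md5", "ssdeep")


@dataclass(eq=False)  # eq=False: compare indicators by identity, not by content
class FileIndicator:
    hashes: dict[str, str] = field(default_factory=dict)  # hash type -> value
    names: set[str] = field(default_factory=set)          # file names seen
    incidents: set[str] = field(default_factory=set)      # incident ids seen

    @property
    def value(self) -> str:
        # Display value is the SHA256 when known, otherwise whatever hash we have
        return self.hashes.get("sha256") or next(iter(self.hashes.values()))


class IndicatorStore:
    def __init__(self) -> None:
        self.indicators: list[FileIndicator] = []
        # (hash type, value) -> the indicator currently owning that hash
        self._by_hash: dict[tuple[str, str], FileIndicator] = {}

    def observe(self, incident_id: str, name: str, **hashes: str) -> FileIndicator:
        """Record a file seen in an incident and return its consolidated indicator."""
        hashes = {t: v.lower() for t, v in hashes.items() if t in HASH_TYPES and v}
        if not hashes:
            raise ValueError("file observation carries no usable hash")

        # Every existing indicator that shares at least one hash with this observation
        matched: list[FileIndicator] = []
        for key in hashes.items():
            ind = self._by_hash.get(key)
            if ind is not None and ind not in matched:
                matched.append(ind)

        # Build the merged hash set first and refuse on any conflict: the same
        # hash type with two different values cannot be the same file.
        merged: dict[str, str] = {}
        for source in [ind.hashes for ind in matched] + [hashes]:
            for t, v in source.items():
                if merged.setdefault(t, v) != v:
                    raise ValueError(f"conflicting {t} values: {merged[t]} vs {v}")

        target = matched[0] if matched else FileIndicator()
        if not matched:
            self.indicators.append(target)
        # Fold any other matched indicators into the target (identity-based removal)
        for other in matched[1:]:
            target.names |= other.names
            target.incidents |= other.incidents
            self.indicators.remove(other)

        target.hashes = merged
        target.names.add(name)
        target.incidents.add(incident_id)
        for key in merged.items():
            self._by_hash[key] = target
        return target


def demo() -> IndicatorStore:
    """Constructed sample: the same file seen under two names in two incidents."""
    store = IndicatorStore()
    store.observe("inc-1", "invoice.exe", sha256="A" * 64, md5="1" * 32)
    # Second sighting carries only MD5 and SHA1; the shared MD5 joins it to the first
    store.observe("inc-2", "update.bin", md5="1" * 32, sha1="2" * 40)
    return store


if __name__ == "__main__":
    for ind in demo().indicators:
        print(ind.value, sorted(ind.names), sorted(ind.incidents), sorted(ind.hashes))
```

The conflict check is the part worth keeping in any real implementation: merging purely on "any shared hash" without it would let a bad enrichment result silently glue two unrelated files together.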
Database Scaling
We know that using multiple enterprise security products often turns into an exercise in load management, with your computing resources wheezing for mercy as alert volumes rise. To ensure that your Demisto deployment continues running like Usain Bolt on Red Bull, you can now install the Demisto app server and databases on separate machines. These multi-tier configurations let you scale your environment and manage resources efficiently.
Demisto v5.0 supports two multi-tier configurations:
- One app server and one database server on separate machines, or
- One app server and multiple database servers on separate machines.
These configurations are illustrated below.
Fig 9: Distributed database configurations in Demisto v5.0
Additional Release Highlights
Other features in Demisto v5.0 include:
- SOAR on the fly: No worries, you can step away from that computer screen for a second. Demisto v5.0 introduces chat support in the mobile application, letting you update relevant stakeholders on the go. You can also manage notifications from the web app, choosing to receive updates via email, Slack, Mattermost, or the mobile app.
- Clearing the fog of war: You can now select which entry types to filter out from the War Room. You can also copy the entryID of a War Room entry to the clipboard, allowing for seamless transitions to automated or ad-hoc tasks using the War Room entry as input. If you have a Demisto support account, you can learn more about War Room filtering here.
- Putting the ‘play’ in playbooks: Our playbooks become more Lego-like by the day. You can now map outputs to fields while configuring a playbook task, automatically populating the field with its mapped key value. You can also edit OOTB playbooks now without duplicating them. Just detach them from content updates and edit to your heart’s content!
- Loop the loop: While working with sub-playbooks, you can now pass an array of inputs to a task and have it loop through the inputs. This ability should be useful in instances like sifting through a list of email addresses and the different subject texts for each address. More info can be found here if you have a Demisto support account.
If you’re an existing Demisto Community Edition user, we hope you’ve enjoyed your time with DBot so far and that these enhancements will help further improve your security operations. If you haven’t tried Demisto yet, we hope these new features are the nudge that sends you SOARing!
For more details about the features in Demisto v5.0, you can view the release notes on our support portal (if you have a Demisto support account).
We invite you to upgrade to Demisto v5.0 by downloading our new Community Edition. We’d love it if you gave us your honest feedback on the #demisto-discussions Slack channel in our DFIR community. You can also email email@example.com if you’re a stamps-and-letters kind of person.