def format_13(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Emit the constant JSON body ``{"pin_style": "blue"}`` as the ``format_13`` result.

    The template uses doubled braces, so it contains no ``{0}`` placeholder;
    the listed datapath is handed to ``phantom.format`` but nothing is
    substituted into the output. Execution continues with ``format_14``.
    """
    phantom.debug('format_13() called')

    # Datapaths available for positional substitution (none referenced here).
    datapaths = [
        "SNOW_worknote_manual_task:formatted_data",
    ]

    # Doubled braces are literal braces in a phantom.format template.
    pin_body = '{{\n"pin_style": "blue"\n}}'

    phantom.format(
        container=container,
        template=pin_body,
        parameters=datapaths,
        name="format_13",
    )

    format_14(container=container)
    return
def Change_Pin_to_blue(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Produce the constant JSON body ``{"pin_style": "blue"}`` under the name ``Change_Pin_to_blue``.

    The doubled braces are literal, so the pin id datapath from
    ``get_entity_pin`` is listed but not interpolated into the output.
    Control passes to ``build_rest_call_url_1`` afterwards.
    """
    phantom.debug('Change_Pin_to_blue() called')

    datapaths = [
        "get_entity_pin:action_result.data.*.response_body.data.*.id",
    ]

    # Literal braces: phantom.format treats ``{{``/``}}`` as escaped ``{``/``}``.
    style_body = '{{\n"pin_style": "blue"\n}}'

    phantom.format(
        container=container,
        template=style_body,
        parameters=datapaths,
        name="Change_Pin_to_blue",
    )

    build_rest_call_url_1(container=container)
    return
def Container_Comment_String(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Format a one-line peer-count comment from artifact host fields and a query summary.

    ``{0}``/``{1}`` are the artifact's destination hostname and address and
    ``{2}`` is ``run_query_1``'s ``total_events`` summary. Note the template has
    no separator between "Server" and ``{0}``; the text is reproduced as-is.
    Continues with ``Make_List``.
    """
    phantom.debug('Container_Comment_String() called')

    comment_template = 'Server{0}{1} has {2} peers.'

    # Positional datapaths, in placeholder order.
    datapaths = [
        "artifact:*.cef.destinationHostName",
        "artifact:*.cef.destinationAddress",
        "run_query_1:action_result.summary.total_events",
    ]

    phantom.format(
        container=container,
        template=comment_template,
        parameters=datapaths,
        name="Container_Comment_String",
    )

    Make_List(container=container)
    return
def format_connection_query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Build one Corelight ``conn`` SPL search per connection uid returned by ``run_source_dest_query``.

    The ``%%`` markers make phantom.format repeat the enclosed line for every
    value of the datapath. The rendered text is then consumed by
    ``query_connections``.

    NOTE(review): ``{0}`` is spliced into SPL verbatim, with no quoting or
    escaping. The uid comes from a prior action result rather than directly
    from an artifact, but if that source can carry attacker-influenced text a
    value containing ``|`` or spaces would alter the search.
    """
    phantom.debug('format_connection_query() called')

    datapaths = [
        "run_source_dest_query:action_result.data.*.uid",
    ]

    # %% ... %% = per-item repetition block.
    spl_template = '%%\nindex=corelight sourcetype=corelight_conn {0} | table *\n%%'

    phantom.format(
        container=container,
        template=spl_template,
        parameters=datapaths,
        name="format_connection_query",
    )

    query_connections(container=container)
    return
def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Render a ``savedsearch myHostInfo`` invocation per artifact destination hostname.

    Each hostname is placed inside a double-quoted ``myhost=`` argument within a
    ``%%`` repetition block. The result is passed on to ``run_query_1``.

    NOTE(review): the hostname is an artifact field, i.e. data supplied by the
    event source, and phantom.format does not escape it. A value containing a
    ``"`` closes the quoted argument and the remainder is interpreted as SPL;
    constrain or sanitize the datapath upstream if the source is not trusted.
    """
    phantom.debug('format_1() called')

    saved_search_template = '%%\n | savedsearch myHostInfo myhost="{0}"\n%%'

    datapaths = [
        "artifact:*.cef.destinationHostName",
    ]

    phantom.format(
        container=container,
        template=saved_search_template,
        parameters=datapaths,
        name="format_1",
    )

    run_query_1(container=container)
    return
def Format_PreCompromise_Service_Query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_PreCompromise_Service_Query() called')
    
    template = """index=corelight sourcetype=corelight_conn src_ip={2} earliest={0} latest={1} | table service dest_ip | stats count by service, dest_ip"""

    # parameter list for template variable replacement
    parameters = [
        "CalcPreCompromiseTime:custom_function_result.data.epoch_time",
        "ConvertCompromiseTimeFormat:custom_function_result.data.epoch_time",
        "artifact:*.cef.sourceAddress",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_PreCompromise_Service_Query")

    Execute_PreCompromise_Service_Query(container=container)

    return
def Summery_XSpamStatus(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Summery_XSpamStatus() called')
    
    template = """{0}
{1}"""

    # parameter list for template variable replacement
    parameters = [
        "XSpamStatus_status_NO:formatted_data",
        "XSpamStatus_status_NO:formatted_data.*",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Summery_XSpamStatus")

    join_Summery(container=container)

    return
Beispiel #8
0
def SNOW_worknote_manual_task(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('SNOW_worknote_manual_task() called')
    
    template = """{0}

Server was started automaticaly"""

    # parameter list for template variable replacement
    parameters = [
        "Format_Server_Address:formatted_data",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="SNOW_worknote_manual_task")

    format_13(container=container)

    return
Beispiel #9
0
def Format_other_service_note(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_other_service_note() called')
    
    template = """%%
Service detected: {0} on {1}
%%"""

    # parameter list for template variable replacement
    parameters = [
        "filtered-data:Internal_Service_Filter:condition_5:Execute_Internal_IP_Query:action_result.data.*.service",
        "filtered-data:Internal_Service_Filter:condition_5:Execute_Internal_IP_Query:action_result.data.*.dest_ip",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_other_service_note")

    Add_other_service_note(container=container)

    return
def finding_format_ip(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('finding_format_ip() called')
    
    template = """%%
{0}
%%"""

    # parameter list for template variable replacement
    parameters = [
        "parse_remote_ip_addrs:custom_function:ip_addresses",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="finding_format_ip")

    finding_geolocate_ip(container=container)
    finding_ip_reputation(container=container)

    return
Beispiel #11
0
def Content_for_Approval(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Content_for_Approval() called')
    
    template = """The Service on the Server needs to be started / restarted.
Server IP / Host:  {0}
Service Name: {1}"""

    # parameter list for template variable replacement
    parameters = [
        "Format_Server_Address:formatted_data",
        "Format_Service_Name:formatted_data",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Content_for_Approval")

    decision_7(container=container)

    return
def format_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('format_2() called')
    
    template = """index=esa_summary_index earliest=-14d@d \"{0}\"
| stats values(recipient) as recipients
| eval _raw=mvjoin(recipients, \"|\")
| fields _raw"""

    # parameter list for template variable replacement
    parameters = [
        "cf_community_list_drop_none_1:custom_function_result.data.*.item",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="format_2")

    run_query_2(container=container)

    return
def Format_Pin_Zone_Level(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_Pin_Zone_Level() called')
    
    template = """Asset identified in Perdue Level \"{0}\" and Location at \"{1}\", production line 
\"{2}\""""

    # parameter list for template variable replacement
    parameters = [
        "Check_for_OT_Asset_Info:action_result.data.*.zone_no",
        "Check_for_OT_Asset_Info:action_result.data.*.location",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_system",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_Pin_Zone_Level")

    Pin_Zone_Level(container=container)

    return
def format_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('format_2() called')
    
    template = """%%
CPU: {0} wait time percent: {1}
%%"""

    # parameter list for template variable replacement
    parameters = [
        "run_query_1:action_result.data.*.cpu",
        "run_query_1:action_result.data.*.PercentWaitTime",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="format_2")

    post_data_1(container=container)

    return
Beispiel #15
0
def Format_Start_Marker(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('format_1() called')
    
    playbook_info = phantom.get_playbook_info()
    guid = phantom.get_data(playbook_info[0]['id'], clear_data=False)
    
    template = "eventcreate /id 999 /D \"started test on {0} guid=%s\" /T INFORMATION /L application" % guid

    # parameter list for template variable replacement
    parameters = [
        "artifact:*.cef.destinationAddress"
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_Start_Marker")

    Run_Start_Marker(container=container)

    return
Beispiel #16
0
def Summery_URL_reputation(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Summery_URL_reputation() called')
    
    template = """Result URL reputation check
URL: {1}
Result: {0}"""

    # parameter list for template variable replacement
    parameters = [
        "url_reputation_1:action_result.message",
        "url_reputation_1:action_result.parameter.url",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Summery_URL_reputation")

    Summery_save_object(container=container)

    return
Beispiel #17
0
def SOC_email_format_1(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None,
                       custom_function=None,
                       **kwargs):
    phantom.debug('SOC_email_format_1() called')

    template = """Hi SOC team,

This alert is triggered when malware alert triggered on Symentac details are mentioned below and based on that please do Sandboxing and update the result on below mention Incident raised for Wintel team.

UserID= {0}

Machine Name= {1}

File Path = {2}

File Hash= {3}

Reported action by Symantec= {4}

Nothing Suspicious found while checking file reputation please check at your end once and take action accordingly."""

    # parameter list for template variable replacement
    parameters = [
        "artifact:*.cef.dest_owner",
        "artifact:*.cef.dest",
        "artifact:*.cef.filePath",
        "artifact:*.cef.fileHash",
        "artifact:*.cef.vendor_action",
    ]

    phantom.format(container=container,
                   template=template,
                   parameters=parameters,
                   name="SOC_email_format_1")

    Send_mail_to_SOC_1(container=container)

    return
Beispiel #18
0
def format_es_url(action=None,
                  success=None,
                  container=None,
                  results=None,
                  handle=None,
                  filtered_artifacts=None,
                  filtered_results=None,
                  custom_function=None,
                  **kwargs):
    phantom.debug("format_es_url() called")

    ################################################################################
    # Format a URL for the link back to the Notable ID. Change the port number as
    # needed.
    ################################################################################

    template = """https://{0}/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest={1}&latest=now&search=event_id%3D{2}"""

    # parameter list for template variable replacement
    parameters = [
        "asset_get_splunk:custom_function_result.data.configuration.device",
        "filtered-data:event_id_filter:condition_1:artifact:*.cef.info_min_time",
        "filtered-data:event_id_filter:condition_1:artifact:*.cef.event_id"
    ]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.format(container=container,
                   template=template,
                   parameters=parameters,
                   name="format_es_url",
                   scope="all")

    pin_es_url(container=container)

    return
def Format_OT_Asset_Search(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_OT_Asset_Search() called')
    
    template = """| `reverse_asset_lookup(\"{0}\")`
| strcat asset_vendor \" : \" asset_model asset_vendor_model
| rex field=zone \"level[_]*(?<zone_no>\\d+)\"
| mvexpand zone_no
| table asset asset_id asset_vendor_model asset_model asset_status asset_system asset_tag asset_type asset_vendor asset_version bunit category city classification country description dns exposure ip location mac nt_host owner pci_domain priority requires_av should_timesync should_update site_id vlan zone zone_no"""

    # parameter list for template variable replacement
    parameters = [
        "artifact:*.cef.dvc",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_OT_Asset_Search")

    Check_for_OT_Asset_Info(container=container)

    return
def Format_Add_Note(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_Add_Note() called')
    
    template = """**GUIDE** : Please verify that this is an OT asset as well as determine the potential risk and impact for the function and role of the asset in the operation.

|Hostname|IP|Type|Vendor|Model|Version|Status|Priority|Perdue Zone|Zone Info|Exposure|
|--|--|--|--|--|--|--|--|--|
|{1}|{20}|{2}|{3}|{4}|{5}|{6}|{7}|{8}|{9}|{10}|

|ID|Biz Unit|System|Site ID|Location|City|Country|Latitude|Longitude|
|--|--|--|--|--|--|--|--|--|--|
|{11}|{12}|{13}|{14}|{15}|{16}|{17}|{18}|{19}|"""

    # parameter list for template variable replacement
    parameters = [
        "Check_for_OT_Asset_Info:action_result.data.*.asset",
        "Check_for_OT_Asset_Info:action_result.data.*.nt_host",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_type",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_vendor",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_model",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_version",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_status",
        "Check_for_OT_Asset_Info:action_result.data.*.priority",
        "Check_for_OT_Asset_Info:action_result.data.*.zone_no",
        "Check_for_OT_Asset_Info:action_result.data.*.zone",
        "Check_for_OT_Asset_Info:action_result.data.*.exposure",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_id",
        "Check_for_OT_Asset_Info:action_result.data.*.bunit",
        "Check_for_OT_Asset_Info:action_result.data.*.asset_system",
        "Check_for_OT_Asset_Info:action_result.data.*.site_id",
        "Check_for_OT_Asset_Info:action_result.data.*.location",
        "Check_for_OT_Asset_Info:action_result.data.*.city",
        "Check_for_OT_Asset_Info:action_result.data.*.country",
        "Check_for_OT_Asset_Info:action_result.data.*.lat",
        "Check_for_OT_Asset_Info:action_result.data.*.long",
        "Check_for_OT_Asset_Info:action_result.data.*.ip",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_Add_Note")

    add_note_22(container=container)

    return
Beispiel #21
0
def Add_Note_Format(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None,
                    custom_function=None,
                    **kwargs):
    phantom.debug('Add_Note_Format() called')

    template = """**GUIDE** : Check for detected software vulnerability exists for the asset.  Some known vulnerabilities may exist, but look for any new vulnerability changes.

|nt_host|asset_id|asset_vendor|asset_type|asset_model|asset_name|type|category|vendor|version|priority|cve|
|--|--|--|--|--|--|--|--|--|--|--|--|
%%
|{0}|{1}|{2}|{3}|{4}|{5}|{6}|{7}|{8}|{9}|{10}|{11}|
%%"""

    # parameter list for template variable replacement
    parameters = [
        "Check_Software_Vulnerability:action_result.data.*.nt_host",
        "Check_Software_Vulnerability:action_result.data.*.asset_id",
        "Check_Software_Vulnerability:action_result.data.*.asset_vendor",
        "Check_Software_Vulnerability:action_result.data.*.asset_type",
        "Check_Software_Vulnerability:action_result.data.*.asset_model",
        "Check_Software_Vulnerability:action_result.data.*.asset_name",
        "Check_Software_Vulnerability:action_result.data.*.type",
        "Check_Software_Vulnerability:action_result.data.*.category",
        "Check_Software_Vulnerability:action_result.data.*.vendor",
        "Check_Software_Vulnerability:action_result.data.*.version",
        "Check_Software_Vulnerability:action_result.data.*.priority",
        "Check_Software_Vulnerability:action_result.data.*.cve",
    ]

    phantom.format(container=container,
                   template=template,
                   parameters=parameters,
                   name="Add_Note_Format")

    add_note_3(container=container)

    return
def Format_ES_notables(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_ES_notables() called')
    
    template = """index=notable earliest=-1d latest=now \"{0}\"
| rex field=dvc_asset_tag \"perdue:level(?<perdue_level>\\d+)\"
| search dvc=*
| eval time=strftime(_time,\"%Y-%m-%d %H:%M:%S\")
| table time, dvc, asset_type, perdue_level, asset_criticality, search_name"""

    # parameter list for template variable replacement
    parameters = [
        "artifact:*.cef.dvc",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_ES_notables")

    Check_ES_Notables(container=container)

    return
def Format_Login_Failures_Successes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_Login_Failures_Successes() called')
    
    template = """| tstats `summariesonly` max(_time) as _time,values(Authentication.action) as action,values(Authentication.app) as app,count from datamodel=Authentication.Authentication where * (Authentication.action=\"failure\") Authentication.dest=\"{0}\" earliest=-1d latest=now by Authentication.src,Authentication.src_user,Authentication.dest,Authentication.user 
| `drop_dm_object_name(\"Authentication\")` 
| eval src_user=if(src_user==\"unknown\",null(),src_user) 
| fields _time,src,dest,src_user,user,action,app,count
| sort - count"""

    # parameter list for template variable replacement
    parameters = [
        "artifact:*.cef.dvc",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_Login_Failures_Successes")

    Check_Login_Failures_Successes(container=container)

    return
def Format_OT_Asset_Search(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_OT_Asset_Search() called')
    
    template = """| `reverse_asset_lookup(\"{0}\")`
| strcat asset_vendor \" : \" asset_model asset_vendor_model
| rex field=zone \"level[_]*(?<zone_no>\\d+)\"
| mvexpand zone_no
| table nt_host ip exposure zone_no dns location"""

    # parameter list for template variable replacement
    parameters = [
        "artifact:*.cef.dvc",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_OT_Asset_Search")

    Check_for_OT_Asset_Info(container=container)

    return
def XSpamStatus_tests_performed(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('XSpamStatus_tests_performed() called')
    
    template = """These tests could be done:
-------------------------------------------------------
{0}
-------------------------------------------------------
For more information please read: https://spamassassin.apache.org/old/tests_3_3_x.html"""

    # parameter list for template variable replacement
    parameters = [
        "XSpamStatus_tests:custom_function:XSpamStatus_tests",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="XSpamStatus_tests_performed")

    join_Summery(container=container)

    return
def Format_Pin_OT_Asset_Info(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_Pin_OT_Asset_Info() called')
    
    template = """HOST : {0} | IP : {1} | {2} | Zone {3}"""

    # parameter list for template variable replacement
    parameters = [
        "Check_for_OT_Asset_Info:action_result.data.*.nt_host",
        "Check_for_OT_Asset_Info:action_result.data.*.ip",
        "Check_for_OT_Asset_Info:action_result.data.*.exposure",
        "Check_for_OT_Asset_Info:action_result.data.*.zone_no",
        "Check_for_OT_Asset_Info:action_result.data.*.dns",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_Pin_OT_Asset_Info")

    Pin_OT_Asset_Info(container=container)

    return
Beispiel #27
0
def format_suricata_pin(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('format_suricata_pin() called')
    
    template = """URI = {1}
SURI_id = {0}
alert.signature ={2}"""

    # parameter list for template variable replacement
    parameters = [
        "run_suricata_query:action_result.data.*.suri_id",
        "run_suricata_query:action_result.data.*.uri",
        "run_suricata_query:action_result.data.*.alert.signature",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="format_suricata_pin")

    pin_suricata_alert(container=container)

    return
def Format_Network_Sessions(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Format_Network_Sessions() called')
    
    template = """| tstats `summariesonly` max(_time) as _time,values(All_Traffic.action) as action,values(All_Traffic.src_port) as src_port,count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.src=\"{1}\" OR All_Traffic.dest=\"{0}\" ) NOT (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"22\" OR All_Traffic.dest_port=\"25\") NOT (All_Traffic.action=\"allow*\" OR All_Traffic.action=\"tear*\" ) by All_Traffic.src,All_Traffic.dest,All_Traffic.transport,All_Traffic.dest_port 
| `drop_dm_object_name(\"All_Traffic\")` 
| sort - count 
| fields _time,action,src,src_port,dest,transport,dest_port,count"""

    # parameter list for template variable replacement
    parameters = [
        "Search_OT_Asset:action_result.data.*.ip",
        "Search_OT_Asset:action_result.data.*.net_local",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_Network_Sessions")

    Check_Network_Sessions(container=container)

    return
Beispiel #29
0
def Format_End_Marker(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('Format_End_Marker() called')
    
    playbook_info = phantom.get_playbook_info()
    guid = phantom.get_data(playbook_info[0]['id'], clear_data=False)
    phantom.debug(guid)
        
    template = "eventcreate /id 999 /D \"ended test for {0} guid=%s\" /T INFORMATION /L application" % guid

    # parameter list for template variable replacement
    parameters = [
        "Run_Start_Marker:action_result.parameter.ip_hostname",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="Format_End_Marker")

    Run_End_Marker(container=container)

    return
Beispiel #30
0
def format_after(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('format_after() called')
    
    template = """%%
Security Group ID: {0}
Security Group Name: {1}
%%"""

    # parameter list for template variable replacement
    parameters = [
        "describe_instance_after:action_result.data.*.Reservations.*.Instances.*.NetworkInterfaces.*.Groups.*.GroupId",
        "describe_instance_after:action_result.data.*.Reservations.*.Instances.*.NetworkInterfaces.*.Groups.*.GroupName",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="format_after")

    format_comment(container=container)

    return