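def Summery_save_object(action=None,
                        success=None,
                        container=None,
                        results=None,
                        handle=None,
                        filtered_artifacts=None,
                        filtered_results=None,
                        custom_function=None,
                        **kwargs):
    """Persist the 'Summery_IP_reputation' format output on this container.

    The formatted text is read back with ``phantom.get_format_data`` and
    stored via ``phantom.save_object`` as ``{'feedback': <text>}`` under the
    current playbook's name, scoped to ``container['id']`` and marked
    ``auto_delete=True`` (so it goes away with the container).

    Args:
        container: Phantom container dict; ``container['id']`` is required.
        The remaining parameters are the standard Phantom block signature
        and are not used here.

    Returns:
        None. Returns early, saving nothing, when
        ``phantom.get_playbook_info()`` yields an empty result, the same
        guard ``format_1`` applies before indexing ``pb_info[0]``.
    """
    phantom.debug('Summery_save_object() called')

    formatted_data_1 = phantom.get_format_data(name='Summery_IP_reputation')

    ################################################################################
    ## Custom Code Start
    ################################################################################

    container_id = container['id']
    pb_info = phantom.get_playbook_info()
    # Guard before indexing: an empty result would otherwise raise IndexError
    # and abort the playbook run at pb_info[0].
    if not pb_info:
        phantom.debug('Summery_save_object(): no playbook info, nothing saved')
        return
    playbook_name = pb_info[0].get('name', None)
    phantom.save_object(key=playbook_name,
                        value={'feedback': formatted_data_1},
                        auto_delete=True,
                        container_id=container_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    return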
def save_object_data(action=None,
                     success=None,
                     container=None,
                     results=None,
                     handle=None,
                     filtered_artifacts=None,
                     filtered_results=None):
    """Store the 'I_have_some_data:my_data' run value as a container-scoped object.

    The run data is fetched with ``phantom.get_run_data``, JSON-decoded,
    wrapped in single quotes and saved with ``phantom.save_object`` under the
    fixed key ``"my_key"`` (``auto_delete=True`` for ``container['id']``).
    Control then continues to ``get_object_data``.

    Note: the quote wrapping is plain string concatenation, not escaping.
    It requires the decoded value to already be a ``str``; any other JSON
    type (number, list, object) raises TypeError here.
    """
    phantom.debug('save_object_data() called')
    object_key = "my_key"
    raw_run_data = phantom.get_run_data(key='I_have_some_data:my_data')
    my_data = json.loads(raw_run_data)

    ################################################################################
    ## Custom Code Start
    ################################################################################

    quoted_value = "".join(["'", my_data, "'"])
    phantom.save_object(key=object_key,
                        value={'value': quoted_value},
                        auto_delete=True,
                        container_id=container['id'])

    ################################################################################
    ## Custom Code End
    ################################################################################
    get_object_data(container=container)

    return
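def Save_Data_in_Object(action=None,
                        success=None,
                        container=None,
                        results=None,
                        handle=None,
                        filtered_artifacts=None,
                        filtered_results=None,
                        custom_function=None,
                        **kwargs):
    """Save the URL_reputation action messages on the container as ``IOCs_URL``.

    Collects ``URL_reputation:action_result.message`` from ``results`` with
    ``phantom.collect2`` and stores the collected rows, exactly as collect2
    returns them, via ``phantom.save_object`` under key ``"IOCs_URL"``,
    scoped to ``container['id']`` with ``auto_delete=True``.

    Args:
        container: Phantom container dict; ``container['id']`` is required.
        results: action results handed to ``phantom.collect2``.
        The remaining parameters are the standard block signature and unused.

    Returns:
        None.
    """
    phantom.debug('Save_Data_in_Object() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=['URL_reputation:action_result.message'],
        action_results=results)

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # The raw collect2 rows are stored, not a flattened list of messages;
    # whatever reads "IOCs_URL" back must expect that shape. The previously
    # computed flattened list was never used (and could raise IndexError on
    # an empty row), so it is no longer built.
    phantom.save_object(key="IOCs_URL",
                        value={'value': results_data_1},
                        auto_delete=True,
                        container_id=container['id'])

    ################################################################################
    ## Custom Code End
    ################################################################################

    return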
def format_1(action=None,
             success=None,
             container=None,
             results=None,
             handle=None,
             filtered_artifacts=None,
             filtered_results=None):
    """Attach the created ticket id to tracked source IPs, then build the ticket summary.

    In order:
      1. Resolve the playbook name via ``phantom.get_playbook_info``; return
         early (no format output is produced) if none is available.
      2. Read ``action_result.summary.created_ticket_id`` from ``results``.
      3. Collect every ``artifact:*.cef.src`` on the container.
      4. If a ticket id exists, for each ``src`` that passes
         ``phantom.valid_ip`` and already has a playbook-scoped object
         (``phantom.get_object``), set ``value['ticket']`` and write it back
         with ``auto_delete=False``. Sources without an existing object are
         skipped, never created.
      5. Emit the "format_1" format block from the create_ticket_1 results.

    Only values that pass ``phantom.valid_ip`` are used as object keys, so
    this block never touches the persistent store with arbitrary artifact
    strings.
    """
    phantom.debug('format_1() called')

    pb_info = phantom.get_playbook_info()
    if not pb_info:
        return
    playbook_name = pb_info[0].get('name', None)

    ticket_ids = phantom.collect(results,
                                 "action_result.summary.created_ticket_id")
    src_rows = phantom.collect2(container=container,
                                datapath=['artifact:*.cef.src'])

    def attach_ticket(ticket_id):
        """Write ticket_id into the saved object of every tracked, valid src IP."""
        for row in src_rows:
            if not row:
                continue
            src = row[0]
            if not phantom.valid_ip(src):
                continue
            key = str(src)
            saved = phantom.get_object(key=key, playbook_name=playbook_name)
            if not saved:
                continue
            record = saved[0]['value']
            record['ticket'] = ticket_id
            phantom.save_object(key=key,
                                value=record,
                                auto_delete=False,
                                playbook_name=playbook_name)

    if ticket_ids:
        ticket_id = ticket_ids[0]
        phantom.debug('Ticket {}'.format(ticket_id))
        attach_ticket(ticket_id)

    template = """Ticket
id: {0} number:  {1}"""

    # parameter list for template variable replacement
    parameters = [
        "create_ticket_1:action_result.summary.created_ticket_id",
        "create_ticket_1:action_result.data.*.number",
    ]

    phantom.format(container=container,
                   template=template,
                   parameters=parameters,
                   name="format_1")

    return
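def Store_Country_Name(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None):
    """Save the geolocated country name of a banned-country hit for the notify step.

    Reads the ``country_name`` values that passed the Filter_Banned_Countries
    condition, keeps the last non-empty one, wraps it in single quotes and
    stores it with ``phantom.save_object`` under ``"country_name_Email_Notify"``
    (scoped to ``container['id']``, ``auto_delete=True``). Then hands off to
    ``Promote_to_Case``.

    Args:
        container: Phantom container dict; ``container['id']`` is required.
        The other parameters are the standard block signature and unused.

    Returns:
        None.

    Notes:
        * The quote wrapping is plain concatenation and is NOT escaping.
          The text originates from a geolocation action result; whatever
          consumes ``country_name_Email_Notify`` (an e-mail notification,
          going by the key) must encode it for its own output format.
        * When no row carries a country name the quoted empty string
          ``"''"`` is stored rather than skipping the save.
    """
    phantom.debug('Store_Country_Name() called')
    filtered_results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:Filter_Banned_Countries:condition_1:geolocate_ip_1:action_result.data.*.country_name"
        ])

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Last truthy country name wins; rows without one are ignored.
    # (Renamed from the misleading local 'url'; the unused flattened list
    # that could IndexError on an empty row is no longer built.)
    country_name = ''
    for row in filtered_results_data_1:
        if row[0]:
            country_name = row[0]

    # store country name into object db
    phantom.save_object(key="country_name_Email_Notify",
                        value={'value': "'" + country_name + "'"},
                        auto_delete=True,
                        container_id=container['id'])

    ################################################################################
    ## Custom Code End
    ################################################################################
    Promote_to_Case(container=container)

    return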
def Save_result_in_object(action=None,
                          success=None,
                          container=None,
                          results=None,
                          handle=None,
                          filtered_artifacts=None,
                          filtered_results=None,
                          custom_function=None,
                          **kwargs):
    """Store the 'Summary' format output on this container under key "key1".

    ``phantom.get_format_data(name='Summary')`` is saved via
    ``phantom.save_object`` with ``auto_delete=True`` for ``container['id']``.
    The block's run-data slot ``Save_result_in_object:save_object_output`` is
    written as well, but always as JSON ``null``: nothing in the custom code
    assigns the output variable, so downstream blocks reading that key get
    ``None``.
    """
    phantom.debug('Save_result_in_object() called')

    id_value = container.get('id', None)
    summary_text = phantom.get_format_data(name='Summary')

    # Output slot for the run data below; never populated by this block.
    Save_result_in_object__save_object_output = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    phantom.save_object(key="key1",
                        value={'value': summary_text},
                        auto_delete=True,
                        container_id=container['id'])

    ################################################################################
    ## Custom Code End
    ################################################################################

    serialized_output = json.dumps(Save_result_in_object__save_object_output)
    phantom.save_run_data(key='Save_result_in_object:save_object_output',
                          value=serialized_output)

    return
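def decision_2(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Rate-track each filtered artifact ``src`` and open/re-open a ticket past LIMIT.

    For every ``filtered-data:filter_2:condition_1:artifact:*.cef`` row, the
    ``src`` value is the key of a playbook-scoped, persistent
    (``auto_delete=False``) object holding ``count``, ``start``, ``end``,
    ``description`` (container name), ``ticket`` and ``ignore``.

    * First sighting: the object is created with ``count=1`` and both
      timestamps set to the container start time.
    * Later sightings: ``count`` is incremented; an ``ignore`` flag older
      than ``REPEAT`` seconds is cleared; with no ticket and a window older
      than ``WINDOW`` seconds the counter and start time are reset; with
      ``count > LIMIT`` inside ``WINDOW`` an artifact labelled ``create``
      (no ticket yet, src in ``cn1``) or ``update`` (existing ticket, src in
      ``cn2``) is added and ``ignore`` is set so the src is not re-ticketed
      until ``REPEAT`` elapses.

    Finally the container is checked for an artifact labelled ``create``
    (-> ``create_ticket_1``), else ``update`` (-> ``update_ticket_1``).

    ``REPEAT``, ``WINDOW`` (seconds) and ``LIMIT`` (count) are module-level
    constants defined outside this block.

    Returns:
        None. Returns early, without tracking or deciding, when
        ``phantom.get_playbook_info()`` is empty. The check now runs before
        ``pb_info[0]`` is read; previously it came after that access and
        could not prevent the IndexError.
    """
    phantom.debug('decision_2() called')
    # NOTE(review): clobbers the incoming 'action' before it is forwarded to
    # create_ticket_1/update_ticket_1 below; kept as-is since those blocks
    # may rely on receiving ''.
    action = ''
    pb_info = phantom.get_playbook_info()
    # Guard BEFORE indexing pb_info (the original order indexed first).
    if not pb_info:
        return
    name_value = container.get('name', None)
    playbook_name = pb_info[0].get('name', None)
    filtered_artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_2:condition_1:artifact:*.cef'])
    phantom.debug('TOTAL number of cef.src artifacts is count: {}'.format(
        len(filtered_artifacts_data_1)))
    # local_tz = timezone('America/New_York')
    # Drop the trailing "+00" offset so the naive strptime pattern matches.
    start = (container['start_time']
             )[:-3]  # start = (container['start_time']).strip('+00')
    start_time = datetime.strptime(
        start, '%Y-%m-%d %H:%M:%S.%f')  # format 2017-10-17 11:32:00.839350
    # start_time = local_tz.localize(start_time)
    # NOTE(review): timestamps are stored with strftime("%c") and parsed back
    # with the fixed pattern '%a %b %d %H:%M:%S %Y'. That round-trips only
    # under the C/POSIX locale -- confirm the SOAR runtime locale.
    for filtered_artifacts_item_1 in filtered_artifacts_data_1:
        # NOTE(review): 'src' is taken from the artifact unvalidated and becomes
        # a persistent object key; format_1 only updates keys that pass
        # phantom.valid_ip, so non-IP src values accumulate here and never
        # receive a ticket id there.
        item_1 = filtered_artifacts_item_1[0]['src']
        phantom.debug('ITEM to be processed: {}'.format(item_1))
        if item_1:
            addr = phantom.get_object(key=str(item_1),
                                      playbook_name=playbook_name)
            if not addr:
                phantom.debug('SAVE NEW count: {} {} {} '.format(
                    1, start_time.strftime("%c"), start_time.strftime("%c")))
                phantom.save_object(key=str(item_1),
                                    value={
                                        'count': 1,
                                        'start': start_time.strftime("%c"),
                                        'end': start_time.strftime("%c"),
                                        'description': name_value,
                                        'ticket': '',
                                        'ignore': False
                                    },
                                    auto_delete=False,
                                    playbook_name=playbook_name)
            else:
                count = addr[0]['value']['count'] + 1
                ignore = addr[0]['value']['ignore']
                ticket = addr[0]['value']['ticket']
                saved_start = addr[0]['value']['start']
                saved_start_time = datetime.strptime(
                    saved_start, '%a %b %d %H:%M:%S %Y'
                )  # format Mon Oct 16 11:46:30 2017 or '%Y-%m-%d %H:%M:%S.%f'
                # saved_start_time = local_tz.localize(start_time)
                delta = abs((start_time -
                             saved_start_time)).total_seconds()  # .seconds
                phantom.debug(
                    'DECISION start_time {} - saved_start_time {} = {}s '.
                    format(start_time, saved_start_time, delta))
                # An ignored src is reconsidered once REPEAT seconds have passed.
                if ignore and (delta > REPEAT):
                    phantom.debug(
                        'IGNORE {} start_time {} - saved_start_time {} = {}s '.
                        format(ignore, start_time, saved_start_time, delta))
                    ignore = False
                    saved_start = start_time.strftime("%c")
                if not ignore:
                    if (ticket == '') and (delta > WINDOW):
                        saved_start = start_time.strftime("%c")
                        # NOTE(review): resets to 0 although this sighting just
                        # incremented count -- confirm whether 1 was intended.
                        count = 0
                        phantom.debug(
                            'RESET time/co ticket {} delta {}s {} <- {}'.
                            format(ticket, delta, saved_start,
                                   start_time.strftime("%c")))
                    elif (count > LIMIT) and (delta < WINDOW):
                        count = 0
                        saved_start = start_time.strftime("%c")
                        raw = {}
                        cef = {}
                        # NOTE(review): 'cs3' must exist on the artifact cef;
                        # a missing field raises KeyError here.
                        cef['cs3'] = filtered_artifacts_item_1[0]['cs3']
                        if (ticket == ''):
                            phantom.debug(
                                'OPENED {} opened {} {}s ago '.format(
                                    item_1, saved_start_time, delta))
                            cef['cn1'] = item_1
                            success, message, artifact_id = phantom.add_artifact(
                                container=container,
                                raw_data=raw,
                                cef_data=cef,
                                label='create',
                                name='ticket',
                                severity='high',
                                identifier=None,
                                artifact_type='host')
                        else:
                            phantom.debug(
                                'REOPEN {} reopen {} {}s ago '.format(
                                    ticket, saved_start_time, delta))
                            cef['cn2'] = item_1
                            success, message, artifact_id = phantom.add_artifact(
                                container=container,
                                raw_data=raw,
                                cef_data=cef,
                                label='update',
                                name='ticket',
                                severity='high',
                                identifier=None,
                                artifact_type='host')
                        # Suppress further tickets for this src until REPEAT elapses.
                        ignore = True
                    phantom.debug(
                        'SAVE OLD count: {0} ticket: {1} {2} {3} {4}s'.format(
                            count, ticket, saved_start,
                            start_time.strftime("%c"), delta))
                    phantom.save_object(key=str(item_1),
                                        value={
                                            'count': count,
                                            'start': saved_start,
                                            'end': start_time.strftime("%c"),
                                            'description': name_value,
                                            'ticket': ticket,
                                            'ignore': ignore
                                        },
                                        auto_delete=False,
                                        playbook_name=playbook_name)

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        scope='all',
        conditions=[
            ["artifact:*.label", "==", "create"],
        ])

    # call connected blocks if condition 1 matched
    if matched_artifacts_1 or matched_results_1:
        create_ticket_1(action=action,
                        success=success,
                        container=container,
                        results=results,
                        handle=handle)
        return

    # check for 'elif' condition 2
    matched_artifacts_2, matched_results_2 = phantom.condition(
        container=container,
        scope='all',
        conditions=[
            ["artifact:*.label", "==", "update"],
        ])

    # call connected blocks if condition 2 matched
    if matched_artifacts_2 or matched_results_2:
        update_ticket_1(action=action,
                        success=success,
                        container=container,
                        results=results,
                        handle=handle)
        return

    return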