def join_send_deny_email_2(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``send_deny_email_2`` at most once, after both URL reputation actions finish.

    The run-data key ``join_send_deny_email_2_called`` records that the
    downstream block has been started; a later invocation that finds the key
    set returns immediately.  ``phantom.actions_done`` is described inline as
    true when the actions have "succeeded or failed", so the email block also
    runs when a reputation lookup failed and must check the results itself.
    Only ``container`` and ``handle`` are forwarded; the other parameters are
    not read here.
    """
    phantom.debug('join_send_deny_email_2() called')

    # Idempotency guard: a previous invocation already started the email block.
    already_fired = phantom.get_run_data(key='join_send_deny_email_2_called')
    if already_fired:
        return

    # "Done" covers success and failure alike; it is not a success check.
    upstream_actions = ['virustotal_url_reputation', 'webpulse_url_reputation']
    if not phantom.actions_done(upstream_actions):
        return

    # Record the hand-off before making it, so a later invocation sees the flag.
    phantom.save_run_data(key='join_send_deny_email_2_called',
                          value='send_deny_email_2')
    send_deny_email_2(container=container, handle=handle)
def join_playbook_email_body(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``playbook_email_body`` once both incoming actions have finished.

    Per the inline description of ``phantom.actions_done``, "done" means
    succeeded or failed, so the downstream block also runs after a failure.
    No "already called" state is kept: every invocation that finds the
    actions done calls the downstream block again.  Only ``container`` and
    ``handle`` are forwarded.
    """
    phantom.debug('join_playbook_email_body() called')

    upstream_actions = [ 'get_app_run_data', 'get_playbook_action_runs' ]
    if not phantom.actions_done(upstream_actions):
        # At least one incoming action is still running.
        return

    playbook_email_body(container=container, handle=handle)
def join_send_message_2(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``send_message_2`` once ``list_channels_1`` has finished.

    ``phantom.actions_done`` is described inline as true for actions that
    have "succeeded or failed", so a failed channel listing still lets the
    message block run.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_send_message_2() called')

    required = [ 'list_channels_1' ]
    if not phantom.actions_done(required):
        return

    send_message_2(container=container, handle=handle)
def join_decision_3(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``decision_3`` once the IP and file reputation actions have finished.

    "Finished" here is the inline meaning of ``phantom.actions_done``:
    succeeded or failed.  The decision block therefore also runs when a
    reputation lookup failed and returned no verdict.  No "already called"
    flag is kept.  Only ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_decision_3() called')

    required = [ 'ip_reputation', 'file_reputation' ]
    if not phantom.actions_done(required):
        return

    # NOTE(review): confirm decision_3 treats a missing verdict as "unknown"
    # and not as "clean".
    decision_3(container=container, handle=handle)
def join_filter_2(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``filter_2`` once all four per-hash file reputation actions have finished.

    The join waits on the SHA1, MD5, SHA256 and SHA512 lookups.  As the
    inline comment says, ``phantom.actions_done`` counts failed actions as
    done, so ``filter_2`` can receive results from fewer than four
    successful lookups.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_filter_2() called')

    hash_lookups = [ 'file_reputation_SHA1', 'file_reputation_MD5', 'file_reputation_SHA256', 'file_reputation_SHA512' ]
    if not phantom.actions_done(hash_lookups):
        return

    filter_2(container=container, handle=handle)
def join_get_ticket_1(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``get_ticket_1`` once ``create_ticket_1`` has finished.

    ``phantom.actions_done`` is described inline as true when the action has
    "succeeded or failed", so ``get_ticket_1`` is also called when ticket
    creation failed.  No "already called" flag is kept.  Only ``container``
    and ``handle`` are forwarded.
    """
    phantom.debug('join_get_ticket_1() called')

    required = [ 'create_ticket_1' ]
    if not phantom.actions_done(required):
        return

    get_ticket_1(container=container, handle=handle)
def join_filter_2(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``filter_2`` once the four response actions have finished.

    The join waits on ``logoff_user_1``, ``shutdown_system_1``,
    ``disable_user_1`` and ``block_hash_3``.  ``phantom.actions_done`` is
    described inline as true for actions that "succeeded or failed", so
    reaching ``filter_2`` does not mean any of these steps took effect.
    No "already called" flag is kept.  Only ``container`` and ``handle``
    are forwarded.
    """
    phantom.debug('join_filter_2() called')

    response_actions = [ 'logoff_user_1', 'shutdown_system_1', 'disable_user_1', 'block_hash_3' ]
    if not phantom.actions_done(response_actions):
        return

    # NOTE(review): confirm filter_2 separates failed response actions from
    # successful ones before the case is treated as contained.
    filter_2(container=container, handle=handle)
def join_send_email_safe(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``send_email_safe`` once the IP and domain reputation actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed"; a failed lookup therefore does not hold back the
    downstream block.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_send_email_safe() called')

    lookups = [ 'ip_reputation_1', 'domain_reputation_2' ]
    if not phantom.actions_done(lookups):
        return

    # NOTE(review): the name suggests a "safe" verdict email; confirm the
    # downstream block does not read a failed lookup as a clean result.
    send_email_safe(container=container, handle=handle)
def join_collect_data(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``collect_data`` once ``execute_program_1`` and ``find_case`` have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so ``collect_data`` may run with partial input.  No
    "already called" flag is kept.  Only ``container`` and ``handle`` are
    forwarded.
    """
    phantom.debug('join_collect_data() called')

    required = [ 'execute_program_1', 'find_case' ]
    if not phantom.actions_done(required):
        return

    collect_data(container=container, handle=handle)
def join_send_email_bad_domain(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``send_email_bad_domain`` once the query, whois and hunt actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the email block also runs when one of the
    three enrichment steps failed.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_send_email_bad_domain() called')

    enrichment = [ 'run_query_2', 'whois_domain_1', 'hunt_domain_1' ]
    if not phantom.actions_done(enrichment):
        return

    send_email_bad_domain(container=container, handle=handle)
def join_isolate_ec2_instance_approval(
        action=None,
        success=None,
        container=None,
        results=None,
        handle=None,
        filtered_artifacts=None,
        filtered_results=None):
    """Call ``isolate_ec2_instance_approval`` once the ticket and message actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed"; reaching the downstream block does not show that
    the ticket was created or the message delivered.  No "already called"
    flag is kept, so each invocation that finds both actions done calls the
    downstream block again.  Only ``container`` and ``handle`` are
    forwarded.
    """
    phantom.debug('join_isolate_ec2_instance_approval() called')

    notifications = [ 'create_ticket_1', 'send_message_1' ]
    if not phantom.actions_done(notifications):
        return

    # NOTE(review): presumably this starts an approval step for isolating an
    # instance; confirm it checks that the ticket and message exist, and
    # that a repeated call cannot raise a second approval request.
    isolate_ec2_instance_approval(container=container, handle=handle)
def join_deescalate_alert(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``deescalate_alert`` once ``Add_to_test_machine_list`` has finished.

    Per the inline description, ``phantom.actions_done`` counts a failed
    action as done, so the alert can be de-escalated even though the list
    update did not go through.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_deescalate_alert() called')

    required = ['Add_to_test_machine_list']
    if not phantom.actions_done(required):
        return

    # NOTE(review): confirm deescalate_alert checks the list-update result
    # before lowering the alert's severity.
    deescalate_alert(container=container, handle=handle)
def join_filter_2(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``filter_2`` once ``detonate_file_3`` and ``get_report_1`` have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so ``filter_2`` also runs when the detonation or
    the report retrieval failed.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_filter_2() called')

    sandbox_steps = ['detonate_file_3', 'get_report_1']
    if not phantom.actions_done(sandbox_steps):
        return

    filter_2(container=container, handle=handle)
def join_filter_4(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``filter_4`` once the IP reputation and geolocation actions have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so ``filter_4`` may see only one of the two results.
    No "already called" flag is kept.  Only ``container`` and ``handle``
    are forwarded.
    """
    phantom.debug('join_filter_4() called')

    ip_lookups = ['ip_reputation_1', 'geolocate_ip_1']
    if not phantom.actions_done(ip_lookups):
        return

    filter_4(container=container, handle=handle)
def join_format_ticket(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``format_ticket`` once the connection and system-info actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the ticket may be formatted from incomplete
    endpoint data.  No "already called" flag is kept.  Only ``container``
    and ``handle`` are forwarded.
    """
    phantom.debug('join_format_ticket() called')

    endpoint_queries = ['list_connections_1', 'get_system_info_1']
    if not phantom.actions_done(endpoint_queries):
        return

    format_ticket(container=container, handle=handle)
def join_format_prompt_question(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``format_prompt_question`` once both intelligence actions have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so the prompt can be built without one of the two
    intelligence results.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_format_prompt_question() called')

    intel_actions = ['ip_intelligence_1', 'domain_intelligence_1']
    if not phantom.actions_done(intel_actions):
        return

    format_prompt_question(container=container, handle=handle)
def join_Filter_Banned_Countries(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``Filter_Banned_Countries`` once the three enrichment actions have finished.

    The join waits on file reputation, IP geolocation and domain reputation.
    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the filter also runs when geolocation failed
    and produced no country.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_Filter_Banned_Countries() called')

    enrichment = ['file_reputation_1', 'geolocate_ip_1', 'domain_reputation_2']
    if not phantom.actions_done(enrichment):
        return

    # NOTE(review): confirm the filter does not let an IP with no
    # geolocation result pass as "not banned".
    Filter_Banned_Countries(container=container, handle=handle)
def join_Initial_filtering(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``Initial_filtering`` once the file, domain and URL lookups have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so filtering may start with one or more lookups
    missing.  No "already called" flag is kept.  Only ``container`` and
    ``handle`` are forwarded.
    """
    phantom.debug('join_Initial_filtering() called')

    lookups = ['file_reputation_6', 'lookup_domain_1', 'url_reputation_1']
    if not phantom.actions_done(lookups):
        return

    Initial_filtering(container=container, handle=handle)
def join_format_5(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``format_5`` once the two SSH plist actions and the port scan have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so ``format_5`` can run with any of the three
    results absent.  No "already called" flag is kept.  Only ``container``
    and ``handle`` are forwarded.
    """
    phantom.debug('join_format_5() called')

    collection_steps = ['ssh_raw_user_plist', 'ssh_parse_user_plist', 'nmap_scan_5900']
    if not phantom.actions_done(collection_steps):
        return

    format_5(container=container, handle=handle)
def join_format_results(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``format_results`` once the certificate, IP and domain lookups have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so the formatted output may cover fewer than four
    lookups.  No "already called" flag is kept.  Only ``container`` and
    ``handle`` are forwarded.
    """
    phantom.debug('join_format_results() called')

    lookups = [
        'lookup_certificate_1',
        'ip_reputation_2',
        'domain_reputation_1',
        'domain_reputation_2',
    ]
    if not phantom.actions_done(lookups):
        return

    format_results(container=container, handle=handle)
def join_format_analyst_message(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``format_analyst_message`` once the two searches and two reputation actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the analyst message may be built from partial
    data.  No "already called" flag is kept.  Only ``container`` and
    ``handle`` are forwarded.
    """
    phantom.debug('join_format_analyst_message() called')

    investigation_steps = [
        'run_dns_search',
        'run_web_search',
        'url_reputation',
        'ip_reputation',
    ]
    if not phantom.actions_done(investigation_steps):
        return

    format_analyst_message(container=container, handle=handle)
def join_set_status_2(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``set_status_2`` once the approval, list update and ticket actions have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so the status change is not evidence that the ticket
    was created or the approval was given.  No "already called" flag is
    kept.  Only ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_set_status_2() called')

    required = [
        'endpoint_infection_ticket_approval',
        'add_list_item',
        'create_reinfected_ticket',
    ]
    if not phantom.actions_done(required):
        return

    # NOTE(review): confirm set_status_2 does not mark the case resolved
    # when one of the three upstream actions failed.
    set_status_2(container=container, handle=handle)
def join_account_lockout_endpoint_shutdown(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``account_lockout_endpoint_shutdown`` once the four endpoint listing actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the downstream block also runs when a listing
    failed and the endpoint picture is incomplete.  No "already called" flag
    is kept, so each invocation that finds all four done calls the
    downstream block again.  Only ``container`` and ``handle`` are
    forwarded.
    """
    phantom.debug('join_account_lockout_endpoint_shutdown() called')

    endpoint_listings = [
        'list_processes_1',
        'list_logged_on_users',
        'list_connections_1',
        'list_sessions_1',
    ]
    if not phantom.actions_done(endpoint_listings):
        return

    # NOTE(review): the name suggests a disruptive containment step; confirm
    # it validates the listing results and tolerates being entered twice.
    account_lockout_endpoint_shutdown(container=container, handle=handle)
def join_format_short_description(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``format_short_description`` once six containment and enrichment actions have finished.

    The join waits on a quarantine, a hash block and four data-gathering
    actions.  Per the inline description, ``phantom.actions_done`` counts
    failed actions as done, so the description is formatted whether or not
    the quarantine and hash block took effect.  No "already called" flag is
    kept.  Only ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_format_short_description() called')

    required = [
        'quarantine_device_2',
        'get_system_info_1',
        'get_file_1',
        'get_user_attributes_1',
        'file_reputation_1',
        'block_hash_1',
    ]
    if not phantom.actions_done(required):
        return

    format_short_description(container=container, handle=handle)
def join_set_status_6(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``set_status_6`` once the three lookups and ``Notify_IT`` have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the status is set even if the notification
    was never delivered.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_set_status_6() called')

    required = [
        'geolocate_ip_1',
        'domain_reputation_1',
        'file_reputation',
        'Notify_IT',
    ]
    if not phantom.actions_done(required):
        return

    set_status_6(container=container, handle=handle)
def join_summarize_results(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``summarize_results`` once all seven whois actions have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so the summary may cover fewer than seven successful
    lookups.  No "already called" flag is kept.  Only ``container`` and
    ``handle`` are forwarded.
    """
    phantom.debug('join_summarize_results() called')

    whois_actions = [
        'whois_ip_dst',
        'whois_ip_src',
        'whois_sourceAddress',
        'whois_destAddress',
        'whois_source_ip',
        'whois_dest_ip',
        'whois_url_ip',
    ]
    if not phantom.actions_done(whois_actions):
        return

    summarize_results(container=container, handle=handle)
def join_synthesize_enrichment(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``synthesize_enrichment`` once all seven enrichment actions have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so the synthesis step has to cope with sources
    that returned nothing.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_synthesize_enrichment() called')

    enrichment_sources = [
        'lookup_url_1',
        'virustotal_file_reputation',
        'reversinglabs_file_rep',
        'google_url_reputation',
        'domain_reputation_1',
        'ip_reputation',
        'deepsight_url_reputation',
    ]
    if not phantom.actions_done(enrichment_sources):
        return

    # NOTE(review): confirm a source that failed is reported as "no data"
    # and does not lower the combined verdict.
    synthesize_enrichment(container=container, handle=handle)
def join_add_comment_2(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``add_comment_2`` once all six query actions have finished.

    Per the inline description, ``phantom.actions_done`` counts failed
    actions as done, so the comment may be written from partial query
    output.  No "already called" flag is kept: each invocation that finds
    the queries done calls ``add_comment_2`` again.  Only ``container`` and
    ``handle`` are forwarded.
    """
    phantom.debug('join_add_comment_2() called')

    queries = [
        'query_endpoint_risk_mod',
        'query_notable_info',
        'query_user_identity_info',
        'query_user_risk_mod',
        'query_endpoint_rights',
        'query_user_rights',
    ]
    if not phantom.actions_done(queries):
        return

    add_comment_2(container=container, handle=handle)
def join_Send_email_if_related_entities_are_found(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``Send_email_if_related_entities_are_found`` once the four searches have finished.

    ``phantom.actions_done`` is described inline as true when actions have
    "succeeded or failed", so a failed search and an empty search both let
    the downstream block run.  No "already called" flag is kept.  Only
    ``container`` and ``handle`` are forwarded.
    """
    phantom.debug('join_Send_email_if_related_entities_are_found() called')

    searches = [
        'search_splunk_for_ips',
        'search_splunk_for_domains',
        'search_splunk_for_files',
        'search_splunk_for_vulns',
    ]
    if not phantom.actions_done(searches):
        return

    # NOTE(review): confirm the downstream block tells "search failed" apart
    # from "nothing related found" before deciding not to send the email.
    Send_email_if_related_entities_are_found(
        container=container, handle=handle)
def join_prompt_1(
        action=None, success=None, container=None, results=None,
        handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``prompt_1`` at most once, after both domain reputation actions finish.

    The run-data key ``join_prompt_1_called`` records that the prompt has
    been started; a later invocation that finds the key set returns without
    prompting again.  ``phantom.actions_done`` is described inline as true
    when actions have "succeeded or failed", so the prompt is also raised
    when a reputation lookup failed.  Only ``container`` and ``handle`` are
    forwarded.
    """
    phantom.debug('join_prompt_1() called')

    # Idempotency guard: the prompt was already raised for this run.
    prompt_already_sent = phantom.get_run_data(key='join_prompt_1_called')
    if prompt_already_sent:
        return

    reputation_actions = ['domain_reputation_2', 'domain_reputation_1']
    if not phantom.actions_done(reputation_actions):
        return

    # NOTE(review): the flag is read and written in separate calls; whether
    # two invocations can interleave between them is not visible here.
    phantom.save_run_data(key='join_prompt_1_called', value='prompt_1')
    prompt_1(container=container, handle=handle)