def decision_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Route to add_hash_to_seen_list when the looked-up hash is not yet on the 'Prior Hashes' custom list.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_4() called')

    # Condition 1: the hash parameter of the file_reputation result is absent
    # from the 'Prior Hashes' custom list (i.e. this hash has not been seen before).
    unseen_hash_rule = [
        "file_reputation:action_result.parameter.hash",
        "not in",
        "custom_list:Prior Hashes",
    ]
    hit_artifacts, hit_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[unseen_hash_rule],
    )

    # A hash that is already on the list ends this decision without any call.
    if not (hit_artifacts or hit_results):
        return

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)
    add_hash_to_seen_list(**downstream)
    return
def positive_threshold_exceeded(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Branch on the file_reputation positives count.

    More than 10 positives continues to Filter_out_non_IPs; anything else
    (including a missing summary) falls through to add_comment_4.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to whichever connected block runs.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('positive_threshold_exceeded() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    # Condition 1: detection threshold on the reputation summary (integer 10).
    hit_artifacts, hit_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["file_reputation:action_result.summary.positives", ">", 10],
        ],
    )

    if hit_artifacts or hit_results:
        Filter_out_non_IPs(**downstream)
        return

    # 'else' branch: threshold not exceeded, only record a comment.
    add_comment_4(**downstream)
    return
def Filter_out_non_IPs(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Keep only artifacts with a non-empty destinationAddress and hand them to Notify_IT.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to Notify_IT.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read here (Notify_IT receives the freshly
            filtered sets instead).

    Returns:
        None.
    """
    phantom.debug('Filter_out_non_IPs() called')

    # Named filter so later blocks can reference
    # "filtered-data:Filter_out_non_IPs:condition_1:...".
    kept_artifacts, kept_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["artifact:*.cef.destinationAddress", "!=", ""],
        ],
        name="Filter_out_non_IPs:condition_1",
    )

    if not (kept_artifacts or kept_results):
        return

    Notify_IT(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        filtered_artifacts=kept_artifacts,
        filtered_results=kept_results,
    )
    return
def decision_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Branch on the first response recorded by the Notify_IT action.

    A literal "Yes" continues to Store_Country_Name; any other value
    (or no response) goes to pin_7.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_3() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    # Condition 1: human response to Notify_IT was "Yes" (exact string match).
    approved_artifacts, approved_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["Notify_IT:action_result.summary.responses.0", "==", "Yes"],
        ],
    )

    if approved_artifacts or approved_results:
        Store_Country_Name(**downstream)
    else:
        # 'else' branch: not approved.
        pin_7(**downstream)
    return
def filter_main_artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Select artifacts labelled "event" and pass them to get_indicator_2.

    Args:
        action, success, container, results, handle, custom_function: playbook
            block parameters, forwarded unchanged to get_indicator_2.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; get_indicator_2 receives the freshly filtered sets.
        **kwargs: any further block parameters; ignored.

    Returns:
        None.
    """
    phantom.debug('filter_main_artifact() called')

    # Named filter on the artifact label only (no action results are consulted).
    event_artifacts, event_results = phantom.condition(
        container=container,
        conditions=[
            ["artifact:*.label", "==", "event"],
        ],
        name="filter_main_artifact:condition_1",
    )

    if event_artifacts or event_results:
        get_indicator_2(
            action=action,
            success=success,
            container=container,
            results=results,
            handle=handle,
            custom_function=custom_function,
            filtered_artifacts=event_artifacts,
            filtered_results=event_results,
        )

    return
def decision_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Suspend the VM when any artifact's cef.category equals "lateral".

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to suspend_vm_1.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_3() called')

    # Condition 1: exact match on the category field; no other value triggers
    # the containment action, and there is no 'else' branch.
    lateral_artifacts, lateral_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["artifact:*.cef.category", "==", "lateral"],
        ],
    )

    if not (lateral_artifacts or lateral_results):
        return

    suspend_vm_1(action=action, success=success, container=container, results=results, handle=handle)
    return
def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Snapshot virtual hosts, otherwise block the IP.

    The test is a substring check: "virtual" anywhere in cef.cs1 selects
    snapshot_vm_1; every other artifact (including one with no cs1) takes
    the 'else' branch into block_ip.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_2() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    is_virtual_artifacts, is_virtual_results = phantom.condition(
        container=container,
        conditions=[
            ["virtual", "in", "artifact:*.cef.cs1"],
        ],
    )

    if is_virtual_artifacts or is_virtual_results:
        snapshot_vm_1(**downstream)
        return

    # 'else' branch: blocking action for non-virtual hosts.
    block_ip(**downstream)
    return
def filter_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Select artifacts labelled "customer_request" and pass them to filter_1.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to filter_1.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; filter_1 receives the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('filter_2() called')

    label_rule = ["artifact:*.label", "==", "customer_request"]
    request_artifacts, request_results = phantom.condition(
        container=container,
        conditions=[label_rule],
        name="filter_2:condition_1",
    )

    if not (request_artifacts or request_results):
        return

    filter_1(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        filtered_artifacts=request_artifacts,
        filtered_results=request_results,
    )
    return
def zscaler_category_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Forward lookup_url_2 results that carry a security-alert classification to block_url_2.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to block_url_2.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; block_url_2 receives the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('zscaler_category_filter() called')

    # Only results whose urlClassificationsWithSecurityAlert field is non-empty
    # reach the blocking action.
    alert_rule = [
        "lookup_url_2:action_result.data.*.urlClassificationsWithSecurityAlert",
        "!=",
        "",
    ]
    alert_artifacts, alert_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[alert_rule],
        name="zscaler_category_filter:condition_1",
    )

    if alert_artifacts or alert_results:
        block_url_2(
            action=action,
            success=success,
            container=container,
            results=results,
            handle=handle,
            filtered_artifacts=alert_artifacts,
            filtered_results=alert_results,
        )

    return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Continue to get_device_info_1 when an artifact is labelled "data_exfiltration".

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to get_device_info_1.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_1() called')

    exfil_artifacts, exfil_results = phantom.condition(
        container=container,
        conditions=[
            ["artifact:*.label", "==", "data_exfiltration"],
        ],
    )

    # No 'else' branch: other labels end the decision here.
    if not (exfil_artifacts or exfil_results):
        return

    get_device_info_1(action=action, success=success, container=container, results=results, handle=handle)
    return
def filter_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Forward file_reputation_1 results with more than 10 positives to filter_2.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to filter_2.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; filter_2 receives the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('filter_1() called')

    # Detection threshold on the reputation summary (integer 10).
    threshold_rule = ["file_reputation_1:action_result.summary.positives", ">", 10]
    flagged_artifacts, flagged_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[threshold_rule],
        name="filter_1:condition_1",
    )

    if flagged_artifacts or flagged_results:
        filter_2(
            action=action,
            success=success,
            container=container,
            results=results,
            handle=handle,
            filtered_artifacts=flagged_artifacts,
            filtered_results=flagged_results,
        )

    return
def threat_score_thresholds(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Forward ip_reputation_1 results whose threatscore AND confidence both exceed 1 to linking_filter.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to linking_filter.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; linking_filter receives the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('threat_score_thresholds() called')

    # Both thresholds are given as the string "1" (other blocks in this file use
    # integers); how phantom.condition compares a string threshold is not visible
    # here — NOTE(review): confirm the comparison is numeric, not lexical.
    score_rules = [
        ["ip_reputation_1:action_result.data.*.threatscore", ">", "1"],
        ["ip_reputation_1:action_result.data.*.confidence", ">", "1"],
    ]
    scored_artifacts, scored_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=score_rules,
        logical_operator='and',
        name="threat_score_thresholds:condition_1",
    )

    if not (scored_artifacts or scored_results):
        return

    linking_filter(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        filtered_artifacts=scored_artifacts,
        filtered_results=scored_results,
    )
    return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Send send_email_1 when the DW_VT result reports at least one positive.

    Unlike the other decision blocks in this file, this one emits no
    phantom.debug trace on entry.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to send_email_1.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; send_email_1 receives the freshly matched sets.

    Returns:
        None.
    """
    positive_artifacts, positive_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["DW_VT:action_result.summary.positives", ">", 0],
        ],
    )

    if positive_artifacts or positive_results:
        send_email_1(
            action=action,
            success=success,
            container=container,
            results=results,
            handle=handle,
            filtered_artifacts=positive_artifacts,
            filtered_results=positive_results,
        )

    return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Continue to format_splunk_query when url_reputation_2 reports more than 4 positives.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to format_splunk_query.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_1() called')

    # Threshold is the string "4" here, whereas similar blocks use an integer;
    # NOTE(review): confirm phantom.condition compares it numerically.
    flagged_artifacts, flagged_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["url_reputation_2:action_result.summary.positives", ">", "4"],
        ],
    )

    if not (flagged_artifacts or flagged_results):
        return

    format_splunk_query(action=action, success=success, container=container, results=results, handle=handle)
    return
def decision_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run filter_1 and lookup_url_2 when run_query_1 shows a policy_action of "Allowed".

    Both connected blocks are called in that order; no 'else' branch exists.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to both connected blocks.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_5() called')

    allowed_rule = [
        "run_query_1:action_result.data.*.policy_action",
        "==",
        "Allowed",
    ]
    allowed_artifacts, allowed_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[allowed_rule],
    )

    if allowed_artifacts or allowed_results:
        downstream = dict(action=action, success=success, container=container, results=results, handle=handle)
        filter_1(**downstream)
        lookup_url_2(**downstream)

    return
def decision_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Human-approval gate: quarantine the executive device only on a "Yes" to prompt_1.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to quarantine_exec_device.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_7() called')

    # Exact string match on the prompt summary; anything else ends here.
    approved_artifacts, approved_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[
            ["prompt_1:action_result.summary.response", "==", "Yes"],
        ],
    )

    if not (approved_artifacts or approved_results):
        return

    quarantine_exec_device(action=action, success=success, container=container, results=results, handle=handle)
    return
def decision_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Human-approval gate: add to the blocklist only on a "Yes" to playbook_tutorial_prompt.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to add_to_blocklist.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_4() called')

    approval_rule = [
        "playbook_tutorial_prompt:action_result.summary.response",
        "==",
        "Yes",
    ]
    approved_artifacts, approved_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[approval_rule],
    )

    if approved_artifacts or approved_results:
        add_to_blocklist(action=action, success=success, container=container, results=results, handle=handle)

    return
def decision_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Escalate severity unless the filtered destination address is on the 'test_machines' custom list.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to set_severity_2.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block (it re-reads filter_2's
            named output via the filtered-data reference).

    Returns:
        None.
    """
    phantom.debug('decision_3() called')

    # The custom list acts as an exclusion set: an address present on it
    # suppresses the severity change, so the list's contents decide coverage.
    exclusion_rule = [
        "filtered-data:filter_2:condition_1:artifact:*.cef.destinationAddress",
        "not in",
        "custom_list:test_machines",
    ]
    live_artifacts, live_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[exclusion_rule],
    )

    if not (live_artifacts or live_results):
        return

    set_severity_2(action=action, success=success, container=container, results=results, handle=handle)
    return
def filter_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pass destination addresses not already on the 'blocked_ips' custom list to playbook_tutorial_prompt.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to playbook_tutorial_prompt.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; the prompt receives the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('filter_3() called')

    # Skips addresses that were already blocked, so the prompt is only raised
    # for new candidates.
    not_blocked_rule = [
        "filtered-data:filter_2:condition_1:artifact:*.cef.destinationAddress",
        "not in",
        "custom_list:blocked_ips",
    ]
    candidate_artifacts, candidate_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[not_blocked_rule],
        name="filter_3:condition_1",
    )

    if candidate_artifacts or candidate_results:
        playbook_tutorial_prompt(
            action=action,
            success=success,
            container=container,
            results=results,
            handle=handle,
            filtered_artifacts=candidate_artifacts,
            filtered_results=candidate_results,
        )

    return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Continue to decision_3 when any artifact carries a non-empty sourceAddress.

    The generated 'else' branch is empty: containers without a source address
    stop here.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to decision_3.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_1() called')

    has_source_artifacts, has_source_results = phantom.condition(
        container=container,
        conditions=[
            ["artifact:*.cef.sourceAddress", "!=", ""],
        ],
    )

    if has_source_artifacts or has_source_results:
        decision_3(action=action, success=success, container=container, results=results, handle=handle)

    return
def filter_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Quarantine regular devices whose run_query_1 User matches the looked-up username.

    The right-hand side of the comparison is itself a filtered-data reference
    to get_user_attributes_1's username parameter (from filter_1 condition 2).

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to quarantine_regular_device.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; the quarantine block receives the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('filter_3() called')

    user_match_rule = [
        "run_query_1:action_result.data.*.User",
        "==",
        "filtered-data:filter_1:condition_2:get_user_attributes_1:action_result.parameter.username",
    ]
    matched_artifacts, matched_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[user_match_rule],
        name="filter_3:condition_1",
    )

    if not (matched_artifacts or matched_results):
        return

    quarantine_regular_device(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        filtered_artifacts=matched_artifacts,
        filtered_results=matched_results,
    )
    return
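def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Dispatch to block_ip_2 or unblock_ip_2 based on the container's source_data_identifier.

    Both tests are substring checks ("in"): an identifier that merely contains
    "vectra_block_request" blocks, one containing "vectra_unblock_request"
    unblocks, and the block branch is evaluated first. Identifiers matching
    neither end the decision without a call.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block. ``container`` is read
            here for its 'source_data_identifier' key.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_1() called')

    # Read once (the generated code fetched the same key twice). The value is
    # handed to phantom.condition unchanged, so it is None when the container
    # has no identifier.
    source_data_identifier_value = container.get('source_data_identifier', None)

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    # check for 'if' condition 1: block request
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        conditions=[
            ["vectra_block_request", "in", source_data_identifier_value],
        ])

    if matched_artifacts_1 or matched_results_1:
        block_ip_2(**downstream)
        return

    # check for 'elif' condition 2: unblock request
    matched_artifacts_2, matched_results_2 = phantom.condition(
        container=container,
        conditions=[
            ["vectra_unblock_request", "in", source_data_identifier_value],
        ])

    if matched_artifacts_2 or matched_results_2:
        unblock_ip_2(**downstream)
        return

    return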
def filter_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Fan out containment actions for detonations classified as "ransomware".

    On a match the connected blocks run in this order: block_ip_1,
    hunt_file_1, block_hash_4, block_hash_3, each receiving the same filtered
    sets.

    Args:
        action, success, container, results, handle, custom_function: playbook
            block parameters, forwarded unchanged to every connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; the connected blocks receive the freshly filtered sets.
        **kwargs: any further block parameters; ignored.

    Returns:
        None.
    """
    phantom.debug('filter_1() called')

    ransomware_rule = [
        "detonate_file_1:action_result.summary.malware",
        "==",
        "ransomware",
    ]
    hit_artifacts, hit_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[ransomware_rule],
        name="filter_1:condition_1",
    )

    if not (hit_artifacts or hit_results):
        return

    downstream = dict(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        custom_function=custom_function,
        filtered_artifacts=hit_artifacts,
        filtered_results=hit_results,
    )
    # Order matters only in that it mirrors the generated playbook; each block
    # gets an identical argument set.
    for connected_block in (block_ip_1, hunt_file_1, block_hash_4, block_hash_3):
        connected_block(**downstream)
    return
def filter_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Route artifacts by fileName: "A" to custom_function_1, "B" to custom_function_2.

    The two conditions are evaluated independently (not if/elif), so both
    connected blocks may run for one container.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected blocks.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; each connected block receives its own filtered sets.

    Returns:
        None.
    """
    phantom.debug('filter_1() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    # Each (fileName value, named condition, target) triple is evaluated in turn.
    routes = (
        ("A", "filter_1:condition_1", custom_function_1),
        ("B", "filter_1:condition_2", custom_function_2),
    )
    for file_name, condition_name, target in routes:
        kept_artifacts, kept_results = phantom.condition(
            container=container,
            conditions=[
                ["artifact:*.cef.fileName", "==", file_name],
            ],
            name=condition_name,
        )
        if kept_artifacts or kept_results:
            target(**downstream, filtered_artifacts=kept_artifacts, filtered_results=kept_results)

    return
def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Human-approval gate on prompt_1: "Yes" allows the URL, "No" sends a denial email.

    Any other response (or none) matches neither branch and the decision ends
    without calling a connected block.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_2() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    # Branches are checked in order; the first match wins.
    branches = (
        ("Yes", allow_url_1),
        ("No", send_deny_email_1),
    )
    for expected_response, target in branches:
        hit_artifacts, hit_results = phantom.condition(
            container=container,
            action_results=results,
            conditions=[
                ["prompt_1:action_result.summary.response", "==", expected_response],
            ],
        )
        if hit_artifacts or hit_results:
            target(**downstream)
            return

    return
def filter_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Split artifacts into address-bearing and hostname-bearing sets and query each.

    Condition 1 (non-empty destinationAddress) feeds address_query; condition 2
    (non-empty destinationHostName) feeds hostname_query. Both are evaluated,
    so an artifact with both fields reaches both queries.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected blocks.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; each query receives its own filtered sets.
        custom_function: accepted for interface compatibility; not forwarded.
        **kwargs: any further block parameters; ignored.

    Returns:
        None.
    """
    phantom.debug("filter_1() called")

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    routes = (
        ("artifact:*.cef.destinationAddress", "filter_1:condition_1", address_query),
        ("artifact:*.cef.destinationHostName", "filter_1:condition_2", hostname_query),
    )
    for field_path, condition_name, target in routes:
        kept_artifacts, kept_results = phantom.condition(
            container=container,
            conditions=[[field_path, "!=", ""]],
            name=condition_name,
        )
        if kept_artifacts or kept_results:
            target(**downstream, filtered_artifacts=kept_artifacts, filtered_results=kept_results)

    return
def decision_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Branch on the first prompt_4 response: "1" lists processes, "2" reverts the VM.

    Responses are compared as strings; any other value ends the decision
    without a call.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_7() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    choices = (
        ("1", list_processes_3),
        ("2", revert_vm_1),
    )
    for expected_choice, target in choices:
        hit_artifacts, hit_results = phantom.condition(
            container=container,
            action_results=results,
            conditions=[
                ["prompt_4:action_result.summary.responses.0", "==", expected_choice],
            ],
        )
        if hit_artifacts or hit_results:
            target(**downstream)
            return

    return
def filter_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fan out enrichment for artifacts with a non-empty destinationAddress.

    On a match the connected blocks run in order: hunt_ip_1, ip_reputation_1,
    geolocate_ip_1, whois_ip_1, get_pcap_1, each with the same filtered sets.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to every connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; the connected blocks receive the freshly filtered sets.

    Returns:
        None.
    """
    phantom.debug('filter_2() called')

    addressed_artifacts, addressed_results = phantom.condition(
        container=container,
        conditions=[
            ["artifact:*.cef.destinationAddress", "!=", ""],
        ],
        name="filter_2:condition_1",
    )

    if not (addressed_artifacts or addressed_results):
        return

    downstream = dict(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        filtered_artifacts=addressed_artifacts,
        filtered_results=addressed_results,
    )
    for enrichment in (hunt_ip_1, ip_reputation_1, geolocate_ip_1, whois_ip_1, get_pcap_1):
        enrichment(**downstream)
    return
def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Dispatch by artifact cef.os: windows, linux or macos.

    Checked in that order with first-match-wins semantics; the comparison is
    an exact, case-sensitive string match, so other spellings fall through
    and end the decision without a call.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to the connected block.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_2() called')

    downstream = dict(action=action, success=success, container=container, results=results, handle=handle)

    os_routes = (
        ("windows", Format_Start_Marker),
        ("linux", TODO_Run_Linux_Test),
        ("macos", TODO_Run_Mac_Test),
    )
    for os_name, target in os_routes:
        hit_artifacts, hit_results = phantom.condition(
            container=container,
            action_results=results,
            conditions=[
                ["artifact:*.cef.os", "==", os_name],
            ],
        )
        if hit_artifacts or hit_results:
            target(**downstream)
            return

    return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run Query_String only when exactly one of destinationAddress / destinationHostName is set.

    Condition 1 (both empty) and condition 2 (both non-empty) each stop the
    playbook branch; everything else takes the 'else' path into Query_String.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded unchanged to Query_String.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; not read by this block.

    Returns:
        None.
    """
    phantom.debug('decision_1() called')

    address_field = "artifact:*.cef.destinationAddress"
    hostname_field = "artifact:*.cef.destinationHostName"

    # Each stop-rule is a pair of conditions joined with 'and'.
    stop_rules = (
        [[address_field, "==", ""], [hostname_field, "==", ""]],
        [[address_field, "!=", ""], [hostname_field, "!=", ""]],
    )
    for rule_pair in stop_rules:
        stop_artifacts, stop_results = phantom.condition(
            container=container,
            conditions=rule_pair,
            logical_operator='and',
        )
        if stop_artifacts or stop_results:
            return

    # 'else' branch: precisely one of the two fields is populated.
    Query_String(action=action, success=success, container=container, results=results, handle=handle)
    return
def decision_1(action, success, container, results, handle, filtered_artifacts=None, filtered_results=None):
    """Continue to list_tickets when list_projects returns a project_key of "AP".

    This block takes its first five parameters positionally and forwards them
    positionally; it emits no phantom.debug trace.

    Args:
        action, success, container, results, handle: playbook block parameters,
            forwarded to list_tickets in the same positional order.
        filtered_artifacts, filtered_results: accepted for interface
            compatibility; list_tickets receives the freshly matched sets.

    Returns:
        None.
    """
    project_rule = ["list_projects:action_result.data.*.project_key", "==", "AP"]
    project_artifacts, project_results = phantom.condition(
        container=container,
        action_results=results,
        conditions=[project_rule],
    )

    if not (project_artifacts or project_results):
        return

    list_tickets(
        action,
        success,
        container,
        results,
        handle,
        filtered_artifacts=project_artifacts,
        filtered_results=project_results,
    )
    return