def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("decision_2() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["related_events:action_result.summary.responses.0", "==", "Merge All"]
])
# call connected blocks if condition 1 matched
if found_match_1:
merge_all(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'elif' condition 2
found_match_2 = phantom.decision(
container=container,
conditions=[
["related_events:action_result.summary.responses.0", "==", "Merge Individually"]
])
# call connected blocks if condition 2 matched
if found_match_2:
custom_format(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'else' condition 3
format_end_note(action=action, success=success, container=container, results=results, handle=handle)
return
def playbook_decision(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("playbook_decision() called")
################################################################################
# Determine if any response playbooks were found.
################################################################################
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["list_response_playbooks:custom_function_result.data.*.full_name", "!=", ""]
])
# call connected blocks if condition 1 matched
if found_match_1:
select_response_plan(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'elif' condition 2
found_match_2 = phantom.decision(
container=container,
conditions=[
["workbook_list:custom_function_result.data.*.name", "==", "Risk Investigation"]
])
# call connected blocks if condition 2 matched
if found_match_2:
workbook_task_update(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'else' condition 3
add_error_note(action=action, success=success, container=container, results=results, handle=handle)
return
def note_decision_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("note_decision_1() called")
################################################################################
# Determine if a note was left by the previous playbook and if the Risk Investigation
# workbook should be used.
################################################################################
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
logical_operator="and",
conditions=[[
"risk_notable_import_data:playbook_output:note_title", "!=", ""
], ["risk_notable_import_data:playbook_output:note_content", "!=", ""],
[
"workbook_list:custom_function_result.data.*.name",
"==", "Risk Investigation"
]])
# call connected blocks if condition 1 matched
if found_match_1:
update_preprocess_task(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
# check for 'elif' condition 2
found_match_2 = phantom.decision(
container=container,
logical_operator="and",
conditions=[[
"risk_notable_import_data:playbook_output:note_title", "!=", ""
], ["risk_notable_import_data:playbook_output:note_content", "!=",
""]])
# call connected blocks if condition 2 matched
if found_match_2:
add_import_data_note_1(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
return
def risk_rule_decision(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("risk_rule_decision() called")
################################################################################
# Only proceeds if an artifact with the label "risk_rule" is not present.
################################################################################
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[["artifact:*.label", "==", "risk_rule"]],
scope="all")
# call connected blocks if condition 1 matched
if found_match_1:
return
# check for 'else' condition 2
workbook_list(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
def indicators_decision(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("indicators_decision() called")
################################################################################
# Determine if any suspect indicators were found.
################################################################################
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[[
"get_suspect_indicators:custom_function_result.data.*.indicator_value",
"!=", ""
]])
# call connected blocks if condition 1 matched
if found_match_1:
custom_format(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
return
def decision_4(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_4() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["trace_email_1:action_result.summary.emails_found", ">", 0],
])
# call connected blocks if condition 1 matched
if matched:
filter_3(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('decision_7() called')
tags_value = container.get('tags', None)
tags_value = container.get('tags', None)
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["service_restart_in_progress", "in", tags_value],
["itsi_service_restart_successful", "in", tags_value],
],
logical_operator='or')
# call connected blocks if condition 1 matched
if matched:
join_add_tag_5(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)
return
# call connected blocks for 'else' condition 2
format_15(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)
return
def decision_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_1() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["file_reputation_4:action_result.summary.positives", ">", 1],
])
# call connected blocks if condition 1 matched
if matched:
Score(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
# call connected blocks for 'else' condition 2
return
def decision_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_2() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
conditions=[
["service_restart_in_progress", "in", "artifact:*.tags"],
])
# call connected blocks if condition 1 matched
if matched:
filter_1(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
# call connected blocks for 'else' condition 2
return
def decision_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("decision_3() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[[
"get_indicators_status:custom_function_result.data.*.indicator_value",
"!=", ""
]])
# call connected blocks if condition 1 matched
if found_match_1:
format_note(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
return
def decision_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_1() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
conditions=[
["Percent Error Count", "in", "artifact:*.name"],
])
# call connected blocks if condition 1 matched
if matched:
format_1(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_3() called')
# check for 'if' condition 1
matched = phantom.decision(container=container,
action_results=results,
conditions=[
["artifact:*.cef.alert_level", "!=", ""],
])
# call connected blocks if condition 1 matched
if matched:
filter_1(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
# call connected blocks for 'else' condition 2
return
def indicator_and_playbook_decision(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("indicator_and_playbook_decision() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
logical_operator="and",
conditions=
[[
"list_block_playbooks:custom_function_result.data.*.full_name",
"!=", ""
],
[
"get_marked_indicators:custom_function_result.data.*.indicator_value",
"!=", ""
]])
# call connected blocks if condition 1 matched
if found_match_1:
decide_and_launch_playbooks(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
return
def status_decision(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("status_decision() called")
################################################################################
# Determine if the status of the container should be changed.
################################################################################
status_value = container.get("status", None)
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
[status_value, "==", "new"]
])
# call connected blocks if condition 1 matched
if found_match_1:
set_status_1(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'else' condition 2
join_update_workbook_tasks(action=action, success=success, container=container, results=results, handle=handle)
return
def decision_4(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_4() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["restart_service:action_result.status", "==", "success"],
])
# call connected blocks if condition 1 matched
if matched:
execute_program_2(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_7(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_7() called')
name_value = container.get('name', None)
# check for 'if' condition 1
matched = phantom.decision(
container=container,
conditions=[
[
"filtered-data:filter_1:condition_1:artifact:*.cef.risk_object",
"==", name_value
],
])
# call connected blocks if condition 1 matched
if matched:
format_2(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_11(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_11() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["service_restart_in_progress", "not in", "artifact:*.tags"],
])
# call connected blocks if condition 1 matched
if matched:
cf_community_list_deduplicate_2(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_1() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["prompt_1:action_result.summary.responses.0", "==", "Yes"],
])
# call connected blocks if condition 1 matched
if matched:
update_event_1(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def playbooks_decision(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("playbooks_decision() called")
################################################################################
# Determines if any playbooks were found by the "list investigate playbooks" utility.
################################################################################
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[[
"list_investigate_playbooks:custom_function_result.data.*.full_name",
"!=", ""
]])
# call connected blocks if condition 1 matched
if found_match_1:
indicator_collect(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
return
def decision_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_2() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
conditions=[
["artifact:*.cef.automation_flag", "==", True],
])
# call connected blocks if condition 1 matched
if matched:
filter_1(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_5(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_5() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["execute_program_2:action_result.status", "==", "success"],
])
# call connected blocks if condition 1 matched
if matched:
playbook_conf2020_conf2020_end_Maintenance_Windows_1(
action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_3() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["Count_VT_results:custom_function:vt_count", ">", 0],
])
# call connected blocks if condition 1 matched
if matched:
VT_Pin_Text(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_5(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_5() called')
# check for 'if' condition 1
matched = phantom.decision(container=container,
conditions=[
["artifact:*.cef.entity_key", "!=", ""],
["artifact:*.cef.entity_title", "!=", ""],
],
logical_operator='and')
# call connected blocks if condition 1 matched
if matched:
DedupeListEntries(action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('decision_1() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["url_reputation_1:action_result.data.*.positives", ">", 0],
["url_reputation_1:action_result.data.*.positives", "<", 5],
],
logical_operator='and')
# call connected blocks if condition 1 matched
if matched:
filter_4(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)
return
# check for 'elif' condition 2
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["url_reputation_1:action_result.data.*.positives", ">=", 5],
["url_reputation_1:action_result.data.*.positives", "<", 15],
],
logical_operator='and')
# call connected blocks if condition 2 matched
if matched:
filter_5(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)
return
# check for 'elif' condition 3
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["url_reputation_1:action_result.data.*.positives", ">=", 15],
])
# call connected blocks if condition 3 matched
if matched:
filter_3(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)
return
return
def decision_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('decision_3() called')
# check for 'if' condition 1
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["prompt_1:action_result.summary.responses.0", "==", "Yes"],
])
# call connected blocks if condition 1 matched
if matched:
playbook_conf2020_conf2020_add_Maintenance_Windows_1(
action=action,
success=success,
container=container,
results=results,
handle=handle,
custom_function=custom_function)
return
# check for 'elif' condition 2
matched = phantom.decision(
container=container,
action_results=results,
conditions=[
["prompt_1:action_result.summary.responses.0", "==", "No"],
])
# call connected blocks if condition 2 matched
if matched:
return
return
def related_events_decision(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("related_events_decision() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["find_related_events:custom_function_result.data.*.container_id", "!=", ""]
])
# call connected blocks if condition 1 matched
if found_match_1:
format_prompt(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'elif' condition 2
found_match_2 = phantom.decision(
container=container,
logical_operator="and",
conditions=[
["find_related_events:custom_function_result.data.*.container_id", "==", ""],
["workbook_list:custom_function_result.data.*.name", "==", "Risk Investigation"]
])
# call connected blocks if condition 2 matched
if found_match_2:
workbook_task_update_1(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'elif' condition 3
found_match_3 = phantom.decision(
container=container,
conditions=[
["find_related_events:custom_function_result.data.*.container_id", "==", ""]
])
# call connected blocks if condition 3 matched
if found_match_3:
add_note_1(action=action, success=success, container=container, results=results, handle=handle)
return
return
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("decision_1() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["aws_disable_user_check:action_result.summary.responses.0", "==", "Yes"]
])
# call connected blocks if condition 1 matched
if found_match_1:
disable_user_1(action=action, success=success, container=container, results=results, handle=handle)
return
return
def user_decision(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("user_decision() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["get_effective_user:custom_function:user_type", "!=", "automation"]
])
# call connected blocks if condition 1 matched
if found_match_1:
set_owner(action=action, success=success, container=container, results=results, handle=handle)
return
return
def decision_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("decision_5() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["workbook_list:custom_function_result.data.*.name", "==", "Risk Investigation"]
])
# call connected blocks if condition 1 matched
if found_match_1:
format_task_close(action=action, success=success, container=container, results=results, handle=handle)
return
return
def results_decision(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("results_decision() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["run_risk_rule_query:action_result.summary.total_events", ">", 0]
])
# call connected blocks if condition 1 matched
if found_match_1:
parse_risk_results_1(action=action, success=success, container=container, results=results, handle=handle)
return
return