def update_workbook_tasks(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("update_workbook_tasks() called")
################################################################################
# Custom code to determine which task this playbook occurs in, complete that task,
# and set the status of the next task in the workbook (within the same phase)
# to "In Progress".
################################################################################
################################################################################
## Custom Code Start
################################################################################
# Get current repo and playbook name
current_scm = phantom.get_playbook_info()[0]['repo_name']
current_playbook = phantom.get_playbook_info()[0]['name']
task_order = None
# Iterate through tasks on the current container
for task in phantom.get_tasks(container=container):
playbooks = task.get('data').get('suggestions').get('playbooks')
if playbooks:
for playbook in playbooks:
# Check if the current container tasks contain a reference to this playbook.
# If so, this is the task phase you want to mark as current
if playbook['playbook'] == current_playbook and playbook['scm'] == current_scm:
task_order = task['data']['order']
status = task['data']['status']
url = phantom.build_phantom_rest_url('workflow_task') + '/{}'.format(task['data']['id'])
# If status is not started (statud id 0), move to in progress (status id 2) before moving to complete (status id 1)
if status == 0:
data = {'status': 2}
phantom.requests.post(url, data=json.dumps(data), verify=False)
data = {'status': 1}
phantom.set_phase(container=container, phase=task['data']['phase'])
phantom.requests.post(url, data=json.dumps(data), verify=False)
# Iterate through the other tasks on the current container if a task was updated as indicated by the presence of "task_order"
if task_order:
for task in phantom.get_tasks(container=container):
# If another task matches the updated task's order + 1, then update it as well
if task['data']['order'] == task_order + 1:
data = {'status': 2}
url = phantom.build_phantom_rest_url('workflow_task') + '/{}'.format(task['data']['id'])
phantom.requests.post(url, data=json.dumps(data), verify=False)
################################################################################
## Custom Code End
################################################################################
return
def get_playbook_id(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('get_playbook_id() called')
input_parameter_0 = ""
get_playbook_id__parent_pb_run_id = None
################################################################################
## Custom Code Start
################################################################################
get_playbook_id__parent_pb_run_id = int(
phantom.get_playbook_info()[0]['parent_playbook_run_id'])
phantom.debug(
'parent_playbook_id: {}'.format(get_playbook_id__parent_pb_run_id))
# Used for Testing
# get_playbook_id__parent_pb_run_id = 2479
# phantom.debug('Testing parent_playbook_id: {}'.format(get_playbook_id__parent_pb_run_id))
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='get_playbook_id:parent_pb_run_id',
value=json.dumps(get_playbook_id__parent_pb_run_id))
check_parent_playbook_id(container=container)
return
def Summery_save_object(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('Summery_save_object() called')
id_value = container.get('id', None)
formatted_data_1 = phantom.get_format_data(name='Summery_IP_reputation')
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
container_id = container['id']
pb_info = phantom.get_playbook_info()
playbook_name = pb_info[0].get('name', None)
phantom.save_object(key=playbook_name,
value={'feedback': formatted_data_1},
auto_delete=True,
container_id=container_id)
################################################################################
## Custom Code End
################################################################################
return
def Format_End_Marker(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('Format_End_Marker() called')
playbook_info = phantom.get_playbook_info()
guid = phantom.get_data(playbook_info[0]['id'], clear_data=False)
phantom.debug(guid)
template = "eventcreate /id 999 /D \"ended test for {0} guid=%s\" /T INFORMATION /L application" % guid
# parameter list for template variable replacement
parameters = [
"Run_Start_Marker:action_result.parameter.ip_hostname",
]
phantom.format(container=container,
template=template,
parameters=parameters,
name="Format_End_Marker")
Run_End_Marker(container=container)
return
def Format_Start_Marker(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('format_1() called')
playbook_info = phantom.get_playbook_info()
guid = phantom.get_data(playbook_info[0]['id'], clear_data=False)
template = "eventcreate /id 999 /D \"started test on {0} guid=%s\" /T INFORMATION /L application" % guid
# parameter list for template variable replacement
parameters = ["artifact:*.cef.destinationAddress"]
phantom.format(container=container,
template=template,
parameters=parameters,
name="Format_Start_Marker")
Run_Start_Marker(container=container)
return
def Post_Start_Event_to_Splunk(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('post_data_1() called')
import platform
import uuid
# collect data for 'post_data_1' call
formatted_data_1 = phantom.get_format_data(name='format_3')
parameters = []
splunk_status_index_list = phantom.collect(
container, "artifact:*.cef.splunk_status_index")
if len(splunk_status_index_list) > 0:
splunk_status_index = str(splunk_status_index_list[0])
else:
splunk_status_index = "default"
splunk_status_source_type_list = phantom.collect(
container, "artifact:*.cef.splunk_status_source_type")
if len(splunk_status_source_type_list) > 0:
splunk_status_source_type = str(splunk_status_source_type_list[0])
else:
splunk_status_source_type = "advsim:atr"
try:
guid = phantom.collect(container, "artifact:*.cef.request")[0]
except:
guid = uuid.uuid4().hex
playbook_info = phantom.get_playbook_info()
phantom.save_data(guid, playbook_info[0]['id'])
source = playbook_info[0]['name']
data = {}
data['msg'] = formatted_data_1
data['guid'] = guid
data['playbook_info'] = playbook_info[0]
data_json = json.dumps(data)
# build parameters list for 'post_data_1' call
parameters.append({
'index': splunk_status_index,
'host': platform.node(),
'source_type': splunk_status_source_type,
'data': data_json,
'source': source,
})
phantom.act("post data",
parameters=parameters,
app={"name": 'Splunk'},
callback=decision_2,
name="Post_Start_Event_to_Splunk")
return
def create_ticket_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('create_ticket_1() called')
# collect data for 'create_ticket_1' call
pb_info = phantom.get_playbook_info()
playbook_name = pb_info[0].get('name', None)
parameters = []
desc_sufix = '''
Action Required:
Scan machine(s) with multiple Anti-Virus and Anti-Malware solutions
Suggestions:
- Microsoft Security Essentials
- Kaspersky TDSS Rootkit Killer
- Malware Bytes
- Symantec
Resolution:
Provide logs of scan results to Security Operations
Reboot affected host(s) as needed to fully clear quarantines malware
'''
# build parameters list for 'create_ticket_1' call
parameters.append({
'short_description':
"Issue: Possible botnet activity (" + str(results.count('\n') - 1) +
")", # str(results.count('\n')-1)
'description':
results + desc_sufix,
'table':
"incident",
'fields':
"{\"urgency\": \"1\", \"impact\": \"3\",\"comments\": \"Playbook name: %s\", \"assignment_group\": \"Help Desk\", \"company\": \"Company\", \"caller_id\": \"phantom\", \"u_affected_business_service\": \"Security\", \"u_symptom\": \"Infosec Incident\"}"
% playbook_name,
'vault_id':
"",
})
phantom.act("create ticket",
parameters=parameters,
assets=['servicenow'],
name="create_ticket_1",
callback=send_message_1)
return
def update_ticket_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('update_ticket_1() called')
pb_info = phantom.get_playbook_info()
if not pb_info:
return
playbook_name = pb_info[0].get('name', None)
ip = ''
artifacts_data_1 = phantom.collect2(
container=container,
datapath=['artifact:*.cef.cn2', 'artifact:*.cef.cs3'],
scope='all') # , 'artifact:*.id'
name_value = container.get('name', None)
for artifacts_item_1 in artifacts_data_1:
# phantom.debug('artifact_data_item {}'.format(artifacts_item_1))
if artifacts_item_1:
ip = artifacts_item_1[0]
if phantom.valid_ip(ip):
ip = str(ip)
addr = phantom.get_object(key=ip, playbook_name=playbook_name)
if addr:
ticket = addr[0]['value']['ticket']
# collect data for 'update_ticket_1' call
parameters = []
# build parameters list for 'update_ticket_1' call
update = "\"%s\"" % artifacts_item_1[
1] # or "\"{}\"".format(a)
parameters.append({
'id':
ticket,
'table':
"u_security_engineering_request",
'fields':
"{\"state\": \"1\", \"work_notes\": \"%s\" }" %
artifacts_item_1[1],
# 'fields': "{\"work_notes\": \"Updated\" }",
# 'fields': "{\"update\": {\"state\": \"open\", \"work_notes\": \"%s\"}}" % artifacts_item_1[1],
# 'fields': "{\"priority\": \"2\",\"impact\": \"2\",\"comments\": \"Anything can go here\"}",
'vault_id':
"",
})
phantom.debug('update ticket {} for ip {}: {}'.format(
ticket, ip, update))
phantom.act("update ticket",
parameters=parameters,
assets=['servicenow'],
name="update_ticket_1")
return
def create_ticket_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('create_ticket_1() called')
ip = ''
artifacts_data_1 = phantom.collect2(
container=container,
datapath=['artifact:*.cef.cn1', 'artifact:*.cef.cs3'],
scope='all') # , 'artifact:*.id'
name_value = container.get('name', None)
# phantom.debug('artifact_data {}'.format(artifacts_data_1))
for artifacts_item_1 in artifacts_data_1:
# phantom.debug('artifact_data_item {}'.format(artifacts_item_1))
if artifacts_item_1:
ip = artifacts_item_1[0]
if phantom.valid_ip(ip):
ip = str(ip)
# collect data for 'create_ticket_1' call
pb_info = phantom.get_playbook_info()
playbook_name = pb_info[0].get('name', None)
parameters = []
# build parameters list for 'create_ticket_1' call
parameters.append({
'short_description':
artifacts_item_1[0] + ' -> ' + artifacts_item_1[1],
'description':
"Source IP address: " + ip,
'table':
"u_security_engineering_request", #
'fields':
"{\"priority\": \"2\",\"impact\": \"2\",\"comments\": \"Playbook name: %s\"}"
% playbook_name,
'vault_id':
"",
})
phantom.debug('create ticket for ip {} '.format(ip))
# if len(ip)>0:
phantom.act("create ticket",
parameters=parameters,
assets=['servicenow'],
name="create_ticket_1",
callback=format_1) # callback=get_ticket_id,
return
def format_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('format_1() called')
pb_info = phantom.get_playbook_info()
if not pb_info:
return
playbook_name = pb_info[0].get('name', None)
ticket = phantom.collect(results,
"action_result.summary.created_ticket_id")
artifacts_data_1 = phantom.collect2(container=container,
datapath=['artifact:*.cef.src'])
if ticket:
ticket = ticket[0]
phantom.debug('Ticket {}'.format(ticket))
for artifacts_item_1 in artifacts_data_1:
if artifacts_item_1:
if phantom.valid_ip(artifacts_item_1[0]):
addr = phantom.get_object(key=str(artifacts_item_1[0]),
playbook_name=playbook_name)
if addr:
addr[0]['value']['ticket'] = ticket
#phantom.debug('Saving object {} of type {} with key {}'.format(addr[0], type(addr[0]['value']), artifacts_item_1[0]))
phantom.save_object(key=str(artifacts_item_1[0]),
value=addr[0]['value'],
auto_delete=False,
playbook_name=playbook_name)
template = """Ticket
id: {0} number: {1}"""
# parameter list for template variable replacement
parameters = [
"create_ticket_1:action_result.summary.created_ticket_id",
"create_ticket_1:action_result.data.*.number",
]
phantom.format(container=container,
template=template,
parameters=parameters,
name="format_1")
return
def decision_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('decision_2() called')
action = ''
pb_info = phantom.get_playbook_info()
name_value = container.get('name', None)
playbook_name = pb_info[0].get('name', None)
container_id = container['id']
if not pb_info:
return
filtered_artifacts_data_1 = phantom.collect2(
container=container,
datapath=['filtered-data:filter_2:condition_1:artifact:*.cef'])
phantom.debug('TOTAL number of cef.src artifacts is count: {}'.format(
len(filtered_artifacts_data_1)))
# local_tz = timezone('America/New_York')
start = (container['start_time']
)[:-3] # start = (container['start_time']).strip('+00')
start_time = datetime.strptime(
start, '%Y-%m-%d %H:%M:%S.%f') # format 2017-10-17 11:32:00.839350
# start_time = local_tz.localize(start_time)
for filtered_artifacts_item_1 in filtered_artifacts_data_1:
item_1 = filtered_artifacts_item_1[0]['src']
phantom.debug('ITEM to be processed: {}'.format(item_1))
if item_1:
addr = phantom.get_object(key=str(item_1),
playbook_name=playbook_name)
if not addr:
phantom.debug('SAVE NEW count: {} {} {} '.format(
1, start_time.strftime("%c"), start_time.strftime("%c")))
phantom.save_object(key=str(item_1),
value={
'count': 1,
'start': start_time.strftime("%c"),
'end': start_time.strftime("%c"),
'description': name_value,
'ticket': '',
'ignore': False
},
auto_delete=False,
playbook_name=playbook_name)
else:
count = addr[0]['value']['count'] + 1
ignore = addr[0]['value']['ignore']
ticket = addr[0]['value']['ticket']
saved_start = addr[0]['value']['start']
saved_start_time = datetime.strptime(
saved_start, '%a %b %d %H:%M:%S %Y'
) # format Mon Oct 16 11:46:30 2017 or '%Y-%m-%d %H:%M:%S.%f'
# saved_start_time = local_tz.localize(start_time)
delta = abs((start_time -
saved_start_time)).total_seconds() # .seconds
phantom.debug(
'DECISION start_time {} - saved_start_time {} = {}s '.
format(start_time, saved_start_time, delta))
if ignore and (delta > REPEAT):
phantom.debug(
'IGNORE {} start_time {} - saved_start_time {} = {}s '.
format(ignore, start_time, saved_start_time, delta))
ignore = False
saved_start = start_time.strftime("%c")
if not ignore:
if (ticket == '') and (delta > WINDOW):
saved_start = start_time.strftime("%c")
count = 0
phantom.debug(
'RESET time/co ticket {} delta {}s {} <- {}'.
format(ticket, delta, saved_start,
start_time.strftime("%c")))
elif (count > LIMIT) and (delta < WINDOW):
count = 0
saved_start = start_time.strftime("%c")
raw = {}
cef = {}
cef['cs3'] = filtered_artifacts_item_1[0]['cs3']
if (ticket == ''):
phantom.debug(
'OPENED {} opened {} {}s ago '.format(
item_1, saved_start_time, delta))
cef['cn1'] = item_1
success, message, artifact_id = phantom.add_artifact(
container=container,
raw_data=raw,
cef_data=cef,
label='create',
name='ticket',
severity='high',
identifier=None,
artifact_type='host')
else:
phantom.debug(
'REOPEN {} reopen {} {}s ago '.format(
ticket, saved_start_time, delta))
cef['cn2'] = item_1
success, message, artifact_id = phantom.add_artifact(
container=container,
raw_data=raw,
cef_data=cef,
label='update',
name='ticket',
severity='high',
identifier=None,
artifact_type='host')
ignore = True
phantom.debug(
'SAVE OLD count: {0} ticket: {1} {2} {3} {4}s'.format(
count, ticket, saved_start,
start_time.strftime("%c"), delta))
phantom.save_object(key=str(item_1),
value={
'count': count,
'start': saved_start,
'end': start_time.strftime("%c"),
'description': name_value,
'ticket': ticket,
'ignore': ignore
},
auto_delete=False,
playbook_name=playbook_name)
# check for 'if' condition 1
matched_artifacts_1, matched_results_1 = phantom.condition(
container=container,
scope='all',
conditions=[
["artifact:*.label", "==", "create"],
])
# call connected blocks if condition 1 matched
if matched_artifacts_1 or matched_results_1:
create_ticket_1(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
# check for 'elif' condition 2
matched_artifacts_2, matched_results_2 = phantom.condition(
container=container,
scope='all',
conditions=[
["artifact:*.label", "==", "update"],
])
# call connected blocks if condition 2 matched
if matched_artifacts_2 or matched_results_2:
update_ticket_1(action=action,
success=success,
container=container,
results=results,
handle=handle)
return
return
