def parse_remote_ip_addrs(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('parse_remote_ip_addrs() called')
filtered_artifacts_data_1 = phantom.collect2(container=container, datapath=['filtered-data:filter_finding_artifact:condition_1:artifact:*.cef.ProductFields'])
filtered_artifacts_item_1_0 = [item[0] for item in filtered_artifacts_data_1]
parse_remote_ip_addrs__ip_addresses = None
################################################################################
## Custom Code Start
################################################################################
parse_remote_ip_addrs__ip_addresses = []
product_fields = filtered_artifacts_item_1_0[0]
for key in product_fields.keys():
if 'remoteIpDetails/ipAddressV4' in key:
parse_remote_ip_addrs__ip_addresses.append(product_fields[key])
phantom.debug("remote ip addresses from finding:\n{}".format(parse_remote_ip_addrs__ip_addresses))
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='parse_remote_ip_addrs:ip_addresses', value=json.dumps(parse_remote_ip_addrs__ip_addresses))
finding_format_ip(container=container)
return
def filter_ip_addresses(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('filter_ip_addresses() called')
results_data_1 = phantom.collect2(container=container, datapath=['list_connections_1:action_result.data.*.connections.*.remote_ip'], action_results=results)
results_item_1_0 = [item[0] for item in results_data_1]
filter_ip_addresses__connection_ip_addresses = None
################################################################################
## Custom Code Start
################################################################################
filter_ip_addresses__connection_ip_addresses = []
internal_cidr = "172.31.0.0/16"
for ip in results_item_1_0:
phantom.debug("checking ip {} against internal CIDR: {}".format(ip, internal_cidr))
if phantom.address_in_network(ip, internal_cidr):
phantom.debug("skipping ip {} because it matches the internal CIDR".format(ip))
continue
filter_ip_addresses__connection_ip_addresses.append(ip)
# this block outputs all the non-internal ip addresses:
phantom.debug("connection ip list:\n{}".format(filter_ip_addresses__connection_ip_addresses))
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='filter_ip_addresses:connection_ip_addresses', value=json.dumps(filter_ip_addresses__connection_ip_addresses))
connection_format_ip(container=container)
return
def check_whitelist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('check_whitelist() called')
parsed_access_points = json.loads(phantom.get_run_data(key='parsed_access_points'))
success, message, whitelist = phantom.get_list(list_name='Example Company WiFi ESSID Whitelist')
whitelist_filtered_access_points = [
ap for ap in parsed_access_points
if (
# all ESSIDs that aren't in the whitelist are suspicious
[ap["ESSID"]] not in whitelist
or
# all non-WPA2 access points are suspicious
'WPA2' not in ap['security_protocol']
)
]
message = 'out of the {} access points identified by the scan, {} matched the whitelist and are being ignored'.format(len(parsed_access_points), len(parsed_access_points) - len(whitelist_filtered_access_points))
phantom.debug(message)
live_comment(message)
phantom.save_run_data(value=json.dumps(whitelist_filtered_access_points), key='whitelist_filtered_access_points')
check_greylist()
return
def PopulateLookback(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('PopulateLookback() called')
container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.startTime', 'artifact:*.id'])
container_item_0 = [item[0] for item in container_data]
PopulateLookback__lookback = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
if container_item_0[0] is None:
PopulateLookback__lookback = 7
else:
PopulateLookback__lookback = container_item_0[0]
phantom.debug(PopulateLookback__lookback)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='PopulateLookback:lookback', value=json.dumps(PopulateLookback__lookback))
Artifact_Cleanup(container=container)
return
def get_playbook_id(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('get_playbook_id() called')
input_parameter_0 = ""
get_playbook_id__parent_pb_run_id = None
################################################################################
## Custom Code Start
################################################################################
get_playbook_id__parent_pb_run_id = int(
phantom.get_playbook_info()[0]['parent_playbook_run_id'])
phantom.debug(
'parent_playbook_id: {}'.format(get_playbook_id__parent_pb_run_id))
# Used for Testing
# get_playbook_id__parent_pb_run_id = 2479
# phantom.debug('Testing parent_playbook_id: {}'.format(get_playbook_id__parent_pb_run_id))
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='get_playbook_id:parent_pb_run_id',
value=json.dumps(get_playbook_id__parent_pb_run_id))
check_parent_playbook_id(container=container)
return
def Parsed_Proofpoint_URL(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('Parsed_Proofpoint_URL() called')
container_data = phantom.collect2(
container=container,
datapath=['artifact:*.cef.requestURL', 'artifact:*.id'])
container_item_0 = [item[0] for item in container_data]
Parsed_Proofpoint_URL__url_parsed = None
################################################################################
## Custom Code Start
################################################################################
test = container_item_0[0]
query = urlparse.urlparse(test).query
param = urlparse.parse_qs(query)
u = (param['u'][0].replace('-', '%').replace('_', '/'))
Parsed_Proofpoint_URL__url_parsed = urllib.unquote(u)
phantom.debug(Parsed_Proofpoint_URL__url_parsed)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='Parsed_Proofpoint_URL:url_parsed',
value=json.dumps(Parsed_Proofpoint_URL__url_parsed))
url_reputation_1(container=container)
return
def XSpamStatus_tests(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('XSpamStatus_tests() called')
filtered_artifacts_data_1 = phantom.collect2(container=container, datapath=['filtered-data:Filter_1_IF_Email_Artifact:condition_1:artifact:*.cef.emailHeaders.X-Spam-Status'])
filtered_artifacts_item_1_0 = [item[0] for item in filtered_artifacts_data_1]
XSpamStatus_tests__XSpamStatus_tests = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
import re
for item in filtered_artifacts_item_1_0:
if item:
stripped_XSpamStatus_tests = re.findall(r'^.*tests=(([^\s]+))',item)
XSpamStatus_tests__XSpamStatus_tests = stripped_XSpamStatus_tests[0]
phantom.debug(message="XSpamStatus_tests: {}".format(XSpamStatus_tests__XSpamStatus_tests))
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='XSpamStatus_tests:XSpamStatus_tests', value=json.dumps(XSpamStatus_tests__XSpamStatus_tests))
XSpamStatus_tests_performed(container=container)
return
def join_format_prompt(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_format_prompt() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(key='join_format_prompt_called'):
return
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['get_process_details']):
# save the state that the joined function has now been called
phantom.save_run_data(key='join_format_prompt_called',
value='format_prompt')
# call connected block "format_prompt"
format_prompt(container=container, handle=handle)
return
def get_container_data(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('get_container_data() called')
input_parameter_0 = "my_data_2"
get_container_data__container_data = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
get_container_data__container_data = phantom.get_container(
container['id'])['data'][input_parameter_0]
phantom.debug('=========================')
phantom.debug(get_container_data__container_data)
phantom.debug('=========================')
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='get_container_data:container_data',
value=json.dumps(get_container_data__container_data))
return
def I_have_some_data(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('I_have_some_data() called')
input_parameter_0 = ""
I_have_some_data__my_data = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
I_have_some_data__my_data = "hello world"
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='I_have_some_data:my_data',
value=json.dumps(I_have_some_data__my_data))
save_object_data(container=container)
return
def join_set_status_set_severity_set_sensitivity_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_set_status_set_severity_set_sensitivity_1() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(
key='join_set_status_set_severity_set_sensitivity_1_called'):
return
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['update_ticket_3']):
# save the state that the joined function has now been called
phantom.save_run_data(
key='join_set_status_set_severity_set_sensitivity_1_called',
value='set_status_set_severity_set_sensitivity_1')
# call connected block "set_status_set_severity_set_sensitivity_1"
set_status_set_severity_set_sensitivity_1(container=container,
handle=handle)
return
def custom_function_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('custom_function_2() called')
container_data = phantom.collect2(
container=container,
datapath=['artifact:*.cef.sourceUserName', 'artifact:*.id'])
container_item_0 = [item[0] for item in container_data]
custom_function_2__outputs = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
outputs = "{}".format(container_item_0[0])
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='custom_function_2:outputs',
value=json.dumps(custom_function_2__outputs))
format_2(container=container)
return
def get_object_data(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('get_object_data() called')
input_parameter_0 = "my_key"
get_object_data__value = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
data = phantom.get_object(key=input_parameter_0,
container_id=container['id'])
get_object_data__value = data[0]['value']['value']
# clear object db
phantom.clear_object(key=input_parameter_0, container_id=container['id'])
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='get_object_data:value',
value=json.dumps(get_object_data__value))
I_want_the_data(container=container)
return
def check_greylist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('check_greylist() called')
edit_distance_threshold = 5
success, message, potentials = phantom.get_list(list_name='Potential Rogue Access Point ESSIDs')
whitelist_filtered_access_points = json.loads(phantom.get_run_data(key='whitelist_filtered_access_points'))
scanned_ESSIDs = [ap['ESSID'] for ap in whitelist_filtered_access_points]
# compare each ESSID against each potential evil twin and escalate those with a sufficiently small edit distance
matches = 0
for ap in whitelist_filtered_access_points:
ap['is_escalated'] = False
ap['matched_rule'] = None
for potential in potentials:
if edit_distance(ap['ESSID'], potential[0]) < edit_distance_threshold:
ap['is_escalated'] = True
ap['matched_rule'] = potential
matches += 1
break
message = '{} out of {} access points fuzzy-matched "Potential Rogue Access Point ESSIDs"'.format(
matches, len(whitelist_filtered_access_points))
phantom.debug(message)
live_comment(message)
phantom.save_run_data(value=json.dumps(whitelist_filtered_access_points), key='fuzzy_matched_access_points')
get_pins()
return
def playbook_message_format(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('playbook_message_format() called')
results_data_1 = phantom.collect2(
container=container,
datapath=[
'get_parent_playbook_data:action_result.data.*.response_body.message'
],
action_results=results)
results_item_1_0 = [item[0] for item in results_data_1]
playbook_message_format__message = None
################################################################################
## Custom Code Start
################################################################################
# get playbook error message data
playbook_message_format__message = json.loads(
results_item_1_0[0])['message']
#phantom.debug('Playbook error message: {}'.format(playbook_message_format__message))
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='playbook_message_format:message',
value=json.dumps(playbook_message_format__message))
playbook_action_run_url(container=container)
return
def Get_Country_Name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('Get_Country_Name() called')
input_parameter_0 = ""
Get_Country_Name__countryName = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
data = phantom.get_object(key='country_name_Email_Notify', container_id=container['id'])
Get_Country_Name__countryName = data[0]['value']['value']
# clear object db
phantom.clear_object(key='country_name_Email_Notify',container_id=container['id'])
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='Get_Country_Name:countryName', value=json.dumps(Get_Country_Name__countryName))
format_1(container=container)
return
def join_send_deny_email_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('join_send_deny_email_2() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(key='join_send_deny_email_2_called'):
return
# check if all connected incoming actions are done i.e. have succeeded or failed
if phantom.actions_done(
['virustotal_url_reputation', 'webpulse_url_reputation']):
# save the state that the joined function has now been called
phantom.save_run_data(key='join_send_deny_email_2_called',
value='send_deny_email_2')
# call connected block "send_deny_email_2"
send_deny_email_2(container=container, handle=handle)
return
def get_effective_user(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("get_effective_user() called")
################################################################################
# Find the user and user type that launched this playbook.
################################################################################
get_effective_user__user_id = None
get_effective_user__user_type = None
################################################################################
## Custom Code Start
################################################################################
effective_user_id = phantom.get_effective_user()
url = phantom.build_phantom_rest_url('ph_user', effective_user_id)
response_json = phantom.requests.get(url, verify=False).json()
get_effective_user__user_type = response_json['type']
get_effective_user__user_id = effective_user_id
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key="get_effective_user:user_id", value=json.dumps(get_effective_user__user_id))
phantom.save_run_data(key="get_effective_user:user_type", value=json.dumps(get_effective_user__user_type))
user_decision(container=container)
return
def XSpamStatus_score(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('XSpamStatus_score() called')
filtered_artifacts_data_1 = phantom.collect2(container=container, datapath=['filtered-data:Filter_1_IF_Email_Artifact:condition_1:artifact:*.cef.emailHeaders.X-Spam-Status'])
filtered_artifacts_item_1_0 = [item[0] for item in filtered_artifacts_data_1]
XSpamStatus_score__XSpamStatus_score = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
import re
for item in filtered_artifacts_item_1_0:
if item:
stripped_XSpamStatus_score = re.findall(r'^.*score=([0-9]*\.[0-9]*)',item)
XSpamStatus_score__XSpamStatus_score = stripped_XSpamStatus_score[0]
phantom.debug(message="stripped_XSpamStatus_score: {}".format(XSpamStatus_score__XSpamStatus_score))
XSpamStatus_score__XSpamStatus_score = float(XSpamStatus_score__XSpamStatus_score)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='XSpamStatus_score:XSpamStatus_score', value=json.dumps(XSpamStatus_score__XSpamStatus_score))
join_score_less_than_required(container=container)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = container['owner']
message = """The following items were identified as malicious. Please review the evidence and decide which items you would like to take action on (Yes/No)."""
threat_object = [
item[0] for item in phantom.collect2(
container=container,
datapath=[
'filtered-data:filter_1:condition_1:artifact:*.cef.threat_object'
])
]
threat_object_type = [
item[0] for item in phantom.collect2(
container=container,
datapath=[
'filtered-data:filter_1:condition_1:artifact:*.cef.threat_object_type'
])
]
# dynamic response builder
response_types = []
pairings = []
for thr_obj, thr_obj_type in zip(threat_object, threat_object_type):
if thr_obj:
response_types.append({
"prompt": "Block {}".format(thr_obj),
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
})
pairings.append({thr_obj_type: thr_obj})
phantom.save_run_data(value=json.dumps(pairings),
key='pairings',
auto=True)
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
response_types=response_types,
callback=get_run_data)
return
def format_note(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("format_note() called")
################################################################################
# Combine the TruSTAR results into a note to pass up to the parent playbook. Build
# a markdown table of results with links to TruSTAR queries and select fields
# from the reputation information for each indicator.
################################################################################
indicator_reputation_result_data = phantom.collect2(container=container, datapath=["indicator_reputation:action_result.parameter.indicator_value","indicator_reputation:action_result.data.*.observable.type","indicator_reputation:action_result.data.*.priorityScore","indicator_reputation:action_result.data.*.submissionTags","indicator_reputation:action_result.data.*.attributes","indicator_reputation:action_result.data.*.safelisted","indicator_reputation:action_result.data.*.scoreContexts.*.sourceName"], action_results=results)
indicator_reputation_parameter_indicator_value = [item[0] for item in indicator_reputation_result_data]
indicator_reputation_result_item_1 = [item[1] for item in indicator_reputation_result_data]
indicator_reputation_result_item_2 = [item[2] for item in indicator_reputation_result_data]
indicator_reputation_result_item_3 = [item[3] for item in indicator_reputation_result_data]
indicator_reputation_result_item_4 = [item[4] for item in indicator_reputation_result_data]
indicator_reputation_result_item_5 = [item[5] for item in indicator_reputation_result_data]
indicator_reputation_result_item_6 = [item[6] for item in indicator_reputation_result_data]
input_parameter_0 = ""
input_parameter_1 = ""
format_note__note_content = None
################################################################################
## Custom Code Start
################################################################################
import urllib.parse
note = """
| Indicator | Type | Priority Score | Submission Tags | Attributes | Safe Listed? | Sources |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
"""
for item in indicator_reputation_result_data:
if item[1]:
# for the first column, use the indicator as the text and the trustar query as the href
trustar_link = 'https://station.trustar.co/browse/search?q={}'.format(urllib.parse.quote(item[0]))
indicator_markdown = '[{}]({})'.format(item[0], trustar_link)
indicator_type = item[1]
priority = item[2]
submission_tags = json.dumps(item[3]).replace('[', '').replace(']', '')
attributes = json.dumps(item[4]).replace('{', '').replace('}', '').replace('[', '').replace(']', '')
safe_listed = item[5]
sources = item[6]
note += "|{}|{}|{}|{}|{}|{}|{}|\n".format(indicator_markdown, indicator_type, priority, submission_tags, attributes, safe_listed, sources)
else:
note += "|{}|Not found in TruSTAR||||||\n".format(item[0])
format_note__note_content = note
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key="format_note:note_content", value=json.dumps(format_note__note_content))
return
def join_Summery_XSpamStatus_Score(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_Summery_XSpamStatus_Score() called')
# no callbacks to check, call connected block "Summery_XSpamStatus_Score"
phantom.save_run_data(key='join_Summery_XSpamStatus_Score_called', value='Summery_XSpamStatus_Score', auto=True)
Summery_XSpamStatus_Score(container=container, handle=handle)
return
def join_score_less_than_required(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_score_less_than_required() called')
# no callbacks to check, call connected block "score_less_than_required"
phantom.save_run_data(key='join_score_less_than_required_called', value='score_less_than_required', auto=True)
score_less_than_required(container=container, handle=handle)
return
def Calculate_Domain_Age(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('Calculate_Domain_Age() called')
results_data_1 = phantom.collect2(
container=container,
datapath=[
'whois_domain_1:action_result.data.*.creation_date',
'whois_domain_1:action_result.parameter.domain'
],
action_results=results)
results_item_1_0 = [item[0] for item in results_data_1]
results_item_1_1 = [item[1] for item in results_data_1]
Calculate_Domain_Age__domain_age = None
################################################################################
## Custom Code Start
################################################################################
#phantom.debug(results_item_1_0)
#phantom.debug(results_item_1_1)
from datetime import datetime, timedelta
all_domains_age = []
for idx, val in enumerate(results_item_1_0):
#Convert string to datetime object
datetime_object = datetime.strptime(val[0], "%Y-%m-%dT%H:%M:%S")
domain_age = datetime.strptime("2019-08-02T21:49:40",
"%Y-%m-%dT%H:%M:%S") - datetime_object
if domain_age.days < 15:
phantom.pin(container=container,
message="Domain is less than 15 days old",
data=results_item_1_1[idx],
pin_type="card_medium",
pin_style="red")
else:
pass
#all_domains_age.append(domain_age)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='Calculate_Domain_Age:domain_age',
value=json.dumps(Calculate_Domain_Age__domain_age))
return
def format_generator(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('format_generator() called')
input_parameter_0 = ""
format_generator__generator = None
################################################################################
## Custom Code Start
################################################################################
now_plus_minute = int(datetime.utcnow().strftime('%s')) + 60
format_generator__generator = {
"description":
"A cronjob-style Generator to kick off the track_active_directory_admin_users Playbook",
"name": "track_active_directory_admin_users_generator",
"product_name": "Generator",
"product_vendor": "Generic",
"type": "generic",
"tags": ["track_active_directory_admin_users"],
"configuration": {
"create_containers": "1",
"create_artifacts": "1",
"artifact_count_override": True,
"container_tag": "track_active_directory_admin_users",
"randomize_container_status": False,
"container_prefix": "Track Active Directory Admin Users",
"max_cef_per_artifact": "0",
"min_cef_per_artifact": "0",
"ingest": {
"interval_mins": "60",
"poll": True,
"container_label": "report",
"start_time_epoch_utc": None
}
}
}
format_generator__generator = json.dumps(format_generator__generator)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key='format_generator:generator',
value=json.dumps(format_generator__generator))
create_generator(container=container)
return
def process_notes(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("process_notes() called")
################################################################################
# Access note_title and note_content from dynamically launched playbooks.
################################################################################
decide_and_launch_playbooks__names = json.loads(
phantom.get_run_data(key="decide_and_launch_playbooks:names"))
process_notes__note_title = None
process_notes__note_content = None
################################################################################
## Custom Code Start
################################################################################
process_notes__note_title = []
process_notes__note_content = []
for name in decide_and_launch_playbooks__names:
note_title = phantom.collect2(
container=container,
datapath=[f"{name}:playbook_output:note_title"])
note_content = phantom.collect2(
container=container,
datapath=[f"{name}:playbook_output:note_content"])
phantom.debug(note_title)
phantom.debug(note_content)
note_title = [item[0] for item in note_title]
note_content = [item[0] for item in note_content]
for title, content in zip(note_title, note_content):
process_notes__note_title.append(title)
process_notes__note_content.append(content)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(key="process_notes:note_title",
value=json.dumps(process_notes__note_title))
phantom.save_run_data(key="process_notes:note_content",
value=json.dumps(process_notes__note_content))
return
def join_Format_End_Marker(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('join_Format_End_Marker() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(key='join_Format_End_Marker_called'):
return
# no callbacks to check, call connected block "Format_End_Marker"
phantom.save_run_data(key='join_Format_End_Marker_called', value='Format_End_Marker', auto=True)
Format_End_Marker(container=container, handle=handle)
return
def Summary_function_Fail(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('Summary_function_Fail() called')
filtered_results_data_1 = phantom.collect2(
container=container,
datapath=[
"filtered-data:Initial_filtering:condition_1:lookup_domain_1:action_result.parameter.domain"
])
filtered_results_data_2 = phantom.collect2(
container=container,
datapath=[
"filtered-data:Initial_filtering:condition_1:file_reputation_6:action_result.parameter.hash"
])
filtered_results_data_3 = phantom.collect2(
container=container,
datapath=[
"filtered-data:Initial_filtering:condition_1:url_reputation_1:action_result.parameter.url"
])
filtered_results_item_1_0 = [item[0] for item in filtered_results_data_1]
filtered_results_item_2_0 = [item[0] for item in filtered_results_data_2]
filtered_results_item_3_0 = [item[0] for item in filtered_results_data_3]
Summary_function_Fail__total_failed_artifacts = None
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
phantom.debug(filtered_results_item_1_0)
phantom.debug(filtered_results_item_2_0)
phantom.debug(filtered_results_item_3_0)
Summary_function_Fail__total_failed_artifacts = len(
filtered_results_item_1_0) + len(filtered_results_item_2_0) + len(
filtered_results_item_3_0)
################################################################################
## Custom Code End
################################################################################
phantom.save_run_data(
key='Summary_function_Fail:total_failed_artifacts',
value=json.dumps(Summary_function_Fail__total_failed_artifacts))
pin_3(container=container)
return
def parse_and_save_live_case(live_case_body):
phantom.debug('parsing the id of the live case to update')
phantom.debug(live_case_body)
live_case_id = live_case_body[0][0]['data'][0]['id']
phantom.debug('tracking wireless scans in the case with id {}'.format(live_case_id))
phantom.save_run_data(value=str(live_case_id), key='live_case_id')
live_case_owner = live_case_body[0][0]['data'][0]['owner_name']
phantom.debug('this case is owned by {}'.format(live_case_owner))
phantom.save_run_data(value=json.dumps(live_case_owner), key='live_case_owner')
return
def parse_and_save_iwlist(iwlist):
phantom.debug('parsing the iwlist data returned from the wireless scan')
iwlist = iwlist[0][0]
if not iwlist:
phantom.error("no results were received from the wifi sensor")
return
if 'Scan completed' not in iwlist.split('\n')[0]:
phantom.error("failed to parse the results of iwlist")
return
# disregard the first line
iwlist = iwlist.split('\n', 1)[1]
# split on the string that starts the results for each access point (iwlist calls them "Cells")
access_points = re.split(" Cell ", iwlist)
access_points = access_points[1:]
# parse out the mac address, ESSID, radio frequency, signal strength, and security protocol
for i, access_point in enumerate(access_points):
lines = access_point.split('\n')
access_points[i] = {}
if re.match('\d+ - Address: ', lines[0]):
access_points[i]['mac_address'] = lines[0].split(' - Address: ')[-1]
else:
phantom.error('failed to parse one of the access_points returned from iwlist')
return
for line in lines[1:]:
if re.match(' ESSID:"', line):
access_points[i]['ESSID'] = line.split('ESSID:')[-1].strip('"')
if re.match(' Frequency:\d', line):
access_points[i]['radio_frequency'] = line.split('Frequency:')[-1].strip()
if re.match(' Quality=\d', line):
access_points[i]['signal_strength'] = line.strip()
if re.match(' IE: IEEE 802.11i', line):
access_points[i]['security_protocol'] = line.split('IE:')[-1].strip()
# no string matching "IEEE 802.11i" means plaintext
if not access_points[i].get('security_protocol'):
access_points[i]['security_protocol'] = 'plaintext'
phantom.debug('parsed out the following wifi access points:')
phantom.debug(access_points)
phantom.save_run_data(value=json.dumps(access_points), key='parsed_access_points')
return