Esempio n. 1
0
def list_projects(container, filtered_artifacts=None, filtered_results=None):
    """Queue a parameterless 'list projects' action on the 'jira' asset.

    Results are routed to `decision_1`. None of the arguments are read here;
    they only match the block signature the playbook runner passes in.
    """
    phantom.act("list projects",
                parameters=[],
                assets=['jira'],
                callback=decision_1,
                name="list_projects")
def block_ip_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Queue a 'block ip' (action "deny") for every artifact sourceAddress in the container.

    Reads `artifact:*.cef.sourceAddress` and `artifact:*.id`; artifacts with an
    empty sourceAddress are skipped. The artifact id is attached as `context`
    so results can be tied back to the artifact. When no artifact carries a
    sourceAddress, an error is logged and nothing is queued.

    NOTE(review): sourceAddress is ingested artifact data and is forwarded to
    the 'a10 lightning controller' asset without any format check — a
    malformed or attacker-influenced value would be pushed as a deny rule.
    """
    address_rows = phantom.collect2(container=container, datapath=['artifact:*.cef.sourceAddress', 'artifact:*.id'])

    def _deny_rule(source, artifact_id):
        # one parameter set per artifact; only 'source' and 'context' vary
        return {
            'smartflow': "default-smartflow",
            'service': "default-service",
            'application': "WWT-API",
            'source': source,
            'host': "default-host",
            'action': "deny",
            'context': {'artifact_id': artifact_id},
        }

    parameters = [_deny_rule(row[0], row[1]) for row in address_rows if row[0]]

    if not parameters:
        phantom.error("'block_ip_1' will not be executed due to lack of parameters")
        return

    phantom.act("block ip", parameters=parameters, assets=['a10 lightning controller'], name="block_ip_1")
Esempio n. 3
0
def list_tickets_cb(action, success, incident, results, handle):
    """Chained callback: on success, open a fixed-text Zeus ticket on 'servicenow' (continues in create_ticket_cb).

    Only `success` is inspected; the remaining callback arguments are ignored.
    """
    if success:
        ticket = {
            "short_description": "Zeus, Multiple action need to be taken",
            "description": "Investigative actions to check for the presence of Zeus",
        }
        phantom.act('create ticket', parameters=[ticket], assets=["servicenow"], callback=create_ticket_cb)
Esempio n. 4
0
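def on_finish(email, summary):
    """Send the end-of-run summary email for the ingest-file detonation playbook.

    Args:
        email: the container dict; reads 'current_rule_run_id' and 'id'.
        summary: the playbook summary, pretty-printed into the email body / debug log.

    Side effects:
        Reads and clears 'setup_data<run_id>' (email_to, email_from, smtp_asset).
        When phantom.get_summary() reports at least one result, also reads and
        clears 'collect_data<run_id>' (collected_results, collected_vault_items,
        container_owner), attaches vault item info to each result whose
        detonate_summary target is that vault id, and queues a 'send email'
        whose body pretty-prints all collected results — i.e. detonation
        details and vault info are delivered to the configured recipients.
        Otherwise an abort email is queued. Both paths continue in send_email_cb.

    Fix: the results loop used dict.iteritems(), which does not exist on
    Python 3; dict.items() behaves identically here on both interpreters.
    """
    run_id = str(email['current_rule_run_id'])
    setupkey = 'setup_data' + run_id
    collectkey = 'collect_data' + run_id
    email_to, email_from, smtp_asset = phantom.get_data(setupkey, clear_data=True)
    container_url = phantom.get_base_url() + 'container/' + str(email['id'])

    # get_summary tells us whether on_start actually acted on anything
    getsummary = phantom.get_summary()
    actions_run = len(getsummary['result'])

    if actions_run > 0:
        collected_results, collected_vault_items, container_owner = phantom.get_data(collectkey, clear_data=True)

        # attach the vault item info to every result that detonated that vault item
        for vaultid in collected_vault_items:
            vaultinfo = phantom.get_vault_item_info(vaultid)
            for app_run_id, datavalues in collected_results.items():
                if datavalues['detonate_summary']['target'] == vaultid:
                    collected_results[app_run_id]['vault_info'] = vaultinfo

        # two of the summarised actions are not detonations, hence the -2
        expected_detonations = actions_run - 2
        if len(collected_results) < expected_detonations:
            collected_results['message'] = "Unexpected: Collected Results: {} is less than actions run: {}".format(len(collected_results), expected_detonations)

        email_subject = "Results: Ingest file detonatation"
        email_body = '\nPhantom Container ID: {} - Owner: {}\nURL: {}\nReturned results by app_run_id:\n{}'.format(
            email['id'], container_owner, container_url, pprint.pformat(collected_results, indent=4))
        phantom.act('send email',
                    parameters=[{"from": email_from, "to": email_to, "subject": email_subject, "body": email_body}],
                    assets=[smtp_asset],
                    callback=send_email_cb)
        phantom.debug("Summary: " + pprint.pformat(summary, indent=4))
    else:
        # nothing was acted on: tell the recipients the run was aborted
        phantom.debug('No artifacts, sending abort email.')
        email_subject = "Results: No artifacts to run, aborting"
        email_body = '\nPhantom Container ID: {}\nURL: {} \nSummary:\n{}'.format(email['id'], container_url, summary)
        phantom.act('send email',
                    parameters=[{"from": email_from, "to": email_to, "subject": email_subject, "body": email_body}],
                    assets=[smtp_asset],
                    callback=send_email_cb)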
def add_domains_to_block_list():
    """Queue a 'block domain' action for yahoo.com and msn.com on 'opendns_umbrella' (continues in block_domains_cb).

    Each entry sets 'disable_safeguards' to True, which by its name bypasses
    the asset's protection against blocking widely used domains — presumably
    a demo/test list; confirm before reusing.
    """
    domains = ['yahoo.com', 'msn.com']
    parameters = [{'domain': d, 'disable_safeguards': True} for d in domains]

    phantom.act('block domain', parameters=parameters, assets=['opendns_umbrella'], callback=block_domains_cb)
def list_firewall_rules_cb(action, success, incident, results, handle):
    """Chained callback: on success, queue 'list srps' for 10.17.1.44 on domainctrl1 (continues in list_srps_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        target = {"ip_hostname": "10.17.1.44"}
        phantom.act('list srps',
                    parameters=[target],
                    assets=["domainctrl1"],
                    callback=list_srps_cb)
def list_processes_cb(action, success, incident, results, handle):
    """Chained callback: on success, fetch notepad.exe from 10.17.1.44 via 'get process file' on domainctrl1 (continues in get_process_file_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        request = {"name": "notepad.exe", "ip_hostname": "10.17.1.44"}
        phantom.act('get process file',
                    parameters=[request],
                    assets=["domainctrl1"],
                    callback=get_process_file_cb)
def list_sessions_cb(action, success, incident, results, handle):
    """Chained callback: on success, log CORP\\User1 off 10.17.1.44 via 'logoff user' on domainctrl1 (continues in logoff_user_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        session = {"username": "CORP\\User1", "ip_hostname": "10.17.1.44"}
        phantom.act('logoff user',
                    parameters=[session],
                    assets=["domainctrl1"],
                    callback=logoff_user_cb)
def delete_srp1_cb(action, success, incident, results, handle):
    """Chained callback: on success, queue 'block path' for the glob "infostealer*" on 10.17.1.44 (domainctrl1; continues in block_path_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        rule = {"path": "infostealer*", "ip_hostname": "10.17.1.44"}
        phantom.act('block path',
                    parameters=[rule],
                    assets=["domainctrl1"],
                    callback=block_path_cb)
Esempio n. 10
0
def delete_srp_cb(action, success, incident, results, handle):
    """Chained callback: on success, add an outbound tcp/22 block rule toward 192.94.73.9 on 10.17.1.44 (domainctrl1; continues in block_ip_cb).

    The rule is named ph_block_rule_AAB123. Only `success` is inspected.
    """
    if success:
        rule = {
            "protocol": "tcp",
            "remote_port": "22",
            "ip_hostname": "10.17.1.44",
            "rule_name": "ph_block_rule_AAB123",
            "dir": "out",
            "remote_ip": "192.94.73.9",
        }
        phantom.act('block ip', parameters=[rule], assets=["domainctrl1"], callback=block_ip_cb)
Esempio n. 11
0
def list_tickets_cb(action, success, incident, results, handle):
    """Chained callback: on success, open a priority-3 "Zeus Incident." ticket on the 'rt' asset (continues in create_ticket_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        ticket = {"subject": "Zeus Incident.", "text": "Please look into this", "priority": "3"}
        phantom.act('create ticket',
                    parameters=[ticket],
                    assets=["rt"],
                    callback=create_ticket_cb)
Esempio n. 12
0
def block_ip_cb(action, success, incident, results, handle):
    """Chained callback: on success, block the junos-http application from zone trust to untrust on 'junipersrx' (continues in block_application_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        policy = {"application": "junos-http", "from_zone": "trust", "to_zone": "untrust"}
        phantom.act('block application',
                    parameters=[policy],
                    assets=["junipersrx"],
                    callback=block_application_cb)
Esempio n. 13
0
def get_config_cb(action, success, incident, results, handle):
    """Chained callback: on success, add an inbound any -> 10.10.10.2 deny entry to ACL inside_access_in on 'ciscoasa' (continues in block_ip_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        acl_entry = {
            "src": "any",
            "direction": "in",
            "dest": "10.10.10.2",
            "access-list": "inside_access_in",
            "interface": "inside",
        }
        phantom.act('block ip', parameters=[acl_entry], assets=["ciscoasa"], callback=block_ip_cb)
Esempio n. 14
0
def get_version_cb(action, success, incident, results, handle):
    """Chained callback: on success, queue a parameterless 'get config' on 'ciscoasa' (continues in get_config_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        phantom.act('get config',
                    parameters=[{}],
                    assets=["ciscoasa"],
                    callback=get_config_cb)
Esempio n. 15
0
def detonate_file_cb(action, success, incident, results, handle):
    """Chained callback: on success, detonate www.phantomcyber.com on the 'anubis' sandbox asset (continues in detonate_url_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        sample = {"url": "www.phantomcyber.com"}
        phantom.act('detonate url',
                    parameters=[sample],
                    assets=["anubis"],
                    callback=detonate_url_cb)
Esempio n. 16
0
def set_system_attribute_cb(action, success, incident, results, handle):
    """Chained callback: on success, read the attributes of user jason_malware via domainctrl1 (continues in get_user_attributes_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        account = {"username": "jason_malware"}
        phantom.act('get user attributes',
                    parameters=[account],
                    assets=["domainctrl1"],
                    callback=get_user_attributes_cb)
Esempio n. 17
0
def get_user_attributes_cb(action, success, incident, results, handle):
    """Chained callback: on success, read the attributes of host winxpprox87 via domainctrl1 (continues in get_system_attributes_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        host = {"hostname": "winxpprox87"}
        phantom.act('get system attributes',
                    parameters=[host],
                    assets=["domainctrl1"],
                    callback=get_system_attributes_cb)
Esempio n. 18
0
def disable_user_cb(action, success, incident, results, handle):
    """Chained callback: on success, re-enable user jason_malware via domainctrl1 (continues in enable_user_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        account = {"username": "jason_malware"}
        phantom.act('enable user',
                    parameters=[account],
                    assets=["domainctrl1"],
                    callback=enable_user_cb)
Esempio n. 19
0
def detonate_file_cb(action, success, incident, results, handle):
    """Chained callback: on success, detonate www.phantomcyber.com on the 'cuckoo' sandbox asset (continues in detonate_url_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        sample = {'url': 'www.phantomcyber.com'}
        phantom.act('detonate url',
                    parameters=[sample],
                    assets=['cuckoo'],
                    callback=detonate_url_cb)
Esempio n. 20
0
def enable_user_cb(action, success, incident, results, handle):
    """Chained callback: on success, move host winxpprox87 to OU "staging" via domainctrl1 (continues in change_system_ou1_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        move = {"ou": "staging", "hostname": "winxpprox87"}
        phantom.act('change system ou',
                    parameters=[move],
                    assets=["domainctrl1"],
                    callback=change_system_ou1_cb)
Esempio n. 21
0
def block_ip_cb(action, success, incident, results, handle):
    """Chained callback: on success, remove firewall rule ph_block_rule_AAB123 from 10.17.1.44 via domainctrl1 (continues in delete_firewall_rule_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        rule = {"rule_name": "ph_block_rule_AAB123", "ip_hostname": "10.17.1.44"}
        phantom.act('delete firewall rule',
                    parameters=[rule],
                    assets=["domainctrl1"],
                    callback=delete_firewall_rule_cb)
Esempio n. 22
0
def change_system_ou_cb(action, success, incident, results, handle):
    """Chained callback: on success, set extensionattribute1 of host winxpprox87 to "admin,Office,NYC" via domainctrl1 (continues in set_system_attribute_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        attribute = {
            "attribute_value": "admin,Office,NYC",
            "hostname": "winxpprox87",
            "attribute_name": "extensionattribute1",
        }
        phantom.act('set system attribute', parameters=[attribute], assets=["domainctrl1"], callback=set_system_attribute_cb)
Esempio n. 23
0
def logoff_user_cb(action, success, incident, results, handle):
    """Chained callback: on success, reboot 10.17.1.44 via domainctrl1 (continues in reboot_system_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        host = {"ip_hostname": "10.17.1.44"}
        phantom.act('reboot system',
                    parameters=[host],
                    assets=["domainctrl1"],
                    callback=reboot_system_cb)
Esempio n. 24
0
def snapshot_vm_cb(action, success, incident, results, handle):
    """Chained callback: on success, run 'list connections' on 'volatility' against the vault item the previous action produced (continues in list_connections_cb).

    The vault id is read from results[0]['action_results'][0]['summary']['vault_id'];
    a success result without that key would raise here.
    """
    if success:
        first_summary = results[0]['action_results'][0]['summary']
        phantom.act('list connections',
                    parameters=[{"vault_id": first_summary['vault_id']}],
                    assets=["volatility"],
                    callback=list_connections_cb)
Esempio n. 25
0
def block_hash_cb(action, success, incident, results, handle):
    """Chained callback: on success, delete the SRP whose guid the previous action returned from 10.17.1.44 via domainctrl1 (continues in delete_srp1_cb).

    The guid is read from results[0]['action_results'][0]['data'][0]['guid'];
    a success result with empty data would raise here.
    """
    if success:
        first_data = results[0]['action_results'][0]['data'][0]
        phantom.act('delete srp',
                    parameters=[{"guid": first_data['guid'], "ip_hostname": "10.17.1.44"}],
                    assets=["domainctrl1"],
                    callback=delete_srp1_cb)
Esempio n. 26
0
def list_processes_cb(action, success, incident, results, handle):
    """Chained callback: on success, dump pid 2667 via 'get process file' on 'volatility' (continues in get_process_file_cb).

    The volatility profile and vault id are carried over from the previous
    action's summary and parameters (results[0]['action_results'][0]).
    """
    if success:
        previous = results[0]['action_results'][0]
        request = {
            "profile": previous['summary']['vol_profile_used'],
            "vault_id": previous['parameter']['vault_id'],
            "pid": "2667",
        }
        phantom.act('get process file', parameters=[request], assets=["volatility"], callback=get_process_file_cb)
Esempio n. 27
0
def get_process_dump_cb(action, success, incident, results, handle):
    """Chained callback: on success, terminate chrome.exe on 10.17.1.44 via domainctrl1 (continues in terminate_process_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        process = {"name": "chrome.exe", "ip_hostname": "10.17.1.44"}
        phantom.act('terminate process',
                    parameters=[process],
                    assets=["domainctrl1"],
                    callback=terminate_process_cb)
Esempio n. 28
0
def get_browser_history_cb(action, success, incident, results, handle):
    """Chained callback: on success, run 'list mrus' on 'volatility' with the previous action's profile and vault id (continues in list_mrus_cb).

    Both values are read from results[0]['action_results'][0].
    """
    if success:
        previous = results[0]['action_results'][0]
        request = {
            "profile": previous['summary']['vol_profile_used'],
            "vault_id": previous['parameter']['vault_id'],
        }
        phantom.act('list mrus', parameters=[request], assets=["volatility"], callback=list_mrus_cb)
Esempio n. 29
0
def list_connections_cb(action, success, incident, results, handle):
    """Chained callback: on success, list processes on 10.17.1.44 via domainctrl1 (continues in list_processes_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        host = {"ip_hostname": "10.17.1.44"}
        phantom.act('list processes',
                    parameters=[host],
                    assets=["domainctrl1"],
                    callback=list_processes_cb)
Esempio n. 30
0
def list_srps_cb(action, success, incident, results, handle):
    """Chained callback: on success, queue 'deactivate partition' for 10.17.1.44 on domainctrl1 (continues in deactivate_partition_cb).

    Only `success` is inspected; the other callback arguments are ignored.
    """
    if success:
        host = {"ip_hostname": "10.17.1.44"}
        phantom.act('deactivate partition',
                    parameters=[host],
                    assets=["domainctrl1"],
                    callback=deactivate_partition_cb)
def create_detect_indicator(action=None,
                            success=None,
                            container=None,
                            results=None,
                            handle=None,
                            filtered_artifacts=None,
                            filtered_results=None,
                            custom_function=None,
                            **kwargs):
    """Upload every filtered SHA-256 hash to 'crowdstrike_oauth' as a "detect" indicator with share_level "red".

    Reads the fileHashSha256 and artifact id of each artifact that passed
    filter_main_artifact / condition_1; empty hashes are skipped. The artifact
    id is attached as `context` so results map back to the artifact. The
    'upload indicator' action is queued even when the parameter list ends
    up empty.
    """
    phantom.debug('create_detect_indicator() called')

    hash_rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_main_artifact:condition_1:artifact:*.cef.fileHashSha256',
            'filtered-data:filter_main_artifact:condition_1:artifact:*.id'
        ])

    # one indicator per artifact that carries a hash; source/expiration/description left blank
    parameters = [
        {
            'ioc': row[0],
            'policy': "detect",
            'source': "",
            'expiration': "",
            'description': "",
            'share_level': "red",
            'context': {'artifact_id': row[1]},
        }
        for row in hash_rows if row[0]
    ]

    phantom.act(action="upload indicator",
                parameters=parameters,
                assets=['crowdstrike_oauth'],
                name="create_detect_indicator")
Esempio n. 32
0
def no_op_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Wait 10 seconds and hand control back to get_case_note_count, or go to prompt_1 once `handle` equals 3.

    `handle` is the count passed along from the previous get_case_note_count
    block. Any value other than 3 queues a 'no op' (sleep_seconds=10) on
    'local phantom' whose callback is get_case_note_count; exactly 3 calls
    prompt_1(container=container) instead.
    """
    phantom.debug('no_op_2() called')

    if handle == 3:
        prompt_1(container=container)
        return

    sleep_params = [{'sleep_seconds': 10}]
    phantom.act("no op",
                parameters=sleep_params,
                assets=['local phantom'],
                callback=get_case_note_count,
                name="no_op_2",
                parent_action=action)
Esempio n. 33
0
def delete_srp_cb(action, success, incident, results, handle):
    """Chained callback: on success, add an outbound tcp/22 block rule toward 192.94.73.9 on 10.17.1.44 (domainctrl1; continues in block_ip_cb).

    The rule is named ph_block_rule_AAB123. Only `success` is inspected.
    """
    if not success:
        return

    rule = {
        "protocol": "tcp",
        "remote_port": "22",
        "ip_hostname": "10.17.1.44",
        "rule_name": "ph_block_rule_AAB123",
        "dir": "out",
        "remote_ip": "192.94.73.9",
    }
    phantom.act('block ip', parameters=[rule], assets=["domainctrl1"], callback=block_ip_cb)
def run_query_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run one 'run query' on 'esa100' per entry of the 'format_1__as_list' format block (continues in format_2).

    Each formatted entry becomes a parameter set with 'display' left empty.
    """
    phantom.debug('run_query_1() called')

    queries = phantom.get_format_data(name='format_1__as_list')

    parameters = [{'query': q, 'display': ""} for q in queries]

    phantom.act(action="run query",
                parameters=parameters,
                assets=['esa100'],
                callback=format_2,
                name="run_query_1")
def get_data_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch the location produced by the 'format_2' format block with 'get data' on the 'local' asset (continues in custom_function_2).

    NOTE(review): 'verify_certificate' is False, so the TLS certificate of
    the fetched location is not validated — acceptable only if the asset
    only ever reaches a trusted internal endpoint; confirm.
    """
    phantom.debug('get_data_1() called')

    location = phantom.get_format_data(name='format_2')

    request = {
        'location': location,
        'verify_certificate': False,
        'headers': "",
    }

    phantom.act("get data",
                parameters=[request],
                assets=['local'],
                callback=custom_function_2,
                name="get_data_1")
Esempio n. 36
0
def Query_user(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch the location produced by the 'Format_user_query' format block with 'get data' on the 'local' asset (continues in extract_email_address).

    NOTE(review): 'verify_certificate' is False, so the TLS certificate of
    the queried endpoint is not validated; confirm the asset only targets a
    trusted internal service.
    """
    phantom.debug('Query_user() called')

    location = phantom.get_format_data(name='Format_user_query')

    request = {
        'location': location,
        'verify_certificate': False,
        'headers': "",
    }

    phantom.act("get data",
                parameters=[request],
                assets=['local'],
                callback=extract_email_address,
                name="Query_user")
Esempio n. 37
0
def list_vms_1(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Queue a parameterless 'list vms' on 'vmwarevsphere'; results continue in filter_1.

    None of the arguments are read; they match the block signature the
    playbook runner passes in.
    """
    phantom.debug('list_vms_1() called')

    phantom.act("list vms", parameters=[], assets=['vmwarevsphere'], callback=filter_1, name="list_vms_1")
def get_parent_playbook_data(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch the URL produced by the 'playbook_run_data_url' format block via 'get data' on 'phantom_rest' (continues in playbook_message_format).

    NOTE(review): 'verify_certificate' is False, so the platform's own REST
    certificate is not validated by this call; confirm that is intended for
    the deployment.
    """
    phantom.debug('get_parent_playbook_data() called')

    location = phantom.get_format_data(name='playbook_run_data_url')

    request = {
        'headers': "",
        'location': location,
        'verify_certificate': False,
    }

    phantom.act("get data",
                parameters=[request],
                assets=['phantom_rest'],
                callback=playbook_message_format,
                name="get_parent_playbook_data")
def list_channels_1(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Queue a parameterless 'list channels' on 'slack_splunk'; results continue in custom_function_2.

    None of the arguments are read; they match the block signature the
    playbook runner passes in.
    """
    phantom.debug('list_channels_1() called')

    phantom.act("list channels", parameters=[], assets=['slack_splunk'], callback=custom_function_2, name="list_channels_1")
Esempio n. 40
0
def get_service_pin(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Fetch the location produced by the 'format_9' format block via 'get data' on the 'http' asset (continues in decision_4).

    NOTE(review): 'verify_certificate' is False, so the TLS certificate of
    the endpoint serving the PIN is not validated; given the name suggests
    a secret is returned, confirm this is only ever an internal endpoint.
    """
    phantom.debug('get_service_pin() called')

    location = phantom.get_format_data(name='format_9')

    request = {
        'headers': "",
        'location': location,
        'verify_certificate': False,
    }

    phantom.act(action="get data",
                parameters=[request],
                assets=['http'],
                callback=decision_4,
                name="get_service_pin")
Esempio n. 41
0
def list_endpoints_1(action=None,
                     success=None,
                     container=None,
                     results=None,
                     handle=None,
                     filtered_artifacts=None,
                     filtered_results=None):
    """Queue a parameterless 'list endpoints' on 'carbonblack'; results continue in filter_1.

    None of the arguments are read; they match the block signature the
    playbook runner passes in.
    """
    phantom.debug('list_endpoints_1() called')

    phantom.act("list endpoints", parameters=[], assets=['carbonblack'], callback=filter_1, name="list_endpoints_1")
def send_deny_email_2(action=None,
                      success=None,
                      container=None,
                      results=None,
                      handle=None,
                      filtered_artifacts=None,
                      filtered_results=None):
    """Email "Request Denied" to the fromEmail of every filter_2/condition_1 artifact via 'smtp' (continues in join_update_ticket_denied).

    The body is the 'format_deny_email' format block. Artifacts without a
    fromEmail are skipped; the artifact id is attached as `context`.

    NOTE(review): the recipient is the artifact's own fromEmail field, i.e.
    ingested (possibly spoofed) mail data, so a forged sender address would
    receive this notification.
    """
    phantom.debug('send_deny_email_2() called')

    recipient_rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_2:condition_1:artifact:*.cef.fromEmail',
            'filtered-data:filter_2:condition_1:artifact:*.id'
        ])
    body = phantom.get_format_data(name='format_deny_email')

    parameters = [
        {
            'body': body,
            'to': row[0],
            'from': "*****@*****.**",
            'attachments': "",
            'subject': "Request Denied",
            'context': {'artifact_id': row[1]},
        }
        for row in recipient_rows if row[0]
    ]

    phantom.act("send email",
                parameters=parameters,
                assets=['smtp'],
                callback=join_update_ticket_denied,
                name="send_deny_email_2")
Esempio n. 43
0
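def hunt_file_1(action=None,
                success=None,
                container=None,
                results=None,
                handle=None,
                filtered_artifacts=None,
                filtered_results=None):
    """Hunt every artifact fileHash on the Carbon Black 'hunt file' asset (continues in filter_4).

    The asset list comes from get_specific_assets("hunt file", ["Carbon Black"]).
    Reads `artifact:*.cef.fileHash` / `artifact:*.id` from the container;
    empty hashes are skipped and the artifact id is attached as `context`.
    Returns without queuing anything when no matching asset exists (debug
    message) or no artifact carries a hash (error message).

    Fix: the "not found" branch only logged and then fell through to
    phantom.act with an empty asset list; it now returns, as its message says.
    """
    assets = get_specific_assets("hunt file", ["Carbon Black"])

    if not assets:
        phantom.debug("Carbon Black::hunt file not found returning.")
        return

    container_data = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.fileHash', 'artifact:*.id'])

    parameters = [
        {
            'hash': item[0],
            'range': "",
            'type': "binary",
            # context (artifact id) ties results back to the artifact
            'context': {'artifact_id': item[1]},
        }
        for item in container_data if item[0]
    ]

    if not parameters:
        phantom.error("'hunt_file_1' will not be executed due to lack of parameters")
        return

    phantom.act("hunt file",
                parameters=parameters,
                assets=assets,
                name="hunt_file_1",
                callback=filter_4)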
Esempio n. 44
0
def no_shutdown_comment(action=None,
                        success=None,
                        container=None,
                        results=None,
                        handle=None,
                        filtered_artifacts=None,
                        filtered_results=None):
    """Annotate each notable event found by query_notable_history with a fixed "no shutdown" comment via 'update event' on 'splunk'.

    Reads the event_id and the originating artifact id from the
    query_notable_history action results; rows without an event_id are
    skipped. Owner, status and urgency are left unchanged (empty strings).
    """
    phantom.debug('no_shutdown_comment() called')

    event_rows = phantom.collect2(
        container=container,
        datapath=[
            'query_notable_history:action_result.data.0.event_id',
            'query_notable_history:action_result.parameter.context.artifact_id'
        ],
        action_results=results)

    analyst_note = "An analyst decided not to shut down the affected Windows machine so no action was taken."

    parameters = [
        {
            'event_ids': row[0],
            'owner': "",
            'status': "",
            'urgency': "",
            'comment': analyst_note,
            'context': {'artifact_id': row[1]},
        }
        for row in event_rows if row[0]
    ]

    phantom.act("update event",
                parameters=parameters,
                assets=['splunk'],
                name="no_shutdown_comment")
Esempio n. 45
0
def add_to_IP_blocklist(action=None,
                        success=None,
                        container=None,
                        results=None,
                        handle=None,
                        filtered_artifacts=None,
                        filtered_results=None,
                        custom_function=None,
                        **kwargs):
    """Record every IP that block_ip_1 acted on in the custom list ip_address_blocklist via 'add listitem' on the 'phantom' asset.

    Reads the ip parameter and artifact id from block_ip_1's action results;
    rows without an ip are skipped. 'create' is True so the list is created
    on first use.
    """
    phantom.debug('add_to_IP_blocklist() called')

    blocked_rows = phantom.collect2(
        container=container,
        datapath=[
            'block_ip_1:action_result.parameter.ip',
            'block_ip_1:action_result.parameter.context.artifact_id'
        ],
        action_results=results)

    parameters = [
        {
            'list': "custom_list:ip_address_blocklist",
            'create': True,
            'new_row': row[0],
            'context': {'artifact_id': row[1]},
        }
        for row in blocked_rows if row[0]
    ]

    phantom.act(action="add listitem",
                parameters=parameters,
                assets=['phantom'],
                name="add_to_IP_blocklist",
                parent_action=action)
def send_email_3(action=None,
                 success=None,
                 container=None,
                 results=None,
                 handle=None,
                 filtered_artifacts=None,
                 filtered_results=None):
    """Email "Unblock Request Accepted" to the fromEmail of each allow_url_1 artifact via 'smtp' (continues in join_set_status_4).

    Rows without a fromEmail are skipped; the artifact id is attached as
    `context`.

    NOTE(review): the recipient is taken from the artifact's fromEmail, i.e.
    ingested mail data, so a spoofed sender address would receive this
    confirmation.
    """
    phantom.debug('send_email_3() called')

    recipient_rows = phantom.collect2(
        container=container,
        datapath=[
            'allow_url_1:artifact:*.cef.fromEmail', 'allow_url_1:artifact:*.id'
        ],
        action_results=results)

    parameters = [
        {
            'body': "The URL has been unblocked for 24 hours",
            'to': row[0],
            'from': "*****@*****.**",
            'attachments': "",
            'subject': "Unblock Request Accepted",
            'context': {'artifact_id': row[1]},
        }
        for row in recipient_rows if row[0]
    ]

    phantom.act("send email",
                parameters=parameters,
                assets=['smtp'],
                callback=join_set_status_4,
                name="send_email_3",
                parent_action=action)
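def create_ticket_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Open a ServiceNow ticket summarising the response actions taken in this playbook run.

    Collects, via phantom.collect2: the usernames disabled (disable_user_1),
    hashes blocked (block_hash_3), users logged off (logoff_user_1), systems
    shut down (shutdown_system_1), hash/positives pairs from file_reputation_1,
    and the usernames/hostnames where hunt_file_2 found the file. The title
    counts the detected systems; the description always lists reputation
    results, detected systems and users, and adds the blocked/logged-off/
    disabled/shutdown sections only when they are non-empty.

    Fixes: "sumbitted" typo in the description; the `if parameters` guard
    was dead code since the list always holds one entry.

    NOTE(review): usernames and hostnames come straight from endpoint hunt
    results and are placed in the ticket text verbatim; treat them as
    untrusted strings downstream.
    """
    disabled_users = set(phantom.collect2(datapath='disable_user_1:action_result.parameter.username'))
    blocked_hashes = set(phantom.collect2(datapath='block_hash_3:action_result.parameter.hash'))
    loggedoff_users = set(phantom.collect2(datapath='logoff_user_1:action_result.parameter.username'))
    shutdown_systems = set(phantom.collect2(datapath='shutdown_system_1:action_result.parameter.ip_hostname'))
    file_reputation = phantom.collect2(datapath=['file_reputation_1:filtered-action_result.parameter.hash',
                                                 'file_reputation_1:filtered-action_result.summary.positives'])
    detected_users = set(phantom.collect2(datapath='hunt_file_2:action_result.data.*.process.results.*.username'))
    detected_systems = set(phantom.collect2(datapath='hunt_file_2:action_result.data.*.process.results.*.hostname'))

    title = "Virus Detected on {0} devices".format(len(detected_systems))

    # "hash (positives)" per reputation row
    reputation_text = ", ".join("{0} ({1})".format(*fr) for fr in file_reputation)

    sections = [
        "Hashes submitted with detections:\n{0}\n\n".format(reputation_text),
        "File was found on {0} devices:\n{1}\n\n".format(len(detected_systems), ', '.join(detected_systems)),
        "This impacts at least {0} users:\n{1}\n\n".format(len(detected_users), ', '.join(detected_users)),
    ]
    # optional sections appear only when the corresponding action produced results
    optional_sections = [
        (blocked_hashes, "{0} hashes were submitted for blocking:\n{1}\n\n"),
        (loggedoff_users, "{0} users were forced to logoff:\n{1}\n\n"),
        (disabled_users, "{0} user accounts were disabled:\n{1}\n\n"),
        (shutdown_systems, "{0} systems were shutdown:\n{1}\n\n"),
    ]
    for items, template in optional_sections:
        if items:
            sections.append(template.format(len(items), ", ".join(items)))
    description = "".join(sections)

    parameters = [{
        'short_description': title,
        'description': description,
        'fields': "",
    }]

    phantom.act("create ticket", parameters=parameters, assets=['servicenow'], name="create_ticket_2", parent_action=action)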
Esempio n. 48
0
def create_ticket_5(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Open one ServiceNow incident per get_report_2 result, titled with its threat_id (continues in create_ticket_5_callback).

    The description is the 'format_1' format block for every ticket; the
    artifact id is attached as `context`. Unlike the hash/IP blocks, rows
    are not filtered on an empty threat_id.
    """
    phantom.debug('create_ticket_5() called')

    report_rows = phantom.collect2(
        container=container,
        datapath=[
            'get_report_2:action_result.parameter.threat_id',
            'get_report_2:action_result.parameter.context.artifact_id'
        ],
        action_results=results)
    description = phantom.get_format_data(name='format_1')

    parameters = [
        {
            'short_description': row[0],
            'table': "incident",
            'vault_id': "",
            'description': description,
            'fields': "",
            'context': {'artifact_id': row[1]},
        }
        for row in report_rows
    ]

    phantom.act("create ticket",
                parameters=parameters,
                assets=['servicenow'],
                callback=create_ticket_5_callback,
                name="create_ticket_5")
Esempio n. 49
0
def run_asset_query(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None,
                    custom_function=None,
                    **kwargs):
    """Run the ``format_asset_query`` lookup against the Splunk asset table.

    The query text is read from the ``format_asset_query`` format block. When
    that block yielded nothing, ``run query`` is still dispatched, but with an
    empty parameter list. Results continue in ``join_results_decision``.

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results, custom_function, **kwargs: the standard playbook
            block signature; none of them are read by this block.
    """
    phantom.debug("run_asset_query() called")

    ################################################################################
    # Search for any matches to hosts in the asset table in Splunk.
    ################################################################################

    asset_query = phantom.get_format_data(name="format_asset_query")

    # One parameter set when the format block produced text, otherwise none.
    parameters = []
    if asset_query is not None:
        parameters = [{
            "query": asset_query,
            "command": "| inputlookup",
        }]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("run query",
                parameters=parameters,
                name="run_asset_query",
                assets=["splunk"],
                callback=join_results_decision)

    return
def detonate_file_1(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Submit every vault file selected by ``filter_8`` to Threat Grid.

    Only artifacts whose ``cef.vaultId`` is non-empty are submitted; each
    parameter set carries the artifact id as context. Results continue in
    ``filter_5`` and the action is parented to the calling ``action``.

    Args:
        container: the container whose filtered artifacts are collected.
        action: upstream action, passed through as ``parent_action``.
        success, results, handle, filtered_artifacts, filtered_results:
            part of the standard block signature; not read here.
    """
    phantom.debug('detonate_file_1() called')

    # collect data for 'detonate_file_1' call
    selected_artifacts = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_8:condition_1:artifact:*.cef.vaultId',
            'filtered-data:filter_8:condition_1:artifact:*.id'
        ])

    # build parameters list for 'detonate_file_1' call
    parameters = []
    for entry in selected_artifacts:
        vault_id, artifact_id = entry[0], entry[1]
        if not vault_id:
            # nothing to detonate for artifacts without a vault file
            continue
        parameters.append({
            'file_name': "",
            'vault_id': vault_id,
            'force_analysis': "",
            'vm': "",
            'private': "",
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': artifact_id
            },
        })

    phantom.act("detonate file",
                parameters=parameters,
                assets=['threatgrid'],
                callback=filter_5,
                name="detonate_file_1",
                parent_action=action)

    return
def update_ticket_1(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Apply the ``format_2`` field set to each ticket created by ``create_ticket_1``.

    Ticket ids come from the ``created_ticket_id`` summary of the upstream
    results; entries without an id are ignored. Every update carries the
    originating artifact id as context and control continues in
    ``compromised_email_password_reset``.

    Args:
        container: the container the playbook is running on.
        results: output of ``create_ticket_1``, passed to ``phantom.collect2``
            as ``action_results``.
        action, success, handle, filtered_artifacts, filtered_results: part
            of the standard block signature; not read here.
    """
    phantom.debug('update_ticket_1() called')

    # collect data for 'update_ticket_1' call
    created_tickets = phantom.collect2(
        container=container,
        datapath=[
            'create_ticket_1:action_result.summary.created_ticket_id',
            'create_ticket_1:action_result.parameter.context.artifact_id'
        ],
        action_results=results)
    field_updates = phantom.get_format_data(name='format_2')

    # build parameters list for 'update_ticket_1' call: one entry per ticket id
    parameters = [
        {
            'table': "",
            'vault_id': "",
            'id': entry[0],
            'fields': field_updates,
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': entry[1]
            },
        }
        for entry in created_tickets
        if entry[0]
    ]

    phantom.act("update ticket",
                parameters=parameters,
                assets=['servicenow'],
                callback=compromised_email_password_reset,
                name="update_ticket_1")

    return
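def get_file_2(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None,
               custom_function=None,
               **kwargs):
    """Fetch from Carbon Black each file whose hash passed ``filter_1``.

    Hashes are the ``hash`` parameters of the ``file_reputation_1`` results
    selected by ``filter_1``; entries with an empty hash are skipped so no
    ``get file`` request is issued without a target. Each parameter set
    carries the originating artifact id as context.

    Args:
        container: the container the filtered results belong to.
        action, success, results, handle, filtered_artifacts,
        filtered_results, custom_function, **kwargs: the standard block
            signature; not read here.
    """
    phantom.debug('get_file_2() called')

    # collect data for 'get_file_2' call
    filtered_results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_1:condition_1:file_reputation_1:action_result.parameter.hash",
            "filtered-data:filter_1:condition_1:file_reputation_1:action_result.parameter.context.artifact_id"
        ])

    # build parameters list for 'get_file_2' call
    # Skip empty hashes, matching the falsy checks the sibling blocks apply
    # to their primary parameter.
    parameters = [
        {
            'hash': filtered_results_item_1[0],
            'ph_0': "",
            'offset': "",
            'get_count': "",
            'sensor_id': "",
            'file_source': "",
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': filtered_results_item_1[1]
            },
        }
        for filtered_results_item_1 in filtered_results_data_1
        if filtered_results_item_1[0]
    ]

    phantom.act(action="get file",
                parameters=parameters,
                assets=['carbonblack'],
                name="get_file_2")

    return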
def update_event_1(action=None,
                   success=None,
                   container=None,
                   results=None,
                   handle=None,
                   filtered_artifacts=None,
                   filtered_results=None,
                   custom_function=None,
                   **kwargs):
    """Mark each artifact's event "in progress" and attach the ``format_comment`` text.

    One ``update event`` parameter set is built per artifact that has a
    non-empty ``cef.eventId``; the artifact id is attached as context so the
    results can be tied back to it.

    Args:
        container: the container whose artifacts are collected.
        action, success, results, handle, filtered_artifacts,
        filtered_results, custom_function, **kwargs: the standard block
            signature; not read here.
    """
    phantom.debug('update_event_1() called')

    # collect data for 'update_event_1' call
    artifact_events = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.eventId', 'artifact:*.id'])
    comment_text = phantom.get_format_data(name='format_comment')

    # build parameters list for 'update_event_1' call
    parameters = []
    for event_id, artifact_id in artifact_events:
        if not event_id:
            continue
        parameters.append({
            'owner': "",
            'status': "in progress",
            'comment': comment_text,
            'urgency': "",
            'event_ids': event_id,
            'integer_status': "",
            'wait_for_confirmation': "",
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': artifact_id
            },
        })

    phantom.act(action="update event",
                parameters=parameters,
                assets=['esaabb100'],
                name="update_event_1")

    return
def ip_reputation_2(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Look up PassiveTotal reputation for every IP that ``geolocate_ip`` processed.

    IPs are the ``ip`` parameters of the upstream ``geolocate_ip`` results;
    empty values are skipped. Results carry the originating artifact id as
    context and continue in ``join_format_results``; the action is parented
    to the calling ``action``.

    Args:
        container: the container the playbook is running on.
        results: output of ``geolocate_ip``, passed to ``phantom.collect2``.
        action: upstream action, passed through as ``parent_action``.
        success, handle, filtered_artifacts, filtered_results: part of the
            standard block signature; not read here.
    """
    phantom.debug('ip_reputation_2() called')

    # collect data for 'ip_reputation_2' call
    geolocated = phantom.collect2(
        container=container,
        datapath=[
            'geolocate_ip:action_result.parameter.ip',
            'geolocate_ip:action_result.parameter.context.artifact_id'
        ],
        action_results=results)

    # build parameters list for 'ip_reputation_2' call: one lookup per non-empty IP
    parameters = [
        {
            'ip': entry[0],
            'ph': "",
            'from': "",
            'to': "",
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': entry[1]
            },
        }
        for entry in geolocated
        if entry[0]
    ]

    phantom.act("ip reputation",
                parameters=parameters,
                assets=['passivetotal'],
                callback=join_format_results,
                name="ip_reputation_2",
                parent_action=action)

    return
def detonate_file_1(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None,
                    custom_function=None,
                    **kwargs):
    """Detonate in WildFire each file that ``get_file_1`` placed in the vault.

    Vault ids come from the ``vault_id`` summary of the upstream results;
    entries without one are ignored. Each parameter set carries the
    originating artifact id as context, results continue in ``filter_1`` and
    the action is parented to the calling ``action``.

    Args:
        container: the container the playbook is running on.
        results: output of ``get_file_1``, passed to ``phantom.collect2``.
        action: upstream action, passed through as ``parent_action``.
        success, handle, filtered_artifacts, filtered_results,
        custom_function, **kwargs: the standard block signature; not read here.
    """
    phantom.debug('detonate_file_1() called')

    # collect data for 'detonate_file_1' call
    fetched_files = phantom.collect2(
        container=container,
        datapath=[
            'get_file_1:action_result.summary.vault_id',
            'get_file_1:action_result.parameter.context.artifact_id'
        ],
        action_results=results)

    # build parameters list for 'detonate_file_1' call
    parameters = []
    for vault_id, artifact_id in fetched_files:
        if not vault_id:
            continue
        parameters.append({
            'vault_id': vault_id,
            'file_name': "",
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': artifact_id
            },
        })

    phantom.act(action="detonate file",
                parameters=parameters,
                assets=['wildfire'],
                callback=filter_1,
                name="detonate_file_1",
                parent_action=action)

    return
def block_ip_2(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None,
               custom_function=None,
               **kwargs):
    """Block on the PAN firewall every IP reported by ``list_connections_1``.

    Addresses are the ``ip_addr`` fields of the upstream result rows; empty
    values are skipped. Each parameter set carries the originating artifact
    id as context and the action is parented to the calling ``action``.

    NOTE(review): the addresses are taken straight from the connection
    listing with no allow-list step visible in this block; whether internal
    or otherwise critical ranges are excluded upstream should be confirmed
    before relying on this for automated blocking.

    Args:
        container: the container the playbook is running on.
        results: output of ``list_connections_1``, passed to ``phantom.collect2``.
        action: upstream action, passed through as ``parent_action``.
        success, handle, filtered_artifacts, filtered_results,
        custom_function, **kwargs: the standard block signature; not read here.
    """
    phantom.debug('block_ip_2() called')

    # collect data for 'block_ip_2' call
    connections = phantom.collect2(
        container=container,
        datapath=[
            'list_connections_1:action_result.data.*.ip_addr',
            'list_connections_1:action_result.parameter.context.artifact_id'
        ],
        action_results=results)

    # build parameters list for 'block_ip_2' call: one entry per non-empty address
    parameters = [
        {
            'ip': entry[0],
            'vsys': "",
            'is_source_address': "",
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': entry[1]
            },
        }
        for entry in connections
        if entry[0]
    ]

    phantom.act(action="block ip",
                parameters=parameters,
                assets=['pan'],
                name="block_ip_2",
                parent_action=action)

    return
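def Format_ART_Command(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None):
    """Build a ``format command`` request for each artifact describing an ART test.

    The OS (``cef.os``), test id (``cef.act``) and arguments
    (``cef.input_arguments``) are read from every artifact of the container;
    artifacts lacking the OS or the test id are skipped. Each parameter set
    carries the artifact id as context, results continue in ``filter_1`` and
    the action is parented to the calling ``action``.

    NOTE(review): all three inputs originate in artifact CEF fields, i.e. in
    whatever was ingested into the container, and they end up in a command
    formatter. Treat them as untrusted: confirm that the ingestion path is
    restricted and that the ``Atomic Red Team`` app validates the test id and
    arguments against its own catalogue before anything is executed.

    Args:
        container: the container whose artifacts are collected.
        action: upstream action, passed through as ``parent_action``.
        success, results, handle, filtered_artifacts, filtered_results:
            part of the standard block signature; not read here.
    """
    # The log lines name this block; the previous copy still referred to the
    # generator's default 'format_command_1', which made traces misleading.
    phantom.debug('Format_ART_Command() called')

    # collect data for 'Format_ART_Command' call
    container_data = phantom.collect2(container=container,
                                      datapath=[
                                          'artifact:*.cef.os',
                                          'artifact:*.cef.act',
                                          'artifact:*.cef.input_arguments',
                                          'artifact:*.id'
                                      ])

    parameters = []
    # build parameters list for 'Format_ART_Command' call
    for container_item in container_data:
        supported_os, attack_id, input_arguments, artifact_id = container_item
        if not (supported_os and attack_id):
            continue
        # keep the per-item trace, but label it so it can be found in the log
        phantom.debug('Format_ART_Command: attack_id={0}'.format(attack_id))

        parameters.append({
            'supported_os': supported_os,
            'attack_id': attack_id,
            'input_arguments': input_arguments,
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': artifact_id
            },
        })

    phantom.act("format command",
                parameters=parameters,
                app={"name": 'Atomic Red Team'},
                callback=filter_1,
                name="Format_ART_Command",
                parent_action=action)

    return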
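def block_ip_5(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Create an outbound block on ``domainctrl1`` for each source/destination pair.

    For every artifact reached through ``block_hash_3`` the source address
    becomes ``ip_hostname`` and the destination address ``remote_ip`` of a
    ``dir="out"`` rule. Pairs missing either address are skipped: a rule with
    an empty host or an empty remote would not describe a specific
    connection, and the original block passed such pairs through unchecked.
    Each parameter set carries the artifact id as context.

    Args:
        container: the container the playbook is running on.
        results: upstream results, passed to ``phantom.collect2``.
        action, success, handle, filtered_artifacts, filtered_results: part
            of the standard block signature; not read here.
    """
    phantom.debug('block_ip_5() called')

    # collect data for 'block_ip_5' call
    inputs_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'block_hash_3:artifact:*.cef.sourceAddress',
            'block_hash_3:artifact:*.cef.destinationAddress',
            'block_hash_3:artifact:*.id'
        ],
        action_results=results)

    parameters = []

    # build parameters list for 'block_ip_5' call
    for inputs_item_1 in inputs_data_1:
        source_address, destination_address, artifact_id = inputs_item_1
        if not (source_address and destination_address):
            # both ends are required to describe the connection being blocked
            continue
        parameters.append({
            'protocol': "",
            'remote_port': "",
            'ip_hostname': source_address,
            'rule_name': "",
            'dir': "out",
            'remote_ip': destination_address,
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': artifact_id
            },
        })

    phantom.act("block ip",
                parameters=parameters,
                assets=['domainctrl1'],
                name="block_ip_5")

    return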
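def create_ticket_cb(action, success, incident, results, handle):
    """Callback for 'create ticket': fetch the ticket that was just created.

    On success the id of the first ticket in ``results`` is read and a
    ``get ticket`` action is dispatched on the ``jira`` asset, continuing in
    ``get_ticket_cb``. Nothing is dispatched when the action failed or when
    the result carries no ticket data.

    Args:
        action, incident, handle: part of the callback signature; not read here.
        success: whether the 'create ticket' action succeeded.
        results: the action results; the ticket id is expected at
            ``results[0]['action_results'][0]['data'][0]['id']``.
    """
    if not success:
        return

    phantom.debug("results: {0}".format(json.dumps(results)))

    # A successful action can still return an empty data list; the unguarded
    # chain of lookups raised IndexError/KeyError in that case.
    try:
        data = results[0]['action_results'][0]['data']
        ticket_id = data[0]['id']
    except (IndexError, KeyError, TypeError):
        phantom.error("'create_ticket_cb' found no created ticket id in results")
        return

    # 'ticket_id' rather than 'id' so the builtin is not shadowed
    phantom.act('get ticket',
                parameters=[{
                    "id": ticket_id
                }],
                assets=["jira"],
                callback=get_ticket_cb)

    return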
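def run_file_query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the ``format_file_query`` search on the ``splunk-demo`` asset.

    The search text is read from the ``format_file_query`` format block. As in
    ``run_asset_query``, a parameter set is only built when that block
    produced a value; previously a ``None`` query was passed straight through
    to ``run query``.

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results, custom_function, **kwargs: the standard block
            signature; none are read here.
    """
    phantom.debug('run_file_query() called')

    # collect data for 'run_file_query' call
    formatted_data_1 = phantom.get_format_data(name='format_file_query')

    parameters = []

    # build parameters list for 'run_file_query' call
    if formatted_data_1 is not None:
        parameters.append({
            'query': formatted_data_1,
            'command': "search",
            'display': "",
            'parse_only': "",
        })

    phantom.act(action="run query", parameters=parameters, assets=['splunk-demo'], name="run_file_query")

    return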