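def on_start(incident):
    """Queue enrichment actions for a freshly created incident.

    Two fan-out actions are started, each only when it has something to
    look up:
      * "file reputation" for every distinct ``fileHash`` artifact value
        (the original comment labels this a VirusTotal lookup; the backing
        asset is whatever is bound to that action).
      * "geolocate ip" for every attacker IP.  The parameter list is
        persisted with ``phantom.save_data(str(params))`` and the returned
        key is passed as the action ``handle`` so the callback can find
        what was queried.

    Args:
        incident: the incident object handed to the playbook by Phantom.

    Returns:
        None.  Results arrive asynchronously through ``generic_cb``.
    """
    # set() dedupes so the same file is not submitted more than once
    hashes = list(set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all')))
    if hashes:
        # NOTE(review): hashes are low-sensitivity, but they still leave the
        # environment for an external reputation service — confirm that is
        # acceptable for the incident types this playbook is attached to.
        params = [{'hash': filehash} for filehash in hashes]
        phantom.act("file reputation", parameters=params, callback=generic_cb)

    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        params = [{'ip': ip} for ip in attacker_ips]
        # str(params) (a Python repr, not JSON) is what gets persisted;
        # presumably the callback rebuilds it with ast.literal_eval — verify.
        key = phantom.save_data(str(params))
        phantom.act("geolocate ip",
                    parameters=params,
                    callback=generic_cb,
                    handle=key)

    return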
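def on_start(incident):
    """Queue a "whois ip" lookup for every attacker IP on the incident.

    Logs ``'No attacker IP in events'`` and does nothing when the incident
    carries no attacker IPs; otherwise a single ``phantom.act()`` call is
    made with one ``{'ip': ...}`` parameter dict per address, and the
    results are delivered to ``whois_cb``.

    Args:
        incident: the incident object handed to the playbook by Phantom.

    Returns:
        None.
    """
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if not attacker_ips:
        phantom.debug('No attacker IP in events')
        return

    # NOTE(review): addresses are used exactly as attacker_ips() returns
    # them; if that can include private/internal ranges the whois query is
    # wasted — confirm whether filtering happens upstream.
    params = [{'ip': ip} for ip in attacker_ips]
    phantom.act("whois ip", parameters=params, callback=whois_cb)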
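def on_start(incident):
    """Start a "whois ip" action over the incident's attacker IPs.

    Guard clause first: with no attacker IPs the function only emits the
    debug line ``'No attacker IP in events'``.  Otherwise every address
    becomes one ``{'ip': ...}`` entry of a single action call whose results
    flow into ``whois_cb``.

    Args:
        incident: the Phantom incident being processed.

    Returns:
        None.
    """
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if not attacker_ips:
        phantom.debug('No attacker IP in events')
        return

    # one parameter dict per address; the list form lets Phantom fan out
    # the action in a single call rather than one act() per IP
    phantom.act("whois ip",
                parameters=[{'ip': ip} for ip in attacker_ips],
                callback=whois_cb)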
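def detonate_file_cb(action, success, incident, results, handle):
    """Callback for the ThreatGrid "detonate file" action; contains on a high score.

    Args:
        action: name of the action that completed.
        success: whether the detonation action itself succeeded.
        incident: the incident the action was run for.
        results: action results; the score is read from
            ``results[0]['action_results'][0]['data'][0]['threat']['score']``.
        handle: opaque handle passed through from ``phantom.act()`` (unused).

    When ``success`` is true and the score is above 60, three containment
    actions are queued: "terminate session" on ``ciscoise`` for every
    ``sourceMacAddress`` artifact, "block ip" on ``ciscoasa`` for every
    attacker IP, and "terminate process" (name ``'*infostealer*'``) on
    ``domainctrl1`` for every victim IP.  Returns None.
    """
    phantom.debug('ThreatGrid action to detonate file,' + (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return

    # A successful action can still come back without a data element; the
    # bare chained lookup would raise inside the callback and containment
    # would be skipped with no log line. Fail loudly-but-cleanly instead.
    try:
        score = results[0]['action_results'][0]['data'][0]['threat']['score']
    except (IndexError, KeyError, TypeError):
        phantom.debug('ThreatGrid result has no threat score; no containment taken')
        return
    phantom.debug('ThreatGrid threat score for this file: ' + str(score))

    # threshold inherited from the original; assumes the score is numeric — TODO confirm
    threshold = 60
    if score > threshold:
        # NOTE(review): everything below runs automatically on a single
        # sandbox verdict with no approval gate, and attacker_ips() is not
        # filtered here — if it can contain shared or internal infrastructure,
        # the ASA block on the outside interface will cause collateral damage.
        # Consider an allowlist or an approval step before 'block ip'.
        # Note also that scope='all' is not passed to collect(), unlike the
        # on_start examples, so only the default artifact scope is covered.
        for mac_addr in phantom.collect(incident, 'artifact:event.cef.sourceMacAddress'):
            phantom.act('terminate session', parameters=[{'macaddress': mac_addr}], assets=['ciscoise'], callback=generic_cb)
        for a_ip in phantom.attacker_ips(incident):
            params = [{'src': 'any', 'direction': 'out', 'dest': a_ip, 'interface': 'outside', 'access-list': 'inside_access_out'}]
            phantom.act('block ip', parameters=params, assets=['ciscoasa'], callback=generic_cb)
        # process name is a hard-coded wildcard; it only matches this one malware family
        for v_ip in phantom.victim_ips(incident):
            phantom.act('terminate process', parameters=[{'name': '*infostealer*', 'ip_hostname': v_ip}], assets=['domainctrl1'], callback=terminate_process_cb)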
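def on_start(incident):
    """Queue hash-reputation and IP-geolocation lookups for an incident.

    * "file reputation" (named ``my_file_lookup_action``) is started once
      with every distinct ``fileHash`` artifact value; the original comment
      labels this a VirusTotal lookup.
    * "geolocate ip" is started once with every attacker IP; the repr of the
      parameter list is passed as the action ``handle`` so the callback can
      see what was queried.

    Either action is skipped when it would have no parameters.

    Args:
        incident: the incident object handed to the playbook by Phantom.

    Returns:
        None.  Results arrive asynchronously through ``generic_cb``.
    """
    # dedupe so each file is submitted only once
    hashes = list(set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all')))
    if hashes:
        # NOTE(review): hashes leave the environment for an external
        # reputation service — confirm that is acceptable for this incident type.
        phantom.act("file reputation",
                    parameters=[{'hash': filehash} for filehash in hashes],
                    callback=generic_cb,
                    name='my_file_lookup_action')

    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        params = [{'ip': ip} for ip in attacker_ips]
        # handle is the Python repr of params (not JSON); presumably the
        # callback parses it with ast.literal_eval — verify.
        phantom.act("geolocate ip", parameters=params, callback=generic_cb, handle=str(params))
    return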
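def on_start(incident):
    """Run the four initial enrichment lookups for an incident.

    Each section logs a ``---------- ANALYZING ... ----------`` header and
    then, only when there is something to look up, queues one action:

      * ``fileHash`` artifacts     -> "file reputation"
      * attacker IPs               -> "geolocate ip"
      * victim IPs                 -> "get system info"
      * ``requestURL`` artifacts   -> "whois domain"

    Fix relative to the original: the ATTACKER IPs header was indented into
    the ``if hashes`` block, so it was only logged when the incident carried
    file hashes; it now sits at function level like the other three.

    Args:
        incident: the incident object handed to the playbook by Phantom.

    Returns:
        None.  All results arrive asynchronously through ``generic_cb``.
    """
    phantom.debug('---------- ANALYZING FILE HASHES ----------')
    # set() dedupes so each file is submitted once
    hashes = list(set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all')))
    if hashes:
        phantom.act("file reputation",
                    parameters=[{'hash': filehash} for filehash in hashes],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING ATTACKER IPs ----------')
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        phantom.act("geolocate ip",
                    parameters=[{'ip': ip} for ip in attacker_ips],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING VICTIM IPs ----------')
    # system info for the (presumably infected) machines
    victim_ips = phantom.victim_ips(incident, scope='all')
    if victim_ips:
        phantom.act("get system info",
                    parameters=[{'ip_hostname': ip} for ip in victim_ips],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING URLs ----------')
    urls = list(set(phantom.collect(incident, 'artifact:*.cef.requestURL', scope='all')))
    if urls:
        # NOTE(review): full requestURL values are passed verbatim as the
        # 'domain' parameter; if the whois app expects a bare hostname these
        # lookups will fail — extract the host first (verify against the app).
        phantom.act("whois domain",
                    parameters=[{'domain': url} for url in urls],
                    callback=generic_cb)
    return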
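def detonate_file_cb(action, success, incident, results, handle):
    """Containment callback for the ThreatGrid "detonate file" action.

    Args:
        action: name of the completed action.
        success: whether the detonation action succeeded.
        incident: the incident the action belongs to.
        results: action results; the score is taken from
            ``results[0]['action_results'][0]['data'][0]['threat']['score']``.
        handle: opaque handle from ``phantom.act()`` (unused here).

    With ``success`` true and a score above 60 the function queues, per item:
    "terminate session" on ``ciscoise`` for each ``sourceMacAddress``
    artifact, "block ip" on ``ciscoasa`` for each attacker IP, and
    "terminate process" for ``'*infostealer*'`` on ``domainctrl1`` for each
    victim IP.  Returns None.
    """
    phantom.debug('ThreatGrid action to detonate file,' +
                  (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return

    # The action can succeed yet return no data element. Without this guard
    # the chained lookup raises inside the callback and containment is
    # skipped without any log line.
    try:
        score = results[0]['action_results'][0]['data'][0]['threat']['score']
    except (IndexError, KeyError, TypeError):
        phantom.debug('ThreatGrid result has no threat score; no containment taken')
        return
    phantom.debug('ThreatGrid threat score for this file: ' + str(score))

    # threshold inherited from the original; assumes the score is numeric — TODO confirm
    threshold = 60
    if score <= threshold:
        return

    # NOTE(review): the actions below are fully automatic — an ASA block and a
    # session kill on a single sandbox verdict with no approval gate — and
    # attacker_ips() is used unfiltered. If it can contain shared or internal
    # infrastructure, 'block ip' on the outside interface will cause collateral
    # damage; consider an allowlist or an approval step first.
    # collect() is called without scope='all' here, unlike the on_start
    # examples, so only the default artifact scope is covered.
    for mac_addr in phantom.collect(incident, 'artifact:event.cef.sourceMacAddress'):
        phantom.act('terminate session',
                    parameters=[{'macaddress': mac_addr}],
                    assets=['ciscoise'],
                    callback=generic_cb)
    for a_ip in phantom.attacker_ips(incident):
        params = [{
            'src': 'any',
            'direction': 'out',
            'dest': a_ip,
            'interface': 'outside',
            'access-list': 'inside_access_out'
        }]
        phantom.act('block ip',
                    parameters=params,
                    assets=['ciscoasa'],
                    callback=generic_cb)
    # hard-coded wildcard process name: only this one malware family is targeted
    for v_ip in phantom.victim_ips(incident):
        phantom.act('terminate process',
                    parameters=[{'name': '*infostealer*', 'ip_hostname': v_ip}],
                    assets=['domainctrl1'],
                    callback=terminate_process_cb)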
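def on_start(incident):
    """Kick off the four initial enrichment lookups for an incident.

    For each section a ``---------- ANALYZING ... ----------`` header is
    logged, then one action is queued if there is anything to send:

      * ``fileHash`` artifacts    -> "file reputation"
      * attacker IPs              -> "geolocate ip"
      * victim IPs                -> "get system info"
      * ``requestURL`` artifacts  -> "whois domain"

    Fixes relative to the original: the body mixed tabs and spaces (a
    TabError under Python 3), and the ATTACKER IPs header was nested in the
    ``if hashes`` block so it was only logged when file hashes existed.
    Indentation is now spaces only and every header is at function level.

    Args:
        incident: the incident object handed to the playbook by Phantom.

    Returns:
        None.  Results arrive asynchronously through ``generic_cb``.
    """
    phantom.debug('---------- ANALYZING FILE HASHES ----------')
    # set() dedupes so each file is submitted once
    hashes = list(set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all')))
    if hashes:
        phantom.act("file reputation",
                    parameters=[{'hash': filehash} for filehash in hashes],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING ATTACKER IPs ----------')
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        phantom.act("geolocate ip",
                    parameters=[{'ip': ip} for ip in attacker_ips],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING VICTIM IPs ----------')
    # system info for the (presumably infected) machines
    victim_ips = phantom.victim_ips(incident, scope='all')
    if victim_ips:
        phantom.act("get system info",
                    parameters=[{'ip_hostname': ip} for ip in victim_ips],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING URLs ----------')
    urls = list(set(phantom.collect(incident, 'artifact:*.cef.requestURL', scope='all')))
    if urls:
        # NOTE(review): full requestURL values go verbatim into the 'domain'
        # parameter; if the whois app wants a bare hostname these lookups
        # will fail — extract the host first (verify against the app).
        phantom.act("whois domain",
                    parameters=[{'domain': url} for url in urls],
                    callback=generic_cb)
    return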