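def on_start(incident):
    """Kick off enrichment actions when the playbook starts on an incident.

    Dispatches a "file reputation" lookup for every distinct file hash found
    in the incident's artifacts, then a "geolocate ip" lookup for every
    attacker IP. Both actions report back through ``generic_cb``, which is
    defined elsewhere in the playbook.

    Args:
        incident: The incident object handed to the playbook by the platform.

    Returns:
        None.
    """
    # Deduplicate so the same file hash is not looked up more than once.
    hashes = set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all'))
    # Truthiness check instead of len() > 0: an empty collection means nothing to do.
    if hashes:
        phantom.act(
            "file reputation",
            parameters=[{'hash': filehash} for filehash in hashes],
            callback=generic_cb,
        )

    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        params = [{'ip': ip} for ip in attacker_ips]
        # The parameter list is persisted and its key travels with the action as
        # the handle; presumably generic_cb uses it to recover the queried IPs —
        # generic_cb is not visible here, so confirm before relying on that.
        key = phantom.save_data(str(params))
        phantom.act("geolocate ip", parameters=params, callback=generic_cb, handle=key)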
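def on_start(incident):
    """Run a "whois ip" lookup on every attacker IP of the incident.

    Args:
        incident: The incident object handed to the playbook by the platform.

    Returns:
        None. Results are delivered asynchronously to ``whois_cb``, which is
        defined elsewhere in the playbook.
    """
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    # Guard clause; truthiness also tolerates a None return, which len() would not.
    if not attacker_ips:
        phantom.debug('No attacker IP in events')
        return
    phantom.act(
        "whois ip",
        parameters=[{'ip': ip} for ip in attacker_ips],
        callback=whois_cb,
    )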
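def on_start(incident):
    """Start a "whois ip" action for each attacker IP in the incident.

    Args:
        incident: The incident object handed to the playbook by the platform.

    Returns:
        None. The lookup results arrive in ``whois_cb`` (defined elsewhere).
    """
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    # Nothing to query: log and stop. `not x` replaces `len(x) <= 0` and also
    # copes with a None return from attacker_ips.
    if not attacker_ips:
        phantom.debug('No attacker IP in events')
        return
    params = [{'ip': ip} for ip in attacker_ips]
    phantom.act("whois ip", parameters=params, callback=whois_cb)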
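def detonate_file_cb(action, success, incident, results, handle):
    """Callback for the ThreatGrid "detonate file" action.

    Reads the threat score out of the first result row and, when it exceeds
    the threshold, launches containment: session termination for every
    source MAC address, an outbound ASA block for every attacker IP, and a
    process kill on every victim host.

    Args:
        action: The action that completed (not used here).
        success: Whether the detonation action succeeded.
        incident: The incident the action was run for.
        results: Action results as delivered by the platform. Only
            ``results[0]['action_results'][0]['data'][0]['threat']['score']``
            is consulted.
        handle: Opaque handle passed through from ``phantom.act`` (not used here).

    Returns:
        None.
    """
    phantom.debug('ThreatGrid action to detonate file,' + (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    # A successful action can still come back without the expected structure
    # (no result, no data row, missing 'threat'); log and return instead of
    # letting an IndexError/KeyError escape the callback.
    try:
        score = results[0]['action_results'][0]['data'][0]['threat']['score']
    except (IndexError, KeyError, TypeError) as err:
        phantom.debug('ThreatGrid result has no threat score: ' + str(err))
        return
    phantom.debug('ThreatGrid threat score for this file: ' + str(score))
    # Containment is automatic above this score; the comparison assumes the
    # score is numeric — TODO confirm against the ThreatGrid app output.
    threshold = 60
    if score > threshold:
        # Cut the network sessions of the machines that produced the artifact.
        for mac_addr in phantom.collect(incident, 'artifact:event.cef.sourceMacAddress'):
            phantom.act('terminate session',
                        parameters=[{'macaddress': mac_addr}],
                        assets=['ciscoise'],
                        callback=generic_cb)
        # Outbound block per attacker IP. Interface and ACL names are specific
        # to this environment. NOTE(review): attacker_ips is used unfiltered —
        # confirm upstream excludes internal or shared addresses before a block
        # is pushed to the firewall.
        for a_ip in phantom.attacker_ips(incident):
            params = [{'src': 'any',
                       'direction': 'out',
                       'dest': a_ip,
                       'interface': 'outside',
                       'access-list': 'inside_access_out'}]
            phantom.act('block ip', parameters=params, assets=['ciscoasa'], callback=generic_cb)
        # Kill the matching process on each victim host; the name is a wildcard
        # pattern, so anything containing "infostealer" is targeted.
        for v_ip in phantom.victim_ips(incident):
            phantom.act('terminate process',
                        parameters=[{'name': '*infostealer*', 'ip_hostname': v_ip}],
                        assets=['domainctrl1'],
                        callback=terminate_process_cb)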
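def on_start(incident):
    """Kick off enrichment actions when the playbook starts on an incident.

    Dispatches a named "file reputation" lookup for every distinct file hash
    in the incident's artifacts, then a "geolocate ip" lookup for every
    attacker IP. Both report back through ``generic_cb`` (defined elsewhere
    in the playbook).

    Args:
        incident: The incident object handed to the playbook by the platform.

    Returns:
        None.
    """
    # Deduplicate the hashes so each file is looked up once.
    hashes = set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all'))
    if hashes:
        phantom.act(
            "file reputation",
            parameters=[{'hash': filehash} for filehash in hashes],
            callback=generic_cb,
            name='my_file_lookup_action',
        )

    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        params = [{'ip': ip} for ip in attacker_ips]
        # The stringified parameter list is passed straight through as the
        # handle; presumably generic_cb reads it back — confirm, it is not
        # visible here.
        phantom.act("geolocate ip", parameters=params, callback=generic_cb, handle=str(params))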
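def on_start(incident):
    """Fan out enrichment actions when the playbook starts on an incident.

    Four lookups are dispatched, each only when it has input: "file
    reputation" on distinct file hashes, "geolocate ip" on attacker IPs,
    "get system info" on victim IPs, and "whois domain" on distinct request
    URLs. Every action reports back through ``generic_cb``, defined elsewhere
    in the playbook.

    Args:
        incident: The incident object handed to the playbook by the platform.

    Returns:
        None.
    """
    phantom.debug('---------- ANALYZING FILE HASHES ----------')
    hashes = set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all'))
    if hashes:
        phantom.act("file reputation",
                    parameters=[{'hash': filehash} for filehash in hashes],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING ATTACKER IPs ----------')
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        phantom.act("geolocate ip",
                    parameters=[{'ip': ip} for ip in attacker_ips],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING VICTIM IPs ----------')
    # System info for the infected machines.
    victim_ips = phantom.victim_ips(incident, scope='all')
    if victim_ips:
        phantom.act("get system info",
                    parameters=[{'ip_hostname': ip} for ip in victim_ips],
                    callback=generic_cb)

    phantom.debug('---------- ANALYZING URLs ----------')
    # NOTE(review): the full requestURL value is passed as the 'domain'
    # parameter without extracting the host; whether "whois domain" accepts a
    # URL cannot be verified here — confirm against the app.
    urls = set(phantom.collect(incident, 'artifact:*.cef.requestURL', scope='all'))
    if urls:
        phantom.act("whois domain",
                    parameters=[{'domain': url} for url in urls],
                    callback=generic_cb)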
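def detonate_file_cb(action, success, incident, results, handle):
    """Handle the result of the ThreatGrid "detonate file" action.

    When the action succeeded and the first result row carries a threat
    score above the threshold, three containment actions are launched:
    "terminate session" per source MAC address, "block ip" (outbound, on
    the ASA) per attacker IP, and "terminate process" per victim host.

    Args:
        action: The completed action (unused).
        success: Whether the detonation succeeded.
        incident: The incident the action ran for.
        results: Platform action results; the score is read from
            ``results[0]['action_results'][0]['data'][0]['threat']['score']``.
        handle: Opaque handle from ``phantom.act`` (unused).

    Returns:
        None.
    """
    phantom.debug('ThreatGrid action to detonate file,' + (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    # Even a successful action may return no rows or a differently shaped
    # payload; report and stop rather than raising out of the callback.
    try:
        score = results[0]['action_results'][0]['data'][0]['threat']['score']
    except (IndexError, KeyError, TypeError) as err:
        phantom.debug('ThreatGrid result has no threat score: ' + str(err))
        return
    phantom.debug('ThreatGrid threat score for this file: ' + str(score))
    # Automatic response threshold; assumes a numeric score — TODO confirm.
    threshold = 60
    if score > threshold:
        for mac_addr in phantom.collect(incident, 'artifact:event.cef.sourceMacAddress'):
            phantom.act('terminate session',
                        parameters=[{'macaddress': mac_addr}],
                        assets=['ciscoise'],
                        callback=generic_cb)
        # NOTE(review): every attacker IP is blocked as-is; confirm the list
        # cannot contain internal or shared infrastructure addresses. The ASA
        # interface and ACL names are environment-specific.
        for a_ip in phantom.attacker_ips(incident):
            params = [{'src': 'any',
                       'direction': 'out',
                       'dest': a_ip,
                       'interface': 'outside',
                       'access-list': 'inside_access_out'}]
            phantom.act('block ip', parameters=params, assets=['ciscoasa'], callback=generic_cb)
        # Wildcard process name: any process containing "infostealer" is killed.
        for v_ip in phantom.victim_ips(incident):
            phantom.act('terminate process',
                        parameters=[{'name': '*infostealer*', 'ip_hostname': v_ip}],
                        assets=['domainctrl1'],
                        callback=terminate_process_cb)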
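def on_start(incident):
    """Dispatch the initial enrichment lookups for an incident.

    Runs, in order and only when input exists: "file reputation" on the
    distinct file hashes, "geolocate ip" on attacker IPs, "get system info"
    on victim IPs, and "whois domain" on the distinct request URLs. All
    results are delivered to ``generic_cb`` (defined elsewhere).

    Args:
        incident: The incident object handed to the playbook by the platform.

    Returns:
        None.
    """
    phantom.debug('---------- ANALYZING FILE HASHES ----------')
    # set() removes duplicate hashes before the lookup is issued.
    hashes = set(phantom.collect(incident, 'artifact:*.cef.fileHash', scope='all'))
    if hashes:
        hash_params = [{'hash': filehash} for filehash in hashes]
        phantom.act("file reputation", parameters=hash_params, callback=generic_cb)

    phantom.debug('---------- ANALYZING ATTACKER IPs ----------')
    attacker_ips = phantom.attacker_ips(incident, scope='all')
    if attacker_ips:
        ip_params = [{'ip': ip} for ip in attacker_ips]
        phantom.act("geolocate ip", parameters=ip_params, callback=generic_cb)

    phantom.debug('---------- ANALYZING VICTIM IPs ----------')
    # System info for the infected machines.
    victim_ips = phantom.victim_ips(incident, scope='all')
    if victim_ips:
        host_params = [{'ip_hostname': ip} for ip in victim_ips]
        phantom.act("get system info", parameters=host_params, callback=generic_cb)

    phantom.debug('---------- ANALYZING URLs ----------')
    # NOTE(review): the requestURL is handed over unchanged as 'domain';
    # confirm the "whois domain" action tolerates a full URL.
    urls = set(phantom.collect(incident, 'artifact:*.cef.requestURL', scope='all'))
    if urls:
        url_params = [{'domain': url} for url in urls]
        phantom.act("whois domain", parameters=url_params, callback=generic_cb)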