def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the rendered ``format_3`` text as a container comment, then hand off to ``update_event_1``.

    Playbook callback: every parameter is supplied by the platform and only
    ``container`` is read here.  The custom-code section is empty in this block.
    """
    phantom.debug("add_comment_2() called")

    comment_text = phantom.get_format_data(name="format_3")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.comment(container=container, comment=comment_text)
    update_event_1(container=container)

    return
def Prompt_timeout_api(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Handle a prompt timeout: red "Awaiting Action" pin, a general note, a comment, then close the container.

    Playbook callback; only ``container`` is read.  The note is written with an
    empty title and body, exactly as in the generated block — presumably a
    placeholder; confirm with the playbook owner whether that is intended.
    """
    phantom.debug('Prompt_timeout_api() called')

    pin_kwargs = {
        "container": container,
        "data": "",
        "message": "\"Awaiting Action\"",
        "pin_type": "card",
        "pin_style": "red",
        "name": "Awaiting_Action_pin",
    }
    phantom.pin(**pin_kwargs)

    note_kwargs = {
        "container": container,
        "note_type": "general",
        "title": "",
        "content": "",
        "note_format": "markdown",
    }
    phantom.add_note(**note_kwargs)

    phantom.comment(
        container=container,
        comment="“User failed to promote event within time limit.”",
    )
    phantom.set_status(container=container, status="Closed")

    return
def add_comment_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Announce the IOC-extraction step in a comment, then run ``cf_local_extract_vault_id_1``.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_3() called')

    status_text = "Extracting Email IOCs and conducting reputation lookups"
    phantom.comment(container=container, comment=status_text)

    cf_local_extract_vault_id_1(container=container)
def Add_comment_and_update_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Comment that the file hash is new and append the filtered hashes to the "Prior Hashes" custom list.

    Reads ``filtered-data:filter_1:condition_1:artifact:*.cef.fileHash`` via
    ``phantom.collect2`` and passes the first column of every row to
    ``phantom.add_list``.  Playbook callback; only ``container`` is read.

    NOTE(review): the hash strings are taken straight from artifact CEF fields and
    appended without any format check; whether that matters depends on how the
    "Prior Hashes" list is consumed downstream.
    """
    phantom.debug('Add_comment_and_update_list() called')

    hash_rows = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_1:condition_1:artifact:*.cef.fileHash'],
    )
    new_hashes = [row[0] for row in hash_rows]

    phantom.comment(container=container, comment="Comment filehash not seen")
    phantom.add_list("Prior Hashes", new_hashes)

    return
def add_comment_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the rendered ``format_4`` text as a container comment.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_1() called')

    rendered = phantom.get_format_data(name='format_4')
    phantom.comment(container=container, comment=rendered)
def pin_add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin an unnamed red "Awaiting Action" card and comment that the promotion prompt timed out.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('pin_add_comment_2() called')

    card = {
        "container": container,
        "data": "",
        "message": "Awaiting Action",
        "pin_type": "card",
        "pin_style": "red",
        "name": None,
    }
    phantom.pin(**card)

    phantom.comment(
        container=container,
        comment="User failed to promote event within time limit",
    )

    return
def display_results(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Post the rendered ``format_associated_data`` text as a container comment.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('display_results() called')

    summary = phantom.get_format_data(name='format_associated_data')
    phantom.comment(container=container, comment=summary)
def add_comment_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Comment with the rendered ``Container_Comment_String`` block, then call ``Notable_Comment_String``.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_1() called')

    comment_body = phantom.get_format_data(name='Container_Comment_String')
    phantom.comment(container=container, comment=comment_body)

    Notable_Comment_String(container=container)

    return
def add_comment_set_status_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Comment with the rendered ``format_1`` text and close the container.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_set_status_1() called')

    closing_comment = phantom.get_format_data(name='format_1')
    phantom.comment(container=container, comment=closing_comment)
    phantom.set_status(container=container, status="Closed")
def add_comment_add_note_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Record that no recipients were found, both as a comment and as a markdown note.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_add_note_3() called')

    phantom.comment(
        container=container,
        comment="No recipients have been found receiving this email",
    )

    phantom.add_note(
        container=container,
        note_type="general",
        title="No Recipients Found",
        content="No recipients have been found to have received this email.",
        note_format="markdown",
    )

    return
def add_comment_set_status_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Comment with the ``Notify_IT`` responses and close the container.

    Collects ``Notify_IT:action_result.summary.responses.1`` from ``results``
    via ``phantom.collect2`` and passes the list of first-column values to
    ``phantom.comment`` as-is.  Playbook callback; reads ``container`` and
    ``results``.

    NOTE(review): ``comment`` receives a Python list here, not a string — confirm
    ``phantom.comment`` accepts that, or join the values before posting.
    """
    phantom.debug('add_comment_set_status_3() called')

    response_rows = phantom.collect2(
        container=container,
        datapath=['Notify_IT:action_result.summary.responses.1'],
        action_results=results,
    )
    responses = [row[0] for row in response_rows]

    phantom.comment(container=container, comment=responses)
    phantom.set_status(container=container, status="Closed")

    return
def add_comment_add_note_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the rendered ``format_5`` text both as a comment and as a "Recipients of Email" markdown note.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_add_note_2() called')

    recipients_text = phantom.get_format_data(name='format_5')

    phantom.comment(container=container, comment=recipients_text)

    note_kwargs = {
        "container": container,
        "note_type": "general",
        "title": "Recipients of Email",
        "content": recipients_text,
        "note_format": "markdown",
    }
    phantom.add_note(**note_kwargs)

    return
def no_block_add_comment(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Record the analyst's decision not to block the IP and domain.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('no_block_add_comment() called')

    decision_text = "Analyst chose not to continue with blocking IP and domain"
    phantom.comment(container=container, comment=decision_text)
def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Post the rendered ``check_internal_addresses`` text as a container comment.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_2() called')

    address_report = phantom.get_format_data(name='check_internal_addresses')
    phantom.comment(container=container, comment=address_report)
def add_comment_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Record that the prompted user declined to shut the system down.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_1() called')

    phantom.comment(
        container=container,
        comment="prompted Phantom user decided not to shutdown the system",
    )

    return
def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the literal comment ``"nein"`` on the container.

    Playbook callback; only ``container`` is read.  The comment text is kept
    verbatim from the generated block.
    """
    phantom.debug('add_comment_2() called')

    phantom.comment(container=container, comment="nein")
def add_comment_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Comment that the threat level is low, then run ``pin_2``.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_1() called')

    verdict = "Threat level found to be low"
    phantom.comment(container=container, comment=verdict)

    pin_2(container=container)

    return
def add_comment_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Record that the entity was already present.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_3() called')

    phantom.comment(
        container=container,
        comment="Entity has already been recorded",
    )
def add_comment_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Comment with the rendered ``Threat_level_low`` text, then run ``pin_2``.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_1() called')

    low_risk_text = phantom.get_format_data(name='Threat_level_low')
    phantom.comment(container=container, comment=low_risk_text)

    pin_2(container=container)
def add_comment_9(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Comment that the approver request timed out, then run ``add_work_note_4``.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_9() called')

    phantom.comment(container=container, comment="Approver request timeout")
    add_work_note_4(container=container)

    return
def ignore_if_no_sha256(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Record that the alert is being ignored for lack of a SHA256 hash.

    Playbook callback; only ``container`` is read.  The decision itself is made
    upstream — this block only writes the comment.
    """
    phantom.debug('ignore_if_no_sha256() called')

    reason = "Ignoring alert because no SHA256 file hash was found"
    phantom.comment(container=container, comment=reason)
def Risk_threshold_is_below(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the rendered ``Compose_comment__as_list`` text as a container comment.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('Risk_threshold_is_below() called')

    composed = phantom.get_format_data(name='Compose_comment__as_list')
    phantom.comment(container=container, comment=composed)

    return
def Request_was_denied(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Comment that the approver denied the request, then run ``add_work_note_3``.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('Request_was_denied() called')

    phantom.comment(
        container=container,
        comment="Approver: Request was denied",
    )
    add_work_note_3(container=container)
def comment_no_quarantine_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Record the analyst's decision not to quarantine the endpoint.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('comment_no_quarantine_2() called')

    decision = "The analyst decided not to quarantine the endpoint."
    phantom.comment(container=container, comment=decision)

    return
def add_comment_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the de-duplicated list stored under ``DedupeListEntries:new_list`` as a container comment.

    The run-data value is JSON-decoded and the resulting object is passed to
    ``phantom.comment`` unchanged.  Playbook callback; only ``container`` is read.

    NOTE(review): the decoded value (presumably a list) is handed to ``comment``
    directly rather than as a string — confirm ``phantom.comment`` accepts it.
    """
    phantom.debug('add_comment_7() called')

    raw_list = phantom.get_run_data(key='DedupeListEntries:new_list')
    deduped_entries = json.loads(raw_list)

    phantom.comment(container=container, comment=deduped_entries)

    return
def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Record that the container has no owner and ask for one to be set.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('add_comment_2() called')

    missing_owner_text = "Container has no owner detected. Please adjust owner and try again."
    phantom.comment(container=container, comment=missing_owner_text)
def Add_comment_Low_risk(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the rendered ``Format_Origin_country_Name_comment__as_list`` text as a container comment.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('Add_comment_Low_risk() called')

    origin_text = phantom.get_format_data(
        name='Format_Origin_country_Name_comment__as_list',
    )
    phantom.comment(container=container, comment=origin_text)

    return
def Comment_hash_seen(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the rendered ``Filehash_already_seen_format__as_list`` text as a container comment.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('Comment_hash_seen() called')

    seen_text = phantom.get_format_data(
        name='Filehash_already_seen_format__as_list',
    )
    phantom.comment(container=container, comment=seen_text)
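def deduplicate_inputs(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Take the first destination IP and domain from the container's artifacts and start the intelligence lookups.

    Reads ``artifact:*.cef.destinationAddress``, ``artifact:*.cef.dest_domain``
    and ``artifact:*.id`` via ``phantom.collect2`` (the id column is collected
    but not used), picks the first row's IP and domain, stores them as JSON in
    run data under ``deduplicate_inputs:ip`` / ``deduplicate_inputs:domain``,
    then calls ``ip_intelligence_1`` and ``domain_intelligence_1``.

    If either value is missing the playbook is stopped: a comment and an error
    are written and ``exit(1)`` is called, as in the generated block.  The
    original indexed ``[0]`` before that check, so a container with no matching
    artifacts raised ``IndexError`` instead of taking the missing-input path;
    the first-row lookup now tolerates an empty result.

    Playbook callback; only ``container`` is read.
    """
    phantom.debug('deduplicate_inputs() called')

    container_data = phantom.collect2(
        container=container,
        datapath=[
            'artifact:*.cef.destinationAddress',
            'artifact:*.cef.dest_domain',
            'artifact:*.id',
        ],
    )
    ip_column = [row[0] for row in container_data]
    domain_column = [row[1] for row in container_data]

    deduplicate_inputs__ip = None
    deduplicate_inputs__domain = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # An empty artifact set used to raise IndexError on [0]; yield None instead
    # so the missing-input handling below is what stops the playbook.
    deduplicate_inputs__ip = ip_column[0] if ip_column else None
    deduplicate_inputs__domain = domain_column[0] if domain_column else None

    if not deduplicate_inputs__ip or not deduplicate_inputs__domain:
        failure_message = "stopping the playbook because either the IP address or domain name was missing from the event"
        phantom.comment(container=container, comment=failure_message)
        phantom.error(failure_message)
        # Kept from the generated block: exit() raises SystemExit to abort the run.
        exit(1)

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Values are artifact-sourced and persisted verbatim for the downstream lookups.
    phantom.save_run_data(key='deduplicate_inputs:ip', value=json.dumps(deduplicate_inputs__ip))
    phantom.save_run_data(key='deduplicate_inputs:domain', value=json.dumps(deduplicate_inputs__domain))

    ip_intelligence_1(container=container)
    domain_intelligence_1(container=container)

    return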
def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Comment that the Splunk searches are done and start the WinRM collection blocks in order.

    Calls ``list_sessions_1``, ``list_connections_1``, ``list_logged_on_users``
    and ``list_processes_1`` one after another.  Playbook callback; only
    ``container`` is read.
    """
    phantom.debug('add_comment_2() called')

    phantom.comment(
        container=container,
        comment="finished splunk searches, starting WinRM investigation",
    )

    # Order is preserved from the generated block.
    for next_block in (list_sessions_1, list_connections_1, list_logged_on_users, list_processes_1):
        next_block(container=container)

    return