def join_set_status_set_severity_set_sensitivity_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``set_status_set_severity_set_sensitivity_1``.

    Runs the downstream block once, after the ``update_ticket_3`` action has
    finished (succeeded or failed). A run-data flag records that the gate has
    already fired so that any later callback into this join is a no-op.
    """
    phantom.debug('join_set_status_set_severity_set_sensitivity_1() called')

    fired_key = 'join_set_status_set_severity_set_sensitivity_1_called'

    # Already fired on an earlier callback: nothing more to do.
    if phantom.get_run_data(key=fired_key):
        return

    upstream_actions = ['update_ticket_3']
    if not phantom.completed(action_names=upstream_actions):
        return

    # Persist the flag before running the downstream block so a re-entrant
    # callback does not fire it a second time.
    # NOTE(review): the get/save pair is not atomic; with a single upstream
    # action presumably only one completion callback arrives, so this is fine.
    phantom.save_run_data(key=fired_key, value='set_status_set_severity_set_sensitivity_1')
    set_status_set_severity_set_sensitivity_1(container=container, handle=handle)
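def playbook_wait(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Wait for the dynamically launched child playbooks, then run ``get_indicators_status``.

    Acts as a join for the playbooks launched by ``decide_and_launch_playbooks``,
    whose names are read back from run data. Each child playbook's completion
    calls back into this block; the downstream block must run only once every
    launched playbook has finished (succeeded or failed).

    Fix: the original invoked ``get_indicators_status`` on *every* callback —
    the ``completed()`` branch called it and returned, and the generated
    fall-through trailer called it again while playbooks were still running —
    so the wait was never enforced and indicator status could be evaluated on
    partial results. The gate now returns early until everything has finished.
    """
    phantom.debug("playbook_wait() called")

    # NOTE(review): assumes decide_and_launch_playbooks already stored a JSON
    # list under this key; json.loads raises if the key is absent.
    decide_and_launch_playbooks__names = json.loads(
        phantom.get_run_data(key="decide_and_launch_playbooks:names"))

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Return early while any launched playbook is still running; the completion
    # callback of that playbook re-enters this block.
    if not phantom.completed(playbook_names=decide_and_launch_playbooks__names):
        return

    ################################################################################
    ## Custom Code End
    ################################################################################

    # call connected block "get_indicators_status"
    get_indicators_status(container=container)

    return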
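def playbook_wait(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Wait for the dynamically launched child playbooks, then run ``process_notes``.

    Custom code block operating as a join for the playbooks launched by
    ``decide_and_launch_playbooks``; their names are read back from run data.
    Each child playbook's completion calls back into this block, and
    ``process_notes`` must run only once every launched playbook has finished
    (succeeded or failed).

    Fix: the original called ``process_notes`` on *every* callback — inside the
    ``completed()`` branch and again via the generated fall-through trailer
    when playbooks were still running — so notes could be processed before
    the child playbooks had produced them. The gate now returns early until
    all launched playbooks have finished.
    """
    phantom.debug("playbook_wait() called")

    ################################################################################
    # Custom code block operating as a join function for dynamic playbook calls.
    ################################################################################

    # NOTE(review): assumes decide_and_launch_playbooks already stored a JSON
    # list under this key; json.loads raises if the key is absent.
    decide_and_launch_playbooks__names = json.loads(
        phantom.get_run_data(key="decide_and_launch_playbooks:names"))

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Return early while any launched playbook is still running; the completion
    # callback of that playbook re-enters this block.
    if not phantom.completed(playbook_names=decide_and_launch_playbooks__names):
        return

    ################################################################################
    ## Custom Code End
    ################################################################################

    # call connected block "process_notes"
    process_notes(container=container)

    return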
def join_format_prompt(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``format_prompt``.

    Runs ``format_prompt`` once, after the ``get_process_details`` action has
    finished (succeeded or failed). A run-data flag marks the gate as fired so
    later callbacks are no-ops.
    """
    phantom.debug('join_format_prompt() called')

    fired_key = 'join_format_prompt_called'
    if phantom.get_run_data(key=fired_key):
        # A previous callback already ran the downstream block.
        return

    if phantom.completed(action_names=['get_process_details']):
        # Mark as fired first, then hand off to the downstream block.
        phantom.save_run_data(key=fired_key, value='format_prompt')
        format_prompt(container=container, handle=handle)
def join_merge_individual_format(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Join gate in front of ``merge_individual_format``.

    Hands off once both the ``merge_selected`` custom function and the
    ``event_details`` action have finished running.

    NOTE(review): unlike the joins in this file that persist a ``_called``
    run-data flag, this one has no once-only guard; if both upstream
    completion callbacks observe ``completed()`` the downstream block could
    run twice.
    """
    phantom.debug("join_merge_individual_format() called")

    upstream_done = phantom.completed(
        custom_function_names=["merge_selected"],
        action_names=["event_details"],
    )
    if not upstream_done:
        return

    merge_individual_format(container=container, handle=handle)
def join_get_info_service_path(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``get_info_service_path``.

    Hands off once the ``get_service_pin`` action has finished (succeeded or
    failed). No once-only flag is kept; with a single upstream action there is
    presumably only one completion callback.
    """
    phantom.debug('join_get_info_service_path() called')

    if not phantom.completed(action_names=['get_service_pin']):
        return

    get_info_service_path(container=container, handle=handle)
def join_format_for_emailer(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``format_for_emailer``.

    Hands off once both hunt actions, ``hunt_file_1`` and ``hunt_file_2``, have
    finished (succeeded or failed).

    NOTE(review): there is no ``_called`` run-data guard here, so if both
    upstream callbacks see ``completed()`` the downstream formatting (and
    whatever emailer follows it) could run twice.
    """
    phantom.debug('join_format_for_emailer() called')

    hunts = ['hunt_file_1', 'hunt_file_2']
    both_hunts_done = phantom.completed(action_names=hunts)

    if both_hunts_done:
        format_for_emailer(container=container, handle=handle)
def join_format_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``format_3``.

    Hands off once the two queries (``run_query_2``, ``run_query_1``) and the
    ``cf_local_create_current_epoch_time_1`` custom function have all finished
    (succeeded or failed).

    NOTE(review): no once-only flag is persisted; concurrent upstream
    callbacks that all observe ``completed()`` could run ``format_3`` more
    than once.
    """
    phantom.debug('join_format_3() called')

    queries = ['run_query_2', 'run_query_1']
    helpers = ['cf_local_create_current_epoch_time_1']

    if not phantom.completed(action_names=queries, custom_function_names=helpers):
        return

    format_3(container=container, handle=handle)
def join_url_reputation_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``url_reputation_1``.

    Hands off once the ``unshorten_url_1`` action has finished (succeeded or
    failed). Because a failed unshorten also counts as finished, the
    downstream reputation lookup presumably has to cope with a missing
    unshortened URL — confirm in ``url_reputation_1``.
    """
    phantom.debug('join_url_reputation_1() called')

    unshorten_done = phantom.completed(action_names=['unshorten_url_1'])
    if not unshorten_done:
        return

    url_reputation_1(container=container, handle=handle)
def join_add_tag_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``add_tag_5``.

    Runs ``add_tag_5`` once, after both ``add_tag_service_restart_in_progress``
    and ``get_pin_info_path`` have finished (succeeded or failed). The
    ``join_add_tag_5_called`` run-data flag makes the gate fire only once.
    """
    phantom.debug('join_add_tag_5() called')

    fired_key = 'join_add_tag_5_called'

    # Gate already fired on an earlier callback.
    if phantom.get_run_data(key=fired_key):
        return

    upstream = ['add_tag_service_restart_in_progress', 'get_pin_info_path']
    if not phantom.completed(action_names=upstream):
        return

    # Record the firing before invoking the downstream block.
    # NOTE(review): check-then-save is not atomic; two callbacks arriving at
    # the same instant could both pass the check.
    phantom.save_run_data(key=fired_key, value='add_tag_5')
    add_tag_5(container=container, handle=handle)
def join_collect_type_host(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Join gate in front of ``collect_type_host``.

    Hands off once the ``collect_type_user`` custom function and the
    ``run_identity_query`` action have both finished running.

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could run the downstream block twice.
    """
    phantom.debug("join_collect_type_host() called")

    if not phantom.completed(custom_function_names=["collect_type_user"], action_names=["run_identity_query"]):
        return

    collect_type_host(container=container, handle=handle)
def join_filter_inactive_accounts(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Join gate in front of ``filter_inactive_accounts``.

    Hands off once the ``list_all_accounts`` action and the
    ``calculate_start_time`` custom function have both finished running.

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could run the downstream filter twice.
    """
    phantom.debug("join_filter_inactive_accounts() called")

    listing_done = phantom.completed(
        action_names=["list_all_accounts"],
        custom_function_names=["calculate_start_time"],
    )

    if listing_done:
        filter_inactive_accounts(container=container, handle=handle)
def join_Set_staus_OPEN(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``Set_staus_OPEN``.

    Hands off once the ``add_tag_notable_to_artifakt`` action has finished
    (succeeded or failed). The misspelled identifiers are the playbook's own
    block/action names and must be kept as-is.
    """
    phantom.debug('join_Set_staus_OPEN() called')

    tagging_done = phantom.completed(action_names=['add_tag_notable_to_artifakt'])
    if not tagging_done:
        return

    Set_staus_OPEN(container=container, handle=handle)
def join_SOC_email_format_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``SOC_email_format_2``.

    Hands off once the child playbook ``playbook_Main_Hunt_file_1`` and the
    ``create_ticket_1`` action have both finished (succeeded or failed).

    NOTE(review): no ``_called`` run-data guard; if both upstream callbacks
    observe ``completed()`` the SOC email could be formatted (and sent
    downstream) twice.
    """
    phantom.debug('join_SOC_email_format_2() called')

    child_playbooks = ['playbook_Main_Hunt_file_1']
    ticket_actions = ['create_ticket_1']

    if not phantom.completed(playbook_names=child_playbooks, action_names=ticket_actions):
        return

    SOC_email_format_2(container=container, handle=handle)
def join_decision_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``decision_3``.

    Hands off once the ``whois_epoch`` and ``minus_thirty`` custom functions
    have both finished (succeeded or failed).

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could evaluate the decision twice.
    """
    phantom.debug('join_decision_3() called')

    time_helpers = ['whois_epoch', 'minus_thirty']
    if phantom.completed(custom_function_names=time_helpers):
        decision_3(container=container, handle=handle)
def join_format_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``format_5``.

    Hands off once the ``cf_community_list_drop_none_1`` and
    ``cf_local_url_encode_string_1`` custom functions have both finished
    (succeeded or failed).

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could run ``format_5`` twice.
    """
    phantom.debug('join_format_5() called')

    upstream_cfs = ['cf_community_list_drop_none_1', 'cf_local_url_encode_string_1']
    if not phantom.completed(custom_function_names=upstream_cfs):
        return

    format_5(container=container, handle=handle)
def join_trace_email_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``trace_email_1``.

    Hands off once both datetime helpers, ``cf_community_datetime_modify_1``
    and ``cf_community_datetime_modify_2``, have finished (succeeded or
    failed).

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could launch the email trace twice.
    """
    phantom.debug('join_trace_email_1() called')

    window_helpers_done = phantom.completed(custom_function_names=[
        'cf_community_datetime_modify_1',
        'cf_community_datetime_modify_2',
    ])

    if window_helpers_done:
        trace_email_1(container=container, handle=handle)
def join_filter_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``filter_3``.

    Hands off once the three enrichment actions — ``geolocate_ip_1``,
    ``domain_reputation_2`` and ``file_reputation_1`` — have all finished
    (succeeded or failed). A failed lookup still counts as finished, so the
    downstream filter presumably has to tolerate missing enrichment results.

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could run the filter more than once.
    """
    phantom.debug('join_filter_3() called')

    enrichment_actions = ['geolocate_ip_1', 'domain_reputation_2', 'file_reputation_1']
    if not phantom.completed(action_names=enrichment_actions):
        return

    filter_3(container=container, handle=handle)
def join_format_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``format_5``.

    Hands off once both base64 decoders, ``cf_rba_master_decode_base64_1``
    and ``cf_rba_master_decode_base64_2``, have finished (succeeded or
    failed).

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could run ``format_5`` twice.
    """
    phantom.debug('join_format_5() called')

    decoders_done = phantom.completed(custom_function_names=[
        'cf_rba_master_decode_base64_1',
        'cf_rba_master_decode_base64_2',
    ])
    if not decoders_done:
        return

    format_5(container=container, handle=handle)
def join_cf_community_noop_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``cf_community_noop_4``.

    Hands off once the child playbook
    ``playbook_rba_master_rba_master_RBA_Investigate_file_hash_1`` has
    finished (succeeded or failed).
    """
    phantom.debug('join_cf_community_noop_4() called')

    child = ['playbook_rba_master_rba_master_RBA_Investigate_file_hash_1']
    if phantom.completed(playbook_names=child):
        cf_community_noop_4(container=container, handle=handle)
def join_filter_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``filter_2``.

    Hands off once the four containment actions — ``logoff_user_1``,
    ``shutdown_system_1``, ``disable_user_1`` and ``block_hash_3`` — have all
    finished (succeeded or failed). Because failures also count as finished,
    the downstream filter presumably inspects each action's status rather than
    assuming containment succeeded — confirm in ``filter_2``.

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could run the filter more than once.
    """
    phantom.debug('join_filter_2() called')

    containment_actions = [
        'logoff_user_1',
        'shutdown_system_1',
        'disable_user_1',
        'block_hash_3',
    ]
    if not phantom.completed(action_names=containment_actions):
        return

    filter_2(container=container, handle=handle)
def join_decision_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``decision_5``.

    Hands off once the four no-op custom functions ``cf_community_noop_1``
    through ``cf_community_noop_4`` have all finished (succeeded or failed).

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could evaluate the decision more than once.
    """
    phantom.debug('join_decision_5() called')

    noops = ['cf_community_noop_{}'.format(i) for i in (1, 2, 3, 4)]
    if not phantom.completed(custom_function_names=noops):
        return

    decision_5(container=container, handle=handle)
def join_playbook_log4j_respond_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Join gate in front of ``playbook_log4j_respond_1``.

    Hands off once all four investigate child playbooks (SSH/WinRM, log4j and
    generic) have finished running. A child that failed still counts as
    finished, so the response playbook is launched regardless of whether the
    investigation actually succeeded — presumably it checks its inputs.

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could launch the response playbook more than once.
    """
    phantom.debug("join_playbook_log4j_respond_1() called")

    investigate_playbooks = [
        "playbook_internal_host_ssh_log4j_investigate_1",
        "playbook_internal_host_ssh_investigate_1",
        "playbook_internal_host_winrm_log4j_investigate_1",
        "playbook_internal_host_winrm_investigate_1",
    ]

    if phantom.completed(playbook_names=investigate_playbooks):
        playbook_log4j_respond_1(container=container, handle=handle)
def join_playbook_local_local_Message_Print_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
    """Join gate in front of ``playbook_local_local_Message_Print_1``.

    Hands off once the four reverse-DNS actions (public/private source and
    destination) have all finished (succeeded or failed).

    NOTE(review): no ``_called`` run-data guard; simultaneous upstream
    callbacks could launch the message-print playbook more than once.
    """
    phantom.debug('join_playbook_local_local_Message_Print_1() called')

    reverse_dns_actions = [
        'SRC_Public_Reverse_DNS',
        'SRC_Private_Reverse_DNS',
        'DST_Reverse_DNS',
        'DST_Private_Reverse_DNS',
    ]
    if not phantom.completed(action_names=reverse_dns_actions):
        return

    playbook_local_local_Message_Print_1(container=container, handle=handle)
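def add_notes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Add the notes produced by the launched investigate playbooks, then continue.

    Waits (as a join) until every playbook listed under
    ``launch_investigate_playbooks:playbooks_launched`` has finished, then
    copies each playbook's ``note_title``/``note_content`` outputs into a
    markdown note on the container and hands off to
    ``threat_intel_indicator_review``.

    Fixes:
    - A playbook that produced no note output made ``collect2(...)[0][0]``
      raise ``IndexError`` and aborted the whole block; such playbooks are now
      skipped (as are empty contents), matching the "if any were generated"
      intent of the original comment.
    - Title and content are fetched with one ``collect2`` call so they are
      taken from the same output row.
    - The unused generated local ``input_parameter_0`` and the commented-out
      test note were dropped.
    """
    phantom.debug("add_notes() called")

    ################################################################################
    # Add notes to the container if any were generated by playbooks from the previous
    # step.
    ################################################################################

    # NOTE(review): assumes launch_investigate_playbooks stored a JSON list
    # under this key; json.loads raises if the key is missing.
    launch_investigate_playbooks__playbooks_launched = json.loads(
        phantom.get_run_data(key="launch_investigate_playbooks:playbooks_launched"))

    ################################################################################
    ## Custom Code Start
    ################################################################################

    playbooks_launched = launch_investigate_playbooks__playbooks_launched

    # Return early if any of the launched playbooks are not completed; the
    # completion callback of the remaining playbook(s) re-enters this block.
    if not phantom.completed(playbook_names=playbooks_launched):
        return

    for playbook_name in playbooks_launched:
        rows = phantom.collect2(
            container=container,
            datapath=[
                "{}:playbook_output:note_title".format(playbook_name),
                "{}:playbook_output:note_content".format(playbook_name),
            ],
        )
        # Skip playbooks that emitted no note output at all.
        if not rows:
            continue
        note_title, note_content = rows[0][0], rows[0][1]
        if not note_content:
            continue

        # NOTE(review): note_content is rendered as markdown and comes from
        # the child playbooks' outputs; if those can carry untrusted text
        # (e.g. email bodies) consider sanitising before adding the note.
        phantom.add_note(container=container, content=note_content, note_format="markdown", note_type="general", title=note_title)

    ################################################################################
    ## Custom Code End
    ################################################################################

    threat_intel_indicator_review(container=container)

    return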
def join_risk_notable_enrich(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Join gate in front of ``risk_notable_enrich``.

    Runs ``risk_notable_enrich`` once, after the ``risk_notable_import_data``
    child playbook has finished running. The ``join_risk_notable_enrich_called``
    run-data flag makes the gate fire only once across repeated callbacks.
    """
    phantom.debug("join_risk_notable_enrich() called")

    fired_key = "join_risk_notable_enrich_called"

    # Already fired: ignore this callback.
    if phantom.get_run_data(key=fired_key):
        return

    import_done = phantom.completed(playbook_names=["risk_notable_import_data"])
    if not import_done:
        return

    # Record the firing before handing off so a re-entrant callback is a no-op.
    phantom.save_run_data(key=fired_key, value="risk_notable_enrich")
    risk_notable_enrich(container=container, handle=handle)
def join_merge_notes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Join gate in front of ``merge_notes``.

    Runs ``merge_notes`` once, after the ``protect_prompt`` action has finished
    running. The ``join_merge_notes_called`` run-data flag makes the gate fire
    only once across repeated callbacks.
    """
    phantom.debug("join_merge_notes() called")

    fired_key = "join_merge_notes_called"
    if phantom.get_run_data(key=fired_key):
        # A previous callback already ran the downstream block.
        return

    if phantom.completed(action_names=["protect_prompt"]):
        # Mark as fired, then hand off.
        phantom.save_run_data(key=fired_key, value="merge_notes")
        merge_notes(container=container, handle=handle)