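def update_case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Refresh the HUD pins and artifacts on the live case from the fuzzy-match results.

    Reads the ``get_pins`` action result and the run data saved earlier in this
    playbook (``fuzzy_matched_access_points`` as a JSON list, ``live_case_id``
    as an int), deletes every pin listed in the ``get_pins`` response so a
    re-run does not duplicate cards, then adds a red ``card_medium`` pin and a
    ``wireless`` artifact on the live case for each access point flagged
    ``is_escalated``. Control passes to ``decision_1`` afterwards.

    Raises:
        ValueError / TypeError: if ``live_case_id`` run data is missing or not
            an integer, or the fuzzy-match run data is not valid JSON.
    """
    phantom.debug('update_case() called')

    get_pins_body = phantom.collect2(
        container=container,
        datapath=['get_pins:action_result.data.*.response_body'],
        action_results=results)

    # Run data written by earlier blocks of this playbook.
    fuzzy_matched_access_points = json.loads(
        phantom.get_run_data(key='fuzzy_matched_access_points') or '[]')
    live_case_id = int(phantom.get_run_data(key='live_case_id'))

    # collect2 returns one row per action result; when get_pins produced no
    # result the original get_pins_body[0][0]['data'] raised IndexError and
    # aborted the whole block before any pin/artifact was written.
    existing_pins = []
    if get_pins_body and get_pins_body[0] and get_pins_body[0][0]:
        existing_pins = get_pins_body[0][0].get('data') or []

    # NOTE(review): this deletes every pin returned by get_pins, not only the
    # ones this playbook created — confirm that is intended for shared cases.
    for pin in existing_pins:
        phantom.delete_pin(int(pin['id']))

    # One red card plus one artifact per AP that fuzzy-matched the greylist.
    # Field values come from the scan results and are shown as-is on the HUD.
    for ap in fuzzy_matched_access_points:
        if not ap.get('is_escalated'):
            continue
        phantom.pin(container=live_case_id, message=ap['signal_strength'],
                    data=ap['mac_address'], pin_type="card_medium", pin_style="red")
        phantom.add_artifact(
            container=live_case_id, raw_data={}, cef_data=ap, label='wireless',
            name='suspicious access point detection', severity='high',
            identifier=None, artifact_type='network')

    decision_1(container=container)
    return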
def pin_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the country names that passed ``filter_3`` as a red HUD card.

    The card is named ``Block Country List`` and lists every ``country_name``
    from the filtered ``geolocate_ip_1`` results; control then passes to
    ``high_positives``.
    """
    phantom.debug('pin_5() called')

    country_path = 'filtered-data:filter_3:condition_1:geolocate_ip_1:action_result.data.*.country_name'
    rows = phantom.collect2(container=container, datapath=[country_path])
    countries = [row[0] for row in rows]

    phantom.pin(
        container=container,
        data=countries,
        message="There was a hit on the following Country!",
        pin_type="card",
        pin_style="red",
        name="Block Country List")

    high_positives(container=container)
    return
def pin_DNS_alert(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin every ``query`` returned by ``run_DNS_alert_query`` as a red HUD card."""
    phantom.debug('pin_DNS_alert() called')

    query_rows = phantom.collect2(
        container=container,
        datapath=['run_DNS_alert_query:action_result.data.*.query'],
        action_results=results)
    queries = [row[0] for row in query_rows]

    pin_kwargs = {
        'container': container,
        'data': queries,
        'message': "Connection to Alerted DNS Address",
        'pin_type': "card",
        'pin_style': "red",
        'name': None,
    }
    phantom.pin(**pin_kwargs)
    return
def Prompt_timeout_api(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Handle an expired analyst prompt: pin, note, comment, then close the container.

    Adds a red ``Awaiting_Action_pin`` card, an empty markdown note, and a
    comment recording that the user did not promote the event in time, then
    sets the container status to ``Closed``.
    """
    phantom.debug('Prompt_timeout_api() called')

    # The pin message deliberately carries literal double quotes.
    phantom.pin(container=container, data="", message="\"Awaiting Action\"",
                pin_type="card", pin_style="red", name="Awaiting_Action_pin")

    # The note is added with no title or body, as in the original playbook.
    phantom.add_note(container=container, note_type="general", title="",
                     content="", note_format="markdown")

    phantom.comment(
        container=container,
        comment="“User failed to promote event within time limit.”")

    phantom.set_status(container=container, status="Closed")
    return
def pin_virustotal_response(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the SHA1 hashes that passed ``filter_7`` from ``file_reputation_1``.

    The card uses an empty ``pin_style`` and no name, matching the original.
    """
    phantom.debug('pin_virustotal_response() called')

    sha1_path = 'filtered-data:filter_7:condition_1:file_reputation_1:action_result.data.*.sha1'
    hashes = [row[0] for row in phantom.collect2(container=container, datapath=[sha1_path])]

    phantom.pin(
        container=container,
        data=hashes,
        message="File Downloads VT Hit",
        pin_type="card",
        pin_style="",
        name=None)
    return
def pin_DNS_alert(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin every artifact ``cef.query`` value on the container as a red HUD card.

    The artifact id is collected alongside the query (so rows stay aligned per
    artifact) but only the query column is pinned.
    """
    phantom.debug('pin_DNS_alert() called')

    artifact_rows = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.query', 'artifact:*.id'])
    queries = [query for query, _artifact_id in artifact_rows]

    phantom.pin(
        container=container,
        data=queries,
        message="Connection to Alerted DNS Address",
        pin_type="card",
        pin_style="red",
        name=None)
    return
def Banned_Country_Pin(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin all ``country_name`` values from ``geolocate_ip_1`` and call ``High_positives``.

    Note this block pins every geolocated country, unfiltered; the banned-list
    decision is taken elsewhere in the playbook.
    """
    phantom.debug('Banned_Country_Pin() called')

    geo_rows = phantom.collect2(
        container=container,
        datapath=['geolocate_ip_1:action_result.data.*.country_name'],
        action_results=results)
    country_names = [geo[0] for geo in geo_rows]

    phantom.pin(container=container, data=country_names, message="Banned country detected",
                pin_type="card", pin_style="red", name=None)

    High_positives(container=container)
    return
def pin_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin the number of connections that passed ``filter_4`` (the CLOSED_WAIT rows).

    The pinned value is the row count of the filtered ``list_connections_1``
    results, passed to ``phantom.pin`` as an int rather than a string.
    """
    phantom.debug('pin_7() called')

    state_path = "filtered-data:filter_4:condition_1:list_connections_1:action_result.data.*.state"
    matching_rows = phantom.collect2(container=container, datapath=[state_path])
    closed_wait_count = len(matching_rows)

    phantom.pin(
        container=container,
        data=closed_wait_count,
        message="Number of CLOSED_WAIT connections",
        pin_type="card",
        pin_style="red",
        name=None)
    return
def pin_6(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Add one grey HUD card per ``get_entity_2`` result: title in the message, first IP as data.

    A missing (``None``) entity title makes the ``"Entity: " +`` concatenation
    raise TypeError, exactly as in the original block.
    """
    phantom.debug('pin_6() called')

    entity_rows = phantom.collect2(
        container=container,
        datapath=[
            'get_entity_2:action_result.parameter.entity_title',
            'get_entity_2:action_result.data.*.*.ip.0'
        ],
        action_results=results)

    for entity_title, first_ip in entity_rows:
        phantom.pin(
            container=container,
            data=first_ip,
            message="Entity: " + entity_title,
            pin_type="card",
            pin_style="grey",
            name=None)
    return
def pin_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin the banned-country names from ``filter_banned_countries`` and call ``decision_1``.

    NOTE(review): the country list is passed as the pin ``message`` with an
    empty ``data``; every other pin in this corpus does the reverse. This may
    be a swapped argument pair — confirm how the HUD renders it.
    """
    phantom.debug('pin_4() called')

    banned_path = "filtered-data:filter_banned_countries:condition_1:geolocate_ip_1:action_result.data.*.country_name"
    banned_rows = phantom.collect2(container=container, datapath=[banned_path])
    banned_countries = [row[0] for row in banned_rows]

    phantom.pin(
        container=container,
        data="",
        message=banned_countries,
        pin_type="card",
        pin_style="red",
        name=None)

    decision_1(container=container)
    return
def pin_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the output of format block ``format_3`` as a red "Encoded Powershell" card.

    The pinned text is the raw encoded command from the event; it is shown to
    analysts for review, not executed.
    """
    phantom.debug('pin_1() called')

    encoded_command = phantom.get_format_data(name='format_3')

    phantom.pin(container=container, data=encoded_command, message="Encoded Powershell",
                pin_type="card", pin_style="red", name=None)
    return
def Add_Pin_with_Service_Name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the text produced by ``Format_Service_Name`` as a red "Service" HUD card."""
    phantom.debug('Add_Pin_with_Service_Name() called')

    service_text = phantom.get_format_data(name='Format_Service_Name')

    pin_kwargs = dict(
        container=container,
        data=service_text,
        message="Service",
        pin_type="card",
        pin_style="red",
        name=None,
    )
    phantom.pin(**pin_kwargs)
    return
def Pin_Check_Login_Failures_Successes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_Login_Failures_Success`` text as a "Login Failures Successes Detected" card.

    No ``pin_type`` or ``pin_style`` is given, so the platform defaults apply.
    """
    phantom.debug('Pin_Check_Login_Failures_Successes() called')

    login_summary = phantom.get_format_data(name='Format_Pin_Login_Failures_Success')

    phantom.pin(
        container=container,
        data=login_summary,
        message="Check authentication activities through access control system",
        name="Login Failures Successes Detected")
    return
def pin_suricata_alert(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``format_suricata_pin`` text (Corelight UID with Suricata alerts).

    The message string keeps the original spelling "Surcata" since it is
    user-visible runtime text; no ``pin_type``/``pin_style`` is set.
    """
    phantom.debug('pin_suricata_alert() called')

    suricata_text = phantom.get_format_data(name='format_suricata_pin')

    phantom.pin(container=container, data=suricata_text,
                message="Corelight UID with Surcata Alerts", name=None)
    return
def Pin_OT_Asset_Info(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_OT_Asset_Info`` text as a red "Check Network Config" card."""
    phantom.debug('Pin_OT_Asset_Info() called')

    asset_info = phantom.get_format_data(name='Format_Pin_OT_Asset_Info')
    card_label = "Check Network Config"

    phantom.pin(
        container=container,
        data=asset_info,
        message=card_label,
        pin_type="card",
        pin_style="red",
        name=card_label)
    return
def Pin_Check_Network_Sessions(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_Format_Network_Sessions`` text with the allowed-hosts/users prompt.

    Message and name are the same string; no ``pin_type``/``pin_style`` given.
    """
    phantom.debug('Pin_Check_Network_Sessions() called')

    sessions_text = phantom.get_format_data(name='Format_Pin_Format_Network_Sessions')
    prompt = "Check for allowed hosts/users for the asset"

    phantom.pin(container=container, data=sessions_text, message=prompt, name=prompt)
    return
def Pin_Zone_Level(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_Zone_Level`` text as the "Asset Zone and Level" card."""
    phantom.debug('Pin_Zone_Level() called')

    zone_text = phantom.get_format_data(name='Format_Pin_Zone_Level')

    phantom.pin(
        container=container,
        data=zone_text,
        message="Verify Asset Zone, Level, Location",
        name="Asset Zone and Level")
    return
def Pin_Check_Network_New_Outbound_URL(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_Network_New_Outbound_URL`` text as the "Check Network New Outbound" card."""
    phantom.debug('Pin_Check_Network_New_Outbound_URL() called')

    outbound_text = phantom.get_format_data(name='Format_Pin_Network_New_Outbound_URL')
    label = "Check Network New Outbound"

    phantom.pin(container=container, data=outbound_text, message=label, name=label)
    return
def Pin_Check_Limit_HW_USB_Activity(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_Limit_HW_USB_Activity`` text as the "Check Limit HW USB Activity" card."""
    phantom.debug('Pin_Check_Limit_HW_USB_Activity() called')

    usb_text = phantom.get_format_data(name='Format_Pin_Limit_HW_USB_Activity')
    label = "Check Limit HW USB Activity"

    phantom.pin(container=container, data=usb_text, message=label, name=label)
    return
def pin_add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Mark a timed-out prompt: add a red "Awaiting Action" card and a timeout comment.

    Unlike ``Prompt_timeout_api`` this block does not change the container
    status.
    """
    phantom.debug('pin_add_comment_2() called')

    phantom.pin(
        container=container,
        data="",
        message="Awaiting Action",
        pin_type="card",
        pin_style="red",
        name=None)

    timeout_text = "User failed to promote event within time limit"
    phantom.comment(container=container, comment=timeout_text)
    return
def Pin_ES_Notables_Detected(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_ES_Notables`` text as the "Check all detected ES notables" card."""
    phantom.debug('Pin_ES_Notables_Detected() called')

    notables_text = phantom.get_format_data(name='Format_Pin_ES_Notables')
    label = "Check all detected ES notables"

    phantom.pin(container=container, data=notables_text, message=label, name=label)
    return
def Pin_Check_Software_Sandbox_Status(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``Format_Pin_Software_Sandbox_Status`` text as the "Check Software Sandbox Status" card."""
    phantom.debug('Pin_Check_Software_Sandbox_Status() called')

    sandbox_text = phantom.get_format_data(name='Format_Pin_Software_Sandbox_Status')
    label = "Check Software Sandbox Status"

    phantom.pin(container=container, data=sandbox_text, message=label, name=label)
    return
def pin_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``format_1`` text as a red "Suspicious File Hash" card, then continue to the join."""
    phantom.debug('pin_1() called')

    hash_text = phantom.get_format_data(name='format_1')

    phantom.pin(
        container=container,
        data=hash_text,
        message="Suspicious File Hash",
        pin_type="card",
        pin_style="red",
        name=None)

    join_cf_community_noop_2(container=container)
    return
def HUD_gray(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``XSpamStatus_status_NO`` text as a grey "XSpamStatus" card, then join.

    This is the not-spam branch; ``HUD_red_and_severity_medium`` handles the
    spam branch and additionally raises severity.
    """
    phantom.debug('HUD_gray() called')

    status_text = phantom.get_format_data(name='XSpamStatus_status_NO')

    phantom.pin(container=container, data=status_text, message="XSpamStatus",
                pin_type="card", pin_style="grey", name=None)

    join_Summery_XSpamStatus(container=container)
    return
def pin_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin ``format_20`` as the card data with ``format_21`` as its message, then call ``format_22``.

    No ``pin_type``/``pin_style`` is set, so the platform defaults apply.
    """
    phantom.debug('pin_7() called')

    card_data = phantom.get_format_data(name='format_20')
    card_message = phantom.get_format_data(name='format_21')

    phantom.pin(container=container, data=card_data, message=card_message, name=None)

    format_22(container=container)
    return
def pin_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin the ``detected_urls`` summary from ``ip_reputation_1`` as a red "malicious urls" card."""
    phantom.debug('pin_2() called')

    summary_rows = phantom.collect2(
        container=container,
        datapath=['ip_reputation_1:action_result.summary.detected_urls'],
        action_results=results)
    detected_urls = [row[0] for row in summary_rows]

    label = "malicious urls"
    phantom.pin(container=container, data=detected_urls, message=label,
                pin_type="card", pin_style="red", name=label)
    return
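def Calculate_Domain_Age(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin any domain whose whois creation date is less than 15 days old.

    Reads ``creation_date`` and the queried ``domain`` from the
    ``whois_domain_1`` results, computes each domain's age against the
    current UTC time, and adds a red ``card_medium`` HUD card for every domain
    younger than 15 days. The per-domain ages in days (``None`` where the
    creation date could not be parsed) are saved to run data under
    ``Calculate_Domain_Age:domain_age`` for later blocks.
    """
    phantom.debug('Calculate_Domain_Age() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'whois_domain_1:action_result.data.*.creation_date',
            'whois_domain_1:action_result.parameter.domain'
        ],
        action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]
    results_item_1_1 = [item[1] for item in results_data_1]

    Calculate_Domain_Age__domain_age = None

    ################################################################################
    ## Custom Code Start
    ################################################################################
    from datetime import datetime, timezone

    # The original compared against a hard-coded "2019-08-02T21:49:40", so the
    # "< 15 days" test was wrong for every run after that date. creation_date
    # is parsed as a naive timestamp, so "now" is taken as naive UTC to match.
    now = datetime.now(timezone.utc).replace(tzinfo=None)

    all_domains_age = []
    for idx, val in enumerate(results_item_1_0):
        # whois may hand back the creation date as a list of candidates or as
        # a single string. The original always used val[0], which for a plain
        # string would be its first character and never parse.
        raw_date = val[0] if isinstance(val, (list, tuple)) and val else val
        try:
            created = datetime.strptime(raw_date, "%Y-%m-%dT%H:%M:%S")
        except (TypeError, ValueError):
            # Unparseable/missing date: record it and move on rather than
            # aborting the block for every other domain.
            phantom.debug('Calculate_Domain_Age: unparsable creation_date {!r}'.format(val))
            all_domains_age.append(None)
            continue

        domain_age = now - created
        all_domains_age.append(domain_age.days)
        if domain_age.days < 15:
            phantom.pin(container=container, message="Domain is less than 15 days old",
                        data=results_item_1_1[idx], pin_type="card_medium", pin_style="red")

    Calculate_Domain_Age__domain_age = all_domains_age
    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='Calculate_Domain_Age:domain_age',
                          value=json.dumps(Calculate_Domain_Age__domain_age))
    return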
def HUD_red_and_severity_medium(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Spam branch: pin ``XSpamStatus_status_YES__as_list`` in red, raise severity to Medium, then join."""
    phantom.debug('HUD_red_and_severity_medium() called')

    spam_status = phantom.get_format_data(name='XSpamStatus_status_YES__as_list')

    phantom.pin(
        container=container,
        data=spam_status,
        message="XSpamStatus",
        pin_type="card",
        pin_style="red",
        name=None)

    # Severity is only escalated on this (spam) branch; HUD_gray leaves it alone.
    phantom.set_severity(container=container, severity="Medium")

    join_Summery_XSpamStatus(container=container)
    return
def Add_HUD_high_red(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin ``Text_high_HUD`` with the ``Text_URL`` text as message, tag the container, then screenshot.

    The URL becomes the card's message text; it is displayed only. The
    container is tagged ``suspicious`` before ``get_screenshot_2`` runs.
    """
    phantom.debug('Add_HUD_high_red() called')

    hud_text = phantom.get_format_data(name='Text_high_HUD')
    url_text = phantom.get_format_data(name='Text_URL')

    phantom.pin(container=container, data=hud_text, message=url_text, name=None)
    phantom.add_tags(container=container, tags="suspicious")

    get_screenshot_2(container=container)
    return
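def pin_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Create (or recreate) the "Affected Users" HUD card for this container.

    Counts the artifacts carrying a non-empty ``destinationUserName`` or
    ``sourceUserName`` CEF field and pins the total. The pin id is remembered
    under the key from ``pin_name_mangle``; on a later run the old pin is
    deleted and recreated with a randomly chosen style (demo behaviour kept
    from the original). Finishes with an empty ``phantom.update`` call, also
    kept from the original.
    """
    import random
    phantom.debug('pin_2() called')

    # collect data for 'pin_to_hud_6' call
    # Materialise the filtered rows: on Python 3 filter() is a lazy iterator
    # and len() on it raises TypeError, which is what the original did.
    dest_username = [row for row in phantom.collect2(
        container=container, datapath=['artifact:*.cef.destinationUserName']) if row[0]]
    sorc_username = [row for row in phantom.collect2(
        container=container, datapath=['artifact:*.cef.sourceUserName']) if row[0]]
    affected_count = str(len(dest_username) + len(sorc_username))

    # A sequence rather than a set: random.sample()/choice() on a set is not
    # supported on current Python 3 releases.
    styles = ("white", "red", "purple")

    pin_name = pin_name_mangle("pin_2", container)
    pin_id = phantom.get_data(pin_name)
    if not pin_id:
        ret_val, message, pin_id = phantom.pin(
            container=container, message="Affected Users", data=affected_count,
            pin_type="card_medium", pin_style="purple")
        phantom.debug("new pin_2")
    else:
        # Delete and remake this one, for the sake of demonstration
        ret_val, message = phantom.delete_pin(pin_id)
        ret_val, message, pin_id = phantom.pin(
            container=container, message="Affected Users", data=affected_count,
            pin_type="card_medium", pin_style=random.choice(styles))

    if ret_val:
        phantom.save_data(pin_id, pin_name)

    # set container properties for: (empty update, unchanged from the original)
    update_data = {}
    phantom.update(container, update_data)
    return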