def playbook_log4j_respond_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Start the child playbook ``community/log4j_respond`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    block logs its entry, then hands the container to the child playbook.  No
    callback or inputs are passed, so the child run proceeds independently of
    this playbook.
    """
    phantom.debug("playbook_log4j_respond_1() called")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Launch "community/log4j_respond"; the returned run id is kept only for
    # readability/debugging, nothing downstream consumes it.
    child_run_id = phantom.playbook("community/log4j_respond", container=container)

    return
def playbook_local_ec2_instance_isolation_1(action=None,
                                            success=None,
                                            container=None,
                                            results=None,
                                            handle=None,
                                            filtered_artifacts=None,
                                            filtered_results=None):
    """Launch ``local/ec2_instance_isolation`` for the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child playbook is started without a name, callback or inputs.
    """
    phantom.debug('playbook_local_ec2_instance_isolation_1() called')

    # Returned run id is unused; kept for debugging parity with other blocks.
    child_run_id = phantom.playbook(
        "local/ec2_instance_isolation",
        container=container,
    )

    return
def risk_notable_preprocess(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run ``community/risk_notable_preprocess`` and chain to ``risk_notable_import_data``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child playbook run is named ``risk_notable_preprocess`` and
    ``risk_notable_import_data`` (defined elsewhere in this playbook) is passed
    as its ``callback`` -- presumably invoked by the engine once the child run
    finishes.
    """
    phantom.debug("risk_notable_preprocess() called")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Start the child playbook; its run id is not consumed here.
    child_run_id = phantom.playbook(
        "community/risk_notable_preprocess",
        container=container,
        name="risk_notable_preprocess",
        callback=risk_notable_import_data,
    )

    return
def playbook_soar_Sorsnce_Domain_Recon_1(action=None,
                                         success=None,
                                         container=None,
                                         results=None,
                                         handle=None,
                                         filtered_artifacts=None,
                                         filtered_results=None):
    """Launch ``soar/Sorsnce_Domain_Recon`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is given the same name as this block; no callback is registered.
    """
    phantom.debug('playbook_soar_Sorsnce_Domain_Recon_1() called')

    # Run id is returned by phantom.playbook but not used further here.
    child_run_id = phantom.playbook(
        "soar/Sorsnce_Domain_Recon",
        container=container,
        name="playbook_soar_Sorsnce_Domain_Recon_1",
    )

    return
def playbook_conf2020_conf2020_End_Maintenance_Windows_1(action=None,
                                                         success=None,
                                                         container=None,
                                                         results=None,
                                                         handle=None,
                                                         filtered_artifacts=None,
                                                         filtered_results=None,
                                                         custom_function=None,
                                                         **kwargs):
    """Launch ``conf2020/End Maintenance Windows`` and chain to ``format_snow_ticket_id_request``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block and ``format_snow_ticket_id_request``
    (defined elsewhere in this playbook) is passed as its ``callback``.
    """
    phantom.debug('playbook_conf2020_conf2020_End_Maintenance_Windows_1() called')

    # The run id is not consumed by this block.
    child_run_id = phantom.playbook(
        playbook="conf2020/End Maintenance Windows",
        container=container,
        name="playbook_conf2020_conf2020_End_Maintenance_Windows_1",
        callback=format_snow_ticket_id_request,
    )

    return
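def decide_and_launch_playbook(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the playbook the analyst chose in the ``select_response_plan`` prompt.

    Standard SOAR playbook-block signature; ``container`` and ``results`` are
    used.  The first recorded prompt response is taken as the playbook to run
    on the current container, after which control continues to ``decision_5``.

    If no response was collected the block logs an error and returns without
    launching anything or calling ``decision_5`` -- the original code raised
    ``IndexError`` at the same point, so no previously reachable path changes.
    """
    phantom.debug("decide_and_launch_playbook() called")

    ################################################################################
    # Process user responses and determine which playbook should be launched.
    ################################################################################

    select_response_plan_result_data = phantom.collect2(
        container=container,
        datapath=["select_response_plan:action_result.summary.responses.0"],
        action_results=results)

    select_response_plan_summary_responses_0 = [item[0] for item in select_response_plan_result_data]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Guard the [0] access: an empty result set previously crashed with IndexError.
    if not select_response_plan_summary_responses_0:
        phantom.error("decide_and_launch_playbook: no response found for select_response_plan; nothing launched")
        return

    # The analyst's answer is used verbatim as the playbook to run.
    # NOTE(review): this relies on the prompt offering only valid playbook names;
    # if the prompt accepts free text, compare the value against the prompt's
    # option list before launching.
    chosen_playbook = select_response_plan_summary_responses_0[0]
    playbook_run_id = phantom.playbook(playbook=chosen_playbook, container=container)
    phantom.debug("launched playbook {} (run id {})".format(chosen_playbook, playbook_run_id))

    ################################################################################
    ## Custom Code End
    ################################################################################

    decision_5(container=container)

    return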
def playbook_conf2020_conf2020_add_Maintenance_Windows_2(action=None,
                                                         success=None,
                                                         container=None,
                                                         results=None,
                                                         handle=None,
                                                         filtered_artifacts=None,
                                                         filtered_results=None,
                                                         custom_function=None,
                                                         **kwargs):
    """Launch ``conf2020/add Maintenance Windows`` and chain to ``execute_program_3``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block and ``execute_program_3`` (defined
    elsewhere in this playbook) is passed as its ``callback``.
    """
    phantom.debug('playbook_conf2020_conf2020_add_Maintenance_Windows_2() called')

    # Run id is not consumed here.
    child_run_id = phantom.playbook(
        playbook="conf2020/add Maintenance Windows",
        container=container,
        name="playbook_conf2020_conf2020_add_Maintenance_Windows_2",
        callback=execute_program_3,
    )

    return
def playbook_local_local_eh_phishing_generate_drilldowns_1(action=None,
                                                           success=None,
                                                           container=None,
                                                           results=None,
                                                           handle=None,
                                                           filtered_artifacts=None,
                                                           filtered_results=None,
                                                           custom_function=None,
                                                           **kwargs):
    """Launch ``local/eh_phishing_generate_drilldowns`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_local_local_eh_phishing_generate_drilldowns_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(
        playbook="local/eh_phishing_generate_drilldowns",
        container=container,
    )

    return
def playbook_local_Triage_Peers_1(action=None,
                                  success=None,
                                  container=None,
                                  results=None,
                                  handle=None,
                                  filtered_artifacts=None,
                                  filtered_results=None):
    """Launch ``local/Triage Peers`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_local_Triage_Peers_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("local/Triage Peers", container=container)

    return
def launch_reset_playbook(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Create one ``compromised_account`` artifact per affected AD user and trigger the reset playbook for each.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    sAMAccountNames come from the ``get_active_ad_users`` filter output.  For
    every account an artifact is added with ``run_automation=True`` and
    ``local/activedirectory_reset_password`` is launched immediately; the
    explicit launch inside the loop is what makes each account fire on its own
    rather than as a batch once this block ends (see the inline comment).
    """
    phantom.debug('launch_reset_playbook() called')

    affected_rows = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:get_active_ad_users:condition_1:get_affected_ad_users:action_result.data.*.samaccountname"
        ])
    account_names = [row[0] for row in affected_rows]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    for account in account_names:
        phantom.debug("[DEBUG]: account = {}".format(account))

        # Both raw_data and cef_data carry the account name; severity is fixed
        # to 'high' and run_automation=True lets the artifact trigger automation.
        account_details = {'compromisedUserName': account}
        phantom.add_artifact(
            container=container,
            raw_data=account_details,
            cef_data=account_details,
            label='compromised_account',
            name='compromised account ' + account,
            identifier=None,
            artifact_type='user name',
            severity='high',
            run_automation=True,
        )

        # Artifacts are not evaluated while this block is still running, so
        # without an explicit playbook() call per account they would all fire
        # together as one list after the loop instead of one at a time.
        phantom.playbook(
            playbook='local/activedirectory_reset_password',
            container=container,
            show_debug=True,
        )

    ################################################################################
    ## Custom Code End
    ################################################################################

    return
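def playbook_local_soc_fork_customer_request_1(action=None,
                                               success=None,
                                               container=None,
                                               results=None,
                                               handle=None,
                                               filtered_artifacts=None,
                                               filtered_results=None):
    """Import customer-request rows from a vaulted CSV as artifacts, then fork to ``local/soc_fork_customer_request``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    block looks up the container's vault, opens the file path reported by
    ``phantom.vault_info``, and for every CSV row that has an ``action`` column
    plus a ``sourceAddress`` or ``destinationAddress`` column adds a
    ``customer_request`` artifact with the row as CEF data.  Any exception while
    reading or importing is logged with ``phantom.error`` and the block returns
    without launching the child playbook.

    Fixes relative to the original: the error handler used ``e.args[1]``, which
    itself raises ``IndexError`` for most exceptions and hid the real failure;
    ``success`` is no longer shadowed by the ``add_artifact`` result; each
    artifact now gets its own ``raw_data`` dict instead of one shared object.
    """
    phantom.debug('playbook_local_soc_fork_customer_request_1() called')

    # ----- start of added code -----
    import csv

    container_id = container.get('id', None)

    # Vault metadata for every file attached to this container.
    vault_info = phantom.vault_info(container_id=container_id)

    # NOTE(review): the [2][0] indexing assumes vault_info() returns a tuple whose
    # third element is a non-empty list of file records -- confirm against the
    # phantom API; an empty vault would raise IndexError here (caught below).
    file_path = vault_info[2][0]["path"]
    phantom.debug('vault file path: {}'.format(file_path))

    try:
        # newline='' is what csv requires so quoted fields containing newlines
        # are parsed correctly.
        with open(file_path, 'r', newline='') as f:
            for cef_data in csv.DictReader(f):
                # Rows lacking an action or any address are not network
                # artifacts and are skipped silently, as before.
                has_address = ('sourceAddress' in cef_data
                               or 'destinationAddress' in cef_data)
                if 'action' not in cef_data or not has_address:
                    continue

                phantom.debug('adding artifact: {}'.format(cef_data))
                added, message, artifact_id = phantom.add_artifact(
                    container=container,
                    raw_data={},
                    cef_data=cef_data,
                    label='customer_request',
                    name='Parsed CSV Artifact',
                    severity='high',
                    identifier=None,
                    artifact_type='network')
                if not added:
                    phantom.error(
                        "Adding Artifact failed: {}".format(message))
    except Exception as e:
        # str(e) is safe for every exception type; e.args[1] was not.
        phantom.error("Exception Occurred: {}".format(e))
        return
    # ----- end of added code -----

    # Fork to the SOC customer-request playbook; the run id is not used here.
    playbook_run_id = phantom.playbook("local/soc_fork_customer_request",
                                       container=container)

    return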
def Check_hash(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``phantom_playbook_course/Log File Hashes`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('Check_hash() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("phantom_playbook_course/Log File Hashes", container=container)

    return
def playbook_local_Log_File_Hashes_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``local/Log File Hashes`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_local_Log_File_Hashes_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("local/Log File Hashes", container=container)

    return
def Promote_To_Case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``local/Case Promotion Lab`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('Promote_To_Case() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("local/Case Promotion Lab", container=container)

    return
def playbook_local_Test_AD_to_Slack_notification_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``local/Test - AD to Slack notification`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_local_Test_AD_to_Slack_notification_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("local/Test - AD to Slack notification", container=container)

    return
def playbook_community_rootkit_remediate_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``community/rootkit_remediate`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    container is passed positionally, as in the original; no name, callback or
    inputs are given to the child playbook.
    """
    phantom.debug('playbook_community_rootkit_remediate_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("community/rootkit_remediate", container)

    return
def playbook_internal_host_ssh_log4j_respond_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/internal_host_ssh_log4j_respond`` with hostnames and file paths from the ``if_hosts_exist`` filter.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    block collects ``deviceHostname`` and ``filePath`` from the artifacts that
    passed ``if_hosts_exist:condition_1`` (scope ``all``), splits them into two
    parallel lists and passes them as the ``ip_or_hostname`` / ``filepath``
    inputs of the child playbook.

    NOTE(review): both inputs are forwarded verbatim from artifact CEF fields
    to a playbook that acts on hosts over SSH; if artifacts can originate from
    untrusted sources, validate hostnames and paths before this point.
    """
    phantom.debug("playbook_internal_host_ssh_log4j_respond_2() called")

    matched_hosts = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:if_hosts_exist:condition_1:artifact:*.cef.deviceHostname",
            "filtered-data:if_hosts_exist:condition_1:artifact:*.cef.filePath"
        ],
        scope="all")

    # Column 0 is the hostname, column 1 the file path of each matched artifact.
    hostnames = [row[0] for row in matched_hosts]
    file_paths = [row[1] for row in matched_hosts]

    inputs = {
        "ip_or_hostname": hostnames,
        "filepath": file_paths,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Start the child playbook; its run id is not consumed here.
    child_run_id = phantom.playbook(
        "community/internal_host_ssh_log4j_respond",
        container=container,
        inputs=inputs,
    )

    return
def playbook_internal_host_winrm_investigate_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/internal_host_winrm_investigate`` for the hosts that passed the ``os_filter`` filter.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    block collects ``deviceHostname`` from artifacts matching
    ``os_filter:condition_2`` (scope ``all``), de-duplicates them with
    ``phantom.concatenate`` and passes the result as the ``ip_or_hostname``
    input.  The child run is named after this block and
    ``join_playbook_log4j_respond_1`` (defined elsewhere) is its ``callback``.

    NOTE(review): the hostnames are forwarded verbatim from artifact CEF fields
    to a playbook that acts on hosts over WinRM; validate them upstream if
    artifacts can come from untrusted sources.
    """
    phantom.debug("playbook_internal_host_winrm_investigate_1() called")

    matched_rows = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:os_filter:condition_2:artifact:*.cef.deviceHostname"
        ],
        scope="all")

    hostnames = [row[0] for row in matched_rows]

    # dedup=True collapses repeated hostnames before they reach the child.
    unique_hosts = phantom.concatenate(hostnames, dedup=True)

    inputs = {
        "ip_or_hostname": unique_hosts,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Start the child playbook; its run id is not consumed here.
    child_run_id = phantom.playbook(
        "community/internal_host_winrm_investigate",
        container=container,
        name="playbook_internal_host_winrm_investigate_1",
        callback=join_playbook_log4j_respond_1,
        inputs=inputs,
    )

    return
def playbook_r3d_GitHub_sleep_4_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``r3d--GitHub/sleep`` and chain to ``custom_function_1``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block and ``custom_function_1`` (defined
    elsewhere in this playbook) is passed as its ``callback``.
    """
    phantom.debug('playbook_r3d_GitHub_sleep_4_4() called')

    # Run id is not consumed here.
    child_run_id = phantom.playbook(
        "r3d--GitHub/sleep",
        container=container,
        name="playbook_r3d_GitHub_sleep_4_4",
        callback=custom_function_1,
    )

    return
def playbook_local_eh_investigate_email_iocs_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``local/eh_investigate_email_iocs`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_local_eh_investigate_email_iocs_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(playbook="local/eh_investigate_email_iocs", container=container)

    return
def playbook_phantomPlaybooks_Log_File_Hashes_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``phantomPlaybooks/Log File Hashes`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_phantomPlaybooks_Log_File_Hashes_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(playbook="phantomPlaybooks/Log File Hashes", container=container)

    return
def playbook_rba_master_rba_master_RBA_Investigate_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``rba-master/RBA Investigate`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  No
    name, callback or inputs are passed to the child playbook.
    """
    phantom.debug('playbook_rba_master_rba_master_RBA_Investigate_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(playbook="rba-master/RBA Investigate", container=container)

    return
def Promote_to_Case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``phantom_playbook_course/Case Promotion Lab`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named ``Promote_to_Case``; no callback or inputs are passed.
    """
    phantom.debug('Promote_to_Case() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("phantom_playbook_course/Case Promotion Lab", container=container, name="Promote_to_Case")

    return
def playbook_local_Atomic_Registry_Run_Keys_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``local/Atomic - Registry Run Keys`` and then continue to ``run_script_2``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    container is passed positionally, as in the original.  ``run_script_2``
    (defined elsewhere) is called directly after the launch, not as a
    callback, so it does not wait for the child run to finish.
    """
    phantom.debug('playbook_local_Atomic_Registry_Run_Keys_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook("local/Atomic - Registry Run Keys", container)

    run_script_2(container=container)

    return
def playbook_internal_host_splunk_investigate_log4j_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/internal_host_splunk_investigate_log4j`` for every ``deviceHostname`` on the container.

    Standard SOAR playbook-block signature; only ``container`` is used.  All
    artifacts' ``cef.deviceHostname`` values (scope ``all``) are collected,
    de-duplicated via ``phantom.concatenate`` and passed as the
    ``ip_or_hostname`` input.  The child run is named after this block and
    ``os_filter`` (defined elsewhere) is passed as its ``callback``.
    """
    phantom.debug("playbook_internal_host_splunk_investigate_log4j_2() called")

    artifact_rows = phantom.collect2(
        container=container,
        datapath=["artifact:*.cef.deviceHostname"],
        scope="all")

    hostnames = [row[0] for row in artifact_rows]

    # dedup=True collapses repeated hostnames before they reach the child.
    unique_hosts = phantom.concatenate(hostnames, dedup=True)

    inputs = {
        "ip_or_hostname": unique_hosts,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Start the child playbook; its run id is not consumed here.
    child_run_id = phantom.playbook(
        "community/internal_host_splunk_investigate_log4j",
        container=container,
        name="playbook_internal_host_splunk_investigate_log4j_2",
        callback=os_filter,
        inputs=inputs,
    )

    return
def Promote_to_Case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``phantomPlaybooks/Case Promotion Lab`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named ``Promote_to_Case``; no callback or inputs are passed.
    """
    phantom.debug('Promote_to_Case() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(playbook="phantomPlaybooks/Case Promotion Lab", container=container, name="Promote_to_Case")

    return
def playbook_Main_Hunt_file_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``Main/Hunt_file`` and chain to ``decision_2``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block and ``decision_2`` (defined elsewhere
    in this playbook) is passed as its ``callback``.
    """
    phantom.debug('playbook_Main_Hunt_file_1() called')

    # Run id is not consumed here.
    child_run_id = phantom.playbook(
        playbook="Main/Hunt_file",
        container=container,
        name="playbook_Main_Hunt_file_1",
        callback=decision_2,
    )

    return
def playbook_P4R_final_version_IOCs_File_mobile_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``P4R_final_version/IOCs_File_mobile`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block; no callback or inputs are passed.
    """
    phantom.debug('playbook_P4R_final_version_IOCs_File_mobile_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(playbook="P4R_final_version/IOCs_File_mobile", container=container, name="playbook_P4R_final_version_IOCs_File_mobile_1")

    return
def playbook_local_local_Message_Print_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``local/Message Print`` on the current container.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block; no callback or inputs are passed.
    """
    phantom.debug('playbook_local_local_Message_Print_1() called')

    # Returned run id is unused.
    child_run_id = phantom.playbook(playbook="local/Message Print", container=container, name="playbook_local_local_Message_Print_1")

    return
def playbook_conf2020_conf2020_Close_SNOW_Ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``conf2020/Close SNOW Ticket`` and chain to ``set_status_1``.

    Standard SOAR playbook-block signature; only ``container`` is used.  The
    child run is named after this block and ``set_status_1`` (defined
    elsewhere in this playbook) is passed as its ``callback``.
    """
    phantom.debug('playbook_conf2020_conf2020_Close_SNOW_Ticket_1() called')

    # Run id is not consumed here.
    child_run_id = phantom.playbook(
        playbook="conf2020/Close SNOW Ticket",
        container=container,
        name="playbook_conf2020_conf2020_Close_SNOW_Ticket_1",
        callback=set_status_1,
    )

    return