def set_severity_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Playbook block: mark the container "low" severity, then run set_status_6.

    The standard Phantom block-callback parameters are accepted for
    compatibility; only ``container`` is used.
    """
    phantom.debug('set_severity_5() called')
    phantom.set_severity(container=container, severity="low")
    # Hand off to the next block in the playbook chain.
    set_status_6(container=container)
def HUD_red_and_severity_medium(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Playbook block: pin a red "XSpamStatus" HUD card and raise severity to Medium.

    The card content comes from the format block named
    ``XSpamStatus_status_YES__as_list``; afterwards control passes to
    join_Summery_XSpamStatus. Only ``container`` is used from the callback
    parameters.
    """
    phantom.debug('HUD_red_and_severity_medium() called')
    card_body = phantom.get_format_data(name='XSpamStatus_status_YES__as_list')
    phantom.pin(
        container=container,
        data=card_body,
        message="XSpamStatus",
        pin_type="card",
        pin_style="red",
        name=None,
    )
    phantom.set_severity(container=container, severity="Medium")
    # Continue to the join block defined elsewhere in the playbook.
    join_Summery_XSpamStatus(container=container)
def set_severity_9(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Playbook block: set the container severity to "high".

    Terminal block — nothing is chained after it. Only ``container`` is used
    from the standard callback parameters.
    """
    phantom.debug('set_severity_9() called')
    phantom.set_severity(container=container, severity="high")
def set_severity_13(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Playbook block: set the container severity to "medium", then run pin_16.

    Only ``container`` is used from the standard callback parameters.
    """
    phantom.debug('set_severity_13() called')
    phantom.set_severity(container=container, severity="medium")
    # Next block in the chain (pin_16 is defined elsewhere in the playbook).
    pin_16(container=container)
def set_severity_12(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Playbook block: set the container severity to "high", then promote it.

    After the severity change, control passes to promote_to_case_14. Only
    ``container`` is used from the standard callback parameters.
    """
    phantom.debug('set_severity_12() called')
    phantom.set_severity(container=container, severity="high")
    # Escalation path: promote_to_case_14 is defined elsewhere in the playbook.
    promote_to_case_14(container=container)
def escalate_alert(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Playbook block: escalate the container to sensitivity "red" and severity "high".

    Terminal block — nothing is chained after it. Only ``container`` is used
    from the standard callback parameters.
    """
    phantom.debug('escalate_alert() called')
    # Sensitivity is raised first, then severity, matching the original order.
    phantom.set_sensitivity(container=container, sensitivity="red")
    phantom.set_severity(container=container, severity="high")
def set_container_low(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Playbook block: set the container severity to "Low".

    Terminal block. Only ``container`` is used from the callback parameters;
    ``custom_function`` and ``**kwargs`` are accepted for interface
    compatibility and ignored.
    """
    phantom.debug('set_container_low() called')
    phantom.set_severity(container, "Low")
def escalate_severity_to_high(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Playbook block: set the container severity to "High".

    Terminal block. Only ``container`` is used from the callback parameters;
    ``custom_function`` and ``**kwargs`` are accepted for interface
    compatibility and ignored.
    """
    phantom.debug('escalate_severity_to_high() called')
    phantom.set_severity(container, "High")
def set_status_set_severity_set_sensitivity_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Playbook block: close the container as a low-severity, green-sensitivity event.

    Applies, in order: status "Closed", severity "Low", sensitivity "green".
    Terminal block; only ``container`` is used from the callback parameters.
    """
    phantom.debug('set_status_set_severity_set_sensitivity_1() called')
    phantom.set_status(container, "Closed")
    phantom.set_severity(container, "Low")
    phantom.set_sensitivity(container, "green")
def resolve_container(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Playbook block: close out the container as a trivial true positive.

    Steps, in order: severity "low", tag "automation" (via my_add_tags,
    defined elsewhere in the playbook), the custom field
    ``Resolution = "Trivial True Positive"``, then status "closed".
    Only ``container`` is used from the standard callback parameters.
    """
    phantom.debug('resolve_container() called')

    phantom.set_severity(container=container, severity="low")
    my_add_tags(tags=["automation"])

    # Required resolution field must be filled before the container is closed.
    phantom.update(
        container,
        {"custom_fields": {"Resolution": "Trivial True Positive"}},
    )
    phantom.set_status(container=container, status="closed")
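def on_start(incident):
    """Playbook entry point: escalate the incident when an executive's account is involved.

    Collects ``sourceUserName`` / ``destinationUserName`` from every artifact
    of *incident*, compares them against the ``executives`` datastore and,
    on a match, sets sensitivity "amber" and severity "high".

    NOTE(review): this file defines ``on_start`` twice; the later definition
    shadows this one at import time.
    """
    # Fixed: the original log lines labelled severity with the sensitivity
    # value and vice versa (and lacked a space after the name).
    phantom.debug(f"{incident['name']} has severity: {incident['severity']}")
    phantom.debug(f"{incident['name']} has sensitivity: {incident['sensitivity']}")
    phantom.debug(' ------------------ USER NAMES --------------------------------- ')

    # Union of both user-name fields; a set makes the membership test below O(1).
    victims = set(phantom.collect(incident, 'artifact:*.cef.sourceUserName', scope='all'))
    victims |= set(phantom.collect(incident, 'artifact:*.cef.destinationUserName', scope='all'))
    if not victims:
        return

    execs = phantom.datastore_get("executives")
    if execs is None:
        return

    # assumes each datastore row's first column is the user name — TODO confirm
    exec_victims = [row[0] for row in execs if row[0] in victims]
    if exec_victims:
        phantom.debug('Execs impacted by this incident: ' + str(exec_victims))
        phantom.set_sensitivity(incident, 'amber')
        phantom.set_severity(incident, 'high')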
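def on_start(incident):
    """Playbook entry point: escalate the incident when an executive's account is involved.

    Collects ``sourceUserName`` / ``destinationUserName`` from every artifact
    of *incident*, compares them against the ``executives`` datastore and,
    on a match, sets sensitivity "amber" and severity "high".

    NOTE(review): this file defines ``on_start`` twice; this later definition
    shadows the earlier one at import time.
    """
    # Fixed: the original log lines labelled severity with the sensitivity
    # value and vice versa (and lacked a space after the name).
    phantom.debug(f"{incident['name']} has severity: {incident['severity']}")
    phantom.debug(f"{incident['name']} has sensitivity: {incident['sensitivity']}")
    phantom.debug(
        ' ------------------ USER NAMES --------------------------------- ')

    # Union of both user-name fields; a set makes the membership test below O(1).
    victims = set(
        phantom.collect(incident, 'artifact:*.cef.sourceUserName', scope='all'))
    victims |= set(
        phantom.collect(incident, 'artifact:*.cef.destinationUserName', scope='all'))
    if not victims:
        return

    execs = phantom.datastore_get("executives")
    if execs is None:
        return

    # assumes each datastore row's first column is the user name — TODO confirm
    exec_victims = [row[0] for row in execs if row[0] in victims]
    if exec_victims:
        phantom.debug('Execs impacted by this incident: ' + str(exec_victims))
        phantom.set_sensitivity(incident, 'amber')
        phantom.set_severity(incident, 'high')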
def deescalate(container):
    """Set *container* to severity "low" and then close it."""
    phantom.set_severity(container=container, severity="low")
    phantom.close(container)
def escalate(container):
    """Set *container* to severity "high"."""
    phantom.set_severity(container=container, severity="high")