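def update_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Append a work note to the ServiceNow ticket previously saved for each artifact IP.

    For every artifact in the container this reads ``cef.cn2`` (treated as the
    IP) and ``cef.cs3`` (the note text), looks up the ticket id that ``format_1``
    stored under that IP via ``phantom.get_object``, and fires a ServiceNow
    "update ticket" action for it.  Standard Phantom callback signature; all
    parameters are optional and nothing is returned.
    """
    import json  # used to build the ServiceNow ``fields`` payload safely

    phantom.debug('update_ticket_1() called')
    pb_info = phantom.get_playbook_info()
    if not pb_info:
        return
    playbook_name = pb_info[0].get('name', None)

    # cn2 -> IP, cs3 -> work-note text.
    # NOTE(review): create_ticket_1 takes the IP from cef.cn1 and format_1 from
    # cef.src; confirm the three datapaths carry the same value, otherwise the
    # get_object lookup below never matches.
    artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.cn2', 'artifact:*.cef.cs3'],
        scope='all')

    for artifacts_item_1 in artifacts_data_1:
        if not artifacts_item_1:
            continue
        ip = artifacts_item_1[0]
        if not phantom.valid_ip(ip):
            continue
        ip = str(ip)
        addr = phantom.get_object(key=ip, playbook_name=playbook_name)
        if not addr:
            # No saved object for this IP: there is no ticket to update.
            continue
        ticket = addr[0]['value']['ticket']
        note = artifacts_item_1[1]

        # cs3 is artifact data, i.e. untrusted.  The previous version spliced
        # it into a JSON string with "%s", so a quote or backslash in the note
        # would either break the document or let the note inject additional
        # ticket fields.  json.dumps escapes it and always yields a valid
        # object.  None becomes an empty note rather than the string "None".
        fields = json.dumps({"state": "1", "work_notes": "" if note is None else str(note)})

        parameters = [{
            'id': ticket,
            'table': "u_security_engineering_request",
            'fields': fields,
            'vault_id': "",
        }]
        phantom.debug('update ticket {} for ip {}: {!r}'.format(ticket, ip, note))
        # One action per matching artifact, as before.
        phantom.act("update ticket", parameters=parameters, assets=['servicenow'], name="update_ticket_1")
    return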
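def create_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Open one ServiceNow ticket per artifact whose ``cef.cn1`` is a valid IP.

    ``cef.cs3`` supplies the second half of the short description.  Every
    "create ticket" action calls back into ``format_1``, which records the new
    ticket id against the IP.  Standard Phantom callback signature; all
    parameters are optional and nothing is returned.
    """
    phantom.debug('create_ticket_1() called')

    # cn1 -> IP, cs3 -> description text.
    # NOTE(review): update_ticket_1 reads the IP from cef.cn2 and format_1 from
    # cef.src; confirm these refer to the same value or the later ticket
    # lookup will find nothing.
    artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.cn1', 'artifact:*.cef.cs3'],
        scope='all')

    for artifacts_item_1 in artifacts_data_1:
        if not artifacts_item_1:
            continue
        ip = artifacts_item_1[0]
        if not phantom.valid_ip(ip):
            continue
        ip = str(ip)
        detail = artifacts_item_1[1]

        # Both values come straight from the artifact.  format() instead of
        # '+' so a missing (None) or non-string cs3 cannot raise TypeError and
        # abort the whole loop.
        parameters = [{
            'short_description': '{} -> {}'.format(ip, '' if detail is None else detail),
            'description': "Source IP address: " + ip,
            'table': "u_security_engineering_request",
            'vault_id': "",
        }]
        phantom.debug('create ticket for ip {} '.format(ip))
        # format_1 receives the created ticket id and persists it for this IP.
        phantom.act("create ticket", parameters=parameters, assets=['servicenow'], name="create_ticket_1", callback=format_1)
    return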
def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Callback for ``create_ticket_1``: persist the new ticket id and render a summary.

    Takes the first ``created_ticket_id`` from the action results, writes it
    into ``['value']['ticket']`` of the playbook object already saved for each
    ``cef.src`` IP in the container (``phantom.get_object`` /
    ``phantom.save_object``), then emits a "Ticket id / number" string via
    ``phantom.format``.  Standard Phantom callback signature; returns nothing.
    """
    phantom.debug('format_1() called')
    pb_info = phantom.get_playbook_info()
    if not pb_info:
        return
    playbook_name = pb_info[0].get('name', None)

    ticket_ids = phantom.collect(results, "action_result.summary.created_ticket_id")
    src_artifacts = phantom.collect2(container=container, datapath=['artifact:*.cef.src'])

    if ticket_ids:
        # Only the first created id is used, and it is written against every
        # IP artifact in the container.
        # NOTE(review): create_ticket_1 fires one action per artifact, so a
        # run with several tickets maps all IPs to the same id — confirm that
        # is intended.
        ticket = ticket_ids[0]
        phantom.debug('Ticket {}'.format(ticket))
        for item in src_artifacts:
            if not item or not phantom.valid_ip(item[0]):
                continue
            key = str(item[0])
            saved = phantom.get_object(key=key, playbook_name=playbook_name)
            if not saved:
                # Nothing was stored for this IP beforehand, so the ticket id
                # is dropped here and update_ticket_1 will later find no ticket.
                continue
            saved[0]['value']['ticket'] = ticket
            # auto_delete=False keeps the object available to later runs.
            phantom.save_object(key=key, value=saved[0]['value'], auto_delete=False, playbook_name=playbook_name)

    template = """Ticket id: {0} number: {1}"""
    # datapaths substituted into the template by phantom.format
    parameters = [
        "create_ticket_1:action_result.summary.created_ticket_id",
        "create_ticket_1:action_result.data.*.number",
    ]
    phantom.format(container=container, template=template, parameters=parameters, name="format_1")
    return
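def ip_reputation(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run a ThreatStream "ip reputation" lookup on every IP-valued host from ``get_report``.

    Reads each ``NET_Url.host`` (plus the originating artifact id) out of the
    ``get_report`` action results, keeps only values that pass
    ``phantom.valid_ip``, and dispatches a single action whose results go to
    ``threatstream_ip_format``.  Standard Phantom callback signature; returns
    nothing.
    """
    phantom.debug('ip_reputation() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'get_report:action_result.data.*.results.NET.*.NET_Url.host',
            'get_report:action_result.parameter.context.artifact_id',
        ],
        action_results=results)

    parameters = []
    seen = set()
    for results_item_1 in results_data_1:
        host = results_item_1[0]
        artifact_id = results_item_1[1]
        # Hostnames and empty values are skipped; only literal IPs are queried.
        if not host or not phantom.valid_ip(host):
            continue
        # A report may list the same host many times; every duplicate would
        # cost a separate reputation query, so dedupe per (ip, artifact) while
        # keeping the original order and the per-artifact association.
        key = (host, artifact_id)
        if key in seen:
            continue
        seen.add(key)
        parameters.append({
            'ip': host,
            # context ties each result back to the artifact it came from
            'context': {'artifact_id': artifact_id},
        })

    # NOTE(review): act() is still invoked when no host qualified, exactly as
    # before — confirm an empty parameter list is acceptable for the
    # playbook's flow before adding a guard here.
    phantom.act("ip reputation", parameters=parameters, assets=['threatstream'], callback=threatstream_ip_format, name="ip_reputation", parent_action=action)
    return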