def join_send_deny_email_2(action=None, success=None, container=None, results=None,
                           handle=None, filtered_artifacts=None, filtered_results=None):
    """One-shot join gate for the "send_deny_email_2" block.

    Dispatches send_deny_email_2() once phantom.actions_done() reports that
    both URL reputation lookups have finished, and records that fact in run
    data so later invocations return early.

    "Finished" covers failed actions as well as successful ones, and neither
    ``success`` nor ``results`` is inspected here, so send_deny_email_2 has to
    check the lookup results itself. Only ``container`` and ``handle`` are
    forwarded; the remaining parameters are accepted but unused.
    """
    phantom.debug('join_send_deny_email_2() called')

    # Re-entry guard: a previous invocation already dispatched the block.
    if phantom.get_run_data(key='join_send_deny_email_2_called'):
        return

    upstream_actions = ['virustotal_url_reputation', 'webpulse_url_reputation']
    if not phantom.actions_done(upstream_actions):
        return

    # Set the flag before dispatching so a later callback sees it.
    # NOTE(review): the check above and this save are two separate calls;
    # whether two callbacks can interleave between them depends on how the
    # platform schedules callbacks - confirm.
    phantom.save_run_data(key='join_send_deny_email_2_called', value='send_deny_email_2')
    send_deny_email_2(container=container, handle=handle)
def join_playbook_email_body(action=None, success=None, container=None, results=None,
                             handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "playbook_email_body" block.

    Dispatches playbook_email_body() only when phantom.actions_done() reports
    that 'get_app_run_data' and 'get_playbook_action_runs' have both finished
    (succeeded or failed). Only ``container`` and ``handle`` are forwarded; the
    other parameters are accepted but unused in this function.
    """
    phantom.debug('join_playbook_email_body() called')

    waiting_on = [
        'get_app_run_data',
        'get_playbook_action_runs',
    ]
    if not phantom.actions_done(waiting_on):
        # At least one upstream action is still running.
        return

    playbook_email_body(container=container, handle=handle)
def join_send_message_2(action=None, success=None, container=None, results=None,
                        handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "send_message_2" block.

    Dispatches send_message_2() once phantom.actions_done() reports that
    'list_channels_1' has finished (succeeded or failed). Only ``container``
    and ``handle`` are forwarded; the other parameters are accepted but unused
    in this function.
    """
    phantom.debug('join_send_message_2() called')

    waiting_on = ['list_channels_1']
    if not phantom.actions_done(waiting_on):
        return

    # A failed channel listing also counts as done, so send_message_2 cannot
    # assume a channel list is available.
    send_message_2(container=container, handle=handle)
def join_decision_3(action=None, success=None, container=None, results=None,
                    handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "decision_3" block.

    Dispatches decision_3() only when phantom.actions_done() reports that
    'ip_reputation' and 'file_reputation' have both finished. "Finished"
    covers failure as well as success, and ``success``/``results`` are not
    inspected here, so decision_3 has to check the action results itself.

    Only ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_decision_3() called')

    upstream_actions = [
        'ip_reputation',
        'file_reputation',
    ]
    if not phantom.actions_done(upstream_actions):
        return

    decision_3(container=container, handle=handle)
def join_filter_2(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for "filter_2", waiting on four file-reputation actions.

    Dispatches filter_2() only when phantom.actions_done() reports that the
    SHA1, MD5, SHA256 and SHA512 reputation actions have all finished
    (succeeded or failed). Only ``container`` and ``handle`` are forwarded; the
    other parameters are accepted but unused in this function.
    """
    # NOTE(review): this page holds more than one join_filter_2 with different
    # action lists; if they share a module, the last definition wins.
    phantom.debug('join_filter_2() called')

    hash_lookups = [
        'file_reputation_SHA1',
        'file_reputation_MD5',
        'file_reputation_SHA256',
        'file_reputation_SHA512',
    ]
    if not phantom.actions_done(hash_lookups):
        return

    # A lookup that failed is also "done"; filter_2 must not read a missing
    # result as a clean verdict.
    filter_2(container=container, handle=handle)
def join_get_ticket_1(action=None, success=None, container=None, results=None,
                      handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "get_ticket_1" block.

    Dispatches get_ticket_1() once phantom.actions_done() reports that
    'create_ticket_1' has finished (succeeded or failed). Only ``container``
    and ``handle`` are forwarded; the other parameters are accepted but unused
    in this function.
    """
    phantom.debug('join_get_ticket_1() called')

    waiting_on = ['create_ticket_1']
    if not phantom.actions_done(waiting_on):
        return

    # ``success`` is not checked, so this also runs after a failed ticket
    # creation; get_ticket_1 presumably needs to cope with no ticket existing.
    get_ticket_1(container=container, handle=handle)
def join_filter_2(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for "filter_2", waiting on four response actions.

    Dispatches filter_2() only when phantom.actions_done() reports that
    'logoff_user_1', 'shutdown_system_1', 'disable_user_1' and 'block_hash_3'
    have all finished. Only ``container`` and ``handle`` are forwarded; the
    other parameters are accepted but unused in this function.
    """
    # NOTE(review): this page holds more than one join_filter_2 with different
    # action lists; if they share a module, the last definition wins.
    phantom.debug('join_filter_2() called')

    response_actions = [
        'logoff_user_1',
        'shutdown_system_1',
        'disable_user_1',
        'block_hash_3',
    ]
    if not phantom.actions_done(response_actions):
        return

    # "Done" includes failed actions and ``success`` is not inspected, so
    # reaching this point does not show that any of the four took effect;
    # filter_2 has to read each action's status.
    filter_2(container=container, handle=handle)
def join_send_email_safe(action=None, success=None, container=None, results=None,
                         handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "send_email_safe" block.

    Dispatches send_email_safe() only when phantom.actions_done() reports that
    'ip_reputation_1' and 'domain_reputation_2' have both finished. Only
    ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_send_email_safe() called')

    reputation_checks = [
        'ip_reputation_1',
        'domain_reputation_2',
    ]
    if not phantom.actions_done(reputation_checks):
        return

    # NOTE(review): "done" includes failed lookups and ``success`` is not
    # inspected here. Confirm send_email_safe (not shown) does not treat a
    # failed or empty reputation result as a clean verdict.
    send_email_safe(container=container, handle=handle)
def join_collect_data(action=None, success=None, container=None, results=None,
                      handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "collect_data" block.

    Dispatches collect_data() only when phantom.actions_done() reports that
    'execute_program_1' and 'find_case' have both finished (succeeded or
    failed). Only ``container`` and ``handle`` are forwarded; the other
    parameters are accepted but unused in this function.
    """
    phantom.debug('join_collect_data() called')

    upstream_actions = [
        'execute_program_1',
        'find_case',
    ]
    if not phantom.actions_done(upstream_actions):
        return

    collect_data(container=container, handle=handle)
def join_send_email_bad_domain(action=None, success=None, container=None, results=None,
                               handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "send_email_bad_domain" block.

    Dispatches send_email_bad_domain() only when phantom.actions_done()
    reports that 'run_query_2', 'whois_domain_1' and 'hunt_domain_1' have all
    finished (succeeded or failed). Only ``container`` and ``handle`` are
    forwarded; the other parameters are accepted but unused in this function.
    """
    phantom.debug('join_send_email_bad_domain() called')

    domain_enrichment = [
        'run_query_2',
        'whois_domain_1',
        'hunt_domain_1',
    ]
    if not phantom.actions_done(domain_enrichment):
        return

    # Failed enrichment still counts as done, so the e-mail block may see
    # partial results.
    send_email_bad_domain(container=container, handle=handle)
def join_isolate_ec2_instance_approval(action=None, success=None, container=None, results=None,
                                       handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "isolate_ec2_instance_approval" block.

    Dispatches isolate_ec2_instance_approval() only when
    phantom.actions_done() reports that 'create_ticket_1' and 'send_message_1'
    have both finished. Only ``container`` and ``handle`` are forwarded; the
    other parameters are accepted but unused in this function.
    """
    phantom.debug('join_isolate_ec2_instance_approval() called')

    notifications = [
        'create_ticket_1',
        'send_message_1',
    ]
    if not phantom.actions_done(notifications):
        return

    # "Done" includes failure and ``success`` is not inspected: the approval
    # step is reached even if the ticket or the message was never delivered.
    # NOTE(review): confirm that is acceptable for the audit trail of this
    # isolation workflow.
    isolate_ec2_instance_approval(container=container, handle=handle)
def join_deescalate_alert(action=None, success=None, container=None, results=None,
                          handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "deescalate_alert" block.

    Dispatches deescalate_alert() once phantom.actions_done() reports that
    'Add_to_test_machine_list' has finished. Only ``container`` and ``handle``
    are forwarded; the other parameters are accepted but unused in this
    function.
    """
    phantom.debug('join_deescalate_alert() called')

    waiting_on = ['Add_to_test_machine_list']
    if not phantom.actions_done(waiting_on):
        return

    # NOTE(review): a failed 'Add_to_test_machine_list' also counts as done
    # and ``success`` is not checked, so the alert can be de-escalated without
    # the list update having happened - confirm deescalate_alert verifies it.
    deescalate_alert(container=container, handle=handle)
def join_filter_2(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for "filter_2", waiting on file detonation and its report.

    Dispatches filter_2() only when phantom.actions_done() reports that
    'detonate_file_3' and 'get_report_1' have both finished (succeeded or
    failed). Only ``container`` and ``handle`` are forwarded; the other
    parameters are accepted but unused in this function.
    """
    # NOTE(review): this page holds more than one join_filter_2 with different
    # action lists; if they share a module, the last definition wins.
    phantom.debug('join_filter_2() called')

    sandbox_actions = ['detonate_file_3', 'get_report_1']
    if not phantom.actions_done(sandbox_actions):
        return

    # A failed detonation is also "done"; filter_2 must not read the absence
    # of a report as a benign result.
    filter_2(container=container, handle=handle)
def join_filter_4(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "filter_4" block.

    Dispatches filter_4() only when phantom.actions_done() reports that
    'ip_reputation_1' and 'geolocate_ip_1' have both finished (succeeded or
    failed). Only ``container`` and ``handle`` are forwarded; the other
    parameters are accepted but unused in this function.
    """
    phantom.debug('join_filter_4() called')

    ip_enrichment = ['ip_reputation_1', 'geolocate_ip_1']
    if not phantom.actions_done(ip_enrichment):
        return

    filter_4(container=container, handle=handle)
def join_format_ticket(action=None, success=None, container=None, results=None,
                       handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "format_ticket" block.

    Dispatches format_ticket() only when phantom.actions_done() reports that
    'list_connections_1' and 'get_system_info_1' have both finished (succeeded
    or failed). Only ``container`` and ``handle`` are forwarded; the other
    parameters are accepted but unused in this function.
    """
    phantom.debug('join_format_ticket() called')

    host_queries = ['list_connections_1', 'get_system_info_1']
    if not phantom.actions_done(host_queries):
        return

    format_ticket(container=container, handle=handle)
def join_format_prompt_question(action=None, success=None, container=None, results=None,
                                handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "format_prompt_question" block.

    Dispatches format_prompt_question() only when phantom.actions_done()
    reports that 'ip_intelligence_1' and 'domain_intelligence_1' have both
    finished (succeeded or failed). Only ``container`` and ``handle`` are
    forwarded; the other parameters are accepted but unused in this function.
    """
    phantom.debug('join_format_prompt_question() called')

    intel_lookups = ['ip_intelligence_1', 'domain_intelligence_1']
    if not phantom.actions_done(intel_lookups):
        return

    # Failed lookups count as done, so the prompt shown to the analyst may be
    # built from incomplete intelligence.
    format_prompt_question(container=container, handle=handle)
def join_Filter_Banned_Countries(action=None, success=None, container=None, results=None,
                                 handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "Filter_Banned_Countries" block.

    Dispatches Filter_Banned_Countries() only when phantom.actions_done()
    reports that 'file_reputation_1', 'geolocate_ip_1' and
    'domain_reputation_2' have all finished. Only ``container`` and ``handle``
    are forwarded; the other parameters are accepted but unused in this
    function.
    """
    phantom.debug('join_Filter_Banned_Countries() called')

    enrichment_actions = [
        'file_reputation_1',
        'geolocate_ip_1',
        'domain_reputation_2',
    ]
    if not phantom.actions_done(enrichment_actions):
        return

    # "Done" includes failure: if 'geolocate_ip_1' failed there is no country
    # to test, and the filter must not let that pass as "not banned".
    Filter_Banned_Countries(container=container, handle=handle)
def join_Initial_filtering(action=None, success=None, container=None, results=None,
                           handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "Initial_filtering" block.

    Dispatches Initial_filtering() only when phantom.actions_done() reports
    that 'file_reputation_6', 'lookup_domain_1' and 'url_reputation_1' have all
    finished (succeeded or failed). Only ``container`` and ``handle`` are
    forwarded; the other parameters are accepted but unused in this function.
    """
    phantom.debug('join_Initial_filtering() called')

    enrichment_actions = [
        'file_reputation_6',
        'lookup_domain_1',
        'url_reputation_1',
    ]
    if not phantom.actions_done(enrichment_actions):
        return

    Initial_filtering(container=container, handle=handle)
def join_format_5(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "format_5" block.

    Dispatches format_5() only when phantom.actions_done() reports that
    'ssh_raw_user_plist', 'ssh_parse_user_plist' and 'nmap_scan_5900' have all
    finished (succeeded or failed). Only ``container`` and ``handle`` are
    forwarded; the other parameters are accepted but unused in this function.
    """
    phantom.debug('join_format_5() called')

    collection_actions = [
        'ssh_raw_user_plist',
        'ssh_parse_user_plist',
        'nmap_scan_5900',
    ]
    if not phantom.actions_done(collection_actions):
        return

    format_5(container=container, handle=handle)
def join_format_results(action=None, success=None, container=None, results=None,
                        handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "format_results" block.

    Dispatches format_results() only when phantom.actions_done() reports that
    the certificate lookup, the IP reputation and both domain reputation
    actions have finished (succeeded or failed). Only ``container`` and
    ``handle`` are forwarded; the other parameters are accepted but unused in
    this function.
    """
    phantom.debug('join_format_results() called')

    enrichment_actions = [
        'lookup_certificate_1',
        'ip_reputation_2',
        'domain_reputation_1',
        'domain_reputation_2',
    ]
    if not phantom.actions_done(enrichment_actions):
        return

    format_results(container=container, handle=handle)
def join_format_analyst_message(action=None, success=None, container=None, results=None,
                                handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "format_analyst_message" block.

    Dispatches format_analyst_message() only when phantom.actions_done()
    reports that 'run_dns_search', 'run_web_search', 'url_reputation' and
    'ip_reputation' have all finished (succeeded or failed). Only
    ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_format_analyst_message() called')

    investigation_actions = [
        'run_dns_search',
        'run_web_search',
        'url_reputation',
        'ip_reputation',
    ]
    if not phantom.actions_done(investigation_actions):
        return

    # Failed searches count as done; the message block should distinguish
    # "no hits" from "search did not run".
    format_analyst_message(container=container, handle=handle)
def join_set_status_2(action=None, success=None, container=None, results=None,
                      handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "set_status_2" block.

    Dispatches set_status_2() only when phantom.actions_done() reports that
    'endpoint_infection_ticket_approval', 'add_list_item' and
    'create_reinfected_ticket' have all finished. Only ``container`` and
    ``handle`` are forwarded; the other parameters are accepted but unused in
    this function.
    """
    phantom.debug('join_set_status_2() called')

    upstream_actions = [
        'endpoint_infection_ticket_approval',
        'add_list_item',
        'create_reinfected_ticket',
    ]
    if not phantom.actions_done(upstream_actions):
        return

    # NOTE(review): "done" includes failure and ``success`` is not inspected,
    # so the status change is reached even if ticketing or the approval step
    # failed - confirm set_status_2 accounts for that.
    set_status_2(container=container, handle=handle)
def join_account_lockout_endpoint_shutdown(action=None, success=None, container=None, results=None,
                                           handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "account_lockout_endpoint_shutdown" block.

    Dispatches account_lockout_endpoint_shutdown() only when
    phantom.actions_done() reports that the process, logged-on-user,
    connection and session listing actions have all finished. Only
    ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_account_lockout_endpoint_shutdown() called')

    evidence_collection = [
        'list_processes_1',
        'list_logged_on_users',
        'list_connections_1',
        'list_sessions_1',
    ]
    if not phantom.actions_done(evidence_collection):
        return

    # "Done" includes failure and ``success`` is not inspected: the downstream
    # block is reached even if some of the host listings above were never
    # captured.
    # NOTE(review): confirm that ordering is intended when those listings are
    # wanted as evidence.
    account_lockout_endpoint_shutdown(container=container, handle=handle)
def join_format_short_description(action=None, success=None, container=None, results=None,
                                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "format_short_description" block.

    Dispatches format_short_description() only when phantom.actions_done()
    reports that all six listed actions have finished (succeeded or failed).
    Only ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_format_short_description() called')

    upstream_actions = [
        'quarantine_device_2',
        'get_system_info_1',
        'get_file_1',
        'get_user_attributes_1',
        'file_reputation_1',
        'block_hash_1',
    ]
    if not phantom.actions_done(upstream_actions):
        return

    # The list mixes response actions (quarantine, block hash) with lookups;
    # since failures also count as done, the description should report each
    # action's real status rather than assume the response steps succeeded.
    format_short_description(container=container, handle=handle)
def join_set_status_6(action=None, success=None, container=None, results=None,
                      handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "set_status_6" block.

    Dispatches set_status_6() only when phantom.actions_done() reports that
    'geolocate_ip_1', 'domain_reputation_1', 'file_reputation' and 'Notify_IT'
    have all finished. Only ``container`` and ``handle`` are forwarded; the
    other parameters are accepted but unused in this function.
    """
    phantom.debug('join_set_status_6() called')

    upstream_actions = [
        'geolocate_ip_1',
        'domain_reputation_1',
        'file_reputation',
        'Notify_IT',
    ]
    if not phantom.actions_done(upstream_actions):
        return

    # NOTE(review): a failed 'Notify_IT' also counts as done and ``success``
    # is not checked, so the status can change without the notification
    # having been delivered - confirm set_status_6 handles that.
    set_status_6(container=container, handle=handle)
def join_summarize_results(action=None, success=None, container=None, results=None,
                           handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "summarize_results" block.

    Dispatches summarize_results() only when phantom.actions_done() reports
    that all seven listed whois actions have finished (succeeded or failed).
    Only ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_summarize_results() called')

    whois_actions = [
        'whois_ip_dst',
        'whois_ip_src',
        'whois_sourceAddress',
        'whois_destAddress',
        'whois_source_ip',
        'whois_dest_ip',
        'whois_url_ip',
    ]
    if not phantom.actions_done(whois_actions):
        return

    summarize_results(container=container, handle=handle)
def join_synthesize_enrichment(action=None, success=None, container=None, results=None,
                               handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "synthesize_enrichment" block.

    Dispatches synthesize_enrichment() only when phantom.actions_done()
    reports that all seven listed URL, file, domain and IP enrichment actions
    have finished (succeeded or failed). Only ``container`` and ``handle`` are
    forwarded; the other parameters are accepted but unused in this function.
    """
    phantom.debug('join_synthesize_enrichment() called')

    enrichment_actions = [
        'lookup_url_1',
        'virustotal_file_reputation',
        'reversinglabs_file_rep',
        'google_url_reputation',
        'domain_reputation_1',
        'ip_reputation',
        'deepsight_url_reputation',
    ]
    if not phantom.actions_done(enrichment_actions):
        return

    # With seven sources, some failing is plausible; because failures count
    # as done, the synthesis step should record which sources returned data.
    synthesize_enrichment(container=container, handle=handle)
def join_add_comment_2(action=None, success=None, container=None, results=None,
                       handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "add_comment_2" block.

    Dispatches add_comment_2() only when phantom.actions_done() reports that
    all six listed query actions have finished (succeeded or failed). Only
    ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_add_comment_2() called')

    query_actions = [
        'query_endpoint_risk_mod',
        'query_notable_info',
        'query_user_identity_info',
        'query_user_risk_mod',
        'query_endpoint_rights',
        'query_user_rights',
    ]
    if not phantom.actions_done(query_actions):
        return

    add_comment_2(container=container, handle=handle)
def join_Send_email_if_related_entities_are_found(action=None, success=None, container=None, results=None,
                                                  handle=None, filtered_artifacts=None, filtered_results=None):
    """Join gate for the "Send_email_if_related_entities_are_found" block.

    Dispatches Send_email_if_related_entities_are_found() only when
    phantom.actions_done() reports that the four Splunk searches (IPs,
    domains, files, vulns) have all finished. Only ``container`` and
    ``handle`` are forwarded; the other parameters are accepted but unused in
    this function.
    """
    phantom.debug('join_Send_email_if_related_entities_are_found() called')

    splunk_searches = [
        'search_splunk_for_ips',
        'search_splunk_for_domains',
        'search_splunk_for_files',
        'search_splunk_for_vulns',
    ]
    if not phantom.actions_done(splunk_searches):
        return

    # A failed search is also "done" and returns no rows; the downstream
    # block should not read a failed search as "no related entities found".
    Send_email_if_related_entities_are_found(container=container, handle=handle)
def join_prompt_1(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None):
    """One-shot join gate for the "prompt_1" block.

    Dispatches prompt_1() once phantom.actions_done() reports that
    'domain_reputation_2' and 'domain_reputation_1' have both finished
    (succeeded or failed), and records that in run data so later invocations
    return early instead of prompting again.

    Only ``container`` and ``handle`` are forwarded; the other parameters are
    accepted but unused in this function.
    """
    phantom.debug('join_prompt_1() called')

    # Re-entry guard: a previous invocation already dispatched the prompt.
    if phantom.get_run_data(key='join_prompt_1_called'):
        return

    reputation_checks = ['domain_reputation_2', 'domain_reputation_1']
    if not phantom.actions_done(reputation_checks):
        return

    # Set the flag before dispatching so a later callback sees it.
    # NOTE(review): the check above and this save are two separate calls;
    # whether two callbacks can interleave between them depends on how the
    # platform schedules callbacks - confirm.
    phantom.save_run_data(key='join_prompt_1_called', value='prompt_1')
    prompt_1(container=container, handle=handle)