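def on_finish(email, summary):
    """Finalize a detonation run and email a report to the configured recipients.

    `email` is the container dict handed over by the platform (the playbook
    appears to ingest email containers, hence the name); `summary` is the
    platform-supplied run summary.  Recipients and the SMTP asset were stashed
    in on_start under a key derived from `current_rule_run_id`, as were the
    per-run collected results; both are read back and cleared here.

    Returns None.  The report is delivered through `phantom.act('send email', ...)`
    with `send_email_cb` (defined elsewhere in the playbook) as the callback.
    """
    run_id = str(email['current_rule_run_id'])
    setupkey = 'setup_data' + run_id
    collectkey = 'collect_data' + run_id
    email_to, email_from, smtp_asset = phantom.get_data(setupkey, clear_data=True)
    container_url = phantom.get_base_url() + 'container/' + str(email['id'])

    # get_summary() tells us whether on_start actually acted on anything.
    getsummary = phantom.get_summary()
    #phantom.debug('Get summary: {}'.format(getsummary))

    if len(getsummary['result']) > 0:
        # At least one item was processed in on_start: assemble the report.
        collected_results, collected_vault_items, container_owner = phantom.get_data(collectkey, clear_data=True)

        # Attach the vault item info to every app run that detonated that item.
        # `.items()` instead of the Python-2-only `.iteritems()` so the loop works
        # on both interpreter versions; values are only annotated, never added or
        # removed, so mutating during iteration is safe here.
        for vaultid in collected_vault_items.keys():
            vaultinfo = phantom.get_vault_item_info(vaultid)
            for app_run_id, datavalues in collected_results.items():
                #phantom.debug('iterate collected results: \napprunid: {}\n\ndatavals: {}'.format(app_run_id, datavalues))
                if datavalues['detonate_summary']['target'] == vaultid:
                    collected_results[app_run_id]['vault_info'] = vaultinfo

        # Two actions in the summary are not detonations (per the original
        # author's note), so they are subtracted before comparing counts.
        expected_detonations = len(getsummary['result']) - 2
        if len(collected_results) < expected_detonations:
            collected_results['message'] = "Unexpected: Collected Results: {} is less than actions run: {}".format(len(collected_results), expected_detonations)

        # Send the summary email.
        email_subject = "Results: Ingest file detonatation"
        email_body = '\nPhantom Container ID: {} - Owner: {}\nURL: {}\nReturned results by app_run_id:\n{}'.format(email['id'], container_owner, container_url, pprint.pformat(collected_results, indent=4))
        phantom.act('send email', parameters=[{
            "from": email_from,
            "to": email_to,
            "subject": email_subject,
            "body": email_body
        }], assets=[smtp_asset], callback=send_email_cb)
        phantom.debug("Summary: " + pprint.pformat(summary, indent=4))
    else:
        # Nothing was acted on: send an abort notice instead of a report.
        phantom.debug('No artifacts, sending abort email.')
        email_subject = "Results: No artifacts to run, aborting"
        email_body = '\nPhantom Container ID: {}\nURL: {} \nSummary:\n{}'.format(email['id'], container_url, summary)
        phantom.act('send email', parameters=[{
            "from": email_from,
            "to": email_to,
            "subject": email_subject,
            "body": email_body
        }], assets=[smtp_asset], callback=send_email_cb)
    return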
def on_finish(container, summary):
    """Run after every action has completed.

    Walks the entries of phantom.get_summary()['result'] and fetches the
    action results for each one.  The fetched results are not used — this is
    the platform template's placeholder for post-run collection.

    Returns None.
    """
    summary_entries = phantom.get_summary()['result']
    for entry in summary_entries:
        # Results are retrieved but discarded; keep the call so the template's
        # side effects (if any) are unchanged.
        action_results = phantom.get_action_results(action_run_id=entry['id'])
    return
def on_finish(container, summary):
    """Post-run hook: called once all playbook actions have finished.

    Iterates the summary entries returned by phantom.get_summary() and looks
    up the action results for each entry's id.  Nothing is done with the
    results; the body is the stock template left as-is.

    Returns None.
    """
    run_summary = phantom.get_summary()
    for entry in run_summary['result']:
        run_id = entry['id']
        # Fetched and discarded — placeholder for collecting action output.
        action_results = phantom.get_action_results(action_run_id=run_id)
    return
def on_finish(container, summary):
    """Post-run hook that logs the results of every action in the summary.

    For each entry under phantom.get_summary()['result'] that carries an
    'action_run_id', the action results are fetched (without result data and
    unflattened) and written to the debug log.

    Returns None.
    """
    phantom.debug('on_finish() called')
    # All actions are complete at this point; the summary and/or full action
    # details can be gathered here.
    summary_json = phantom.get_summary()
    if 'result' not in summary_json:
        return
    for action_result in summary_json['result']:
        if 'action_run_id' not in action_result:
            continue
        action_results = phantom.get_action_results(
            action_run_id=action_result['action_run_id'],
            result_data=False,
            flatten=False)
        phantom.debug(action_results)
    return
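def format_custom_note(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Build a markdown summary note from phantom.get_summary() and hand off to summary_note().

    One "#### Action" heading is emitted per summary entry, followed by a
    bullet per app run listing its parameters (minus 'context') and summary.
    The finished text is stored under the run-data key
    "format_custom_note:output" as a JSON string, then summary_note() is
    called with the container.

    All parameters are the standard playbook custom-function signature; only
    `container` is used.  Returns None.
    """
    phantom.debug("format_custom_note() called")

    ################################################################################
    # Format a dynamic summary note from playbook.get_summary()
    ################################################################################

    format_custom_note__output = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Collect fragments and join once instead of repeated string concatenation.
    fragments = []
    playbook_summary = phantom.get_summary()
    # .get() covers both a missing 'result' key and an empty/None result list,
    # exactly as the original `'result' in keys() and result` test did.
    for result_item in playbook_summary.get('result') or []:
        # NOTE(review): name/message/parameter values are interpolated verbatim
        # into the markdown note; they come from app results, not from this
        # playbook's own code.
        fragments.append(f"#### Action - {result_item['name']}: {result_item['message']}\n")
        # Generate app run summary for each action.
        for app_run_item in result_item.get('app_runs') or []:
            fragments.append(f"- app_run_id: {app_run_item['app_run_id']}\n")
            # 'context' is platform bookkeeping, not a user-facing parameter.
            for k, v in app_run_item['parameter'].items():
                if k != 'context':
                    fragments.append(f" - {k}: {v}\n")
            fragments.append(f"- summary: {app_run_item['summary']}\n")
        fragments.append("\n")
    format_custom_note__output = "".join(fragments)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key="format_custom_note:output", value=json.dumps(format_custom_note__output))

    summary_note(container=container)

    return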
def on_finish(container, summary):
    """Post-run hook: dump geolocation and reputation data, then log every action result.

    Collects latitude/longitude pairs from geolocate_ip_1 and detected URLs from
    ip_reputation_1 via phantom.collect2(), logs them, and then writes the
    results of every action in phantom.get_summary() to the debug log.

    Returns None.
    """
    phantom.debug('on_finish() called')
    # All actions are complete here; summary and action details can be gathered.
    lat_long = phantom.collect2(
        container=container,
        datapath=['geolocate_ip_1:action_result.data.*.latitude',
                  'geolocate_ip_1:action_result.data.*.longitude'])
    malicious_urls = phantom.collect2(
        container=container,
        datapath=['ip_reputation_1:action_result.data.*.detected_urls.*.url'])

    # Section headers are emitted at error level (as in the original) so they
    # stand out in the log; the data itself goes to debug.
    phantom.error("=== LAT/LONG ===")
    phantom.debug(lat_long)
    phantom.error("=== MALICIOUS URLS ===")
    for url_row in malicious_urls:
        phantom.debug(url_row)

    summary_json = phantom.get_summary()
    if 'result' not in summary_json:
        return
    for action_result in summary_json['result']:
        if 'action_run_id' not in action_result:
            continue
        action_results = phantom.get_action_results(
            action_run_id=action_result['action_run_id'],
            result_data=False,
            flatten=False)
        phantom.debug(action_results)
    return