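def get_affected_ad_users(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch AD attributes for every username produced by the 'convert_to_list__as_list' format block.

    One "get user attributes" request is issued per username to the app named
    'LDAP'; results are routed to ``get_active_ad_users``. None of the standard
    playbook-block arguments are read by this block.

    Fix: the original iterated the format-block output unconditionally, so a
    ``None`` result (the case other blocks in this file explicitly check for)
    raised ``TypeError``. A missing result is now treated as "no users".
    """
    phantom.debug('get_affected_ad_users() called')

    usernames = phantom.get_format_data(name='convert_to_list__as_list')

    # Guard against a missing format result; assumes the block yields an
    # iterable of usernames (a bare string would be iterated per character) - TODO confirm.
    parameters = [
        {
            'username': username,
            'fields': "sAMAccountName,pwdLastSet,userAccountControl,mail",
            'attribute': "mail",
        }
        for username in (usernames or [])
    ]

    phantom.act("get user attributes", parameters=parameters, app={"name": 'LDAP'}, callback=get_active_ad_users, name="get_affected_ad_users")
    return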
def Search_OT_Asset(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'Format_Asset_Lookup' query against the 'splunk es - ot sec' asset.

    Results are handed to ``Format_Audit_Endpoint_Process``. None of the
    standard playbook-block arguments are read by this block.
    """
    phantom.debug('Search_OT_Asset() called')

    query_text = phantom.get_format_data(name='Format_Asset_Lookup')

    # A single parameter set; the optional query fields are sent empty.
    query_params = {
        'query': query_text,
        'command': "",
        'display': "",
        'parse_only': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['splunk es - ot sec'],
        callback=Format_Audit_Endpoint_Process,
        name="Search_OT_Asset",
    )
    return
def check_priv_auth_activity(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'format_priv_auth_search' query against the 'splunk es - ot sec' asset.

    Results are handed to ``filter_1``. None of the standard playbook-block
    arguments are read by this block.
    """
    phantom.debug('check_priv_auth_activity() called')

    search_text = phantom.get_format_data(name='format_priv_auth_search')

    # Optional query fields are deliberately left empty.
    query_params = {
        'query': search_text,
        'command': "",
        'display': "",
        'parse_only': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['splunk es - ot sec'],
        callback=filter_1,
        name="check_priv_auth_activity",
    )
    return
def run_query_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'Query_String' query against the 'essplunk100' asset.

    Results are handed to ``Container_Comment_String``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('run_query_1() called')

    query_text = phantom.get_format_data(name='Query_String')

    # Only the query itself is supplied; 'display' is left empty.
    query_params = {
        'query': query_text,
        'display': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['essplunk100'],
        callback=Container_Comment_String,
        name="run_query_1",
    )
    return
def send_email_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Send the 'format_1' format output as an email body through the 'smtp' asset.

    The recipient address and subject are hard-coded (the address is redacted
    in this copy). No callback is registered and none of the standard
    playbook-block arguments are read.
    """
    phantom.debug('send_email_1() called')

    body_text = phantom.get_format_data(name='format_1')

    # Fixed recipient; all other envelope fields are sent empty.
    mail_params = {
        'body': body_text,
        'from': "",
        'attachments': "",
        'to': "*****@*****.**",
        'cc': "",
        'bcc': "",
        'headers': "",
        'subject': "Test Container Note",
    }

    phantom.act("send email", parameters=[mail_params], assets=['smtp'], name="send_email_1")
    return
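def Summery_save_object(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Persist the 'Summery_File_reputation' format output as a container-scoped saved object.

    The object is keyed by the running playbook's name (first entry of
    ``phantom.get_playbook_info()``) and stored with ``auto_delete=True``.
    Only ``container`` is read from the standard playbook-block arguments.

    Fix: the generated prologue read the container id into ``id_value`` and the
    custom section then re-read ``container['id']`` into a second, unused-elsewhere
    local; the single lookup is reused, so a container without an ``id`` no longer
    raises ``KeyError`` on the duplicate access.
    """
    phantom.debug('Summery_save_object() called')

    container_id = container.get('id', None)
    feedback = phantom.get_format_data(name='Summery_File_reputation')

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Key on the playbook name so each playbook keeps its own saved entry.
    pb_info = phantom.get_playbook_info()
    playbook_name = pb_info[0].get('name', None)

    phantom.save_object(key=playbook_name, value={'feedback': feedback}, auto_delete=True, container_id=container_id)

    ################################################################################
    ## Custom Code End
    ################################################################################
    return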
def run_query_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'format_1' query as a Splunk ``savedsearch`` against the 'esa100' asset.

    Results are handed to ``format_2``. None of the standard playbook-block
    arguments are read by this block.
    """
    phantom.debug('run_query_1() called')

    saved_search = phantom.get_format_data(name='format_1')

    # 'command' selects savedsearch; the remaining optional fields are empty.
    query_params = {
        'command': "savedsearch",
        'query': saved_search,
        'display': "",
        'parse_only': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['esa100'],
        callback=format_2,
        name="run_query_1",
    )
    return
def query_user_rights(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'user_rights_mod' query against the 'splunk' asset.

    Results are handed to ``join_add_comment_2``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('query_user_rights() called')

    query_text = phantom.get_format_data(name='user_rights_mod')

    query_params = {
        'query': query_text,
        'display': "",
    }

    phantom.act(
        "run query",
        parameters=[query_params],
        assets=['splunk'],
        callback=join_add_comment_2,
        name="query_user_rights",
    )
    return
def send_message_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Post the 'format_1' format output to the '#personal-monitor' channel via the 'slack' asset.

    Completion is routed to ``execute_program_2``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('send_message_2() called')

    message_text = phantom.get_format_data(name='format_1')

    # Destination channel is fixed for this block.
    message_params = {
        'destination': "#personal-monitor",
        'message': message_text,
    }

    phantom.act(
        "send message",
        parameters=[message_params],
        assets=['slack'],
        callback=execute_program_2,
        name="send_message_2",
    )
    return
def query_user_identity_info(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_user_identity_info' query against the 'splunk' asset.

    Results are handed to ``join_add_comment_2``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('query_user_identity_info() called')

    identity_query = phantom.get_format_data(name='format_user_identity_info')

    query_params = {
        'query': identity_query,
        'display': "",
    }

    phantom.act(
        "run query",
        parameters=[query_params],
        assets=['splunk'],
        callback=join_add_comment_2,
        name="query_user_identity_info",
    )
    return
def query_endpoint_auth_logs(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_endpoint_auth_logs' query against the 'splunk' asset.

    Results are handed to ``query_endpoint_auth_logs_callback``. None of the
    standard playbook-block arguments are read by this block.
    """
    phantom.debug('query_endpoint_auth_logs() called')

    auth_log_query = phantom.get_format_data(name='format_endpoint_auth_logs')

    query_params = {
        'query': auth_log_query,
        'display': "",
    }

    phantom.act(
        "run query",
        parameters=[query_params],
        assets=['splunk'],
        callback=query_endpoint_auth_logs_callback,
        name="query_endpoint_auth_logs",
    )
    return
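def fetch_es_assets(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run one 'run query' per entry of the 'es_assets__as_list' format block against the 'splunk' asset.

    Every query is issued with ``command`` set to ``"| inputlookup"``. No callback
    is registered and none of the standard playbook-block arguments are read.

    Fix: the generated prologue appended a single parameter set behind an
    ``is not None`` guard, and the custom section then discarded it with
    ``parameters = []`` and iterated the format output *without* that guard -
    so the only effective path raised ``TypeError`` on a ``None`` result. The
    dead prologue is dropped and the guard moved onto the loop actually used.
    """
    phantom.debug("fetch_es_assets() called")

    es_assets__as_list = phantom.get_format_data(name="es_assets__as_list")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    phantom.debug(es_assets__as_list)

    # One query per formatted item; a missing format result yields no queries.
    # Assumes the block yields a list of query strings (a bare string would be
    # iterated per character) - TODO confirm against the format block.
    parameters = [
        {
            "query": formatted_item,
            "command": "| inputlookup",
        }
        for formatted_item in (es_assets__as_list or [])
    ]

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("run query", parameters=parameters, name="fetch_es_assets", assets=["splunk"])
    return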
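def run_get_children_of_java(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run one 'run query' per entry of the 'get_children_of_java__as_list' format block against the 'splunk' asset.

    Every query is issued with ``command`` set to ``"| tstats"`` (the value the
    custom section used; the discarded generated prologue had ``"tstats"``). No
    callback is registered and none of the standard playbook-block arguments are read.

    Fix: the generated prologue's single guarded parameter set was thrown away by
    ``parameters = []`` in the custom section, whose loop then iterated the format
    output with no ``None`` check and would raise ``TypeError``. The dead prologue
    is dropped and the guard moved onto the loop actually used.
    """
    phantom.debug("run_get_children_of_java() called")

    get_children_of_java__as_list = phantom.get_format_data(name="get_children_of_java__as_list")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    phantom.debug(get_children_of_java__as_list)

    # One query per formatted item; a missing format result yields no queries.
    # Assumes the block yields a list of query strings - TODO confirm.
    parameters = [
        {
            "query": formatted_item,
            "command": "| tstats",
        }
        for formatted_item in (get_children_of_java__as_list or [])
    ]

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("run query", parameters=parameters, name="run_get_children_of_java", assets=["splunk"])
    return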
def add_work_note_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Add the 'format_16' format output as a work note to each ServiceNow incident returned by ``get_data_5``.

    Record ids and the originating artifact ids are pulled from the
    ``get_data_5`` action results via ``phantom.collect2``; rows with an empty
    id are skipped. Completion is routed to ``restart_Service``. Reads
    ``container`` and ``results`` from the standard arguments.
    """
    phantom.debug('add_work_note_2() called')

    note_rows = phantom.collect2(
        container=container,
        datapath=[
            'get_data_5:action_result.data.*.response_body.data.*.data',
            'get_data_5:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    note_text = phantom.get_format_data(name='format_16')

    # One work note per non-empty record id; index 0 is the id, index 1 the artifact id.
    parameters = [
        {
            'id': row[0],
            'is_sys_id': "",
            'work_note': note_text,
            'table_name': "incident",
            # context (artifact id) is added to associate results with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in note_rows
        if row[0]
    ]

    phantom.act(
        action="add work note",
        parameters=parameters,
        assets=['servicenow'],
        callback=restart_Service,
        name="add_work_note_2",
    )
    return
def update_maintenance_window_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Update the ITSI maintenance window named by the 'format_1' format output.

    Only ``relative_end_time`` (60) and a fixed comment are set; every other
    field is sent empty. Completion is routed to ``add_episode_comment_1``.
    None of the standard playbook-block arguments are read.
    """
    phantom.debug('update_maintenance_window_1() called')

    window_id = phantom.get_format_data(name='format_1')

    # Ends the window 60 seconds from now; the comment records that intent.
    window_params = {
        'maintenance_window_id': window_id,
        'title': "",
        'relative_start_time': "",
        'relative_end_time': 60,
        'start_time': "",
        'end_time': "",
        'object_type': "",
        'object_ids': "",
        'comment': "Phantom: end maintenance window in 60 seconds",
    }

    phantom.act(
        action="update maintenance window",
        parameters=[window_params],
        assets=['splunk itsi'],
        callback=add_episode_comment_1,
        name="update_maintenance_window_1",
    )
    return
def create_ticket_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Create a ServiceNow ticket whose description is the 'format_4' format output.

    The short description is fixed to "Lost/Stolen Mobile Device"; table,
    vault id and extra fields are sent empty. Completion is routed to
    ``join_set_status_1``. None of the standard playbook-block arguments are read.
    """
    phantom.debug('create_ticket_2() called')

    description_text = phantom.get_format_data(name='format_4')

    ticket_params = {
        'short_description': "Lost/Stolen Mobile Device",
        'table': "",
        'vault_id': "",
        'description': description_text,
        'fields': "",
    }

    phantom.act(
        "create ticket",
        parameters=[ticket_params],
        assets=['servicenow'],
        callback=join_set_status_1,
        name="create_ticket_2",
    )
    return
def task_close(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Mark the "Render Verdict" workbook task complete and attach the 'format_task_close' output as a note.

    Delegates to the ``community/workbook_task_update`` custom function with
    the current container id. Reads ``container`` from the standard arguments.
    """
    phantom.debug("task_close() called")

    container_id = container.get("id", None)
    note_body = phantom.get_format_data(name="format_task_close")

    # Owner is left unset; only the status and note are changed.
    task_params = {
        "owner": None,
        "status": "complete",
        "container": container_id,
        "task_name": "Render Verdict",
        "note_title": "[Auto-Generated] Response Verdict Summary",
        "note_content": note_body,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.custom_function(
        custom_function="community/workbook_task_update",
        parameters=[task_params],
        name="task_close",
    )
    return
def update_event(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the 'es_format' format output as a comment on every notable selected by ``event_id_filter``.

    Event ids come from the ``event_id_filter:condition_1`` filtered artifacts
    (``cef.event_id``, scope "all"); rows whose id is ``None`` are skipped. The
    "update event" action runs against the 'splunk' asset with no callback.
    Reads ``container`` from the standard arguments.
    """
    phantom.debug("update_event() called")

    ################################################################################
    # Update all notables with a link back to the parent case.
    ################################################################################

    event_rows = phantom.collect2(
        container=container,
        datapath=["filtered-data:event_id_filter:condition_1:artifact:*.cef.event_id"],
        scope="all",
    )
    comment_text = phantom.get_format_data(name="es_format")

    # One update per notable that actually carries an event id.
    parameters = [
        {
            "comment": comment_text,
            "event_ids": row[0],
        }
        for row in event_rows
        if row[0] is not None
    ]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("update event", parameters=parameters, name="update_event", assets=["splunk"])
    return
def Check_Login_Failures_Successes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'Format_Login_Failures_Successes' query against the 'splunk es - ot sec' asset.

    Results are handed to ``Filter_Login_Result``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('Check_Login_Failures_Successes() called')

    login_query = phantom.get_format_data(name='Format_Login_Failures_Successes')

    # Optional query fields are deliberately left empty.
    query_params = {
        'query': login_query,
        'command': "",
        'display': "",
        'parse_only': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['splunk es - ot sec'],
        callback=Filter_Login_Result,
        name="Check_Login_Failures_Successes",
    )
    return
def workbook_task_update_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Attach the 'merge_individual_format' output as a note on the "Investigate" workbook task.

    Delegates to the ``community/workbook_task_update`` custom function; owner
    and status are left unset so only the note is added. Reads ``container``
    from the standard arguments.
    """
    phantom.debug("workbook_task_update_4() called")

    container_id = container.get("id", None)
    note_body = phantom.get_format_data(name="merge_individual_format")

    task_params = {
        "owner": None,
        "status": None,
        "container": container_id,
        "task_name": "Investigate",
        "note_title": "[Auto-Generated] Related Events Merged",
        "note_content": note_body,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.custom_function(
        custom_function="community/workbook_task_update",
        parameters=[task_params],
        name="workbook_task_update_4",
    )
    return
def run_query_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_proxy_query' query against the 'splunk_es' asset.

    The display field requests ``client_ip, policy_action, MD5, User``.
    Results are handed to ``get_user_attributes_1``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('run_query_2() called')

    proxy_query = phantom.get_format_data(name='format_proxy_query')

    query_params = {
        'query': proxy_query,
        'display': "client_ip, policy_action, MD5, User",
    }

    phantom.act(
        "run query",
        parameters=[query_params],
        assets=['splunk_es'],
        callback=get_user_attributes_1,
        name="run_query_2",
    )
    return
def create_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Create a ServiceNow ticket whose description is the 'format_ticket' format output.

    The short description is fixed to "Forced updates for wannacry prevention";
    table, vault id and extra fields are sent empty. Completion is routed to
    ``execute_win_update``. None of the standard playbook-block arguments are read.
    """
    phantom.debug('create_ticket_1() called')

    description_text = phantom.get_format_data(name='format_ticket')

    ticket_params = {
        'short_description': "Forced updates for wannacry prevention",
        'table': "",
        'vault_id': "",
        'description': description_text,
        'fields': "",
    }

    phantom.act(
        "create ticket",
        parameters=[ticket_params],
        assets=['servicenow'],
        callback=execute_win_update,
        name="create_ticket_1",
    )
    return
def fetch_risk_rules(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'format_splunk_query' query (command ``search``) against the 'es-rba' asset.

    Results are handed to ``cf_rba_master_parse_risk_results_1``. None of the
    standard playbook-block arguments are read by this block.
    """
    phantom.debug('fetch_risk_rules() called')

    risk_query = phantom.get_format_data(name='format_splunk_query')

    query_params = {
        'query': risk_query,
        'command': "search",
        'display': "",
        'parse_only': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['es-rba'],
        callback=cf_rba_master_parse_risk_results_1,
        name="fetch_risk_rules",
    )
    return
def get_service_data(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Issue an HTTP "get data" request to the URL produced by the 'check_service_HUD' format block.

    Runs against the 'http' asset and routes the response to ``decision_1``.
    None of the standard playbook-block arguments are read by this block.
    """
    phantom.debug('get_service_data() called')

    target_url = phantom.get_format_data(name='check_service_HUD')

    # NOTE(review): TLS certificate verification is disabled for this request,
    # so the response cannot be trusted to come from the intended host; confirm
    # the HUD endpoint is internal/pinned or switch this to True.
    request_params = {
        'headers': "",
        'location': target_url,
        'verify_certificate': False,
    }

    phantom.act(
        action="get data",
        parameters=[request_params],
        assets=['http'],
        callback=decision_1,
        name="get_service_data",
    )
    return
def build_ip_lookup(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_related_ip_lookup' query against the 'splunk' asset.

    Results are handed to ``search_splunk_for_ips``. None of the standard
    playbook-block arguments are read by this block.
    """
    phantom.debug('build_ip_lookup() called')

    lookup_query = phantom.get_format_data(name='format_related_ip_lookup')

    query_params = {
        'query': lookup_query,
        'display': "",
    }

    phantom.act(
        "run query",
        parameters=[query_params],
        assets=['splunk'],
        callback=search_splunk_for_ips,
        name="build_ip_lookup",
    )
    return
def get_entity_data(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Issue an HTTP "get data" request to the URL produced by the 'Check_entity_HUD' format block.

    Runs against the 'http' asset and routes the response to ``check_service_HUD``.
    None of the standard playbook-block arguments are read by this block.
    """
    phantom.debug('get_entity_data() called')

    target_url = phantom.get_format_data(name='Check_entity_HUD')

    # NOTE(review): TLS certificate verification is disabled here, so the
    # fetched entity data is not authenticated to the intended host; confirm
    # the endpoint is internal/pinned or switch this to True.
    request_params = {
        'headers': "",
        'location': target_url,
        'verify_certificate': False,
    }

    phantom.act(
        action="get data",
        parameters=[request_params],
        assets=['http'],
        callback=check_service_HUD,
        name="get_entity_data",
    )
    return
def Check_Audit_Endpoint_Process(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the 'Format_Audit_Endpoint_Process' query against the 'splunk es - ot sec' asset.

    Results are handed to ``filter_1``. None of the standard playbook-block
    arguments are read by this block.
    """
    phantom.debug('Check_Audit_Endpoint_Process() called')

    audit_query = phantom.get_format_data(name='Format_Audit_Endpoint_Process')

    # Optional query fields are deliberately left empty.
    query_params = {
        'query': audit_query,
        'command': "",
        'display': "",
        'parse_only': "",
    }

    phantom.act(
        action="run query",
        parameters=[query_params],
        assets=['splunk es - ot sec'],
        callback=filter_1,
        name="Check_Audit_Endpoint_Process",
    )
    return
def post_data_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Issue an HTTP "post data" request to the URL produced by the 'format_4' format block.

    Body, headers and the certificate-verification field are all sent as empty
    strings; no callback is registered. None of the standard playbook-block
    arguments are read by this block.
    """
    phantom.debug('post_data_1() called')

    target_url = phantom.get_format_data(name='format_4')

    # NOTE(review): 'verify_certificate' is passed as "" rather than a boolean;
    # how the http app interprets an empty value is not visible here - confirm
    # it does not silently disable TLS verification.
    request_params = {
        'location': target_url,
        'body': "",
        'headers': "",
        'verify_certificate': "",
    }

    phantom.act(
        action="post data",
        parameters=[request_params],
        assets=['http'],
        name="post_data_1",
    )
    return
def send_email_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Send the 'format_1' format output as a "New Case Created" email through the 'smtp' asset.

    Sender and recipient addresses are hard-coded (redacted in this copy);
    cc, bcc, attachments and headers are sent empty. No callback is registered
    and none of the standard playbook-block arguments are read.
    """
    phantom.debug('send_email_1() called')

    body_text = phantom.get_format_data(name='format_1')

    mail_params = {
        'from': "*****@*****.**",
        'to': "*****@*****.**",
        'cc': "",
        'bcc': "",
        'subject': "New Case Created",
        'body': body_text,
        'attachments': "",
        'headers': "",
    }

    phantom.act("send email", parameters=[mail_params], assets=['smtp'], name="send_email_1")
    return
def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Post the 'format_3' format output as a container comment, then invoke ``update_event_1``.

    Reads ``container`` from the standard arguments; the other arguments are
    unused by this block.
    """
    phantom.debug("add_comment_2() called")

    comment_text = phantom.get_format_data(name="format_3")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...

    ################################################################################
    ## Custom Code End
    ################################################################################

    # Comment first, then continue the flow on the same container.
    phantom.comment(container=container, comment=comment_text)
    update_event_1(container=container)
    return