예제 #1
def get_affected_ad_users(action=None,
                          success=None,
                          container=None,
                          results=None,
                          handle=None,
                          filtered_artifacts=None,
                          filtered_results=None):
    """Fetch LDAP attributes for every username in 'convert_to_list__as_list'.

    One 'get user attributes' parameter set is built per username, the app
    is selected by name ('LDAP') and the results go to ``get_active_ad_users``.
    """
    phantom.debug('get_affected_ad_users() called')

    # Usernames come from the preceding format block; it is iterated directly,
    # so a missing result (None) fails here rather than inside the action.
    usernames = phantom.get_format_data(name='convert_to_list__as_list')

    # Same attribute selection for every entry; only 'username' varies.
    lookups = [
        {
            'username': user,
            'fields': "sAMAccountName,pwdLastSet,userAccountControl,mail",
            'attribute': "mail",
        }
        for user in usernames
    ]

    phantom.act("get user attributes",
                app={"name": 'LDAP'},
                parameters=lookups,
                callback=get_active_ad_users,
                name="get_affected_ad_users")
def Search_OT_Asset(action=None, success=None, container=None, results=None,
                    handle=None, filtered_artifacts=None, filtered_results=None,
                    custom_function=None, **kwargs):
    """Run the 'Format_Asset_Lookup' query on the 'splunk es - ot sec' asset.

    The action result is handed to ``Format_Audit_Endpoint_Process``.
    """
    phantom.debug('Search_OT_Asset() called')

    asset_lookup = phantom.get_format_data(name='Format_Asset_Lookup')

    # Only 'query' carries data; the other search options are sent as empty strings.
    search_request = {
        'query': asset_lookup,
        'command': "",
        'display': "",
        'parse_only': "",
    }

    phantom.act(action="run query",
                name="Search_OT_Asset",
                assets=['splunk es - ot sec'],
                parameters=[search_request],
                callback=Format_Audit_Endpoint_Process)
def check_priv_auth_activity(action=None,
                             success=None,
                             container=None,
                             results=None,
                             handle=None,
                             filtered_artifacts=None,
                             filtered_results=None,
                             custom_function=None,
                             **kwargs):
    """Run the 'format_priv_auth_search' query on 'splunk es - ot sec'.

    The result is routed to ``filter_1`` for further branching.
    """
    phantom.debug('check_priv_auth_activity() called')

    priv_auth_search = phantom.get_format_data(name='format_priv_auth_search')

    # Single parameter set; optional search settings are passed empty.
    parameters = [{
        'query': priv_auth_search,
        'command': "",
        'display': "",
        'parse_only': "",
    }]

    phantom.act(action="run query",
                name="check_priv_auth_activity",
                parameters=parameters,
                assets=['splunk es - ot sec'],
                callback=filter_1)
예제 #4
def run_query_1(action=None, success=None, container=None, results=None,
                handle=None, filtered_artifacts=None, filtered_results=None,
                custom_function=None, **kwargs):
    """Run the 'Query_String' query on the 'essplunk100' asset.

    The action result is passed to ``Container_Comment_String``.
    """
    phantom.debug('run_query_1() called')

    query_string = phantom.get_format_data(name='Query_String')

    # 'display' is sent empty; only the query text is supplied.
    search_request = {
        'query': query_string,
        'display': "",
    }

    phantom.act(action="run query",
                parameters=[search_request],
                assets=['essplunk100'],
                callback=Container_Comment_String,
                name="run_query_1")
예제 #5
def send_email_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Send the 'format_1' text by e-mail through the 'smtp' asset.

    Subject is fixed to "Test Container Note"; no callback is registered.
    """
    phantom.debug('send_email_1() called')

    body_text = phantom.get_format_data(name='format_1')

    # Recipient address appears masked in this listing — confirm the configured value.
    # All other header fields are sent as empty strings.
    message = {
        'body': body_text,
        'from': "",
        'attachments': "",
        'to': "*****@*****.**",
        'cc': "",
        'bcc': "",
        'headers': "",
        'subject': "Test Container Note",
    }

    phantom.act("send email", assets=['smtp'], parameters=[message], name="send_email_1")
예제 #6
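def Summery_save_object(action=None,
                        success=None,
                        container=None,
                        results=None,
                        handle=None,
                        filtered_artifacts=None,
                        filtered_results=None,
                        custom_function=None,
                        **kwargs):
    """Save the 'Summery_File_reputation' text as a feedback object on this container.

    The object is keyed by the running playbook's name and stored with
    ``auto_delete=True`` against the current container id.

    Raises:
        KeyError: if ``container`` has no ``'id'`` entry.
    """
    phantom.debug('Summery_save_object() called')

    # The generated code looked the id up twice (once with .get, once by
    # indexing) and never used the first value; one strict lookup is kept so
    # a container without an id fails here instead of saving under None.
    container_id = container['id']
    feedback_text = phantom.get_format_data(name='Summery_File_reputation')

    ################################################################################
    ## Custom Code Start
    ################################################################################

    pb_info = phantom.get_playbook_info()
    # NOTE(review): assumes get_playbook_info() returns a non-empty list whose
    # first entry is this playbook — confirm; a missing 'name' would store the
    # object under key None.
    playbook_name = pb_info[0].get('name', None)
    phantom.save_object(key=playbook_name,
                        value={'feedback': feedback_text},
                        auto_delete=True,
                        container_id=container_id)
    ################################################################################
    ## Custom Code End
    ################################################################################

    return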
def run_query_1(action=None,
                success=None,
                container=None,
                results=None,
                handle=None,
                filtered_artifacts=None,
                filtered_results=None,
                custom_function=None,
                **kwargs):
    """Run the 'format_1' text as a 'savedsearch' command on the 'esa100' asset.

    The action result is handed to ``format_2``.
    """
    phantom.debug('run_query_1() called')

    saved_search = phantom.get_format_data(name='format_1')

    # 'command' selects savedsearch; 'display' and 'parse_only' are sent empty.
    parameters = [{
        'command': "savedsearch",
        'query': saved_search,
        'display': "",
        'parse_only': "",
    }]

    phantom.act(action="run query",
                name="run_query_1",
                assets=['esa100'],
                parameters=parameters,
                callback=format_2)
예제 #8
def query_user_rights(action=None, success=None, container=None, results=None,
                      handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'user_rights_mod' query on the 'splunk' asset.

    The action result is routed to ``join_add_comment_2``.
    """
    phantom.debug('query_user_rights() called')

    rights_query = phantom.get_format_data(name='user_rights_mod')

    search_request = {
        'query': rights_query,
        'display': "",   # no display fields requested
    }

    phantom.act("run query",
                name="query_user_rights",
                parameters=[search_request],
                assets=['splunk'],
                callback=join_add_comment_2)
예제 #9
def send_message_2(action=None,
                   success=None,
                   container=None,
                   results=None,
                   handle=None,
                   filtered_artifacts=None,
                   filtered_results=None):
    """Post the 'format_1' text to the "#personal-monitor" destination via 'slack'.

    The action result is passed to ``execute_program_2``.
    """
    phantom.debug('send_message_2() called')

    message_text = phantom.get_format_data(name='format_1')

    # Destination is fixed; only the message body comes from the format block.
    chat_message = {
        'destination': "#personal-monitor",
        'message': message_text,
    }

    phantom.act("send message",
                assets=['slack'],
                parameters=[chat_message],
                callback=execute_program_2,
                name="send_message_2")
예제 #10
def query_user_identity_info(action=None,
                             success=None,
                             container=None,
                             results=None,
                             handle=None,
                             filtered_artifacts=None,
                             filtered_results=None):
    """Run the 'format_user_identity_info' query on the 'splunk' asset.

    The action result is routed to ``join_add_comment_2``.
    """
    phantom.debug('query_user_identity_info() called')

    identity_query = phantom.get_format_data(name='format_user_identity_info')

    parameters = [{
        'query': identity_query,
        'display': "",
    }]

    phantom.act("run query",
                parameters=parameters,
                callback=join_add_comment_2,
                assets=['splunk'],
                name="query_user_identity_info")
예제 #11
def query_endpoint_auth_logs(action=None, success=None, container=None, results=None,
                             handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_endpoint_auth_logs' query on the 'splunk' asset.

    The action result is handed to ``query_endpoint_auth_logs_callback``.
    """
    phantom.debug('query_endpoint_auth_logs() called')

    auth_log_query = phantom.get_format_data(name='format_endpoint_auth_logs')

    # 'display' is left empty; only the query text is provided.
    search_request = {
        'query': auth_log_query,
        'display': "",
    }

    phantom.act("run query",
                name="query_endpoint_auth_logs",
                assets=['splunk'],
                parameters=[search_request],
                callback=query_endpoint_auth_logs_callback)
예제 #12
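def fetch_es_assets(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run one '| inputlookup' query per entry of 'es_assets__as_list' on the 'splunk' asset.

    The generated code guarded a single parameter set with an ``is not None``
    check, and the custom code then threw that list away and iterated the
    format result without the guard — a missing result raised ``TypeError``.
    The per-item build is kept and the ``None`` guard is restored, so a
    missing format result yields an empty parameter list instead of a crash.
    """
    phantom.debug("fetch_es_assets() called")

    es_assets__as_list = phantom.get_format_data(name="es_assets__as_list")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # The raw format result is echoed to the playbook debug log (kept from the original).
    phantom.debug(es_assets__as_list)

    parameters = []
    # NOTE(review): the name suggests a list of query strings; a plain string
    # here would be iterated character by character — confirm the format block.
    if es_assets__as_list is not None:
        parameters = [
            {
                "query": formatted_item,
                "command": "| inputlookup",
            }
            for formatted_item in es_assets__as_list
        ]

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("run query", parameters=parameters, name="fetch_es_assets", assets=["splunk"])

    return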
예제 #13
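def run_get_children_of_java(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run one '| tstats' query per entry of 'get_children_of_java__as_list' on 'splunk'.

    The generated parameter set (guarded by ``is not None`` and using
    ``"command": "tstats"``) was discarded by the custom code, which rebuilt
    the list per item with ``"| tstats"`` and no guard, so a missing format
    result raised ``TypeError``.  The per-item build with ``"| tstats"`` is
    the behavior that actually ran and is kept; the ``None`` guard is restored.
    """
    phantom.debug("run_get_children_of_java() called")

    get_children_of_java__as_list = phantom.get_format_data(name="get_children_of_java__as_list")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # The raw format result is echoed to the playbook debug log (kept from the original).
    phantom.debug(get_children_of_java__as_list)

    parameters = []
    # NOTE(review): a plain string here would be iterated per character —
    # confirm the format block emits a list.
    if get_children_of_java__as_list is not None:
        parameters = [
            {
                "query": formatted_item,
                "command": "| tstats",
            }
            for formatted_item in get_children_of_java__as_list
        ]

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("run query", parameters=parameters, name="run_get_children_of_java", assets=["splunk"])

    return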
예제 #14
def add_work_note_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Add the 'format_16' text as a work note to every incident id returned by 'get_data_5'.

    Rows whose id is falsy are skipped.  Each parameter set carries the
    originating artifact id as 'context'; results go to ``restart_Service``.
    """
    phantom.debug('add_work_note_2() called')

    # Each row pairs a returned incident id with the artifact id it came from.
    incident_rows = phantom.collect2(
        container=container,
        datapath=['get_data_5:action_result.data.*.response_body.data.*.data',
                  'get_data_5:action_result.parameter.context.artifact_id'],
        action_results=results)
    note_text = phantom.get_format_data(name='format_16')

    parameters = []
    for row in incident_rows:
        incident_id, artifact_id = row[0], row[1]
        # Nothing to annotate when the id is empty/None.
        if not incident_id:
            continue
        parameters.append({
            'id': incident_id,
            'is_sys_id': "",
            'work_note': note_text,
            'table_name': "incident",
            # 'context' ties the action result back to the source artifact.
            'context': {'artifact_id': artifact_id},
        })

    phantom.act(action="add work note", parameters=parameters, assets=['servicenow'], callback=restart_Service, name="add_work_note_2")
예제 #15
def update_maintenance_window_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Update the maintenance window named by 'format_1' on the 'splunk itsi' asset.

    Only 'relative_end_time' (60) and a fixed comment are set; every other
    field is sent empty.  The result is passed to ``add_episode_comment_1``.
    """
    phantom.debug('update_maintenance_window_1() called')

    window_id = phantom.get_format_data(name='format_1')

    # 60 is the relative end time; the comment string records that intent.
    window_update = {
        'maintenance_window_id': window_id,
        'title': "",
        'relative_start_time': "",
        'relative_end_time': 60,
        'start_time': "",
        'end_time': "",
        'object_type': "",
        'object_ids': "",
        'comment': "Phantom: end maintenance window in 60 seconds",
    }

    phantom.act(action="update maintenance window", name="update_maintenance_window_1", parameters=[window_update], assets=['splunk itsi'], callback=add_episode_comment_1)
예제 #16
def create_ticket_2(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Create a "Lost/Stolen Mobile Device" ticket on 'servicenow' with the 'format_4' text as description.

    The action result is handed to ``join_set_status_1``.
    """
    phantom.debug('create_ticket_2() called')

    description = phantom.get_format_data(name='format_4')

    # 'table', 'vault_id' and 'fields' are sent empty.
    ticket = {
        'short_description': "Lost/Stolen Mobile Device",
        'table': "",
        'vault_id': "",
        'description': description,
        'fields': "",
    }

    phantom.act("create ticket",
                assets=['servicenow'],
                parameters=[ticket],
                callback=join_set_status_1,
                name="create_ticket_2")
예제 #17
def task_close(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Mark the 'Render Verdict' workbook task complete with the 'format_task_close' note.

    Invokes the ``community/workbook_task_update`` custom function for the
    current container.
    """
    phantom.debug("task_close() called")

    container_id = container.get("id", None)
    note_body = phantom.get_format_data(name="format_task_close")

    # 'owner' is passed as None (presumably leaves the owner untouched — confirm
    # against the custom function); 'status' is set to complete.
    task_update = {
        "owner": None,
        "status": "complete",
        "container": container_id,
        "task_name": "Render Verdict",
        "note_title": "[Auto-Generated] Response Verdict Summary",
        "note_content": note_body,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.custom_function(custom_function="community/workbook_task_update", parameters=[task_update], name="task_close")
def update_event(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Comment every filtered notable event with the 'es_format' text via the 'splunk' asset.

    Event ids come from the ``event_id_filter`` filter block (all scopes);
    entries whose id is None are skipped.  No callback is registered.
    """
    phantom.debug("update_event() called")

    ################################################################################
    # Update all notables with a link back to the parent case.
    ################################################################################

    event_id_rows = phantom.collect2(
        container=container,
        datapath=["filtered-data:event_id_filter:condition_1:artifact:*.cef.event_id"],
        scope="all")
    comment_text = phantom.get_format_data(name="es_format")

    # One parameter set per non-None event id; the comment is the same for all.
    parameters = [
        {
            "comment": comment_text,
            "event_ids": row[0],
        }
        for row in event_id_rows
        if row[0] is not None
    ]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.act("update event", parameters=parameters, name="update_event", assets=["splunk"])
def Check_Login_Failures_Successes(action=None,
                                   success=None,
                                   container=None,
                                   results=None,
                                   handle=None,
                                   filtered_artifacts=None,
                                   filtered_results=None,
                                   custom_function=None,
                                   **kwargs):
    """Run the 'Format_Login_Failures_Successes' query on 'splunk es - ot sec'.

    The action result is routed to ``Filter_Login_Result``.
    """
    phantom.debug('Check_Login_Failures_Successes() called')

    login_query = phantom.get_format_data(name='Format_Login_Failures_Successes')

    # Only 'query' is populated; the remaining search options are sent empty.
    parameters = [{
        'query': login_query,
        'command': "",
        'display': "",
        'parse_only': "",
    }]

    phantom.act(action="run query",
                name="Check_Login_Failures_Successes",
                parameters=parameters,
                callback=Filter_Login_Result,
                assets=['splunk es - ot sec'])
def workbook_task_update_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Attach the 'merge_individual_format' note to the 'Investigate' workbook task.

    Invokes the ``community/workbook_task_update`` custom function for the
    current container; 'owner' and 'status' are both passed as None.
    """
    phantom.debug("workbook_task_update_4() called")

    container_id = container.get("id", None)
    merged_note = phantom.get_format_data(name="merge_individual_format")

    # None for 'owner'/'status' — presumably "leave unchanged"; confirm
    # against the custom function's handling.
    task_update = {
        "owner": None,
        "status": None,
        "container": container_id,
        "task_name": "Investigate",
        "note_title": "[Auto-Generated] Related Events Merged",
        "note_content": merged_note,
    }

    ################################################################################
    ## Custom Code Start
    ################################################################################

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.custom_function(custom_function="community/workbook_task_update", parameters=[task_update], name="workbook_task_update_4")
예제 #21
def run_query_2(action=None, success=None, container=None, results=None,
                handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_proxy_query' query on the 'splunk_es' asset.

    'display' requests the client_ip, policy_action, MD5 and User columns;
    the result is handed to ``get_user_attributes_1``.
    """
    phantom.debug('run_query_2() called')

    proxy_query = phantom.get_format_data(name='format_proxy_query')

    search_request = {
        'query': proxy_query,
        'display': "client_ip, policy_action, MD5, User",
    }

    phantom.act("run query",
                name="run_query_2",
                parameters=[search_request],
                assets=['splunk_es'],
                callback=get_user_attributes_1)
예제 #22
def create_ticket_1(action=None,
                    success=None,
                    container=None,
                    results=None,
                    handle=None,
                    filtered_artifacts=None,
                    filtered_results=None):
    """Create a "Forced updates for wannacry prevention" ticket on 'servicenow'.

    The 'format_ticket' text becomes the description; the result is routed
    to ``execute_win_update``.
    """
    phantom.debug('create_ticket_1() called')

    ticket_description = phantom.get_format_data(name='format_ticket')

    # 'table', 'vault_id' and 'fields' are sent empty.
    parameters = [{
        'short_description': "Forced updates for wannacry prevention",
        'table': "",
        'vault_id': "",
        'description': ticket_description,
        'fields': "",
    }]

    phantom.act("create ticket",
                callback=execute_win_update,
                parameters=parameters,
                assets=['servicenow'],
                name="create_ticket_1")
예제 #23
def fetch_risk_rules(action=None, success=None, container=None, results=None,
                     handle=None, filtered_artifacts=None, filtered_results=None,
                     custom_function=None, **kwargs):
    """Run the 'format_splunk_query' text as a 'search' command on the 'es-rba' asset.

    The action result is passed to ``cf_rba_master_parse_risk_results_1``.
    """
    phantom.debug('fetch_risk_rules() called')

    risk_query = phantom.get_format_data(name='format_splunk_query')

    # 'command' is explicitly "search"; 'display' and 'parse_only' are sent empty.
    search_request = {
        'query': risk_query,
        'command': "search",
        'display': "",
        'parse_only': "",
    }

    phantom.act(action="run query",
                assets=['es-rba'],
                parameters=[search_request],
                callback=cf_rba_master_parse_risk_results_1,
                name="fetch_risk_rules")
예제 #24
def get_service_data(action=None,
                     success=None,
                     container=None,
                     results=None,
                     handle=None,
                     filtered_artifacts=None,
                     filtered_results=None,
                     custom_function=None,
                     **kwargs):
    """Issue 'get data' through the 'http' asset at the location produced by 'check_service_HUD'.

    The result is handed to ``decision_1``.
    """
    phantom.debug('get_service_data() called')

    service_location = phantom.get_format_data(name='check_service_HUD')

    # NOTE(review): 'verify_certificate' is False, so the TLS certificate of
    # whatever host the format block points at is not validated on this
    # request — confirm that is intended for this endpoint.
    http_request = {
        'headers': "",
        'location': service_location,
        'verify_certificate': False,
    }

    phantom.act(action="get data",
                parameters=[http_request],
                assets=['http'],
                callback=decision_1,
                name="get_service_data")
def build_ip_lookup(action=None, success=None, container=None, results=None,
                    handle=None, filtered_artifacts=None, filtered_results=None):
    """Run the 'format_related_ip_lookup' query on the 'splunk' asset.

    The action result is routed to ``search_splunk_for_ips``.
    """
    phantom.debug('build_ip_lookup() called')

    ip_lookup_query = phantom.get_format_data(name='format_related_ip_lookup')

    parameters = [{
        'query': ip_lookup_query,
        'display': "",   # no display fields requested
    }]

    phantom.act("run query",
                assets=['splunk'],
                name="build_ip_lookup",
                parameters=parameters,
                callback=search_splunk_for_ips)
예제 #26
def get_entity_data(action=None, success=None, container=None, results=None,
                    handle=None, filtered_artifacts=None, filtered_results=None,
                    custom_function=None, **kwargs):
    """Issue 'get data' through the 'http' asset at the location produced by 'Check_entity_HUD'.

    The result is passed to ``check_service_HUD``.
    """
    phantom.debug('get_entity_data() called')

    entity_location = phantom.get_format_data(name='Check_entity_HUD')

    # NOTE(review): 'verify_certificate' is False — the TLS certificate of the
    # host named by the format block is not checked on this request; confirm
    # that is acceptable for this endpoint.
    parameters = [{
        'headers': "",
        'location': entity_location,
        'verify_certificate': False,
    }]

    phantom.act(action="get data",
                name="get_entity_data",
                parameters=parameters,
                assets=['http'],
                callback=check_service_HUD)
def Check_Audit_Endpoint_Process(action=None,
                                 success=None,
                                 container=None,
                                 results=None,
                                 handle=None,
                                 filtered_artifacts=None,
                                 filtered_results=None,
                                 custom_function=None,
                                 **kwargs):
    """Run the 'Format_Audit_Endpoint_Process' query on 'splunk es - ot sec'.

    The action result is routed to ``filter_1``.
    """
    phantom.debug('Check_Audit_Endpoint_Process() called')

    audit_query = phantom.get_format_data(name='Format_Audit_Endpoint_Process')

    # Only 'query' carries data; the other search options are sent as empty strings.
    search_request = {
        'query': audit_query,
        'command': "",
        'display': "",
        'parse_only': "",
    }

    phantom.act(action="run query",
                callback=filter_1,
                assets=['splunk es - ot sec'],
                parameters=[search_request],
                name="Check_Audit_Endpoint_Process")
예제 #28
def post_data_1(action=None, success=None, container=None, results=None,
                handle=None, filtered_artifacts=None, filtered_results=None,
                custom_function=None, **kwargs):
    """Issue 'post data' through the 'http' asset at the location produced by 'format_4'.

    Body and headers are sent empty; no callback is registered.
    """
    phantom.debug('post_data_1() called')

    post_location = phantom.get_format_data(name='format_4')

    # NOTE(review): 'verify_certificate' is an empty string rather than a
    # boolean; how the HTTP app treats that (verify or not) is not visible
    # here — confirm, since the target comes from a format block.
    http_request = {
        'location': post_location,
        'body': "",
        'headers': "",
        'verify_certificate': "",
    }

    phantom.act(action="post data",
                assets=['http'],
                parameters=[http_request],
                name="post_data_1")
예제 #29
def send_email_1(action=None,
                 success=None,
                 container=None,
                 results=None,
                 handle=None,
                 filtered_artifacts=None,
                 filtered_results=None):
    """Send the 'format_1' text as a "New Case Created" e-mail through the 'smtp' asset.

    No callback is registered.
    """
    phantom.debug('send_email_1() called')

    email_body = phantom.get_format_data(name='format_1')

    # Sender/recipient addresses appear masked in this listing — confirm the
    # configured values.  cc/bcc/attachments/headers are sent empty.
    parameters = [{
        'from': "*****@*****.**",
        'to': "*****@*****.**",
        'cc': "",
        'bcc': "",
        'subject': "New Case Created",
        'body': email_body,
        'attachments': "",
        'headers': "",
    }]

    phantom.act("send email",
                name="send_email_1",
                assets=['smtp'],
                parameters=parameters)
예제 #30
def add_comment_2(action=None, success=None, container=None, results=None,
                  handle=None, filtered_artifacts=None, filtered_results=None,
                  custom_function=None, **kwargs):
    """Post the 'format_3' text as a comment on the container, then call ``update_event_1``.

    ``update_event_1`` is invoked synchronously with the same container
    after the comment is written.
    """
    phantom.debug("add_comment_2() called")

    comment_text = phantom.get_format_data(name="format_3")

    ################################################################################
    ## Custom Code Start
    ################################################################################

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.comment(comment=comment_text, container=container)

    # Next block in the playbook chain; it runs in this call, not as a callback.
    update_event_1(container=container)