def update_workbook_tasks(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): phantom.debug("update_workbook_tasks() called") ################################################################################ # Custom code to determine which task this playbook occurs in, complete that task, # and set the status of the next task in the workbook (within the same phase) # to "In Progress". ################################################################################ ################################################################################ ## Custom Code Start ################################################################################ # Get current repo and playbook name current_scm = phantom.get_playbook_info()[0]['repo_name'] current_playbook = phantom.get_playbook_info()[0]['name'] task_order = None # Iterate through tasks on the current container for task in phantom.get_tasks(container=container): playbooks = task.get('data').get('suggestions').get('playbooks') if playbooks: for playbook in playbooks: # Check if the current container tasks contain a reference to this playbook. # If so, this is the task phase you want to mark as current if playbook['playbook'] == current_playbook and playbook['scm'] == current_scm: task_order = task['data']['order'] status = task['data']['status'] url = phantom.build_phantom_rest_url('workflow_task') + '/{}'.format(task['data']['id']) # If status is not started (statud id 0), move to in progress (status id 2) before moving to complete (status id 1) if status == 0: data = {'status': 2} phantom.requests.post(url, data=json.dumps(data), verify=False) data = {'status': 1} phantom.set_phase(container=container, phase=task['data']['phase']) phantom.requests.post(url, data=json.dumps(data), verify=False) # Iterate through the other tasks on the current container if a task was updated as indicated by the presence of "task_order" if task_order: for task in phantom.get_tasks(container=container): # If another task matches the updated task's order + 1, then update it as well if task['data']['order'] == task_order + 1: data = {'status': 2} url = phantom.build_phantom_rest_url('workflow_task') + '/{}'.format(task['data']['id']) phantom.requests.post(url, data=json.dumps(data), verify=False) ################################################################################ ## Custom Code End ################################################################################ return
def get_playbook_id(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('get_playbook_id() called') input_parameter_0 = "" get_playbook_id__parent_pb_run_id = None ################################################################################ ## Custom Code Start ################################################################################ get_playbook_id__parent_pb_run_id = int( phantom.get_playbook_info()[0]['parent_playbook_run_id']) phantom.debug( 'parent_playbook_id: {}'.format(get_playbook_id__parent_pb_run_id)) # Used for Testing # get_playbook_id__parent_pb_run_id = 2479 # phantom.debug('Testing parent_playbook_id: {}'.format(get_playbook_id__parent_pb_run_id)) ################################################################################ ## Custom Code End ################################################################################ phantom.save_run_data(key='get_playbook_id:parent_pb_run_id', value=json.dumps(get_playbook_id__parent_pb_run_id)) check_parent_playbook_id(container=container) return
def Summery_save_object(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): phantom.debug('Summery_save_object() called') id_value = container.get('id', None) formatted_data_1 = phantom.get_format_data(name='Summery_IP_reputation') ################################################################################ ## Custom Code Start ################################################################################ # Write your custom code here... container_id = container['id'] pb_info = phantom.get_playbook_info() playbook_name = pb_info[0].get('name', None) phantom.save_object(key=playbook_name, value={'feedback': formatted_data_1}, auto_delete=True, container_id=container_id) ################################################################################ ## Custom Code End ################################################################################ return
def Format_End_Marker(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('Format_End_Marker() called') playbook_info = phantom.get_playbook_info() guid = phantom.get_data(playbook_info[0]['id'], clear_data=False) phantom.debug(guid) template = "eventcreate /id 999 /D \"ended test for {0} guid=%s\" /T INFORMATION /L application" % guid # parameter list for template variable replacement parameters = [ "Run_Start_Marker:action_result.parameter.ip_hostname", ] phantom.format(container=container, template=template, parameters=parameters, name="Format_End_Marker") Run_End_Marker(container=container) return
def Format_Start_Marker(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('format_1() called') playbook_info = phantom.get_playbook_info() guid = phantom.get_data(playbook_info[0]['id'], clear_data=False) template = "eventcreate /id 999 /D \"started test on {0} guid=%s\" /T INFORMATION /L application" % guid # parameter list for template variable replacement parameters = ["artifact:*.cef.destinationAddress"] phantom.format(container=container, template=template, parameters=parameters, name="Format_Start_Marker") Run_Start_Marker(container=container) return
def Post_Start_Event_to_Splunk(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('post_data_1() called') import platform import uuid # collect data for 'post_data_1' call formatted_data_1 = phantom.get_format_data(name='format_3') parameters = [] splunk_status_index_list = phantom.collect( container, "artifact:*.cef.splunk_status_index") if len(splunk_status_index_list) > 0: splunk_status_index = str(splunk_status_index_list[0]) else: splunk_status_index = "default" splunk_status_source_type_list = phantom.collect( container, "artifact:*.cef.splunk_status_source_type") if len(splunk_status_source_type_list) > 0: splunk_status_source_type = str(splunk_status_source_type_list[0]) else: splunk_status_source_type = "advsim:atr" try: guid = phantom.collect(container, "artifact:*.cef.request")[0] except: guid = uuid.uuid4().hex playbook_info = phantom.get_playbook_info() phantom.save_data(guid, playbook_info[0]['id']) source = playbook_info[0]['name'] data = {} data['msg'] = formatted_data_1 data['guid'] = guid data['playbook_info'] = playbook_info[0] data_json = json.dumps(data) # build parameters list for 'post_data_1' call parameters.append({ 'index': splunk_status_index, 'host': platform.node(), 'source_type': splunk_status_source_type, 'data': data_json, 'source': source, }) phantom.act("post data", parameters=parameters, app={"name": 'Splunk'}, callback=decision_2, name="Post_Start_Event_to_Splunk") return
def create_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('create_ticket_1() called') # collect data for 'create_ticket_1' call pb_info = phantom.get_playbook_info() playbook_name = pb_info[0].get('name', None) parameters = [] desc_sufix = ''' Action Required: Scan machine(s) with multiple Anti-Virus and Anti-Malware solutions Suggestions: - Microsoft Security Essentials - Kaspersky TDSS Rootkit Killer - Malware Bytes - Symantec Resolution: Provide logs of scan results to Security Operations Reboot affected host(s) as needed to fully clear quarantines malware ''' # build parameters list for 'create_ticket_1' call parameters.append({ 'short_description': "Issue: Possible botnet activity (" + str(results.count('\n') - 1) + ")", # str(results.count('\n')-1) 'description': results + desc_sufix, 'table': "incident", 'fields': "{\"urgency\": \"1\", \"impact\": \"3\",\"comments\": \"Playbook name: %s\", \"assignment_group\": \"Help Desk\", \"company\": \"Company\", \"caller_id\": \"phantom\", \"u_affected_business_service\": \"Security\", \"u_symptom\": \"Infosec Incident\"}" % playbook_name, 'vault_id': "", }) phantom.act("create ticket", parameters=parameters, assets=['servicenow'], name="create_ticket_1", callback=send_message_1) return
def update_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('update_ticket_1() called') pb_info = phantom.get_playbook_info() if not pb_info: return playbook_name = pb_info[0].get('name', None) ip = '' artifacts_data_1 = phantom.collect2( container=container, datapath=['artifact:*.cef.cn2', 'artifact:*.cef.cs3'], scope='all') # , 'artifact:*.id' name_value = container.get('name', None) for artifacts_item_1 in artifacts_data_1: # phantom.debug('artifact_data_item {}'.format(artifacts_item_1)) if artifacts_item_1: ip = artifacts_item_1[0] if phantom.valid_ip(ip): ip = str(ip) addr = phantom.get_object(key=ip, playbook_name=playbook_name) if addr: ticket = addr[0]['value']['ticket'] # collect data for 'update_ticket_1' call parameters = [] # build parameters list for 'update_ticket_1' call update = "\"%s\"" % artifacts_item_1[ 1] # or "\"{}\"".format(a) parameters.append({ 'id': ticket, 'table': "u_security_engineering_request", 'fields': "{\"state\": \"1\", \"work_notes\": \"%s\" }" % artifacts_item_1[1], # 'fields': "{\"work_notes\": \"Updated\" }", # 'fields': "{\"update\": {\"state\": \"open\", \"work_notes\": \"%s\"}}" % artifacts_item_1[1], # 'fields': "{\"priority\": \"2\",\"impact\": \"2\",\"comments\": \"Anything can go here\"}", 'vault_id': "", }) phantom.debug('update ticket {} for ip {}: {}'.format( ticket, ip, update)) phantom.act("update ticket", parameters=parameters, assets=['servicenow'], name="update_ticket_1") return
def create_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('create_ticket_1() called') ip = '' artifacts_data_1 = phantom.collect2( container=container, datapath=['artifact:*.cef.cn1', 'artifact:*.cef.cs3'], scope='all') # , 'artifact:*.id' name_value = container.get('name', None) # phantom.debug('artifact_data {}'.format(artifacts_data_1)) for artifacts_item_1 in artifacts_data_1: # phantom.debug('artifact_data_item {}'.format(artifacts_item_1)) if artifacts_item_1: ip = artifacts_item_1[0] if phantom.valid_ip(ip): ip = str(ip) # collect data for 'create_ticket_1' call pb_info = phantom.get_playbook_info() playbook_name = pb_info[0].get('name', None) parameters = [] # build parameters list for 'create_ticket_1' call parameters.append({ 'short_description': artifacts_item_1[0] + ' -> ' + artifacts_item_1[1], 'description': "Source IP address: " + ip, 'table': "u_security_engineering_request", # 'fields': "{\"priority\": \"2\",\"impact\": \"2\",\"comments\": \"Playbook name: %s\"}" % playbook_name, 'vault_id': "", }) phantom.debug('create ticket for ip {} '.format(ip)) # if len(ip)>0: phantom.act("create ticket", parameters=parameters, assets=['servicenow'], name="create_ticket_1", callback=format_1) # callback=get_ticket_id, return
def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('format_1() called') pb_info = phantom.get_playbook_info() if not pb_info: return playbook_name = pb_info[0].get('name', None) ticket = phantom.collect(results, "action_result.summary.created_ticket_id") artifacts_data_1 = phantom.collect2(container=container, datapath=['artifact:*.cef.src']) if ticket: ticket = ticket[0] phantom.debug('Ticket {}'.format(ticket)) for artifacts_item_1 in artifacts_data_1: if artifacts_item_1: if phantom.valid_ip(artifacts_item_1[0]): addr = phantom.get_object(key=str(artifacts_item_1[0]), playbook_name=playbook_name) if addr: addr[0]['value']['ticket'] = ticket #phantom.debug('Saving object {} of type {} with key {}'.format(addr[0], type(addr[0]['value']), artifacts_item_1[0])) phantom.save_object(key=str(artifacts_item_1[0]), value=addr[0]['value'], auto_delete=False, playbook_name=playbook_name) template = """Ticket id: {0} number: {1}""" # parameter list for template variable replacement parameters = [ "create_ticket_1:action_result.summary.created_ticket_id", "create_ticket_1:action_result.data.*.number", ] phantom.format(container=container, template=template, parameters=parameters, name="format_1") return
def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('decision_2() called') action = '' pb_info = phantom.get_playbook_info() name_value = container.get('name', None) playbook_name = pb_info[0].get('name', None) container_id = container['id'] if not pb_info: return filtered_artifacts_data_1 = phantom.collect2( container=container, datapath=['filtered-data:filter_2:condition_1:artifact:*.cef']) phantom.debug('TOTAL number of cef.src artifacts is count: {}'.format( len(filtered_artifacts_data_1))) # local_tz = timezone('America/New_York') start = (container['start_time'] )[:-3] # start = (container['start_time']).strip('+00') start_time = datetime.strptime( start, '%Y-%m-%d %H:%M:%S.%f') # format 2017-10-17 11:32:00.839350 # start_time = local_tz.localize(start_time) for filtered_artifacts_item_1 in filtered_artifacts_data_1: item_1 = filtered_artifacts_item_1[0]['src'] phantom.debug('ITEM to be processed: {}'.format(item_1)) if item_1: addr = phantom.get_object(key=str(item_1), playbook_name=playbook_name) if not addr: phantom.debug('SAVE NEW count: {} {} {} '.format( 1, start_time.strftime("%c"), start_time.strftime("%c"))) phantom.save_object(key=str(item_1), value={ 'count': 1, 'start': start_time.strftime("%c"), 'end': start_time.strftime("%c"), 'description': name_value, 'ticket': '', 'ignore': False }, auto_delete=False, playbook_name=playbook_name) else: count = addr[0]['value']['count'] + 1 ignore = addr[0]['value']['ignore'] ticket = addr[0]['value']['ticket'] saved_start = addr[0]['value']['start'] saved_start_time = datetime.strptime( saved_start, '%a %b %d %H:%M:%S %Y' ) # format Mon Oct 16 11:46:30 2017 or '%Y-%m-%d %H:%M:%S.%f' # saved_start_time = local_tz.localize(start_time) delta = abs((start_time - saved_start_time)).total_seconds() # .seconds phantom.debug( 'DECISION start_time {} - saved_start_time {} = {}s '. format(start_time, saved_start_time, delta)) if ignore and (delta > REPEAT): phantom.debug( 'IGNORE {} start_time {} - saved_start_time {} = {}s '. format(ignore, start_time, saved_start_time, delta)) ignore = False saved_start = start_time.strftime("%c") if not ignore: if (ticket == '') and (delta > WINDOW): saved_start = start_time.strftime("%c") count = 0 phantom.debug( 'RESET time/co ticket {} delta {}s {} <- {}'. format(ticket, delta, saved_start, start_time.strftime("%c"))) elif (count > LIMIT) and (delta < WINDOW): count = 0 saved_start = start_time.strftime("%c") raw = {} cef = {} cef['cs3'] = filtered_artifacts_item_1[0]['cs3'] if (ticket == ''): phantom.debug( 'OPENED {} opened {} {}s ago '.format( item_1, saved_start_time, delta)) cef['cn1'] = item_1 success, message, artifact_id = phantom.add_artifact( container=container, raw_data=raw, cef_data=cef, label='create', name='ticket', severity='high', identifier=None, artifact_type='host') else: phantom.debug( 'REOPEN {} reopen {} {}s ago '.format( ticket, saved_start_time, delta)) cef['cn2'] = item_1 success, message, artifact_id = phantom.add_artifact( container=container, raw_data=raw, cef_data=cef, label='update', name='ticket', severity='high', identifier=None, artifact_type='host') ignore = True phantom.debug( 'SAVE OLD count: {0} ticket: {1} {2} {3} {4}s'.format( count, ticket, saved_start, start_time.strftime("%c"), delta)) phantom.save_object(key=str(item_1), value={ 'count': count, 'start': saved_start, 'end': start_time.strftime("%c"), 'description': name_value, 'ticket': ticket, 'ignore': ignore }, auto_delete=False, playbook_name=playbook_name) # check for 'if' condition 1 matched_artifacts_1, matched_results_1 = phantom.condition( container=container, scope='all', conditions=[ ["artifact:*.label", "==", "create"], ]) # call connected blocks if condition 1 matched if matched_artifacts_1 or matched_results_1: create_ticket_1(action=action, success=success, container=container, results=results, handle=handle) return # check for 'elif' condition 2 matched_artifacts_2, matched_results_2 = phantom.condition( container=container, scope='all', conditions=[ ["artifact:*.label", "==", "update"], ]) # call connected blocks if condition 2 matched if matched_artifacts_2 or matched_results_2: update_ticket_1(action=action, success=success, container=container, results=results, handle=handle) return return