def aws_disable_user_check(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("aws_disable_user_check() called")
# set user and message variables for phantom.prompt call
user = "******"
message = """The following AWS user(s) were found to be inactive:\n\n```\n{0}\n```"""
# parameter list for template variable replacement
parameters = [
"filtered-data:filter_1:condition_2:playbook_input:aws_username"
]
# responses
response_types = [
{
"prompt": "Should those user account(s) be disabled?",
"options": {
"type": "list",
"choices": [
"Yes",
"No"
],
},
}
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="aws_disable_user_check", parameters=parameters, response_types=response_types, callback=decision_1)
return
def prompt_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """{0}"""
# parameter list for template variable replacement
parameters = [
"format_2:formatted_data",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "message",
},
},
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_1", parameters=parameters, response_types=response_types)
return
def prompt_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_2() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """test 2 -2"""
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "message",
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_2",
response_types=response_types,
callback=prompt_3)
return
def prompt_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_3() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """test 3? ajskldjf"""
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "range",
"min": 1,
"max": 100,
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_3",
response_types=response_types)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("prompt_1() called")
# set user and message variables for phantom.prompt call
user = "******"
message = """The result are\n\nuser: {0} destination {2} time {1}"""
# parameter list for template variable replacement
parameters = [
"run_query_1:action_result.data.*.user",
"run_query_1:action_result.data.*.dest",
"run_query_1:action_result.data.*._time"
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters)
return
def isolate_ec2_instance_approval(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('isolate_ec2_instance_approval() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The playbook ec2_instance_investigation_and_notification has investigated the EC2 instance with ID {0} and name {1}. Should Phantom quarantine the instance by changing the instance's Security Group to disallow all traffic?"""
# parameter list for template variable replacement
parameters = [
"describe_ec2_instance:action_result.parameter.instance_ids",
"describe_ec2_instance:action_result.data.*.Reservations.*.Instances.*.Tags.Name",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="isolate_ec2_instance_approval", parameters=parameters, response_types=response_types, callback=prompt_decision)
return
def select_response_plan(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("select_response_plan() called")
# set user and message variables for phantom.prompt call
user = json.loads(phantom.get_run_data(key='get_effective_user:username'))
message = """Splunk SOAR has loaded all available response plans\n - Only Playbooks with tags "response_option" are shown."""
# Playbooks list
playbook_list = phantom.collect2(container=container, datapath=["list_response_playbooks:custom_function_result.data.*.full_name"], action_results=results)
playbook_list = [item[0] for item in playbook_list]
playbook_list.append("Do Nothing")
#responses:
response_types = [
{
"prompt": "Response Plan",
"options": {
"type": "list",
"choices": playbook_list
},
}
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="select_response_plan", response_types=response_types, callback=user_response_decision)
return
def prompt_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The following Domain is malicious
{0}
Do you want to block this Hash?"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.destinationDnsDomain",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_1", parameters=parameters, response_types=response_types, callback=filter_4)
return
def Notable_Creation_Approval_Request(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('Notable_Creation_Approval_Request() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """You have received the following request: {0}"""
# parameter list for template variable replacement
parameters = [
"format_12:formatted_data",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="Notable_Creation_Approval_Request", parameters=parameters, response_types=response_types, callback=Notable_Creation_Approval_Request_callback)
return
def Notify_IT(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('Notify_IT() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """A potentially malicious file download has been detected on a local server with IP address {0}. Notify IT team?"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.destinationAddress",
]
#responses:
response_types = [
{
"prompt": "Notify IT?",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
{
"prompt": "Briefly describe reason",
"options": {
"type": "message",
},
},
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="Notify_IT", parameters=parameters, response_types=response_types, callback=prompt_timeout)
return
def New_Case_Assigned(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug('New_Case_Assigned() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """A new case has been assigned: {0}. Please acknowledge you have received this notification."""
# parameter list for template variable replacement
parameters = [
"container:name",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="New_Case_Assigned", parameters=parameters, response_types=response_types, callback=format_2)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = container['owner']
message = """The following items were identified as malicious. Please review the evidence and decide which items you would like to take action on (Yes/No)."""
threat_object = [
item[0] for item in phantom.collect2(
container=container,
datapath=[
'filtered-data:filter_1:condition_1:artifact:*.cef.threat_object'
])
]
threat_object_type = [
item[0] for item in phantom.collect2(
container=container,
datapath=[
'filtered-data:filter_1:condition_1:artifact:*.cef.threat_object_type'
])
]
# dynamic response builder
response_types = []
pairings = []
for thr_obj, thr_obj_type in zip(threat_object, threat_object_type):
if thr_obj:
response_types.append({
"prompt": "Block {}".format(thr_obj),
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
})
pairings.append({thr_obj_type: thr_obj})
phantom.save_run_data(value=json.dumps(pairings),
key='pairings',
auto=True)
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
response_types=response_types,
callback=get_run_data)
return
def crowdstrike_new_file_detection(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('crowdstrike_new_file_detection() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """{0}"""
# parameter list for template variable replacement
parameters = [
"format_prompt:formatted_data",
]
#responses:
response_types = [
{
"prompt":
"Should Phantom create an Indicator in CrowdStrike to track this file hash from now on?",
"options": {
"type":
"list",
"choices": [
"No, do not create an Indicator in CrowdStrike at this time.",
"Yes, create a CrowdStrike Indicator to detect and block this file hash from now on. (True Positive)",
"Yes, create a CrowdStrike Indicator to ignore this file hash from now on. (False Positive)",
]
},
},
{
"prompt": "Should Phantom quarantine the endpoint?",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="crowdstrike_new_file_detection",
parameters=parameters,
response_types=response_types,
callback=crowdstrike_new_file_detection_callback)
return
def prompt_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_3() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The infected endpoint info is:
DNS Name:
{0}
Computer Name:
{1}
OS info:
{2}
Do you want to
1. Contain the threat by terminating the process and blocking the hash?
2. Or do you want to reimage the endpoint ?"""
# parameter list for template variable replacement
parameters = [
"get_system_info_1:action_result.data.*.computer_dns_name",
"get_system_info_1:action_result.data.*.computer_name",
"get_system_info_1:action_result.data.*.os_environment_display_string",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"1",
"2",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_3",
parameters=parameters,
response_types=response_types,
callback=decision_6)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The host {0} communicated with these high priority servers:
{1}"""
# parameter list for template variable replacement
parameters = [
"cf_community_string_to_uppercase_1:custom_function_result.data.uppercase_string",
"format_2:formatted_data",
]
#responses:
response_types = [
{
"prompt": "Would you like to update the notable",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
{
"prompt": "Please enter a comment",
"options": {
"type": "message",
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
response_types=response_types,
callback=decision_1)
return
def select_indicators(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("select_indicators() called")
# set user and message variables for phantom.prompt call
custom_format__output = json.loads(
phantom.get_run_data(key="custom_format:output"))
user_id = phantom.get_effective_user()
url = phantom.build_phantom_rest_url('ph_user', user_id)
response = phantom.requests.get(url, verify=False).json()
user = response['username']
message = """Please review the list of suspect indicators and select an action.\n\n{0}""".format(
custom_format__output)
indicator_records = phantom.collect2(
container=container,
datapath=[
"get_suspect_indicators:custom_function_result.data.*.indicator_value"
],
action_results=results)
indicator_value_list = [item[0] for item in indicator_records]
# dynamic response generation
response_types = []
parameters = None
for ind_val in indicator_value_list:
response_types.append({
"prompt": "{0}".format(ind_val),
"options": {
"type": "list",
"choices": ["Block", "Tag as Safe", "Do Nothing"]
}
})
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="select_indicators",
parameters=parameters,
response_types=response_types,
callback=process_responses)
return
def Approval_request_Add_IP_to_Black_list(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('Approval_request_Add_IP_to_Black_list() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Hi, we have checked this IP. Please decide if this IP Should be added to the black list.
This are the result of the IP Reputation check:
{0}
Further information \"whois query\" can be found in the notes.
Please decide:
Yes = Add to \"IP Black list\"
No = promote Event to case"""
# parameter list for template variable replacement
parameters = [
"ip_reputation_1:action_result.message",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="Approval_request_Add_IP_to_Black_list",
parameters=parameters,
response_types=response_types,
callback=decision_1)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Hi,
we have determined that the service: {0} (on the host: {1})- is not available. Details on the process can be found in the ticket . Please confirm as follows:
Yes = the service is automatically restarted
No = we will assign the incident to you and the service will NOT be restarted
Do not respond within 5 minutes - the service will automatically restart"""
# parameter list for template variable replacement
parameters = [
"get_service_data:action_result.data.*.response_body.data.*.data",
"get_entity_data:action_result.data.*.parsed_response_body.data.*.data",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=2,
name="prompt_1",
parameters=parameters,
response_types=response_types,
callback=decision_3)
return
def quarantine_prompt(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("quarantine_prompt() called")
################################################################################
# Offer the user options to quarantine the affected endpoints
################################################################################
# set user and message variables for phantom.prompt call
user = "******"
message = """Choose an action you would like to take on the following hosts and then type confirm. The same selected action will be performed on every host.\n\n \n### Available Actions:\n- Restrict Outbound Traffic\n(Sets a firewall policy to prevent all outbound traffic. This may disrupt domain authentication for all but cached credentials.)\n- Shutdown Host (This is a forced shutdown)\n\n \n### Target Hosts\n{0}"""
# parameter list for template variable replacement
parameters = ["format_host_list_prompt:formatted_data"]
# responses
response_types = [{
"prompt": "Available Actions",
"options": {
"type":
"list",
"choices": [
"Restrict Outbound Traffic", "Shutdown",
"Restrict Outbound Traffic and Shutdown", "Do Nothing"
],
},
}, {
"prompt": "Type \"confirm\"",
"options": {
"type": "message",
},
}]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="quarantine_prompt",
parameters=parameters,
response_types=response_types,
callback=quarantine_decision)
return
def playbook_tutorial_prompt(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('playbook_tutorial_prompt() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Based on a SIEM event about a potential malware incident, Phantom has investigated and determined that the potential attacker IP address:
{0}
has been connected to malware with hash
{1}
and the above hash has {2} positive detections on a ReversingLabs reputation score. Should Phantom temporarily block the IP address using the Palo Alto Networks firewall for the next 60 minutes (after which it will be unblocked)?"""
# parameter list for template variable replacement
parameters = [
"filtered-data:filter_3:condition_1:artifact:*.cef.sourceAddress",
"filtered-data:filter_3:condition_1:artifact:*.cef.fileHash",
"filtered-data:filter_2:condition_1:file_reputation_1:action_result.summary.positives",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="playbook_tutorial_prompt",
parameters=parameters,
response_types=response_types,
callback=decision_4)
return
def Notify_IT(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('Notify_IT() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """A potentially malicious file download has been detected on a local server with IP address {0}. Notify IT team?"""
# parameter list for template variable replacement
parameters = [
"filtered-data:Filter_destination_ip_null_values:condition_1:artifact:*.cef.destinationAddress",
]
#responses:
response_types = [
{
"prompt": "Notify IT?",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
{
"prompt": "Comments",
"options": {
"type": "message",
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=10,
name="Notify_IT",
parameters=parameters,
response_types=response_types,
callback=Prompt_timeout)
return
def prompt_4(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_4() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The infected VM is:
{0}
Host Name:
{1}
Do you want to
1. Contain the threat by terminating the process and blocking the hash?
2. Or do you want to revert the VM to last snapshot?"""
# parameter list for template variable replacement
parameters = [
"get_vm_info:action_result.data.*.vm_full_name",
"get_vm_info:action_result.data.*.vm_hostname",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"1",
"2",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_4",
parameters=parameters,
response_types=response_types,
callback=decision_7)
return
def crowdstrike_known_file_quarantine(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('crowdstrike_known_file_quarantine() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """{0}
---
Should Phantom quarantine the device?"""
# parameter list for template variable replacement
parameters = [
"format_repeat_note:formatted_data",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="crowdstrike_known_file_quarantine",
parameters=parameters,
response_types=response_types,
callback=quarantine_decision_2)
return
def Approval_Close_Incident(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('Approval_Close_Incident() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The Episode {0} is resolved.
All steps are documented in the ticket: {1}
Please decide if the status of this Episode should be changed to: CLOSED"""
# parameter list for template variable replacement
parameters = [
"container:name",
"artifact:*.cef.snow_inc",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=3,
name="Approval_Close_Incident",
parameters=parameters,
response_types=response_types,
callback=decision_1)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("prompt_1() called")
# set user and message variables for phantom.prompt call
user = "******"
message = """here's the list\n\n{0} priority: {1} count:{2}"""
# parameter list for template variable replacement
parameters = [
"run_query_1:action_result.data.*.peer",
"run_query_1:action_result.data.*.priority",
"run_query_1:action_result.data.*.count"
]
# responses
response_types = [{
"prompt": "Update event?",
"options": {
"type": "list",
"choices": ["Yes", "No"],
},
}, {
"prompt": "comment:",
"options": {
"type": "message",
},
}]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
response_types=response_types,
callback=decision_1)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("prompt_1() called")
# set user and message variables for phantom.prompt call
user = "******"
message = """{0}\n\n{1}"""
# parameter list for template variable replacement
parameters = [
"format_analyst_msg:formatted_data", "create_my_list:formatted_data"
]
# responses
response_types = [{
"prompt":
"Would you like to own the notable and change status to open",
"options": {
"type": "list",
"choices": ["Yes", "No"],
},
}, {
"prompt": "Please enter a comment for the notable",
"options": {
"type": "message",
},
}]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
response_types=response_types,
callback=decision_1)
return
def prompt_4(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_4() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The following URL is malicious
{0}
Do you want to block this URL?{0}"""
# parameter list for template variable replacement
parameters = [
"Parsed_Proofpoint_URL:custom_function:url_parsed",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_4",
parameters=parameters,
response_types=response_types,
callback=filter_9)
return
def event_details(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("event_details() called")
################################################################################
# A dynamic prompt to list out details for each container so that the user can
# decide which to merge.
################################################################################
# set user and message variables for phantom.prompt call
effective_user_id = phantom.get_effective_user()
url = phantom.build_phantom_rest_url('ph_user', effective_user_id)
response = phantom.requests.get(url, verify=False).json()
user = response.get('username')
message = """{0}"""
# parameter list for template variable replacement
parameters = [
"custom_format:custom_function:output",
]
# fetch data for dynamic response
container_data = phantom.collect2(container=container, datapath=['find_related_events:custom_function_result.data.*.container_id', 'find_related_events:custom_function_result.data.*.container_name'], action_results=results)
container_id_list = [item[0] for item in container_data]
container_name_list = [item[1] for item in container_data]
#Dynamic Responses:
response_types = []
for container_id, container_name in zip(container_id_list, container_name_list):
response_types.append({
"prompt": "Event {0}: {1}".format(container_id, container_name),
"options": {
"type": "list",
"choices": [
"Merge Into Case",
"Ignore",
]
},
})
phantom.save_run_data(value=json.dumps(container_id_list), key="container_list", auto=True)
phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="event_details", parameters=parameters, response_types=response_types, callback=process_responses)
return
def reset_password(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('reset_password() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Found the account \"{0}\" has a compromised credential! Would you like to automatically reset the password?"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.compromisedUserName",
]
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=30,
name="reset_password",
parameters=parameters,
response_types=response_types,
callback=reset_option)
return
def Request_approval_restart_service(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug('Request_approval_restart_service() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Hi,
we have determined that the service: (on the host: )- is not available. Details on the process can be found in the ticket . Please confirm as follows:
Yes = the service is automatically restarted
No = we will assign the incident to you and the service will NOT be restarted
Do not respond within 5 minutes - the service will automatically restart"""
#responses:
response_types = [
{
"prompt": "",
"options": {
"type": "list",
"choices": [
"Yes",
"No",
]
},
},
]
phantom.prompt2(container=container,
user=user,
message=message,
respond_in_mins=5,
name="Request_approval_restart_service",
response_types=response_types,
callback=decision_2)
return