def set_severity_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Lower *container* to severity ``low`` and continue into ``set_status_6``.

    Only ``container`` is read; the other standard block parameters are
    accepted for signature compatibility and left untouched.
    """
    phantom.debug('set_severity_5() called')

    level = "low"
    phantom.set_severity(container, level)

    # Next block in the flow; it is defined elsewhere in the playbook.
    set_status_6(container=container)
def HUD_red_and_severity_medium(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pin the ``XSpamStatus_status_YES__as_list`` format data to the HUD as a red card and raise severity to ``Medium``.

    The flow then joins into ``join_Summery_XSpamStatus``. Only ``container``
    is read; the remaining block parameters exist for the standard signature.
    """
    phantom.debug('HUD_red_and_severity_medium() called')

    # Whatever the named format block produced becomes the card body.
    card_data = phantom.get_format_data(name='XSpamStatus_status_YES__as_list')

    pin_args = dict(
        container=container,
        data=card_data,
        message="XSpamStatus",
        pin_type="card",
        pin_style="red",
        name=None,
    )
    phantom.pin(**pin_args)

    phantom.set_severity(container=container, severity="Medium")
    join_Summery_XSpamStatus(container=container)
def set_severity_9(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Raise *container* to severity ``high``.

    Terminal block: nothing is chained after the severity change. Only
    ``container`` is used; the other parameters follow the standard signature.
    """
    phantom.debug('set_severity_9() called')

    level = "high"
    phantom.set_severity(container, level)
def set_severity_13(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Set *container* to severity ``medium`` and hand off to ``pin_16``.

    Only ``container`` is read; the remaining parameters are part of the
    standard block signature and are not used here.
    """
    phantom.debug('set_severity_13() called')

    level = "medium"
    phantom.set_severity(container, level)

    # pin_16 is the next block in the flow (defined elsewhere).
    pin_16(container=container)
def set_severity_12(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Raise *container* to severity ``high`` and continue into ``promote_to_case_14``.

    Only ``container`` is read; the other block parameters are accepted for
    signature compatibility.
    """
    phantom.debug('set_severity_12() called')

    level = "high"
    phantom.set_severity(container, level)

    # Escalation path: the following block (defined elsewhere) promotes the container.
    promote_to_case_14(container=container)
def escalate_alert(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Escalate *container*: sensitivity ``red`` and severity ``high``.

    Terminal block with no downstream call. Only ``container`` is used; the
    remaining parameters belong to the standard block signature.
    """
    phantom.debug('escalate_alert() called')

    # Sensitivity is raised first, then severity; both are applied unconditionally.
    escalation = (("red", phantom.set_sensitivity), ("high", phantom.set_severity))
    for value, setter in escalation:
        setter(container, value)
def set_container_low(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Set *container* to severity ``Low``.

    Terminal block; nothing is chained afterwards. Only ``container`` is
    read, the other parameters exist for the standard block signature.
    """
    phantom.debug('set_container_low() called')

    target_severity = "Low"
    phantom.set_severity(container=container, severity=target_severity)
def escalate_severity_to_high(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Raise *container* to severity ``High``.

    Terminal block; only ``container`` is used. The remaining parameters are
    accepted to match the standard block signature.
    """
    phantom.debug('escalate_severity_to_high() called')

    target_severity = "High"
    phantom.set_severity(container=container, severity=target_severity)
def set_status_set_severity_set_sensitivity_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Close *container* and mark it low-risk: status ``Closed``, severity ``Low``, sensitivity ``green``.

    The three updates are applied in that order and unconditionally, so any
    decision about whether closing is appropriate has to be made by the
    blocks that lead here. Only ``container`` is read.
    """
    phantom.debug('set_status_set_severity_set_sensitivity_1() called')

    closed_status = "Closed"
    closed_severity = "Low"
    closed_sensitivity = "green"

    phantom.set_status(container=container, status=closed_status)
    phantom.set_severity(container=container, severity=closed_severity)
    phantom.set_sensitivity(container=container, sensitivity=closed_sensitivity)
def resolve_container(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Resolve *container* as a trivial true positive and close it.

    Steps, in order: severity ``low``, tag ``automation`` via ``my_add_tags``,
    write the ``Resolution`` custom field, then status ``closed``. All of this
    is unconditional, so the gate deciding that the container is trivial must
    sit in the preceding blocks. Only ``container`` is read.
    """
    phantom.debug('resolve_container() called')

    # Closing out the container
    phantom.set_severity(container, "low")
    # my_add_tags is a playbook-local helper; it is called without the
    # container, so presumably it resolves the target itself — verify.
    my_add_tags(tags=["automation"])

    # Updating required fields
    update_payload = {"custom_fields": {"Resolution": "Trivial True Positive"}}
    phantom.update(container, update_payload)

    phantom.set_status(container, "closed")
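def on_start(incident):
    """Escalate *incident* when a known executive is among the affected users.

    Logs the incident's name, severity and sensitivity, collects the
    ``sourceUserName`` / ``destinationUserName`` CEF fields from all
    artifacts, and checks them against the ``executives`` datastore. On a
    match the incident is set to sensitivity ``amber`` and severity ``high``.

    Args:
        incident: The container; ``name``, ``severity`` and ``sensitivity``
            are read from it and it is passed to the ``phantom`` helpers.

    Returns:
        None.
    """
    # Fix: the original logged the sensitivity under the "severity" label and
    # the severity under the "sensitivity" label. Each label now reports its
    # own field. (Message text is kept as-is.)
    phantom.debug(incident['name'] + 'has severity: ' + incident['severity'])
    phantom.debug(incident['name'] + 'has sensitivity: ' + incident['sensitivity'])

    phantom.debug(' ------------------ USER NAMES --------------------------------- ')

    # Every user seen on any artifact, source or destination, de-duplicated.
    # A set gives O(1) membership for the executive check below (the original
    # list made each check O(n)); membership semantics are unchanged.
    victims = set(phantom.collect(incident, 'artifact:*.cef.sourceUserName', scope='all'))
    victims.update(phantom.collect(incident, 'artifact:*.cef.destinationUserName', scope='all'))

    if not victims:
        return

    execs = phantom.datastore_get("executives")
    if execs is None:
        return

    # Assumes each datastore row is a sequence whose first element is the
    # executive's user name — TODO confirm against the datastore schema.
    exec_victims = [exec_info[0] for exec_info in execs if exec_info[0] in victims]

    if exec_victims:
        phantom.debug('Execs impacted by this incident: ' + str(exec_victims))
        phantom.set_sensitivity(incident, 'amber')
        phantom.set_severity(incident, 'high')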
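def on_start(incident):
    """Escalate *incident* when a known executive is among the affected users.

    Logs the incident's name, severity and sensitivity, collects the
    ``sourceUserName`` / ``destinationUserName`` CEF fields from all
    artifacts, and checks them against the ``executives`` datastore. On a
    match the incident is set to sensitivity ``amber`` and severity ``high``.

    Args:
        incident: The container; ``name``, ``severity`` and ``sensitivity``
            are read from it and it is passed to the ``phantom`` helpers.

    Returns:
        None.
    """
    # Fix: the original logged the sensitivity under the "severity" label and
    # the severity under the "sensitivity" label. Each label now reports its
    # own field. (Message text is kept as-is.)
    phantom.debug(incident['name'] + 'has severity: ' +
                  incident['severity'])
    phantom.debug(incident['name'] + 'has sensitivity: ' +
                  incident['sensitivity'])

    phantom.debug(
        ' ------------------ USER NAMES --------------------------------- ')

    # Every user seen on any artifact, source or destination, de-duplicated.
    # A set gives O(1) membership for the executive check below (the original
    # list made each check O(n)); membership semantics are unchanged.
    victims = set(
        phantom.collect(incident,
                        'artifact:*.cef.sourceUserName',
                        scope='all'))
    victims.update(
        phantom.collect(incident,
                        'artifact:*.cef.destinationUserName',
                        scope='all'))

    if not victims:
        return

    execs = phantom.datastore_get("executives")
    if execs is None:
        return

    # Assumes each datastore row is a sequence whose first element is the
    # executive's user name — TODO confirm against the datastore schema.
    exec_victims = [
        exec_info[0] for exec_info in execs if exec_info[0] in victims
    ]

    if exec_victims:
        phantom.debug('Execs impacted by this incident: ' +
                      str(exec_victims))
        phantom.set_sensitivity(incident, 'amber')
        phantom.set_severity(incident, 'high')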
def deescalate(container):
    """Lower *container* to severity ``low`` and close it.

    Both steps run unconditionally; whatever justifies closing the container
    has to be decided by the caller.
    """
    level = "low"
    phantom.set_severity(container, level)
    phantom.close(container)
def escalate(container):
    """Raise *container* to severity ``high``; nothing else is changed."""
    level = "high"
    phantom.set_severity(container, level)