Exemplos de pin em Python

Exemplo n.º 1

def update_case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('update_case() called')
    
    get_pins_body = phantom.collect2(container=container, datapath=['get_pins:action_result.data.*.response_body'], action_results=results)

    # get the necessary run_data
    fuzzy_matched_access_points = json.loads(phantom.get_run_data(key='fuzzy_matched_access_points'))
    live_case_id = int(phantom.get_run_data(key='live_case_id'))

    # delete all the existing pins to prevent duplicates
    for pin in get_pins_body[0][0]['data']:
        phantom.delete_pin(int(pin['id']))
    
    # add a pin for each ap that fuzzy-matched the greylist
    for ap in fuzzy_matched_access_points:
        if ap['is_escalated']:
            phantom.pin(container=live_case_id, message=ap['signal_strength'], data=ap['mac_address'], pin_type="card_medium", pin_style="red")
            phantom.add_artifact(
                container=live_case_id,
                raw_data={},
                cef_data=ap,
                label='wireless',
                name='suspicious access point detection',
                severity='high',
                identifier=None,
                artifact_type='network')
    
    decision_1(container=container)

    return

Exemplo n.º 2

def pin_5(action=None,
          success=None,
          container=None,
          results=None,
          handle=None,
          filtered_artifacts=None,
          filtered_results=None,
          custom_function=None,
          **kwargs):
    phantom.debug('pin_5() called')

    filtered_results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_3:condition_1:geolocate_ip_1:action_result.data.*.country_name'
        ])

    filtered_results_item_1_0 = [item[0] for item in filtered_results_data_1]

    phantom.pin(container=container,
                data=filtered_results_item_1_0,
                message="There was a hit on the following Country!",
                pin_type="card",
                pin_style="red",
                name="Block Country List")
    high_positives(container=container)

    return

Exemplo n.º 3

def pin_DNS_alert(action=None,
                  success=None,
                  container=None,
                  results=None,
                  handle=None,
                  filtered_artifacts=None,
                  filtered_results=None,
                  custom_function=None,
                  **kwargs):
    phantom.debug('pin_DNS_alert() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=['run_DNS_alert_query:action_result.data.*.query'],
        action_results=results)

    results_item_1_0 = [item[0] for item in results_data_1]

    phantom.pin(container=container,
                data=results_item_1_0,
                message="Connection to Alerted DNS Address",
                pin_type="card",
                pin_style="red",
                name=None)

    return

Exemplo n.º 4

def Prompt_timeout_api(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None,
                       custom_function=None,
                       **kwargs):
    phantom.debug('Prompt_timeout_api() called')

    phantom.pin(container=container,
                data="",
                message="\"Awaiting Action\"",
                pin_type="card",
                pin_style="red",
                name="Awaiting_Action_pin")

    note_title = ""
    note_content = ""
    note_format = "markdown"
    phantom.add_note(container=container,
                     note_type="general",
                     title=note_title,
                     content=note_content,
                     note_format=note_format)

    phantom.comment(
        container=container,
        comment="“User failed to promote event within time limit.”")

    phantom.set_status(container=container, status="Closed")

    return

Exemplo n.º 5

def pin_virustotal_response(action=None,
                            success=None,
                            container=None,
                            results=None,
                            handle=None,
                            filtered_artifacts=None,
                            filtered_results=None,
                            custom_function=None,
                            **kwargs):
    phantom.debug('pin_virustotal_response() called')

    filtered_results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_7:condition_1:file_reputation_1:action_result.data.*.sha1'
        ])

    filtered_results_item_1_0 = [item[0] for item in filtered_results_data_1]

    phantom.pin(container=container,
                data=filtered_results_item_1_0,
                message="File Downloads VT Hit",
                pin_type="card",
                pin_style="",
                name=None)

    return

Exemplo n.º 6

def pin_DNS_alert(action=None,
                  success=None,
                  container=None,
                  results=None,
                  handle=None,
                  filtered_artifacts=None,
                  filtered_results=None,
                  custom_function=None,
                  **kwargs):
    phantom.debug('pin_DNS_alert() called')

    container_data = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.query', 'artifact:*.id'])

    container_item_0 = [item[0] for item in container_data]

    phantom.pin(container=container,
                data=container_item_0,
                message="Connection to Alerted DNS Address",
                pin_type="card",
                pin_style="red",
                name=None)

    return

Exemplo n.º 7

Arquivo: Investigation Lab.py Projeto: CyberChalm/phantom_playbook_course

def Banned_Country_Pin(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None):
    phantom.debug('Banned_Country_Pin() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=['geolocate_ip_1:action_result.data.*.country_name'],
        action_results=results)

    results_item_1_0 = [item[0] for item in results_data_1]

    phantom.pin(container=container,
                data=results_item_1_0,
                message="Banned country detected",
                pin_type="card",
                pin_style="red",
                name=None)
    High_positives(container=container)

    return

Exemplo n.º 8

def pin_7(action=None,
          success=None,
          container=None,
          results=None,
          handle=None,
          filtered_artifacts=None,
          filtered_results=None):
    phantom.debug('pin_7() called')

    filtered_results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_4:condition_1:list_connections_1:action_result.data.*.state"
        ])

    #filtered_results_item_1_0 = [item[0] for item in filtered_results_data_1]
    filtered_results_item_1_0 = len(filtered_results_data_1)

    phantom.pin(container=container,
                data=filtered_results_item_1_0,
                message="Number of CLOSED_WAIT connections",
                pin_type="card",
                pin_style="red",
                name=None)

    return

Exemplo n.º 9

Arquivo: Get entity information.py Projeto: abuis78/conf2020

def pin_6(action=None,
          success=None,
          container=None,
          results=None,
          handle=None,
          filtered_artifacts=None,
          filtered_results=None,
          custom_function=None,
          **kwargs):
    phantom.debug('pin_6() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'get_entity_2:action_result.parameter.entity_title',
            'get_entity_2:action_result.data.*.*.ip.0'
        ],
        action_results=results)

    for item in results_data_1:
        results_item_1_0 = "Entity: " + item[0]
        results_item_1_1 = item[1]

        phantom.pin(container=container,
                    data=results_item_1_1,
                    message=results_item_1_0,
                    pin_type="card",
                    pin_style="grey",
                    name=None)

    return

Exemplo n.º 10

Arquivo: Investigation Lab 6.py Projeto: kshish/ph49_playbook_solutions

def pin_4(action=None,
          success=None,
          container=None,
          results=None,
          handle=None,
          filtered_artifacts=None,
          filtered_results=None):
    phantom.debug('pin_4() called')

    filtered_results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_banned_countries:condition_1:geolocate_ip_1:action_result.data.*.country_name"
        ])

    filtered_results_item_1_0 = [item[0] for item in filtered_results_data_1]

    phantom.pin(container=container,
                data="",
                message=filtered_results_item_1_0,
                pin_type="card",
                pin_style="red",
                name=None)
    decision_1(container=container)

    return

Exemplo n.º 11

def pin_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('pin_1() called')

    formatted_data_1 = phantom.get_format_data(name='format_3')

    phantom.pin(container=container, data=formatted_data_1, message="Encoded Powershell", pin_type="card", pin_style="red", name=None)

    return

Exemplo n.º 12

def Add_Pin_with_Service_Name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Add_Pin_with_Service_Name() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Service_Name')

    phantom.pin(container=container, data=formatted_data_1, message="Service", pin_type="card", pin_style="red", name=None)

    return

Exemplo n.º 13

Arquivo: otsec_action_check_access_login_fail_success.py Projeto: SplunkBAUG/ot-security-solution

def Pin_Check_Login_Failures_Successes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_Check_Login_Failures_Successes() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_Login_Failures_Success')

    phantom.pin(container=container, data=formatted_data_1, message="Check authentication activities through access control system", name="Login Failures Successes Detected")

    return

Exemplo n.º 14

def pin_suricata_alert(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('pin_suricata_alert() called')

    formatted_data_1 = phantom.get_format_data(name='format_suricata_pin')

    phantom.pin(container=container, data=formatted_data_1, message="Corelight UID with Surcata Alerts", name=None)

    return

Exemplo n.º 15

Arquivo: otsec_action_check_network_conf.py Projeto: SplunkBAUG/ot-security-solution

def Pin_OT_Asset_Info(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_OT_Asset_Info() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_OT_Asset_Info')

    phantom.pin(container=container, data=formatted_data_1, message="Check Network Config", pin_type="card", pin_style="red", name="Check Network Config")

    return

Exemplo n.º 16

Arquivo: otsec_action_check_network_allowlist.py Projeto: SplunkBAUG/ot-security-solution

def Pin_Check_Network_Sessions(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_Check_Network_Sessions() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_Format_Network_Sessions')

    phantom.pin(container=container, data=formatted_data_1, message="Check for allowed hosts/users for the asset", name="Check for allowed hosts/users for the asset")

    return

Exemplo n.º 17

Arquivo: otsec_action_get_asset_info.py Projeto: SplunkBAUG/ot-security-solution

def Pin_Zone_Level(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_Zone_Level() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_Zone_Level')

    phantom.pin(container=container, data=formatted_data_1, message="Verify Asset Zone, Level, Location", name="Asset Zone and Level")

    return

Exemplo n.º 18

Arquivo: otsec_action_check_network_outbound_url.py Projeto: SplunkBAUG/ot-security-solution

def Pin_Check_Network_New_Outbound_URL(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_Check_Network_New_Outbound_URL() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_Network_New_Outbound_URL')

    phantom.pin(container=container, data=formatted_data_1, message="Check Network New Outbound", name="Check Network New Outbound")

    return

Exemplo n.º 19

def Pin_Check_Limit_HW_USB_Activity(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_Check_Limit_HW_USB_Activity() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_Limit_HW_USB_Activity')

    phantom.pin(container=container, data=formatted_data_1, message="Check Limit HW USB Activity", name="Check Limit HW USB Activity")

    return

Exemplo n.º 20

def pin_add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('pin_add_comment_2() called')

    phantom.pin(container=container, data="", message="Awaiting Action", pin_type="card", pin_style="red", name=None)

    phantom.comment(container=container, comment="User failed to promote event within time limit")

    return

Exemplo n.º 21

Arquivo: otsec_action_get_es_notables_py3.py Projeto: philroyer-phantom/playbooks

def Pin_ES_Notables_Detected(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_ES_Notables_Detected() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_ES_Notables')

    phantom.pin(container=container, data=formatted_data_1, message="Check all detected ES notables", name="Check all detected ES notables")

    return

Exemplo n.º 22

def Pin_Check_Software_Sandbox_Status(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Pin_Check_Software_Sandbox_Status() called')

    formatted_data_1 = phantom.get_format_data(name='Format_Pin_Software_Sandbox_Status')

    phantom.pin(container=container, data=formatted_data_1, message="Check Software Sandbox Status", name="Check Software Sandbox Status")

    return

Exemplo n.º 23

def pin_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('pin_1() called')

    formatted_data_1 = phantom.get_format_data(name='format_1')

    phantom.pin(container=container, data=formatted_data_1, message="Suspicious File Hash", pin_type="card", pin_style="red", name=None)
    join_cf_community_noop_2(container=container)

    return

Exemplo n.º 24

Arquivo: Check_E-Mail_header_SpamAssassin.py Projeto: junos1982/P4Rworkhop

def HUD_gray(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('HUD_gray() called')

    formatted_data_1 = phantom.get_format_data(name='XSpamStatus_status_NO')

    phantom.pin(container=container, data=formatted_data_1, message="XSpamStatus", pin_type="card", pin_style="grey", name=None)
    join_Summery_XSpamStatus(container=container)

    return

Exemplo n.º 25

def pin_7(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('pin_7() called')

    formatted_data_1 = phantom.get_format_data(name='format_20')
    formatted_data_2 = phantom.get_format_data(name='format_21')

    phantom.pin(container=container, data=formatted_data_1, message=formatted_data_2, name=None)
    format_22(container=container)

    return

Exemplo n.º 26

Arquivo: first playbook.py Projeto: nick-phantom/training_playbooks

def pin_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    phantom.debug('pin_2() called')

    results_data_1 = phantom.collect2(container=container, datapath=['ip_reputation_1:action_result.summary.detected_urls'], action_results=results)

    results_item_1_0 = [item[0] for item in results_data_1]

    phantom.pin(container=container, data=results_item_1_0, message="malicious urls", pin_type="card", pin_style="red", name="malicious urls")

    return

Exemplo n.º 27

Arquivo: Most Recent Domain_copy.py Projeto: phantom-bots/tenant-1-playbooks

def Calculate_Domain_Age(action=None,
                         success=None,
                         container=None,
                         results=None,
                         handle=None,
                         filtered_artifacts=None,
                         filtered_results=None):
    phantom.debug('Calculate_Domain_Age() called')
    results_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'whois_domain_1:action_result.data.*.creation_date',
            'whois_domain_1:action_result.parameter.domain'
        ],
        action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]
    results_item_1_1 = [item[1] for item in results_data_1]

    Calculate_Domain_Age__domain_age = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    #phantom.debug(results_item_1_0)
    #phantom.debug(results_item_1_1)

    from datetime import datetime, timedelta

    all_domains_age = []

    for idx, val in enumerate(results_item_1_0):
        #Convert string to datetime object
        datetime_object = datetime.strptime(val[0], "%Y-%m-%dT%H:%M:%S")
        domain_age = datetime.strptime("2019-08-02T21:49:40",
                                       "%Y-%m-%dT%H:%M:%S") - datetime_object
        if domain_age.days < 15:
            phantom.pin(container=container,
                        message="Domain is less than 15 days old",
                        data=results_item_1_1[idx],
                        pin_type="card_medium",
                        pin_style="red")
        else:
            pass

        #all_domains_age.append(domain_age)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='Calculate_Domain_Age:domain_age',
                          value=json.dumps(Calculate_Domain_Age__domain_age))

    return

Exemplo n.º 28

Arquivo: Check_E-Mail_header_SpamAssassin.py Projeto: junos1982/P4Rworkhop

def HUD_red_and_severity_medium(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('HUD_red_and_severity_medium() called')

    formatted_data_1 = phantom.get_format_data(name='XSpamStatus_status_YES__as_list')

    phantom.pin(container=container, data=formatted_data_1, message="XSpamStatus", pin_type="card", pin_style="red", name=None)

    phantom.set_severity(container=container, severity="Medium")
    join_Summery_XSpamStatus(container=container)

    return

Exemplo n.º 29

def Add_HUD_high_red(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    phantom.debug('Add_HUD_high_red() called')

    formatted_data_1 = phantom.get_format_data(name='Text_high_HUD')
    formatted_data_2 = phantom.get_format_data(name='Text_URL')

    phantom.pin(container=container, data=formatted_data_1, message=formatted_data_2, name=None)

    phantom.add_tags(container=container, tags="suspicious")
    get_screenshot_2(container=container)

    return

Exemplo n.º 30

Arquivo: pin_to_hud_sample.py Projeto: timfrazier1/tenant-1-playbooks

def pin_2(action=None,
          success=None,
          container=None,
          results=None,
          handle=None,
          filtered_artifacts=None,
          filtered_results=None):
    import random
    phantom.debug('pin_2() called')

    # collect data for 'pin_to_hud_6' call
    dest_username = filter(
        lambda x: x[0],
        phantom.collect2(container=container,
                         datapath=['artifact:*.cef.destinationUserName']))
    sorc_username = filter(
        lambda x: x[0],
        phantom.collect2(container=container,
                         datapath=['artifact:*.cef.sourceUserName']))

    styles = set(["white", "red", "purple"])
    pin_name = pin_name_mangle("pin_2", container)
    pin_id = phantom.get_data(pin_name)

    if not pin_id:
        ret_val, message, pin_id = phantom.pin(
            container=container,
            message="Affected Users",
            data=str(len(dest_username) + len(sorc_username)),
            pin_type="card_medium",
            pin_style="purple")
        phantom.debug("new pin_2")
    else:
        # Delete and remake this one, for the sake of demonstration
        ret_val, message = phantom.delete_pin(pin_id)
        ret_val, message, pin_id = phantom.pin(
            container=container,
            message="Affected Users",
            data=str(len(dest_username) + len(sorc_username)),
            pin_type="card_medium",
            pin_style=random.sample(styles, 1)[0])

    if ret_val:
        phantom.save_data(pin_id, pin_name)
    # set container properties for:
    update_data = {}

    phantom.update(container, update_data)

    return