def playbook_log4j_respond_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``community/log4j_respond`` playbook on the current container.

    The standard SOAR block arguments are accepted so the playbook engine can
    call this function; only ``container`` is used. The run id returned by
    ``phantom.playbook`` is not needed by any later block and is discarded.

    Returns:
        None.
    """
    phantom.debug("playbook_log4j_respond_1() called")

    # No custom pre-processing in this block: the container is handed straight
    # to the child playbook.
    child_playbook = "community/log4j_respond"
    phantom.playbook(child_playbook, container=container)
    return None
def playbook_local_ec2_instance_isolation_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``local/ec2_instance_isolation`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id from ``phantom.playbook`` is
    discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_ec2_instance_isolation_1() called')

    # Nothing in this block depends on the child run id, so it is not kept.
    child_playbook = "local/ec2_instance_isolation"
    phantom.playbook(child_playbook, container=container)
    return None
def risk_notable_preprocess(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/risk_notable_preprocess`` and continue at ``risk_notable_import_data``.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under the name
    ``risk_notable_preprocess`` and ``risk_notable_import_data`` (defined
    elsewhere in this file) is passed as the completion callback. The run id
    is discarded.

    Returns:
        None.
    """
    phantom.debug("risk_notable_preprocess() called")

    child_playbook = "community/risk_notable_preprocess"
    phantom.playbook(
        child_playbook,
        container=container,
        name="risk_notable_preprocess",
        callback=risk_notable_import_data,
    )
    return None
def playbook_soar_Sorsnce_Domain_Recon_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``soar/Sorsnce_Domain_Recon`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name; the run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_soar_Sorsnce_Domain_Recon_1() called')

    child_playbook = "soar/Sorsnce_Domain_Recon"
    phantom.playbook(
        child_playbook,
        container=container,
        name="playbook_soar_Sorsnce_Domain_Recon_1",
    )
    return None
def playbook_conf2020_conf2020_End_Maintenance_Windows_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``conf2020/End Maintenance Windows`` and continue at ``format_snow_ticket_id_request``.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name and ``format_snow_ticket_id_request`` (defined elsewhere
    in this file) is the completion callback. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_conf2020_conf2020_End_Maintenance_Windows_1() called')

    launch_kwargs = {
        "playbook": "conf2020/End Maintenance Windows",
        "container": container,
        "name": "playbook_conf2020_conf2020_End_Maintenance_Windows_1",
        "callback": format_snow_ticket_id_request,
    }
    phantom.playbook(**launch_kwargs)
    return None
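def decide_and_launch_playbook(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the response playbook the analyst chose, then continue to ``decision_5``.

    Reads the first response recorded by the ``select_response_plan`` prompt
    (``action_result.summary.responses.0``) from ``results`` and passes that
    string to ``phantom.playbook`` as the playbook to run. The standard SOAR
    block arguments are accepted for the playbook engine; ``container`` and
    ``results`` are used.

    If no response is available (prompt timed out, was cancelled, or produced
    an empty value) an error is logged and the block returns without
    launching anything and without calling ``decision_5``. Previously this
    case raised ``IndexError`` on the empty response list.

    Returns:
        None.
    """
    phantom.debug("decide_and_launch_playbook() called")

    ################################################################################
    # Process user responses and determine which playbook should be launched.
    ################################################################################

    select_response_plan_result_data = phantom.collect2(container=container, datapath=["select_response_plan:action_result.summary.responses.0"], action_results=results)
    select_response_plan_summary_responses_0 = [item[0] for item in select_response_plan_result_data]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # The prompt response is used verbatim as the playbook to launch. It is
    # expected to be one of the fixed choices offered by select_response_plan
    # (TODO confirm that prompt is a choice list rather than free text), so
    # the value reaching here should already be a known playbook name.
    chosen_playbook = select_response_plan_summary_responses_0[0] if select_response_plan_summary_responses_0 else None
    if not chosen_playbook:
        phantom.error("decide_and_launch_playbook: no response plan was selected; nothing launched")
        return

    # Launch the playbook that the analyst chose.
    playbook_run_id = phantom.playbook(playbook=chosen_playbook, container=container)

    ################################################################################
    ## Custom Code End
    ################################################################################

    decision_5(container=container)

    return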
def playbook_conf2020_conf2020_add_Maintenance_Windows_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``conf2020/add Maintenance Windows`` and continue at ``execute_program_3``.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name and ``execute_program_3`` (defined elsewhere in this
    file) is the completion callback. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_conf2020_conf2020_add_Maintenance_Windows_2() called')

    launch_kwargs = {
        "playbook": "conf2020/add Maintenance Windows",
        "container": container,
        "name": "playbook_conf2020_conf2020_add_Maintenance_Windows_2",
        "callback": execute_program_3,
    }
    phantom.playbook(**launch_kwargs)
    return None
def playbook_local_local_eh_phishing_generate_drilldowns_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``local/eh_phishing_generate_drilldowns`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_local_eh_phishing_generate_drilldowns_1() called')

    child_playbook = "local/eh_phishing_generate_drilldowns"
    phantom.playbook(playbook=child_playbook, container=container)
    return None
def playbook_local_Triage_Peers_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``local/Triage Peers`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_Triage_Peers_1() called')

    child_playbook = "local/Triage Peers"
    phantom.playbook(child_playbook, container=container)
    return None
def launch_reset_playbook(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Add one ``compromised_account`` artifact per affected AD user, then launch the password-reset playbook.

    Reads ``samaccountname`` values from the ``get_affected_ad_users`` results
    that passed ``get_active_ad_users`` condition 1, adds a high-severity
    ``user name`` artifact (automation enabled) for each, and then launches
    ``local/activedirectory_reset_password`` on the container. The standard
    SOAR block arguments are accepted for the playbook engine; only
    ``container`` is used.

    Returns:
        None.
    """
    phantom.debug('launch_reset_playbook() called')

    datapath = "filtered-data:get_active_ad_users:condition_1:get_affected_ad_users:action_result.data.*.samaccountname"
    rows = phantom.collect2(container=container, datapath=[datapath])
    accounts = [row[0] for row in rows]

    for account in accounts:
        phantom.debug("[DEBUG]: account = {}".format(account))
        phantom.add_artifact(
            container=container,
            raw_data={'compromisedUserName': account},
            cef_data={'compromisedUserName': account},
            label='compromised_account',
            name='compromised account ' + account,
            identifier=None,
            artifact_type='user name',
            severity='high',
            run_automation=True,
        )

    # Artifacts added above are not evaluated while this block is still
    # running; without this explicit launch they would all be fired together
    # as one list instead of one at a time.
    phantom.playbook(
        playbook='local/activedirectory_reset_password',
        container=container,
        show_debug=True,
    )
    return None
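def playbook_local_soc_fork_customer_request_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Turn the rows of a vault-stored CSV into ``customer_request`` artifacts, then fork the handler playbook.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The file is located through
    ``phantom.vault_info`` for the container, and each CSV row that has an
    ``action`` column plus ``sourceAddress`` or ``destinationAddress`` is
    added as one high-severity ``network`` artifact. Afterwards
    ``local/soc_fork_customer_request`` is launched on the container.

    Any exception raised while locating or parsing the file is logged with
    ``phantom.error`` and the block returns without launching the playbook.

    Returns:
        None.
    """
    phantom.debug('playbook_local_soc_fork_customer_request_1() called')

    # ----- start of added code -----
    import csv

    container_id = container.get('id', None)

    try:
        # vault_info() returns a (success, message, info) tuple; element 2 is
        # the list of vault entries for the container. Only the first entry is
        # read, on the assumption that it is the customer-request CSV (TODO
        # confirm; a container holding several vault files would silently use
        # whichever is listed first). Looking it up inside the try means a
        # container with no vault file is logged below rather than escaping
        # as an unhandled IndexError.
        vault_info = phantom.vault_info(container_id=container_id)
        file_path = vault_info[2][0]["path"]
        phantom.debug('vault file path: {}'.format(file_path))

        with open(file_path, 'r') as f:
            for cef_data in csv.DictReader(f):
                # The CSV header row supplies the CEF field names verbatim, so
                # the artifact schema is controlled by whoever produced the
                # file; only rows carrying the fields downstream blocks rely
                # on are imported.
                if 'action' not in cef_data:
                    continue
                if 'sourceAddress' not in cef_data and 'destinationAddress' not in cef_data:
                    continue
                phantom.debug('adding artifact: {}'.format(cef_data))
                # Named `added` so the block's own `success` argument is not
                # shadowed.
                added, message, artifact_id = phantom.add_artifact(
                    container=container,
                    raw_data={},
                    cef_data=cef_data,
                    label='customer_request',
                    name='Parsed CSV Artifact',
                    severity='high',
                    identifier=None,
                    artifact_type='network')
                if not added:
                    phantom.error("Adding Artifact failed: {}".format(message))
    except Exception as e:
        # Log str(e) rather than e.args[1]: most exceptions carry a single
        # argument, so indexing args[1] raised its own IndexError inside the
        # handler and hid the real cause.
        phantom.error("Exception Occurred: {}".format(e))
        return
    # ----- end of added code -----

    # call playbook "local/soc_fork_customer_request", returns the playbook_run_id
    playbook_run_id = phantom.playbook("local/soc_fork_customer_request", container)

    return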
def Check_hash(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``phantom_playbook_course/Log File Hashes`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('Check_hash() called')

    child_playbook = "phantom_playbook_course/Log File Hashes"
    phantom.playbook(child_playbook, container=container)
    return None
def playbook_local_Log_File_Hashes_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``local/Log File Hashes`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_Log_File_Hashes_1() called')

    child_playbook = "local/Log File Hashes"
    phantom.playbook(child_playbook, container=container)
    return None
def Promote_To_Case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``local/Case Promotion Lab`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded. Note that this file
    also defines ``Promote_to_Case`` (lower-case ``t``), which is a different
    function launching a different playbook.

    Returns:
        None.
    """
    phantom.debug('Promote_To_Case() called')

    child_playbook = "local/Case Promotion Lab"
    phantom.playbook(child_playbook, container=container)
    return None
def playbook_local_Test_AD_to_Slack_notification_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``local/Test - AD to Slack notification`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_Test_AD_to_Slack_notification_1() called')

    child_playbook = "local/Test - AD to Slack notification"
    phantom.playbook(child_playbook, container=container)
    return None
def playbook_community_rootkit_remediate_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch the ``community/rootkit_remediate`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The container is passed positionally, as in
    the original block. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_community_rootkit_remediate_1() called')

    child_playbook = "community/rootkit_remediate"
    phantom.playbook(child_playbook, container)
    return None
def playbook_internal_host_ssh_log4j_respond_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/internal_host_ssh_log4j_respond`` with hosts and paths from the ``if_hosts_exist`` filter.

    Collects ``cef.deviceHostname`` and ``cef.filePath`` (scope ``all``) from
    the artifacts that passed ``if_hosts_exist`` condition 1 and passes them
    as two parallel lists to the child playbook's ``ip_or_hostname`` and
    ``filepath`` inputs. The standard SOAR block arguments are accepted for
    the playbook engine; only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug("playbook_internal_host_ssh_log4j_respond_2() called")

    hostname_path = "filtered-data:if_hosts_exist:condition_1:artifact:*.cef.deviceHostname"
    filepath_path = "filtered-data:if_hosts_exist:condition_1:artifact:*.cef.filePath"
    rows = phantom.collect2(
        container=container,
        datapath=[hostname_path, filepath_path],
        scope="all",
    )

    # Column 0 is the hostname, column 1 the file path, in datapath order.
    hostnames = []
    filepaths = []
    for row in rows:
        hostnames.append(row[0])
        filepaths.append(row[1])

    child_inputs = {
        "ip_or_hostname": hostnames,
        "filepath": filepaths,
    }

    phantom.playbook(
        "community/internal_host_ssh_log4j_respond",
        container=container,
        inputs=child_inputs,
    )
    return None
def playbook_internal_host_winrm_investigate_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/internal_host_winrm_investigate`` on the de-duplicated hosts from ``os_filter`` condition 2.

    Collects ``cef.deviceHostname`` (scope ``all``) from the artifacts that
    passed ``os_filter`` condition 2, de-duplicates the list with
    ``phantom.concatenate`` and passes it as the ``ip_or_hostname`` input.
    The child run is registered under this block's own name and
    ``join_playbook_log4j_respond_1`` (defined elsewhere in this file) is the
    completion callback. The standard SOAR block arguments are accepted; only
    ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug("playbook_internal_host_winrm_investigate_1() called")

    rows = phantom.collect2(
        container=container,
        datapath=["filtered-data:os_filter:condition_2:artifact:*.cef.deviceHostname"],
        scope="all",
    )
    hostnames = [row[0] for row in rows]
    unique_hostnames = phantom.concatenate(hostnames, dedup=True)

    child_inputs = {"ip_or_hostname": unique_hostnames}

    phantom.playbook(
        "community/internal_host_winrm_investigate",
        container=container,
        name="playbook_internal_host_winrm_investigate_1",
        callback=join_playbook_log4j_respond_1,
        inputs=child_inputs,
    )
    return None
def playbook_r3d_GitHub_sleep_4_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``r3d--GitHub/sleep`` and continue at ``custom_function_1``.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name and ``custom_function_1`` (defined elsewhere in this
    file) is the completion callback. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_r3d_GitHub_sleep_4_4() called')

    child_playbook = "r3d--GitHub/sleep"
    phantom.playbook(
        child_playbook,
        container=container,
        name="playbook_r3d_GitHub_sleep_4_4",
        callback=custom_function_1,
    )
    return None
def playbook_local_eh_investigate_email_iocs_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``local/eh_investigate_email_iocs`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_eh_investigate_email_iocs_1() called')

    child_playbook = "local/eh_investigate_email_iocs"
    phantom.playbook(playbook=child_playbook, container=container)
    return None
def playbook_phantomPlaybooks_Log_File_Hashes_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``phantomPlaybooks/Log File Hashes`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_phantomPlaybooks_Log_File_Hashes_1() called')

    child_playbook = "phantomPlaybooks/Log File Hashes"
    phantom.playbook(playbook=child_playbook, container=container)
    return None
def playbook_rba_master_rba_master_RBA_Investigate_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``rba-master/RBA Investigate`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_rba_master_rba_master_RBA_Investigate_1() called')

    child_playbook = "rba-master/RBA Investigate"
    phantom.playbook(playbook=child_playbook, container=container)
    return None
def Promote_to_Case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``phantom_playbook_course/Case Promotion Lab`` on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under the name
    ``Promote_to_Case``; the run id is discarded.

    NOTE(review): a second ``Promote_to_Case`` is defined later in this file
    with a different playbook path and signature; at import time the later
    definition replaces this one.

    Returns:
        None.
    """
    phantom.debug('Promote_to_Case() called')

    child_playbook = "phantom_playbook_course/Case Promotion Lab"
    phantom.playbook(
        child_playbook,
        container=container,
        name="Promote_to_Case",
    )
    return None
def playbook_local_Atomic_Registry_Run_Keys_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Launch ``local/Atomic - Registry Run Keys`` and then call ``run_script_2`` directly.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The container is passed positionally, as in
    the original block. ``run_script_2`` (defined elsewhere in this file) is
    invoked right after the launch, not as a completion callback, so it does
    not wait for the child playbook. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_Atomic_Registry_Run_Keys_1() called')

    child_playbook = "local/Atomic - Registry Run Keys"
    phantom.playbook(child_playbook, container)

    run_script_2(container=container)
    return None
def playbook_internal_host_splunk_investigate_log4j_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``community/internal_host_splunk_investigate_log4j`` on every de-duplicated ``deviceHostname`` in the container.

    Collects ``cef.deviceHostname`` from all container artifacts (scope
    ``all``), de-duplicates the list with ``phantom.concatenate`` and passes
    it as the ``ip_or_hostname`` input. The child run is registered under
    this block's own name and ``os_filter`` (defined elsewhere in this file)
    is the completion callback. The standard SOAR block arguments are
    accepted; only ``container`` is used. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug("playbook_internal_host_splunk_investigate_log4j_2() called")

    rows = phantom.collect2(
        container=container,
        datapath=["artifact:*.cef.deviceHostname"],
        scope="all",
    )
    hostnames = [row[0] for row in rows]
    unique_hostnames = phantom.concatenate(hostnames, dedup=True)

    child_inputs = {"ip_or_hostname": unique_hostnames}

    phantom.playbook(
        "community/internal_host_splunk_investigate_log4j",
        container=container,
        name="playbook_internal_host_splunk_investigate_log4j_2",
        callback=os_filter,
        inputs=child_inputs,
    )
    return None
def Promote_to_Case(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``phantomPlaybooks/Case Promotion Lab`` on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under the name
    ``Promote_to_Case``; the run id is discarded.

    NOTE(review): this is the second ``Promote_to_Case`` in this file; it
    replaces the earlier definition (which launched
    ``phantom_playbook_course/Case Promotion Lab``) at import time.

    Returns:
        None.
    """
    phantom.debug('Promote_to_Case() called')

    launch_kwargs = {
        "playbook": "phantomPlaybooks/Case Promotion Lab",
        "container": container,
        "name": "Promote_to_Case",
    }
    phantom.playbook(**launch_kwargs)
    return None
def playbook_Main_Hunt_file_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``Main/Hunt_file`` and continue at ``decision_2``.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name and ``decision_2`` (defined elsewhere in this file) is
    the completion callback. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_Main_Hunt_file_1() called')

    launch_kwargs = {
        "playbook": "Main/Hunt_file",
        "container": container,
        "name": "playbook_Main_Hunt_file_1",
        "callback": decision_2,
    }
    phantom.playbook(**launch_kwargs)
    return None
def playbook_P4R_final_version_IOCs_File_mobile_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``P4R_final_version/IOCs_File_mobile`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name; the run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_P4R_final_version_IOCs_File_mobile_1() called')

    launch_kwargs = {
        "playbook": "P4R_final_version/IOCs_File_mobile",
        "container": container,
        "name": "playbook_P4R_final_version_IOCs_File_mobile_1",
    }
    phantom.playbook(**launch_kwargs)
    return None
def playbook_local_local_Message_Print_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch the ``local/Message Print`` playbook on the current container.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name; the run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_local_local_Message_Print_1() called')

    launch_kwargs = {
        "playbook": "local/Message Print",
        "container": container,
        "name": "playbook_local_local_Message_Print_1",
    }
    phantom.playbook(**launch_kwargs)
    return None
def playbook_conf2020_conf2020_Close_SNOW_Ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Launch ``conf2020/Close SNOW Ticket`` and continue at ``set_status_1``.

    The standard SOAR block arguments are accepted for the playbook engine;
    only ``container`` is used. The child run is registered under this
    block's own name and ``set_status_1`` (defined elsewhere in this file) is
    the completion callback. The run id is discarded.

    Returns:
        None.
    """
    phantom.debug('playbook_conf2020_conf2020_Close_SNOW_Ticket_1() called')

    launch_kwargs = {
        "playbook": "conf2020/Close SNOW Ticket",
        "container": container,
        "name": "playbook_conf2020_conf2020_Close_SNOW_Ticket_1",
        "callback": set_status_1,
    }
    phantom.playbook(**launch_kwargs)
    return None