def join_set_status_set_severity_set_sensitivity_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_set_status_set_severity_set_sensitivity_1() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(
key='join_set_status_set_severity_set_sensitivity_1_called'):
return
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['update_ticket_3']):
# save the state that the joined function has now been called
phantom.save_run_data(
key='join_set_status_set_severity_set_sensitivity_1_called',
value='set_status_set_severity_set_sensitivity_1')
# call connected block "set_status_set_severity_set_sensitivity_1"
set_status_set_severity_set_sensitivity_1(container=container,
handle=handle)
return
def playbook_wait(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("playbook_wait() called")
decide_and_launch_playbooks__names = json.loads(
phantom.get_run_data(key="decide_and_launch_playbooks:names"))
################################################################################
## Custom Code Start
################################################################################
if phantom.completed(playbook_names=decide_and_launch_playbooks__names):
# call connected block "indicators_not_blocked"
get_indicators_status(container=container)
# return early to avoid calling connected block too soon
return
################################################################################
## Custom Code End
################################################################################
get_indicators_status(container=container)
return
def playbook_wait(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("playbook_wait() called")
################################################################################
# Custom code block operating as a join function for dynamic playbook calls.
################################################################################
decide_and_launch_playbooks__names = json.loads(
phantom.get_run_data(key="decide_and_launch_playbooks:names"))
################################################################################
## Custom Code Start
################################################################################
if phantom.completed(playbook_names=decide_and_launch_playbooks__names):
process_notes(container=container)
# return early to avoid moving to next block
return
################################################################################
## Custom Code End
################################################################################
process_notes(container=container)
return
def join_format_prompt(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_format_prompt() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(key='join_format_prompt_called'):
return
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['get_process_details']):
# save the state that the joined function has now been called
phantom.save_run_data(key='join_format_prompt_called',
value='format_prompt')
# call connected block "format_prompt"
format_prompt(container=container, handle=handle)
return
def join_merge_individual_format(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("join_merge_individual_format() called")
if phantom.completed(custom_function_names=["merge_selected"], action_names=["event_details"]):
# call connected block "merge_individual_format"
merge_individual_format(container=container, handle=handle)
return
def join_get_info_service_path(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_get_info_service_path() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['get_service_pin']):
# call connected block "get_info_service_path"
get_info_service_path(container=container, handle=handle)
return
def join_format_for_emailer(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_format_for_emailer() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['hunt_file_1', 'hunt_file_2']):
# call connected block "format_for_emailer"
format_for_emailer(container=container, handle=handle)
return
def join_format_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_format_3() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['run_query_2', 'run_query_1'], custom_function_names=['cf_local_create_current_epoch_time_1']):
# call connected block "format_3"
format_3(container=container, handle=handle)
return
def join_url_reputation_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_url_reputation_1() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['unshorten_url_1']):
# call connected block "url_reputation_1"
url_reputation_1(container=container, handle=handle)
return
def join_add_tag_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):
phantom.debug('join_add_tag_5() called')
# if the joined function has already been called, do nothing
if phantom.get_run_data(key='join_add_tag_5_called'):
return
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['add_tag_service_restart_in_progress', 'get_pin_info_path']):
# save the state that the joined function has now been called
phantom.save_run_data(key='join_add_tag_5_called', value='add_tag_5')
# call connected block "add_tag_5"
add_tag_5(container=container, handle=handle)
return
def join_collect_type_host(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("join_collect_type_host() called")
if phantom.completed(custom_function_names=["collect_type_user"],
action_names=["run_identity_query"]):
# call connected block "collect_type_host"
collect_type_host(container=container, handle=handle)
return
def join_filter_inactive_accounts(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("join_filter_inactive_accounts() called")
if phantom.completed(action_names=["list_all_accounts"],
custom_function_names=["calculate_start_time"]):
# call connected block "filter_inactive_accounts"
filter_inactive_accounts(container=container, handle=handle)
return
def join_Set_staus_OPEN(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_Set_staus_OPEN() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=['add_tag_notable_to_artifakt']):
# call connected block "Set_staus_OPEN"
Set_staus_OPEN(container=container, handle=handle)
return
def join_SOC_email_format_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_SOC_email_format_2() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(playbook_names=['playbook_Main_Hunt_file_1'],
action_names=['create_ticket_1']):
# call connected block "SOC_email_format_2"
SOC_email_format_2(container=container, handle=handle)
return
def join_decision_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_decision_3() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(
custom_function_names=['whois_epoch', 'minus_thirty']):
# call connected block "decision_3"
decision_3(container=container, handle=handle)
return
def join_format_5(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_format_5() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(custom_function_names=[
'cf_community_list_drop_none_1', 'cf_local_url_encode_string_1'
]):
# call connected block "format_5"
format_5(container=container, handle=handle)
return
def join_trace_email_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_trace_email_1() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(custom_function_names=[
'cf_community_datetime_modify_1', 'cf_community_datetime_modify_2'
]):
# call connected block "trace_email_1"
trace_email_1(container=container, handle=handle)
return
def join_filter_3(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_filter_3() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=[
'geolocate_ip_1', 'domain_reputation_2', 'file_reputation_1'
]):
# call connected block "filter_3"
filter_3(container=container, handle=handle)
return
def join_format_5(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_format_5() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(custom_function_names=[
'cf_rba_master_decode_base64_1', 'cf_rba_master_decode_base64_2'
]):
# call connected block "format_5"
format_5(container=container, handle=handle)
return
def join_cf_community_noop_4(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_cf_community_noop_4() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(playbook_names=[
'playbook_rba_master_rba_master_RBA_Investigate_file_hash_1'
]):
# call connected block "cf_community_noop_4"
cf_community_noop_4(container=container, handle=handle)
return
def join_filter_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_filter_2() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=[
'logoff_user_1', 'shutdown_system_1', 'disable_user_1',
'block_hash_3'
]):
# call connected block "filter_2"
filter_2(container=container, handle=handle)
return
def join_decision_5(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_decision_5() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(custom_function_names=[
'cf_community_noop_1', 'cf_community_noop_2',
'cf_community_noop_3', 'cf_community_noop_4'
]):
# call connected block "decision_5"
decision_5(container=container, handle=handle)
return
def join_playbook_log4j_respond_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("join_playbook_log4j_respond_1() called")
if phantom.completed(playbook_names=[
"playbook_internal_host_ssh_log4j_investigate_1",
"playbook_internal_host_ssh_investigate_1",
"playbook_internal_host_winrm_log4j_investigate_1",
"playbook_internal_host_winrm_investigate_1"
]):
# call connected block "playbook_log4j_respond_1"
playbook_log4j_respond_1(container=container, handle=handle)
return
def join_playbook_local_local_Message_Print_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None):
phantom.debug('join_playbook_local_local_Message_Print_1() called')
# check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed
if phantom.completed(action_names=[
'SRC_Public_Reverse_DNS', 'SRC_Private_Reverse_DNS',
'DST_Reverse_DNS', 'DST_Private_Reverse_DNS'
]):
# call connected block "playbook_local_local_Message_Print_1"
playbook_local_local_Message_Print_1(container=container,
handle=handle)
return
def add_notes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
phantom.debug("add_notes() called")
################################################################################
# Add notes to the container if any were generated by playbooks from the previous
# step.
################################################################################
launch_investigate_playbooks__playbooks_launched = json.loads(phantom.get_run_data(key="launch_investigate_playbooks:playbooks_launched"))
input_parameter_0 = ""
################################################################################
## Custom Code Start
################################################################################
playbooks_launched = launch_investigate_playbooks__playbooks_launched
# return early if any of the launched playbooks are not completed
if not phantom.completed(playbook_names=launch_investigate_playbooks__playbooks_launched):
return
playbook_outputs = []
for playbook_name in playbooks_launched:
note_title = phantom.collect2(container=container, datapath=["{}:playbook_output:note_title".format(playbook_name)])[0][0]
note_content = phantom.collect2(container=container, datapath=["{}:playbook_output:note_content".format(playbook_name)])[0][0]
phantom.add_note(container=container, content=note_content, note_format="markdown", note_type="general", title=note_title)
#phantom.add_note(container=container, content=note, note_format="markdown", note_type="general", title='trustar test note')
################################################################################
## Custom Code End
################################################################################
threat_intel_indicator_review(container=container)
return
def join_risk_notable_enrich(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("join_risk_notable_enrich() called")
# if the joined function has already been called, do nothing
if phantom.get_run_data(key="join_risk_notable_enrich_called"):
return
if phantom.completed(playbook_names=["risk_notable_import_data"]):
# save the state that the joined function has now been called
phantom.save_run_data(key="join_risk_notable_enrich_called",
value="risk_notable_enrich")
# call connected block "risk_notable_enrich"
risk_notable_enrich(container=container, handle=handle)
return
def join_merge_notes(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None,
custom_function=None,
**kwargs):
phantom.debug("join_merge_notes() called")
# if the joined function has already been called, do nothing
if phantom.get_run_data(key="join_merge_notes_called"):
return
if phantom.completed(action_names=["protect_prompt"]):
# save the state that the joined function has now been called
phantom.save_run_data(key="join_merge_notes_called",
value="merge_notes")
# call connected block "merge_notes"
merge_notes(container=container, handle=handle)
return
