def list_projects(container, filtered_artifacts=None, filtered_results=None):
    """Start the ``list projects`` action on the ``jira`` asset.

    The action takes no parameters; ``decision_1`` is registered as the callback
    that receives its results. Returns ``None``.
    """
    phantom.act(
        "list projects",
        parameters=[],
        assets=['jira'],
        callback=decision_1,
        name="list_projects",
    )
def block_ip_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Queue a ``block ip`` request for every artifact carrying a ``sourceAddress``.

    One request per artifact is sent to the ``a10 lightning controller`` asset with a
    fixed deny policy; the artifact id travels in ``context`` so results can be tied
    back to the artifact. If no artifact has a source address the action is skipped
    and an error is logged. Returns ``None``.
    """
    rows = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.sourceAddress', 'artifact:*.id'],
    )
    requests = [
        {
            'smartflow': "default-smartflow",
            'service': "default-service",
            'application': "WWT-API",
            'source': row[0],
            'host': "default-host",
            'action': "deny",
            # artifact id is carried so the results can be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    if not requests:
        phantom.error("'block_ip_1' will not be executed due to lack of parameters")
        return
    phantom.act(
        "block ip",
        parameters=requests,
        assets=['a10 lightning controller'],
        name="block_ip_1",
    )
def list_tickets_cb(action, success, incident, results, handle):
    """Callback for ``list tickets``: on success, open a ServiceNow ticket for the Zeus case.

    The ticket text is fixed; ``create_ticket_cb`` receives the result. Nothing is
    done when the preceding action failed.
    """
    if success:
        ticket = {
            "short_description": "Zeus, Multiple action need to be taken",
            "description": "Investigative actions to check for the presence of Zeus",
        }
        phantom.act(
            'create ticket',
            parameters=[ticket],
            assets=["servicenow"],
            callback=create_ticket_cb,
        )
def on_finish(email, summary):
    """Finalise a detonation run and mail the outcome.

    Reads the setup record (recipients and SMTP asset) and the collected results that
    earlier stages stored under keys derived from ``email['current_rule_run_id']``,
    attaches vault item info to each matching result, and sends either a results email
    or an "aborted" email when nothing was acted on. Both ``get_data`` reads clear the
    stored entries. Returns ``None``.

    NOTE(review): uses ``dict.iteritems`` — Python 2 only.
    """
    setupkey = 'setup_data' + str(email['current_rule_run_id'])
    collectkey = 'collect_data' + str(email['current_rule_run_id'])
    email_to, email_from, smtp_asset = phantom.get_data(setupkey, clear_data=True)
    container_url = phantom.get_base_url() + 'container/' + str(email['id'])
    # get_summary tells us whether anything was actually acted on in this run
    getsummary = phantom.get_summary()
    #phantom.debug('Get summary: {}'.format(getsummary))
    #
    if len(getsummary['result']) > 0:
        # at least one item was processed in on_start
        collected_results, collected_vault_items, container_owner = phantom.get_data(collectkey, clear_data=True)
        # attach vault item info to every result whose detonation target is that vault id
        for vaultid in collected_vault_items.keys():
            vaultinfo = phantom.get_vault_item_info(vaultid)
            for app_run_id, datavalues in collected_results.iteritems():
                #phantom.debug('iterate collected results: \napprunid: {}\n\ndatavals: {}'.format(app_run_id, datavalues))
                if datavalues['detonate_summary']['target'] == vaultid:
                    collected_results[app_run_id]['vault_info'] = vaultinfo
        # two summary entries are not detonations, hence the -2 when comparing counts
        if len(collected_results) < (len(getsummary['result'])-2):
            # NOTE: this adds a 'message' key alongside the app_run_id keys; consumers of the
            # email body see it in the pformat dump below
            collected_results['message'] = "Unexpected: Collected Results: {} is less than actions run: {}".format(len(collected_results), (len(getsummary['result'])-2))
        # send summary email
        email_subject = "Results: Ingest file detonatation"
        email_body = '\nPhantom Container ID: {} - Owner: {}\nURL: {}\nReturned results by app_run_id:\n{}'.format(email['id'], container_owner, container_url, pprint.pformat(collected_results, indent=4))
        phantom.act('send email', parameters=[{ "from" : email_from, "to" : email_to, "subject" : email_subject, "body" : email_body }], assets=[smtp_asset], callback=send_email_cb)
        phantom.debug("Summary: " + pprint.pformat(summary, indent=4))
    else:
        # nothing was run on any artifact; send an abort notice instead
        phantom.debug('No artifacts, sending abort email.')
        email_subject = "Results: No artifacts to run, aborting"
        email_body = '\nPhantom Container ID: {}\nURL: {} \nSummary:\n{}'.format(email['id'],container_url,summary)
        phantom.act('send email', parameters=[{ "from" : email_from, "to" : email_to, "subject" : email_subject, "body" : email_body }], assets=[smtp_asset], callback=send_email_cb)
    return
def add_domains_to_block_list():
    """Block a fixed pair of domains on the ``opendns_umbrella`` asset.

    Every entry sets ``disable_safeguards``, which asks the provider to skip its
    protection against blocking widely used domains; ``block_domains_cb`` receives
    the result. Returns ``None``.
    """
    domains = ('yahoo.com', 'msn.com')
    # NOTE(review): these are high-traffic public domains and the provider safeguard is
    # switched off explicitly — confirm this is intended (e.g. a demo playbook) before
    # running it against a production policy.
    requests = [{'domain': name, 'disable_safeguards': True} for name in domains]
    phantom.act(
        'block domain',
        parameters=requests,
        assets=['opendns_umbrella'],
        callback=block_domains_cb,
    )
def list_firewall_rules_cb(action, success, incident, results, handle):
    """Callback for ``list firewall rules``: on success, list SRPs on the fixed host.

    Targets ``domainctrl1`` with a hard-coded ``ip_hostname``; ``list_srps_cb``
    receives the result. Does nothing when the prior action failed.
    """
    if success:
        request = {"ip_hostname": "10.17.1.44"}
        phantom.act('list srps', parameters=[request], assets=["domainctrl1"], callback=list_srps_cb)
def list_processes_cb(action, success, incident, results, handle):
    """Callback for ``list processes``: on success, fetch ``notepad.exe`` from the fixed host.

    Targets ``domainctrl1``; ``get_process_file_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        request = {"name": "notepad.exe", "ip_hostname": "10.17.1.44"}
        phantom.act('get process file', parameters=[request], assets=["domainctrl1"], callback=get_process_file_cb)
def list_sessions_cb(action, success, incident, results, handle):
    """Callback for ``list sessions``: on success, log off a fixed user from the fixed host.

    Targets ``domainctrl1``; ``logoff_user_cb`` receives the result. Does nothing when
    the prior action failed.
    """
    if success:
        request = {"username": "CORP\\User1", "ip_hostname": "10.17.1.44"}
        phantom.act('logoff user', parameters=[request], assets=["domainctrl1"], callback=logoff_user_cb)
def delete_srp1_cb(action, success, incident, results, handle):
    """Callback for ``delete srp``: on success, block a path pattern on the fixed host.

    Targets ``domainctrl1``; ``block_path_cb`` receives the result. Does nothing when
    the prior action failed.
    """
    if success:
        request = {"path": "infostealer*", "ip_hostname": "10.17.1.44"}
        phantom.act('block path', parameters=[request], assets=["domainctrl1"], callback=block_path_cb)
def delete_srp_cb(action, success, incident, results, handle):
    """Callback for ``delete srp``: on success, add an outbound TCP/22 block rule on the fixed host.

    Targets ``domainctrl1`` with a fixed rule name and remote address; ``block_ip_cb``
    receives the result. Does nothing when the prior action failed.
    """
    if success:
        rule = {
            "protocol": "tcp",
            "remote_port": "22",
            "ip_hostname": "10.17.1.44",
            "rule_name": "ph_block_rule_AAB123",
            "dir": "out",
            "remote_ip": "192.94.73.9",
        }
        phantom.act('block ip', parameters=[rule], assets=["domainctrl1"], callback=block_ip_cb)
def list_tickets_cb(action, success, incident, results, handle):
    """Callback for ``list tickets``: on success, open an RT ticket for the Zeus incident.

    The ticket fields are fixed; ``create_ticket_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        ticket = {
            "subject": "Zeus Incident.",
            "text": "Please look into this",
            "priority": "3",
        }
        phantom.act('create ticket', parameters=[ticket], assets=["rt"], callback=create_ticket_cb)
def block_ip_cb(action, success, incident, results, handle):
    """Callback for ``block ip``: on success, block the ``junos-http`` application trust->untrust.

    Targets ``junipersrx``; ``block_application_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        request = {
            "application": "junos-http",
            "from_zone": "trust",
            "to_zone": "untrust",
        }
        phantom.act('block application', parameters=[request], assets=["junipersrx"], callback=block_application_cb)
def get_config_cb(action, success, incident, results, handle):
    """Callback for ``get config``: on success, add an inbound ACL entry on the Cisco ASA.

    Blocks traffic from any source to a fixed destination on ``inside_access_in``;
    ``block_ip_cb`` receives the result. Does nothing when the prior action failed.
    """
    if success:
        entry = {
            "src": "any",
            "direction": "in",
            "dest": "10.10.10.2",
            "access-list": "inside_access_in",
            "interface": "inside",
        }
        phantom.act('block ip', parameters=[entry], assets=["ciscoasa"], callback=block_ip_cb)
def get_version_cb(action, success, incident, results, handle):
    """Callback for ``get version``: on success, fetch the Cisco ASA configuration.

    The action takes a single empty parameter set; ``get_config_cb`` receives the
    result. Does nothing when the prior action failed.
    """
    if success:
        phantom.act('get config', parameters=[{}], assets=["ciscoasa"], callback=get_config_cb)
def detonate_file_cb(action, success, incident, results, handle):
    """Callback for ``detonate file``: on success, detonate a fixed URL on ``anubis``.

    ``detonate_url_cb`` receives the result. Does nothing when the prior action failed.
    """
    if success:
        request = {"url": "www.phantomcyber.com"}
        phantom.act('detonate url', parameters=[request], assets=["anubis"], callback=detonate_url_cb)
def set_system_attribute_cb(action, success, incident, results, handle):
    """Callback for ``set system attribute``: on success, read attributes of a fixed user.

    Targets ``domainctrl1``; ``get_user_attributes_cb`` receives the result. Does
    nothing when the prior action failed.
    """
    if success:
        request = {"username": "jason_malware"}
        phantom.act('get user attributes', parameters=[request], assets=["domainctrl1"], callback=get_user_attributes_cb)
def get_user_attributes_cb(action, success, incident, results, handle):
    """Callback for ``get user attributes``: on success, read attributes of a fixed host.

    Targets ``domainctrl1``; ``get_system_attributes_cb`` receives the result. Does
    nothing when the prior action failed.
    """
    if success:
        request = {"hostname": "winxpprox87"}
        phantom.act('get system attributes', parameters=[request], assets=["domainctrl1"], callback=get_system_attributes_cb)
def disable_user_cb(action, success, incident, results, handle):
    """Callback for ``disable user``: on success, re-enable the same fixed user.

    Targets ``domainctrl1``; ``enable_user_cb`` receives the result. Does nothing when
    the prior action failed.
    """
    if success:
        request = {"username": "jason_malware"}
        phantom.act('enable user', parameters=[request], assets=["domainctrl1"], callback=enable_user_cb)
def detonate_file_cb(action, success, incident, results, handle):
    """Callback for ``detonate file``: on success, detonate a fixed URL on ``cuckoo``.

    ``detonate_url_cb`` receives the result. Does nothing when the prior action failed.
    """
    if success:
        request = {'url': 'www.phantomcyber.com'}
        phantom.act('detonate url', parameters=[request], assets=['cuckoo'], callback=detonate_url_cb)
def enable_user_cb(action, success, incident, results, handle):
    """Callback for ``enable user``: on success, move a fixed host into the ``staging`` OU.

    Targets ``domainctrl1``; ``change_system_ou1_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        request = {"ou": "staging", "hostname": "winxpprox87"}
        phantom.act('change system ou', parameters=[request], assets=["domainctrl1"], callback=change_system_ou1_cb)
def block_ip_cb(action, success, incident, results, handle):
    """Callback for ``block ip``: on success, remove the fixed firewall rule from the fixed host.

    Targets ``domainctrl1``; ``delete_firewall_rule_cb`` receives the result. Does
    nothing when the prior action failed.
    """
    if success:
        request = {"rule_name": "ph_block_rule_AAB123", "ip_hostname": "10.17.1.44"}
        phantom.act('delete firewall rule', parameters=[request], assets=["domainctrl1"], callback=delete_firewall_rule_cb)
def change_system_ou_cb(action, success, incident, results, handle):
    """Callback for ``change system ou``: on success, set ``extensionattribute1`` on a fixed host.

    Targets ``domainctrl1``; ``set_system_attribute_cb`` receives the result. Does
    nothing when the prior action failed.
    """
    if success:
        request = {
            "attribute_value": "admin,Office,NYC",
            "hostname": "winxpprox87",
            "attribute_name": "extensionattribute1",
        }
        phantom.act('set system attribute', parameters=[request], assets=["domainctrl1"], callback=set_system_attribute_cb)
def logoff_user_cb(action, success, incident, results, handle):
    """Callback for ``logoff user``: on success, reboot the fixed host.

    Targets ``domainctrl1``; ``reboot_system_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        request = {"ip_hostname": "10.17.1.44"}
        phantom.act('reboot system', parameters=[request], assets=["domainctrl1"], callback=reboot_system_cb)
def snapshot_vm_cb(action, success, incident, results, handle):
    """Callback for ``snapshot vm``: on success, list connections in the snapshot via Volatility.

    The vault id is read from the first action result's summary; ``list_connections_cb``
    receives the result. Does nothing when the prior action failed.
    """
    if success:
        first_result = results[0]['action_results'][0]
        request = {"vault_id": first_result['summary']['vault_id']}
        phantom.act('list connections', parameters=[request], assets=["volatility"], callback=list_connections_cb)
def block_hash_cb(action, success, incident, results, handle):
    """Callback for ``block hash``: on success, delete the SRP identified by the first result's GUID.

    Targets ``domainctrl1``; ``delete_srp1_cb`` receives the result. Does nothing when
    the prior action failed.
    """
    if success:
        first_result = results[0]['action_results'][0]
        request = {
            "guid": first_result['data'][0]['guid'],
            "ip_hostname": "10.17.1.44",
        }
        phantom.act('delete srp', parameters=[request], assets=["domainctrl1"], callback=delete_srp1_cb)
def list_processes_cb(action, success, incident, results, handle):
    """Callback for ``list processes``: on success, dump a fixed PID's file via Volatility.

    Profile and vault id are taken from the first action result; ``get_process_file_cb``
    receives the result. Does nothing when the prior action failed.
    """
    if success:
        first_result = results[0]['action_results'][0]
        request = {
            "profile": first_result['summary']['vol_profile_used'],
            "vault_id": first_result['parameter']['vault_id'],
            "pid": "2667",
        }
        phantom.act('get process file', parameters=[request], assets=["volatility"], callback=get_process_file_cb)
def get_process_dump_cb(action, success, incident, results, handle):
    """Callback for ``get process dump``: on success, terminate ``chrome.exe`` on the fixed host.

    Targets ``domainctrl1``; ``terminate_process_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        request = {"name": "chrome.exe", "ip_hostname": "10.17.1.44"}
        phantom.act('terminate process', parameters=[request], assets=["domainctrl1"], callback=terminate_process_cb)
def get_browser_history_cb(action, success, incident, results, handle):
    """Callback for ``get browser history``: on success, list MRUs via Volatility.

    Profile and vault id are taken from the first action result; ``list_mrus_cb``
    receives the result. Does nothing when the prior action failed.
    """
    if success:
        first_result = results[0]['action_results'][0]
        request = {
            "profile": first_result['summary']['vol_profile_used'],
            "vault_id": first_result['parameter']['vault_id'],
        }
        phantom.act('list mrus', parameters=[request], assets=["volatility"], callback=list_mrus_cb)
def list_connections_cb(action, success, incident, results, handle):
    """Callback for ``list connections``: on success, list processes on the fixed host.

    Targets ``domainctrl1``; ``list_processes_cb`` receives the result. Does nothing
    when the prior action failed.
    """
    if success:
        request = {"ip_hostname": "10.17.1.44"}
        phantom.act('list processes', parameters=[request], assets=["domainctrl1"], callback=list_processes_cb)
def list_srps_cb(action, success, incident, results, handle):
    """Callback for ``list srps``: on success, deactivate the partition on the fixed host.

    Targets ``domainctrl1``; ``deactivate_partition_cb`` receives the result. Does
    nothing when the prior action failed.
    """
    if success:
        request = {"ip_hostname": "10.17.1.44"}
        phantom.act('deactivate partition', parameters=[request], assets=["domainctrl1"], callback=deactivate_partition_cb)
def create_detect_indicator(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Upload each filtered SHA-256 hash to CrowdStrike as a ``detect`` indicator.

    Hashes come from the ``filter_main_artifact`` condition-1 output; entries with an
    empty hash are skipped. The artifact id travels in ``context`` so results map back
    to their artifact. The action is submitted even when the list ends up empty.
    Returns ``None``.
    """
    phantom.debug('create_detect_indicator() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_main_artifact:condition_1:artifact:*.cef.fileHashSha256',
            'filtered-data:filter_main_artifact:condition_1:artifact:*.id',
        ],
    )
    indicators = [
        {
            'ioc': row[0],
            'policy': "detect",
            'source': "",
            'expiration': "",
            'description': "",
            'share_level': "red",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        action="upload indicator",
        parameters=indicators,
        assets=['crowdstrike_oauth'],
        name="create_detect_indicator",
    )
def no_op_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Poll step: sleep 10 seconds and re-check the case note count, or move on to ``prompt_1``.

    ``handle`` carries the count produced by the previous ``get_case_note_count``; when
    it equals 3 the loop ends and ``prompt_1`` runs, otherwise a ``no op`` sleep is
    queued with ``get_case_note_count`` as its callback. Returns ``None``.
    """
    phantom.debug('no_op_2() called')
    if handle == 3:
        prompt_1(container=container)
        return
    pause = {'sleep_seconds': 10}
    phantom.act(
        "no op",
        parameters=[pause],
        assets=['local phantom'],
        callback=get_case_note_count,
        name="no_op_2",
        parent_action=action,
    )
def delete_srp_cb(action, success, incident, results, handle):
    """Callback for ``delete srp``: on success, add an outbound TCP/22 block rule on the fixed host.

    Targets ``domainctrl1`` with a fixed rule name and remote address; ``block_ip_cb``
    receives the result. Does nothing when the prior action failed.
    """
    if success:
        rule = {
            "protocol": "tcp",
            "remote_port": "22",
            "ip_hostname": "10.17.1.44",
            "rule_name": "ph_block_rule_AAB123",
            "dir": "out",
            "remote_ip": "192.94.73.9",
        }
        phantom.act('block ip', parameters=[rule], assets=["domainctrl1"], callback=block_ip_cb)
def run_query_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run one ``run query`` request per entry of the ``format_1__as_list`` formatted data.

    Targets ``esa100``; ``format_2`` receives the results. Returns ``None``.
    """
    phantom.debug('run_query_1() called')
    query_strings = phantom.get_format_data(name='format_1__as_list')
    queries = [{'query': text, 'display': ""} for text in query_strings]
    phantom.act(
        action="run query",
        parameters=queries,
        assets=['esa100'],
        callback=format_2,
        name="run_query_1",
    )
def get_data_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch the location named by the ``format_2`` formatted data via the ``local`` asset.

    ``custom_function_2`` receives the result. Returns ``None``.
    """
    phantom.debug('get_data_1() called')
    location = phantom.get_format_data(name='format_2')
    request = {
        'location': location,
        # NOTE(review): certificate verification is disabled for this fetch, so the
        # response cannot be trusted against interception — confirm this is acceptable
        # for the target endpoint.
        'verify_certificate': False,
        'headers': "",
    }
    phantom.act(
        "get data",
        parameters=[request],
        assets=['local'],
        callback=custom_function_2,
        name="get_data_1",
    )
def Query_user(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch the location named by ``Format_user_query`` via the ``local`` asset.

    ``extract_email_address`` receives the result. Returns ``None``.
    """
    phantom.debug('Query_user() called')
    location = phantom.get_format_data(name='Format_user_query')
    request = {
        'location': location,
        # NOTE(review): certificate verification is disabled for this fetch — confirm
        # this is acceptable for the target endpoint.
        'verify_certificate': False,
        'headers': "",
    }
    phantom.act(
        "get data",
        parameters=[request],
        assets=['local'],
        callback=extract_email_address,
        name="Query_user",
    )
def list_vms_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Start ``list vms`` on the ``vmwarevsphere`` asset with no parameters.

    ``filter_1`` receives the result. Returns ``None``.
    """
    phantom.debug('list_vms_1() called')
    phantom.act(
        "list vms",
        parameters=[],
        assets=['vmwarevsphere'],
        callback=filter_1,
        name="list_vms_1",
    )
def get_parent_playbook_data(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Fetch the parent playbook run record from the URL in ``playbook_run_data_url``.

    Uses the ``phantom_rest`` asset; ``playbook_message_format`` receives the result.
    Returns ``None``.
    """
    phantom.debug('get_parent_playbook_data() called')
    location = phantom.get_format_data(name='playbook_run_data_url')
    request = {
        'headers': "",
        'location': location,
        # NOTE(review): certificate verification is disabled for this REST call —
        # confirm this is acceptable for the target endpoint.
        'verify_certificate': False,
    }
    phantom.act(
        "get data",
        parameters=[request],
        assets=['phantom_rest'],
        callback=playbook_message_format,
        name="get_parent_playbook_data",
    )
def list_channels_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Start ``list channels`` on the ``slack_splunk`` asset with no parameters.

    ``custom_function_2`` receives the result. Returns ``None``.
    """
    phantom.debug('list_channels_1() called')
    phantom.act(
        "list channels",
        parameters=[],
        assets=['slack_splunk'],
        callback=custom_function_2,
        name="list_channels_1",
    )
def get_service_pin(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Fetch the location named by ``format_9`` via the ``http`` asset.

    ``decision_4`` receives the result. Returns ``None``.
    """
    phantom.debug('get_service_pin() called')
    location = phantom.get_format_data(name='format_9')
    request = {
        'headers': "",
        'location': location,
        # NOTE(review): certificate verification is disabled for this fetch — confirm
        # this is acceptable for the target endpoint.
        'verify_certificate': False,
    }
    phantom.act(
        action="get data",
        parameters=[request],
        assets=['http'],
        callback=decision_4,
        name="get_service_pin",
    )
def list_endpoints_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Start ``list endpoints`` on the ``carbonblack`` asset with no parameters.

    ``filter_1`` receives the result. Returns ``None``.
    """
    phantom.debug('list_endpoints_1() called')
    phantom.act(
        "list endpoints",
        parameters=[],
        assets=['carbonblack'],
        callback=filter_1,
        name="list_endpoints_1",
    )
def send_deny_email_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Send a "Request Denied" email to every ``fromEmail`` address passing ``filter_2``.

    The body is the ``format_deny_email`` formatted data; rows with an empty address
    are skipped. ``join_update_ticket_denied`` receives the result. Returns ``None``.
    """
    phantom.debug('send_deny_email_2() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_2:condition_1:artifact:*.cef.fromEmail',
            'filtered-data:filter_2:condition_1:artifact:*.id',
        ],
    )
    body = phantom.get_format_data(name='format_deny_email')
    messages = [
        {
            'body': body,
            'to': row[0],
            'from': "*****@*****.**",
            'attachments': "",
            'subject': "Request Denied",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        "send email",
        parameters=messages,
        assets=['smtp'],
        callback=join_update_ticket_denied,
        name="send_deny_email_2",
    )
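def hunt_file_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Hunt every artifact ``fileHash`` across the Carbon Black assets that support ``hunt file``.

    Returns early when no such asset is configured (the log line already said
    "returning", but the original fell through and called ``phantom.act`` with an
    empty asset list). Rows without a hash are skipped; if nothing is left the action
    is not run and an error is logged. ``filter_4`` receives the result. Returns ``None``.
    """
    assets = get_specific_assets("hunt file", ["Carbon Black"])
    if not assets:
        phantom.debug("Carbon Black::hunt file not found returning.")
        return  # nothing to run against; avoid dispatching with assets=[]
    rows = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.fileHash', 'artifact:*.id'],
    )
    hunts = [
        {
            'hash': row[0],
            'range': "",
            'type': "binary",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    if not hunts:
        phantom.error("'hunt_file_1' will not be executed due to lack of parameters")
        return
    phantom.act(
        "hunt file",
        parameters=hunts,
        assets=assets,
        name="hunt_file_1",
        callback=filter_4,
    )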
def no_shutdown_comment(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Annotate each Splunk notable from ``query_notable_history`` with a fixed "no shutdown" comment.

    Event ids are read from the previous action's results; rows without an event id
    are skipped. Owner, status and urgency are left unchanged. Returns ``None``.
    """
    phantom.debug('no_shutdown_comment() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'query_notable_history:action_result.data.0.event_id',
            'query_notable_history:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    updates = [
        {
            'event_ids': row[0],
            'owner': "",
            'status': "",
            'urgency': "",
            'comment': "An analyst decided not to shut down the affected Windows machine so no action was taken.",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        "update event",
        parameters=updates,
        assets=['splunk'],
        name="no_shutdown_comment",
    )
def add_to_IP_blocklist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Record every IP that ``block_ip_1`` acted on in the ``ip_address_blocklist`` custom list.

    The list is created if missing (``create`` flag); rows without an IP are skipped.
    Returns ``None``.
    """
    phantom.debug('add_to_IP_blocklist() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'block_ip_1:action_result.parameter.ip',
            'block_ip_1:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    additions = [
        {
            'list': "custom_list:ip_address_blocklist",
            'create': True,
            'new_row': row[0],
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        action="add listitem",
        parameters=additions,
        assets=['phantom'],
        name="add_to_IP_blocklist",
        parent_action=action,
    )
def send_email_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Send an "Unblock Request Accepted" email to each ``fromEmail`` tied to ``allow_url_1``.

    Rows with an empty address are skipped. ``join_set_status_4`` receives the result.
    Returns ``None``.
    """
    phantom.debug('send_email_3() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'allow_url_1:artifact:*.cef.fromEmail',
            'allow_url_1:artifact:*.id',
        ],
        action_results=results,
    )
    messages = [
        {
            'body': "The URL has been unblocked for 24 hours",
            'to': row[0],
            'from': "*****@*****.**",
            'attachments': "",
            'subject': "Unblock Request Accepted",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        "send email",
        parameters=messages,
        assets=['smtp'],
        callback=join_set_status_4,
        name="send_email_3",
        parent_action=action,
    )
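def create_ticket_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Open a ServiceNow ticket summarising what the playbook detected and did.

    Gathers the users, hashes and hosts touched by the preceding actions, builds a
    title and a multi-section description, and submits one ``create ticket`` request.
    The original carried an ``else`` branch for an empty parameter list that could
    never run (one request is always appended); it has been dropped. Returns ``None``.

    NOTE(review): the ``set(...)`` wrappers assume ``collect2`` yields hashable scalars
    for a single datapath — confirm against the platform API, since a list-of-lists
    would raise ``TypeError`` here.
    """
    disabled_users = set(phantom.collect2(datapath='disable_user_1:action_result.parameter.username'))
    blocked_hashes = set(phantom.collect2(datapath='block_hash_3:action_result.parameter.hash'))
    loggedoff_users = set(phantom.collect2(datapath='logoff_user_1:action_result.parameter.username'))
    shutdown_systems = set(phantom.collect2(datapath='shutdown_system_1:action_result.parameter.ip_hostname'))
    file_reputation = phantom.collect2(datapath=[
        'file_reputation_1:filtered-action_result.parameter.hash',
        'file_reputation_1:filtered-action_result.summary.positives',
    ])
    detected_users = set(phantom.collect2(datapath='hunt_file_2:action_result.data.*.process.results.*.username'))
    detected_systems = set(phantom.collect2(datapath='hunt_file_2:action_result.data.*.process.results.*.hostname'))

    title = "Virus Detected on {0} devices".format(len(detected_systems))

    # set iteration order is arbitrary, so the lists below are not stable between runs
    reputation_lines = ", ".join("{0} ({1})".format(*fr) for fr in file_reputation)
    sections = [
        "Hashes sumbitted with detections:\n{0}\n\n".format(reputation_lines),
        "File was found on {0} devices:\n{1}\n\n".format(len(detected_systems), ', '.join(detected_systems)),
        "This impacts at least {0} users:\n{1}\n\n".format(len(detected_users), ', '.join(detected_users)),
    ]
    # optional sections only appear when the corresponding action touched something
    if blocked_hashes:
        sections.append("{0} hashes were submitted for blocking:\n{1}\n\n".format(len(blocked_hashes), ", ".join(blocked_hashes)))
    if loggedoff_users:
        sections.append("{0} users were forced to logoff:\n{1}\n\n".format(len(loggedoff_users), ", ".join(loggedoff_users)))
    if disabled_users:
        sections.append("{0} user accounts were disabled:\n{1}\n\n".format(len(disabled_users), ", ".join(disabled_users)))
    if shutdown_systems:
        sections.append("{0} systems were shutdown:\n{1}\n\n".format(len(shutdown_systems), ", ".join(shutdown_systems)))
    description = "".join(sections)

    ticket = {
        'short_description': title,
        'description': description,
        'fields': "",
    }
    phantom.act(
        "create ticket",
        parameters=[ticket],
        assets=['servicenow'],
        name="create_ticket_2",
        parent_action=action,
    )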
def create_ticket_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Open one ServiceNow incident per ``get_report_2`` result, titled by its threat id.

    Every result row produces a request (no empty-value filtering); the description
    is the ``format_1`` formatted data. ``create_ticket_5_callback`` receives the
    result. Returns ``None``.
    """
    phantom.debug('create_ticket_5() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'get_report_2:action_result.parameter.threat_id',
            'get_report_2:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    description = phantom.get_format_data(name='format_1')
    tickets = [
        {
            'short_description': row[0],
            'table': "incident",
            'vault_id': "",
            'description': description,
            'fields': "",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
    ]
    phantom.act(
        "create ticket",
        parameters=tickets,
        assets=['servicenow'],
        callback=create_ticket_5_callback,
        name="create_ticket_5",
    )
def run_asset_query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Search Splunk's asset lookup for hosts matching the ``format_asset_query`` text.

    When the formatted query is ``None`` the action is still dispatched, with an
    empty parameter list. ``join_results_decision`` receives the result. Returns ``None``.
    """
    phantom.debug("run_asset_query() called")
    query_text = phantom.get_format_data(name="format_asset_query")
    queries = []
    if query_text is not None:
        queries.append({
            "query": query_text,
            "command": "| inputlookup",
        })
    ################################################################################
    ## Custom Code Start
    ################################################################################
    # Write your custom code here...
    ################################################################################
    ## Custom Code End
    ################################################################################
    phantom.act(
        "run query",
        parameters=queries,
        name="run_asset_query",
        assets=["splunk"],
        callback=join_results_decision,
    )
def detonate_file_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Detonate every vault item passing ``filter_8`` on the ``threatgrid`` asset.

    Rows with an empty vault id are skipped; the remaining fields are left blank so
    the app applies its defaults. ``filter_5`` receives the result. Returns ``None``.
    """
    phantom.debug('detonate_file_1() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_8:condition_1:artifact:*.cef.vaultId',
            'filtered-data:filter_8:condition_1:artifact:*.id',
        ],
    )
    submissions = [
        {
            'file_name': "",
            'vault_id': row[0],
            'force_analysis': "",
            'vm': "",
            'private': "",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        "detonate file",
        parameters=submissions,
        assets=['threatgrid'],
        callback=filter_5,
        name="detonate_file_1",
        parent_action=action,
    )
def update_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Update each ticket created by ``create_ticket_1`` with the ``format_2`` field data.

    Rows without a created ticket id are skipped. ``compromised_email_password_reset``
    receives the result. Returns ``None``.
    """
    phantom.debug('update_ticket_1() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'create_ticket_1:action_result.summary.created_ticket_id',
            'create_ticket_1:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    fields = phantom.get_format_data(name='format_2')
    updates = [
        {
            'table': "",
            'vault_id': "",
            'id': row[0],
            'fields': fields,
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        "update ticket",
        parameters=updates,
        assets=['servicenow'],
        callback=compromised_email_password_reset,
        name="update_ticket_1",
    )
def get_file_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Pull every hash that passed ``filter_1`` over ``file_reputation_1`` from Carbon Black.

    Every filtered row produces a request (no empty-hash filtering); the optional
    fields are left blank. Returns ``None``.
    """
    phantom.debug('get_file_2() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_1:condition_1:file_reputation_1:action_result.parameter.hash",
            "filtered-data:filter_1:condition_1:file_reputation_1:action_result.parameter.context.artifact_id",
        ],
    )
    fetches = [
        {
            'hash': row[0],
            'ph_0': "",
            'offset': "",
            'get_count': "",
            'sensor_id': "",
            'file_source': "",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
    ]
    phantom.act(
        action="get file",
        parameters=fetches,
        assets=['carbonblack'],
        name="get_file_2",
    )
def update_event_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Mark every artifact's ``eventId`` as "in progress" with the ``format_comment`` text.

    Targets ``esaabb100``; rows without an event id are skipped and the other fields
    are left blank. Returns ``None``.
    """
    phantom.debug('update_event_1() called')
    rows = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.eventId', 'artifact:*.id'],
    )
    comment = phantom.get_format_data(name='format_comment')
    updates = [
        {
            'owner': "",
            'status': "in progress",
            'comment': comment,
            'urgency': "",
            'event_ids': row[0],
            'integer_status': "",
            'wait_for_confirmation': "",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        action="update event",
        parameters=updates,
        assets=['esaabb100'],
        name="update_event_1",
    )
def ip_reputation_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Look up PassiveTotal reputation for each IP that ``geolocate_ip`` processed.

    Rows without an IP are skipped. ``join_format_results`` receives the result.
    Returns ``None``.
    """
    phantom.debug('ip_reputation_2() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'geolocate_ip:action_result.parameter.ip',
            'geolocate_ip:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    lookups = [
        {
            'ip': row[0],
            'ph': "",
            'from': "",
            'to': "",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        "ip reputation",
        parameters=lookups,
        assets=['passivetotal'],
        callback=join_format_results,
        name="ip_reputation_2",
        parent_action=action,
    )
def detonate_file_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Detonate on WildFire every vault item that ``get_file_1`` produced.

    Rows without a vault id are skipped. ``filter_1`` receives the result.
    Returns ``None``.
    """
    phantom.debug('detonate_file_1() called')
    rows = phantom.collect2(
        container=container,
        datapath=[
            'get_file_1:action_result.summary.vault_id',
            'get_file_1:action_result.parameter.context.artifact_id',
        ],
        action_results=results,
    )
    submissions = [
        {
            'vault_id': row[0],
            'file_name': "",
            # artifact id lets the results be associated with the artifact
            'context': {'artifact_id': row[1]},
        }
        for row in rows
        if row[0]
    ]
    phantom.act(
        action="detonate file",
        parameters=submissions,
        assets=['wildfire'],
        callback=filter_1,
        name="detonate_file_1",
        parent_action=action,
    )
def block_ip_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Block on the 'pan' asset every ip_addr returned by 'list_connections_1'.

    Reads ``data.*.ip_addr`` and the artifact id from each ``list_connections_1``
    result, builds one 'block ip' parameter dict per non-empty address and submits
    the batch via ``phantom.act`` with ``action`` as parent (no callback).

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results, custom_function, **kwargs: standard Phantom playbook
        callback arguments.

    Returns:
        None.
    """
    phantom.debug('block_ip_2() called')

    # collect data for 'block_ip_2' call: row[0] is a connection's remote/local
    # ip_addr, row[1] the artifact id behind the list_connections_1 run
    connection_rows = phantom.collect2(
        container=container,
        datapath=[
            'list_connections_1:action_result.data.*.ip_addr',
            'list_connections_1:action_result.parameter.context.artifact_id',
        ],
        action_results=results)

    # build parameters list for 'block_ip_2' call; vsys and is_source_address are
    # left for the asset defaults, the artifact id rides in 'context'
    # NOTE(review): every non-empty ip_addr is sent to 'block ip' unfiltered; if an
    # allow-list or internal-range exclusion is expected, it is not visible in this
    # block -- confirm it happens upstream
    parameters = [
        {
            'ip': ip_addr,
            'vsys': "",
            'is_source_address': "",
            'context': {'artifact_id': artifact_id},
        }
        for ip_addr, artifact_id in connection_rows
        if ip_addr
    ]

    phantom.act(action="block ip", parameters=parameters, assets=['pan'], name="block_ip_2", parent_action=action)

    return
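def Format_ART_Command(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Build 'format command' requests for the 'Atomic Red Team' app from container artifacts.

    For every artifact that carries both ``cef.os`` and ``cef.act``, one parameter
    dict is built (``supported_os``, ``attack_id``, ``input_arguments``, plus the
    artifact id in ``context``) and the batch is submitted via ``phantom.act`` with
    ``filter_1`` as callback and ``action`` as parent.

    Fix: the debug/log labels previously said 'format_command_1' (a different block
    name), which made playbook run logs hard to attribute; they now name this block.

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results: standard Phantom playbook callback arguments.

    Returns:
        None.
    """
    phantom.debug('Format_ART_Command() called')

    # collect data for 'Format_ART_Command' call: os, attack id, input arguments
    # and the artifact id, one row per artifact in the container
    container_data = phantom.collect2(container=container, datapath=[
        'artifact:*.cef.os',
        'artifact:*.cef.act',
        'artifact:*.cef.input_arguments',
        'artifact:*.id',
    ])

    # build parameters list for 'Format_ART_Command' call; artifacts missing either
    # the os or the attack id are skipped
    parameters = []
    for container_item in container_data:
        if container_item[0] and container_item[1]:
            # log the attack id being formatted so the run can be audited later
            phantom.debug(container_item[1])
            parameters.append({
                'supported_os': container_item[0],
                'attack_id': container_item[1],
                # NOTE(review): cef.input_arguments is forwarded as-is (may be None
                # when the artifact lacks the field) -- confirm the app tolerates that
                'input_arguments': container_item[2],
                # context (artifact id) is added to associate results with the artifact
                'context': {
                    'artifact_id': container_item[3]
                },
            })

    phantom.act("format command", parameters=parameters, app={"name": 'Atomic Red Team'}, callback=filter_1, name="Format_ART_Command", parent_action=action)

    return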
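def block_ip_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Add an outbound 'block ip' rule on the 'domainctrl1' asset for each artifact.

    Reads ``cef.sourceAddress`` (used as ``ip_hostname``), ``cef.destinationAddress``
    (used as ``remote_ip``) and the artifact id from the artifacts reachable through
    ``block_hash_3``, builds one parameter dict per row and submits the batch via
    ``phantom.act``.

    Fix: rows with an empty ``sourceAddress`` are now skipped, matching the
    ``if item[0]`` guard every other action block in this playbook applies; before,
    such rows produced a request with ``ip_hostname`` set to None/empty.

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results: standard Phantom playbook callback arguments.

    Returns:
        None.
    """
    phantom.debug('block_ip_5() called')

    # collect data for 'block_ip_5' call: row[0] source address, row[1]
    # destination address, row[2] artifact id
    inputs_data_1 = phantom.collect2(
        container=container,
        datapath=[
            'block_hash_3:artifact:*.cef.sourceAddress',
            'block_hash_3:artifact:*.cef.destinationAddress',
            'block_hash_3:artifact:*.id',
        ],
        action_results=results)

    # build parameters list for 'block_ip_5' call; protocol, remote_port and
    # rule_name are left to the asset defaults, direction is fixed to "out"
    parameters = []
    for inputs_item_1 in inputs_data_1:
        if not inputs_item_1[0]:
            # no host to apply the rule on -- skip rather than send an empty ip_hostname
            continue
        parameters.append({
            'protocol': "",
            'remote_port': "",
            'ip_hostname': inputs_item_1[0],
            'rule_name': "",
            'dir': "out",
            # NOTE(review): remote_ip may still be None when destinationAddress is
            # absent from the artifact -- confirm the asset rejects or tolerates that
            'remote_ip': inputs_item_1[1],
            # context (artifact id) is added to associate results with the artifact
            'context': {
                'artifact_id': inputs_item_1[2]
            },
        })

    phantom.act("block ip", parameters=parameters, assets=['domainctrl1'], name="block_ip_5")

    return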
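def create_ticket_cb(action, success, incident, results, handle):
    """Callback for 'create ticket': fetch the newly created Jira ticket.

    Logs the raw results, extracts the ticket id from the first data record of
    the first action result and issues 'get ticket' on the 'jira' asset with
    ``get_ticket_cb`` as callback.

    Fix: the original indexed ``results[0]['action_results'][0]['data'][0]['id']``
    unguarded, so an action that succeeded but returned no data record raised an
    uncaught exception from the callback; it now logs via ``phantom.error`` and
    returns. The local formerly named ``id`` (shadowing the builtin) is renamed.

    Args:
        action, success, incident, results, handle: Phantom callback arguments.

    Returns:
        None.
    """
    if not success:
        return

    phantom.debug("results: {0}".format(json.dumps(results)))

    # the created ticket's id lives in the first data record of the first result
    try:
        data = results[0]['action_results'][0]['data']
        ticket_id = data[0]['id']
    except (IndexError, KeyError, TypeError):
        phantom.error("'create_ticket_cb' found no ticket id in the create ticket results")
        return

    phantom.act('get ticket', parameters=[{"id": ticket_id}], assets=["jira"], callback=get_ticket_cb)

    return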
def run_file_query(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Run the query produced by the 'format_file_query' block on the 'splunk-demo' asset.

    Fetches the formatted text with ``phantom.get_format_data`` and submits a single
    'run query' request (command "search", display and parse_only left empty) via
    ``phantom.act``; no callback is registered.

    Args:
        action, success, container, results, handle, filtered_artifacts,
        filtered_results, custom_function, **kwargs: standard Phantom playbook
        callback arguments.

    Returns:
        None.
    """
    phantom.debug('run_file_query() called')

    # collect data for 'run_file_query' call: the query string assembled by the
    # 'format_file_query' format block
    query_text = phantom.get_format_data(name='format_file_query')

    # build parameters list for 'run_file_query' call -- exactly one request
    # NOTE(review): the query text is sent to Splunk verbatim; if the format block
    # interpolates artifact fields into it, quoting/escaping must happen there,
    # which this block cannot verify -- confirm
    single_request = {
        'query': query_text,
        'command': "search",
        'display': "",
        'parse_only': "",
    }
    parameters = [single_request]

    phantom.act(action="run query", parameters=parameters, assets=['splunk-demo'], name="run_file_query")

    return