def Add_comment_and_update_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Comment on the container and store the filtered file hashes on "Prior Hashes".

    Reads every ``fileHash`` that passed ``filter_1:condition_1``, adds the
    fixed comment "Comment filehash not seen" to the container and appends the
    hashes to the "Prior Hashes" custom list. Playbook callback signature; only
    ``container`` is used.
    """
    phantom.debug('Add_comment_and_update_list() called')

    hash_rows = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_1:condition_1:artifact:*.cef.fileHash'],
    )
    # collect2 yields one tuple per matching artifact; slot 0 is the hash value.
    hashes = []
    for row in hash_rows:
        hashes.append(row[0])

    phantom.comment(container=container, comment="Comment filehash not seen")
    phantom.add_list("Prior Hashes", hashes)
    return None
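def add_list_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Add the filtered recipient addresses to the "email_supression_24hr" list.

    Each ``toEmail`` value that passed ``filter_1:condition_1`` is stored as a
    ``[address, epoch_seconds]`` pair (the list name suggests a 24-hour window;
    the consumer of the list is not on this page).

    Fix: the pairs were built from ``item[0]`` of the already-flattened address
    strings, which stored only the first character of each address instead of
    the whole address.
    """
    phantom.debug('add_list_1() called')

    filtered_artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_1:condition_1:artifact:*.cef.toEmail'],
    )
    phantom.debug("filtered_data: {}".format(filtered_artifacts_data_1))

    # Epoch seconds; .timestamp() is portable, whereas strftime("%s") is a
    # platform extension that fails outside glibc.
    now = int(datetime.now().timestamp())

    # collect2 returns one tuple per artifact; slot 0 is the address string.
    filtered_artifacts_item_1_0 = [item[0] for item in filtered_artifacts_data_1]
    phantom.debug("filtered_artifact: {}".format(filtered_artifacts_item_1_0))

    # Pair each whole address with the timestamp (not its first character).
    timestamped_list = [[address, now] for address in filtered_artifacts_item_1_0]
    phantom.debug("timestamp_list: {}".format(timestamped_list))

    phantom.add_list("email_supression_24hr", timestamped_list)
    return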
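def Make_List(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Rebuild the per-container peer list from the ``run_query_1`` results.

    The list is named ``temp_peer_list_<container id>``; that name is written to
    ``data["peer_list"]`` on the container, any existing list of that name is
    removed, and one ``[peer, count, priority]`` row is added per row of the
    first ``run_query_1`` result. ``add_comment_1`` is invoked at the end.

    Fix: an empty ``run_query_1`` result previously raised ``IndexError`` on
    ``results_item_1_0[0]``; it now leaves the list empty and still continues
    to ``add_comment_1``.
    """
    phantom.debug('Make_List() called')

    results_data_1 = phantom.collect2(
        container=container,
        datapath=['run_query_1:action_result.data'],
        action_results=results,
    )
    results_item_1_0 = [item[0] for item in results_data_1]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    list_name = "temp_peer_list_%s" % container['id']

    # Store list name in container data (its consumer is not on this page).
    data = phantom.get_container(container['id'])['data']
    data.update({"peer_list": list_name})
    phantom.update(container, {'data': data})

    # Remove any existing list of that name before refilling it.
    phantom.remove_list(list_name)

    # Only the first action result's data is used; no result means no rows.
    rows = results_item_1_0[0] if results_item_1_0 else []
    for row in rows:
        phantom.add_list(list_name, [row["peer"], row["count"], row["priority"]])

    ################################################################################
    ## Custom Code End
    ################################################################################

    add_comment_1(container=container)
    return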
def add_list_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Append the filtered ``ip_reputation_1`` input IPs to the "malicious_ips" list.

    The values are the ``ip`` action parameters of the ``ip_reputation_1`` results
    selected by ``filter_2:condition_1``. Playbook callback signature; only
    ``container`` is used.
    """
    phantom.debug('add_list_2() called')

    ip_rows = phantom.collect2(
        container=container,
        datapath=["filtered-data:filter_2:condition_1:ip_reputation_1:action_result.parameter.ip"],
    )
    # Slot 0 of each collected tuple is the ip parameter value.
    phantom.add_list("malicious_ips", [row[0] for row in ip_rows])
    return None
def create_custom_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Call ``phantom.add_list`` for "Active Directory Administrators" with no items.

    All callback arguments are ignored; the only effect is the add_list call
    with an empty item list.
    """
    phantom.debug('create_custom_list() called')
    list_name = "Active Directory Administrators"
    phantom.add_list(list_name, [])
    return None
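def L5_CF_Get_Query_Results_py3_SOAR53(peer=None, priority=None, count=None, container=None, **kwargs):
    """
    created with SOAR 5.3

    Args:
        peer
        priority
        count
        container (CEF type: phantom container id)

    Returns a JSON-serializable object that implements the configured data paths:
        results_list_name

    Builds the custom list ``temp_peer_list_<container>`` from the three
    parallel input sequences (one ``[peer, priority, count]`` row each), records
    the list name under ``data["peer_list"]`` on the container and returns it.

    Raises:
        ValueError: if ``peer``, ``priority`` and ``count`` differ in length
            (previously this surfaced as an IndexError part-way through the loop).
    """
    ############################ Custom Code Goes Below This Line #################################
    import json
    import phantom.rules as phantom

    outputs = {}

    # Write your custom code here...
    phantom.debug(container)
    phantom.debug(type(container))

    # ``container`` is the id here, not the container object.
    list_name = "temp_peer_list_%s" % container

    # Absent inputs are treated as empty rather than failing on len(None).
    peers = list(peer or [])
    priorities = list(priority or [])
    counts = list(count or [])
    if not (len(peers) == len(priorities) == len(counts)):
        raise ValueError(
            "peer, priority and count must have the same length (got %d, %d, %d)"
            % (len(peers), len(priorities), len(counts))
        )

    # phantom.update() needs the container object; fetch it once and reuse its
    # data node instead of a second get_container() round-trip.
    update_container = phantom.get_container(container)
    data = update_container['data']
    data.update({"peer_list": list_name})
    phantom.update(update_container, {'data': data})

    # Remove any existing list of that name before refilling it.
    phantom.remove_list(list_name)
    for peer_value, priority_value, count_value in zip(peers, priorities, counts):
        phantom.add_list(list_name, [peer_value, priority_value, count_value])

    # The list contents sit at index 2 (the third slot) of the tuple returned by
    # phantom.get_list(); it is only logged here.
    results_list = phantom.get_list(list_name)[2]
    phantom.debug(results_list)

    outputs = {'results_list_name': list_name}

    # Return a JSON-serializable object: json.dumps raises if it is not
    # (a bare ``assert`` would be stripped under ``python -O``).
    json.dumps(outputs)
    return outputs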
def add_ip_to_block_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Push every ``IP`` value returned by ``search_splunk_for_ips`` onto "IP Block List".

    NOTE(review): the values are taken from the search results as-is, with no
    validation or deduplication here; whatever enforces this list downstream
    inherits exactly what the search returned — confirm the search cannot yield
    unintended addresses (for example internal ranges).
    """
    phantom.debug('add_ip_to_block_list() called')

    search_rows = phantom.collect2(
        container=container,
        datapath=['search_splunk_for_ips:action_result.data.*.IP'],
        action_results=results,
    )
    # Slot 0 of each collected tuple is the IP field.
    block_entries = [row[0] for row in search_rows]
    phantom.add_list("IP Block List", block_entries)
    return None
def add_hash_to_seen_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Store every artifact ``fileHash`` on "Prior Hashes", then continue to ``join_Filter_Banned_Countries``.

    ``collect2`` is asked for both the hash and the artifact id, but only the
    hash (slot 0 of each tuple) is written to the list; the id is unused.
    """
    phantom.debug('add_hash_to_seen_list() called')

    artifact_rows = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.fileHash', 'artifact:*.id'],
    )
    hashes = []
    for row in artifact_rows:
        hashes.append(row[0])

    phantom.add_list("Prior Hashes", hashes)
    join_Filter_Banned_Countries(container=container)
    return None
def add_addresses_to_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Append the filtered ``scan_port_5900`` IPv4 addresses to the "macos_endpoints" list.

    The datapath selects ``addresses.ipv4.*.ip`` from the ``scan_port_5900``
    results that passed ``filter_1:condition_1``.
    """
    phantom.debug('add_addresses_to_list() called')

    datapath = "filtered-data:filter_1:condition_1:scan_port_5900:action_result.data.*.addresses.ipv4.*.ip"
    address_rows = phantom.collect2(container=container, datapath=[datapath])

    # Slot 0 of each collected tuple is the ip value.
    addresses = [row[0] for row in address_rows]
    phantom.add_list("macos_endpoints", addresses)
    return None
def add_list_6(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Store the ``fileHash`` inputs of ``file_reputation_1`` on "Prior Hashes", then continue to ``join_Filter_Banned_Countries``.

    The datapath ``file_reputation_1:artifact:*.cef.fileHash`` resolves the
    artifacts that fed the reputation action; slot 0 of each tuple is the hash.
    """
    phantom.debug('add_list_6() called')

    input_rows = phantom.collect2(
        container=container,
        datapath=['file_reputation_1:artifact:*.cef.fileHash'],
        action_results=results,
    )
    hashes = [row[0] for row in input_rows]

    phantom.add_list("Prior Hashes", hashes)
    join_Filter_Banned_Countries(container=container)
    return None
def update_custom_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Append the filtered ``get_users_1`` sAMAccountNames to "Active Directory Administrators".

    The datapath selects ``samaccountname`` from the ``get_users_1`` results that
    passed ``filter_1:condition_1``; slot 0 of each collected tuple is the name.
    """
    phantom.debug('update_custom_list() called')

    datapath = "filtered-data:filter_1:condition_1:get_users_1:action_result.data.*.samaccountname"
    user_rows = phantom.collect2(container=container, datapath=[datapath])

    account_names = []
    for row in user_rows:
        account_names.append(row[0])

    phantom.add_list("Active Directory Administrators", account_names)
    return None
def add_list_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Store the filtered ``geolocate_ip_1`` input IPs on "internal_ip_list", then continue to ``join_format_1``.

    The datapath selects the ``ip`` parameter of the ``geolocate_ip_1`` results
    that passed ``filter_2:condition_2``; slot 0 of each tuple is the ip value.
    """
    phantom.debug('add_list_1() called')

    datapath = "filtered-data:filter_2:condition_2:geolocate_ip_1:action_result.parameter.ip"
    ip_rows = phantom.collect2(container=container, datapath=[datapath])
    ips = [row[0] for row in ip_rows]

    phantom.add_list("internal_ip_list", ips)
    join_format_1(container=container)
    return None
def Add_Notes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Annotate the container with the login-check findings and keep the raw rows on "Login_List".

    Adds a markdown note built from the ``Add_Note_Format`` block, comments with
    the ``Add_Note_Format__as_list`` variant, tags the container "MITRE T0818"
    and stores every ``_raw`` row of ``Check_Login_Failures_Successes`` on the
    "Login_List" custom list.
    """
    phantom.debug('Add_Notes() called')

    raw_rows = phantom.collect2(
        container=container,
        datapath=['Check_Login_Failures_Successes:action_result.data.*._raw'],
        action_results=results,
    )
    note_body = phantom.get_format_data(name='Add_Note_Format')
    comment_body = phantom.get_format_data(name='Add_Note_Format__as_list')

    # Slot 0 of each collected tuple is the _raw event text.
    raw_events = [row[0] for row in raw_rows]

    phantom.add_note(
        container=container,
        note_type="general",
        title="Enforce access management through centralized access control system",
        content=note_body,
        note_format="markdown",
    )
    phantom.comment(container=container, comment=comment_body)
    phantom.add_tags(container=container, tags="MITRE T0818")
    phantom.add_list("Login_List", raw_events)
    return None
def add_list_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Store the filtered artifact ``fileHash`` values on the " Prior Hashes" list.

    NOTE(review): the list name carries a leading space, so it is a different
    custom list from the "Prior Hashes" used by the other functions on this
    page — confirm this is intentional, otherwise seen-hash lookups against
    "Prior Hashes" will never match what is written here.
    """
    phantom.debug('add_list_1() called')

    hash_rows = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_1:condition_1:artifact:*.cef.fileHash'],
    )
    # Slot 0 of each collected tuple is the hash value.
    hashes = [row[0] for row in hash_rows]

    phantom.add_list(" Prior Hashes", hashes)
    return None
def add_to_IP_Black_List(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Append the filtered artifact ``sourceAddress`` values to the "IP Black list".

    The datapath selects ``cef.sourceAddress`` from the artifacts that passed
    ``filter_1:condition_1``; slot 0 of each collected tuple is the address.
    """
    phantom.debug('add_to_IP_Black_List() called')

    address_rows = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_1:condition_1:artifact:*.cef.sourceAddress'],
    )
    addresses = []
    for row in address_rows:
        addresses.append(row[0])

    phantom.add_list("IP Black list", addresses)
    return None