def Add_comment_and_update_list(action=None,
                                success=None,
                                container=None,
                                results=None,
                                handle=None,
                                filtered_artifacts=None,
                                filtered_results=None,
                                custom_function=None,
                                **kwargs):
    """Record an unseen file hash: leave a comment on the container, then
    append the filtered artifact hashes to the "Prior Hashes" custom list.

    Standard SOAR playbook-block signature; only ``container`` is read here.
    """
    phantom.debug('Add_comment_and_update_list() called')

    # Hashes that passed filter_1/condition_1 upstream. collect2 yields one
    # row per matching artifact, with one element per requested datapath.
    hash_rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_1:condition_1:artifact:*.cef.fileHash'
        ])
    file_hashes = [first for first, *_ in hash_rows]

    phantom.comment(container=container, comment="Comment filehash not seen")

    # Persist the hashes so later runs can treat them as already seen.
    phantom.add_list("Prior Hashes", file_hashes)

    return
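def add_list_1(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Append each filtered recipient address, paired with the current epoch
    time, to the "email_supression_24hr" custom list.

    Standard SOAR playbook-block signature; only ``container`` is read.
    Relies on the ``datetime`` class being imported at module level.
    """
    phantom.debug('add_list_1() called')

    filtered_artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_1:condition_1:artifact:*.cef.toEmail'])

    phantom.debug("filtered_data: {}".format(filtered_artifacts_data_1))

    # Seconds since the epoch as an int. The earlier "{:%s}" strftime trick is
    # a platform extension (not available everywhere); timestamp() is portable
    # and, on a naive local-time datetime, yields the same value.
    now = int(datetime.now().timestamp())

    filtered_artifacts_item_1_0 = [
        item[0] for item in filtered_artifacts_data_1
    ]

    phantom.debug("filtered_artifact: {}".format(filtered_artifacts_item_1_0))
    # Each entry is already the toEmail value (a CEF string). Indexing it with
    # [0] again, as the original did, stored only the address's first character
    # instead of the address.
    timestamped_list = [[email, now] for email in filtered_artifacts_item_1_0]
    phantom.debug("timestamp_list: {}".format(timestamped_list))

    phantom.add_list("email_supression_24hr", timestamped_list)

    return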
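def Make_List(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Rebuild the per-container peer list from run_query_1's results, record
    the list's name in the container data, then hand off to add_comment_1.

    Standard SOAR playbook-block signature; ``container`` and ``results`` are
    read. The custom list is named "temp_peer_list_<container id>" and is
    emptied before being refilled.
    """
    phantom.debug('Make_List() called')
    results_data_1 = phantom.collect2(container=container, datapath=['run_query_1:action_result.data'], action_results=results)
    results_item_1_0 = [item[0] for item in results_data_1]

    ################################################################################
    ## Custom Code Start
    ################################################################################

    list_name = "temp_peer_list_%s" % container['id']

    # Store the list name in the container data so later blocks can find it.
    data = phantom.get_container(container['id'])['data']
    data.update({"peer_list": list_name})
    phantom.update(container, {'data': data})

    # Start from an empty list each run; rows from a previous run would
    # otherwise accumulate.
    phantom.remove_list(list_name)

    # When run_query_1 returned nothing, leave the list empty instead of
    # raising IndexError on results_item_1_0[0].
    if results_item_1_0:
        # action_result.data is itself a sequence of result rows; only the
        # first action result is consumed, as before.
        for row in results_item_1_0[0]:
            phantom.add_list(list_name, [row["peer"], row["count"], row["priority"]])

    ################################################################################
    ## Custom Code End
    ################################################################################
    add_comment_1(container=container)

    return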
def add_list_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Append the IPs that passed filter_2/condition_1 of ip_reputation_1 to
    the "malicious_ips" custom list.

    Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('add_list_2() called')

    ip_rows = phantom.collect2(container=container, datapath=["filtered-data:filter_2:condition_1:ip_reputation_1:action_result.parameter.ip"])

    # One row per filtered result; the IP is the first (only) datapath value.
    malicious_ips = []
    for row in ip_rows:
        malicious_ips.append(row[0])

    phantom.add_list("malicious_ips", malicious_ips)

    return
def create_custom_list(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None):
    """Add an empty set of rows to the "Active Directory Administrators"
    custom list (presumably to make sure the list exists before a later block
    fills it — confirm against the playbook).

    Standard SOAR playbook-block signature; no parameter is used.
    """
    phantom.debug('create_custom_list() called')

    list_name = "Active Directory Administrators"
    no_rows = []
    phantom.add_list(list_name, no_rows)

    return
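def L5_CF_Get_Query_Results_py3_SOAR53(peer=None,
                                       priority=None,
                                       count=None,
                                       container=None,
                                       **kwargs):
    """
    created with SOAR 5.3

    Rebuild the custom list "temp_peer_list_<container>" from the parallel
    ``peer`` / ``priority`` / ``count`` sequences and record that list's name
    in the container's data node.

    Args:
        peer: sequence of peer values, one list row per entry
        priority: sequence parallel to ``peer``
        count: sequence parallel to ``peer``
        container (CEF type: phantom container id)

    Raises:
        ValueError: if the three sequences differ in length.

    Returns a JSON-serializable object that implements the configured data paths:
        results_list_name
    """
    ############################ Custom Code Goes Below This Line #################################
    import json
    import phantom.rules as phantom

    phantom.debug(container)
    phantom.debug(type(container))
    list_name = "temp_peer_list_%s" % container

    # Treat missing inputs as empty so the list is still (re)created, and
    # refuse mismatched lengths instead of failing part-way with IndexError
    # (or silently truncating, as zip alone would).
    peer = peer or []
    priority = priority or []
    count = count or []
    if not (len(peer) == len(priority) == len(count)):
        raise ValueError(
            "peer, priority and count must have the same length: "
            "{} / {} / {}".format(len(peer), len(priority), len(count)))

    # You need the container object in order to update it. Its 'data' node is
    # taken from the same fetch rather than fetching the container twice.
    update_container = phantom.get_container(container)
    data = update_container['data']
    data.update({"peer_list": list_name})
    phantom.update(update_container, {'data': data})
    phantom.remove_list(list_name)

    for peer_value, priority_value, count_value in zip(peer, priority, count):
        phantom.add_list(list_name, [peer_value, priority_value, count_value])

    # phantom.get_list() returns a tuple; the list contents are at index 2.
    results_list = phantom.get_list(list_name)[2]
    phantom.debug(results_list)
    outputs = {'results_list_name': list_name}

    # Fail loudly if outputs is not JSON-serializable (json.dumps raises
    # TypeError). A plain call rather than an assert, so the check survives -O.
    json.dumps(outputs)
    return outputs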
def add_ip_to_block_list(action=None,
                         success=None,
                         container=None,
                         results=None,
                         handle=None,
                         filtered_artifacts=None,
                         filtered_results=None):
    """Append the IPs returned by search_splunk_for_ips to the "IP Block List"
    custom list.

    Standard SOAR playbook-block signature; ``container`` and ``results`` are
    read.
    """
    phantom.debug('add_ip_to_block_list() called')

    ip_rows = phantom.collect2(
        container=container,
        datapath=['search_splunk_for_ips:action_result.data.*.IP'],
        action_results=results)

    # First datapath value of each row is the IP.
    block_ips = [ip for ip, *_ in ip_rows]

    phantom.add_list("IP Block List", block_ips)

    return
def add_hash_to_seen_list(action=None,
                          success=None,
                          container=None,
                          results=None,
                          handle=None,
                          filtered_artifacts=None,
                          filtered_results=None):
    """Append every artifact's fileHash to the "Prior Hashes" custom list, then
    continue the playbook at join_Filter_Banned_Countries.

    Two datapaths are collected (hash and artifact id) but only the hash is
    stored. Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('add_hash_to_seen_list() called')

    hash_and_id_rows = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.fileHash', 'artifact:*.id'])

    # Keep the hash (first datapath) from each row; the artifact id is dropped.
    seen_hashes = [file_hash for file_hash, *_ in hash_and_id_rows]

    phantom.add_list("Prior Hashes", seen_hashes)
    join_Filter_Banned_Countries(container=container)

    return
def add_addresses_to_list(action=None,
                          success=None,
                          container=None,
                          results=None,
                          handle=None,
                          filtered_artifacts=None,
                          filtered_results=None):
    """Append the IPv4 addresses from the filtered scan_port_5900 results to
    the "macos_endpoints" custom list.

    Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('add_addresses_to_list() called')

    address_rows = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_1:condition_1:scan_port_5900:action_result.data.*.addresses.ipv4.*.ip"
        ])

    endpoint_ips = []
    for row in address_rows:
        endpoint_ips.append(row[0])

    phantom.add_list("macos_endpoints", endpoint_ips)

    return
def add_list_6(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Append the file hashes that went through file_reputation_1 to the
    "Prior Hashes" custom list, then continue at join_Filter_Banned_Countries.

    Standard SOAR playbook-block signature; ``container`` and ``results`` are
    read.
    """
    phantom.debug('add_list_6() called')

    hash_rows = phantom.collect2(
        container=container,
        datapath=['file_reputation_1:artifact:*.cef.fileHash'],
        action_results=results)

    # First datapath value of each row is the hash.
    checked_hashes = [file_hash for file_hash, *_ in hash_rows]

    phantom.add_list("Prior Hashes", checked_hashes)
    join_Filter_Banned_Countries(container=container)

    return
def update_custom_list(action=None,
                       success=None,
                       container=None,
                       results=None,
                       handle=None,
                       filtered_artifacts=None,
                       filtered_results=None):
    """Append the sAMAccountName of every filtered get_users_1 result to the
    "Active Directory Administrators" custom list.

    Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('update_custom_list() called')

    account_rows = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_1:condition_1:get_users_1:action_result.data.*.samaccountname"
        ])

    # First datapath value of each row is the account name.
    admin_accounts = [name for name, *_ in account_rows]

    list_name = "Active Directory Administrators"
    phantom.add_list(list_name, admin_accounts)

    return
def add_list_1(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Append the IPs that passed filter_2/condition_2 of geolocate_ip_1 to
    the "internal_ip_list" custom list, then continue at join_format_1.

    Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('add_list_1() called')

    ip_rows = phantom.collect2(
        container=container,
        datapath=[
            "filtered-data:filter_2:condition_2:geolocate_ip_1:action_result.parameter.ip"
        ])

    internal_ips = []
    for row in ip_rows:
        internal_ips.append(row[0])

    phantom.add_list("internal_ip_list", internal_ips)
    join_format_1(container=container)

    return
def Add_Notes(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Attach a markdown note, a comment and a MITRE tag to the container, then
    store the raw Check_Login_Failures_Successes events in "Login_List".

    The note body comes from the Add_Note_Format format block and the comment
    from its "__as_list" variant. Standard SOAR playbook-block signature;
    ``container`` and ``results`` are read.
    """
    phantom.debug('Add_Notes() called')

    raw_rows = phantom.collect2(container=container, datapath=['Check_Login_Failures_Successes:action_result.data.*._raw'], action_results=results)
    note_body = phantom.get_format_data(name='Add_Note_Format')
    comment_text = phantom.get_format_data(name='Add_Note_Format__as_list')

    # First datapath value of each row is the raw event.
    raw_events = [raw for raw, *_ in raw_rows]

    phantom.add_note(
        container=container,
        note_type="general",
        title="Enforce access management through centralized access control system",
        content=note_body,
        note_format="markdown")

    phantom.comment(container=container, comment=comment_text)

    # NOTE(review): tags is passed as a single string; confirm add_tags accepts
    # a str here rather than expecting a list of tags.
    phantom.add_tags(container=container, tags="MITRE T0818")

    phantom.add_list("Login_List", raw_events)

    return
def add_list_1(action=None,
               success=None,
               container=None,
               results=None,
               handle=None,
               filtered_artifacts=None,
               filtered_results=None):
    """Append the filtered artifact file hashes to the custom list named
    " Prior Hashes" (name reproduced as written).

    NOTE(review): the list name carries a leading space, so this writes to a
    different list from "Prior Hashes"; confirm which name the playbook's
    lookups use, since a mismatch makes every hash look unseen.

    Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('add_list_1() called')

    hash_rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_1:condition_1:artifact:*.cef.fileHash'
        ])

    file_hashes = []
    for row in hash_rows:
        file_hashes.append(row[0])

    phantom.add_list(" Prior Hashes", file_hashes)

    return
def add_to_IP_Black_List(action=None,
                         success=None,
                         container=None,
                         results=None,
                         handle=None,
                         filtered_artifacts=None,
                         filtered_results=None,
                         custom_function=None,
                         **kwargs):
    """Append the sourceAddress of every artifact that passed
    filter_1/condition_1 to the "IP Black list" custom list.

    Standard SOAR playbook-block signature; only ``container`` is read.
    """
    phantom.debug('add_to_IP_Black_List() called')

    address_rows = phantom.collect2(
        container=container,
        datapath=[
            'filtered-data:filter_1:condition_1:artifact:*.cef.sourceAddress'
        ])

    # First datapath value of each row is the source address.
    source_addresses = [addr for addr, *_ in address_rows]

    phantom.add_list("IP Black list", source_addresses)

    return