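def Get_Country_Name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Read the saved ``country_name_Email_Notify`` object for this container and pass control to ``format_1``.

    Phantom playbook block.  The object is read from the container-scoped
    object store, its ``value['value']`` is persisted to run data under
    ``Get_Country_Name:countryName``, and the stored object is cleared so the
    value is not reused by a later run.

    Args:
        container: Phantom container dict; ``container['id']`` scopes the object lookup.
        action, success, results, handle, filtered_artifacts, filtered_results:
            Standard Phantom callback arguments; not used here.

    Returns:
        None.  Side effects: object cleared, run data saved, ``format_1`` invoked.
    """
    phantom.debug('Get_Country_Name() called')

    Get_Country_Name__countryName = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    object_key = 'country_name_Email_Notify'
    container_id = container['id']

    data = phantom.get_object(key=object_key, container_id=container_id)
    if data:
        Get_Country_Name__countryName = data[0]['value']['value']
    else:
        # Nothing stored under this key: leave the value as None instead of
        # raising IndexError on data[0], so run data is still written and the
        # downstream block still runs.
        phantom.debug('Get_Country_Name(): no object found for key {}'.format(object_key))

    # clear object db so a stale value is not picked up by a later run
    phantom.clear_object(key=object_key, container_id=container_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='Get_Country_Name:countryName', value=json.dumps(Get_Country_Name__countryName))

    format_1(container=container)

    return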
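def get_object_data(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Read the object saved under ``my_key`` for this container and pass control to ``I_want_the_data``.

    Phantom playbook block.  The object's ``value['value']`` is persisted to
    run data under ``get_object_data:value`` and the stored object is cleared
    so it is not reused by a later run.

    Args:
        container: Phantom container dict; ``container['id']`` scopes the object lookup.
        action, success, results, handle, filtered_artifacts, filtered_results:
            Standard Phantom callback arguments; not used here.

    Returns:
        None.  Side effects: object cleared, run data saved, ``I_want_the_data`` invoked.
    """
    phantom.debug('get_object_data() called')

    input_parameter_0 = "my_key"

    get_object_data__value = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    container_id = container['id']

    data = phantom.get_object(key=input_parameter_0, container_id=container_id)
    if data:
        get_object_data__value = data[0]['value']['value']
    else:
        # Nothing stored under this key: keep None rather than failing on
        # data[0] with an IndexError; run data is still written below.
        phantom.debug('get_object_data(): no object found for key {}'.format(input_parameter_0))

    # clear object db so a stale value is not picked up by a later run
    phantom.clear_object(key=input_parameter_0, container_id=container_id)

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='get_object_data:value', value=json.dumps(get_object_data__value))

    I_want_the_data(container=container)

    return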
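def update_ticket_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Update the ServiceNow ticket recorded for each IP artifact in the container.

    For every artifact carrying ``cef.cn2`` (the IP) and ``cef.cs3`` (the note
    text), the per-playbook object saved under that IP is looked up and, when
    it holds a ticket id, the ``update ticket`` action is run against the
    ``servicenow`` asset with ``state`` 1 and ``work_notes`` set to ``cs3``.

    Args:
        container: Phantom container dict whose artifacts are scanned.
        action, success, results, handle, filtered_artifacts, filtered_results:
            Standard Phantom callback arguments; not used here.

    Returns:
        None.  Side effect: one ``update ticket`` action per matching IP artifact.
    """
    phantom.debug('update_ticket_1() called')

    pb_info = phantom.get_playbook_info()
    if not pb_info:
        return
    playbook_name = pb_info[0].get('name', None)

    artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.cn2', 'artifact:*.cef.cs3'],
        scope='all')

    for artifacts_item_1 in artifacts_data_1:
        if not artifacts_item_1:
            continue
        ip = artifacts_item_1[0]
        if not phantom.valid_ip(ip):
            continue
        ip = str(ip)

        addr = phantom.get_object(key=ip, playbook_name=playbook_name)
        if not addr:
            continue
        ticket = addr[0]['value'].get('ticket', '')
        if not ticket:
            # decision_2 only labels an artifact 'update' once a ticket id has
            # been stored; an empty id addresses no ticket, so skip it.
            phantom.debug('update_ticket_1: no ticket recorded for ip {}'.format(ip))
            continue

        work_notes = artifacts_item_1[1]
        # Build the ServiceNow 'fields' payload with json.dumps rather than
        # %-interpolation: cs3 comes from artifact data, and a quote or brace
        # in it would otherwise break or alter the JSON document.  A missing
        # cs3 serializes as JSON null (the %s form produced the text "None").
        fields = json.dumps({'state': '1', 'work_notes': work_notes})

        # build parameters list for 'update_ticket_1' call
        parameters = [{
            'id': ticket,
            'table': "u_security_engineering_request",
            'fields': fields,
            'vault_id': "",
        }]

        phantom.debug('update ticket {} for ip {}: {}'.format(ticket, ip, json.dumps(work_notes)))
        phantom.act("update ticket", parameters=parameters, assets=['servicenow'], name="update_ticket_1")

    return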
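def Capture_object(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Collect the reputation feedback saved for file, IP, domain and URL and pass it on.

    Phantom playbook block.  Each ``Check_*_reputation`` object stored for
    this container is read and its ``value['feedback']`` is written to run
    data under ``Capture_object:<kind>`` before
    ``Format_the_summarized_information`` is invoked.

    Args:
        container: Phantom container dict; ``container['id']`` scopes the object lookups.
        action, success, results, handle, filtered_artifacts, filtered_results,
        custom_function, **kwargs: Standard Phantom callback arguments; not used here.

    Returns:
        None.  Side effects: four run-data writes and the downstream block call.
    """
    phantom.debug('Capture_object() called')

    id_value = container.get('id', None)

    Capture_object__file = None
    Capture_object__ip = None
    Capture_object__domain = None
    Capture_object__url = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    container_id = container['id']

    def feedback_for(key):
        """Return the 'feedback' field of the first object saved under key, or None when none exists."""
        stored = phantom.get_object(key=key, container_id=container_id)
        if not stored:
            # Missing object: report it and keep None rather than raising
            # IndexError on stored[0], so the remaining lookups still run.
            phantom.debug('Capture_object(): no object found for key {}'.format(key))
            return None
        return stored[0]['value'].get('feedback')

    Capture_object__file = feedback_for('Check_File_reputation')
    Capture_object__ip = feedback_for('Check_IP_reputation')
    Capture_object__domain = feedback_for('Check_Domain_reputation')
    Capture_object__url = feedback_for('Check_URL_reputation')

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key='Capture_object:file', value=json.dumps(Capture_object__file))
    phantom.save_run_data(key='Capture_object:ip', value=json.dumps(Capture_object__ip))
    phantom.save_run_data(key='Capture_object:domain', value=json.dumps(Capture_object__domain))
    phantom.save_run_data(key='Capture_object:url', value=json.dumps(Capture_object__url))

    Format_the_summarized_information(container=container)

    return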
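def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Record the created ticket id on each tracked source IP and format the ticket summary.

    The ticket id is taken from ``action_result.summary.created_ticket_id`` in
    ``results``.  When one is present, every ``cef.src`` artifact that is a
    valid IP and has a per-playbook object saved under it gets that object's
    ``ticket`` field set and re-saved.  The ``format_1`` template is then
    rendered from the ``create_ticket_1`` results regardless.

    Args:
        container: Phantom container dict whose artifacts are scanned.
        results: Action results the ticket id is collected from (may be None).
        action, success, handle, filtered_artifacts, filtered_results:
            Standard Phantom callback arguments; not used here.

    Returns:
        None.
    """
    phantom.debug('format_1() called')

    pb_info = phantom.get_playbook_info()
    if not pb_info:
        return
    playbook_name = pb_info[0].get('name', None)

    ticket_ids = phantom.collect(results, "action_result.summary.created_ticket_id")
    ticket = ticket_ids[0] if ticket_ids else None
    phantom.debug('Ticket {}'.format(ticket))

    if ticket:
        # Only stamp the ticket onto the per-IP objects when one was actually
        # collected.  The previous version also ran this loop with an empty
        # collect() result (format_1 is called from Get_Country_Name with
        # results=None), which stored an empty list in 'ticket' and broke the
        # `ticket == ''` checks in decision_2 and the id used by update_ticket_1.
        artifacts_data_1 = phantom.collect2(container=container, datapath=['artifact:*.cef.src'])
        for artifacts_item_1 in artifacts_data_1:
            if not artifacts_item_1:
                continue
            src = artifacts_item_1[0]
            if not phantom.valid_ip(src):
                continue
            key = str(src)
            addr = phantom.get_object(key=key, playbook_name=playbook_name)
            if addr:
                addr[0]['value']['ticket'] = ticket
                phantom.save_object(key=key, value=addr[0]['value'], auto_delete=False, playbook_name=playbook_name)

    template = """Ticket id: {0} number: {1}"""

    # parameter list for template variable replacement
    parameters = [
        "create_ticket_1:action_result.summary.created_ticket_id",
        "create_ticket_1:action_result.data.*.number",
    ]

    phantom.format(container=container, template=template, parameters=parameters, name="format_1")

    return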
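def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Track repeat sightings of each filtered source IP and route to ticket creation or update.

    For every artifact passed through ``filter_2:condition_1``, a per-playbook
    object keyed by ``cef.src`` keeps ``count``, ``start``/``end`` timestamps
    (``%c`` format), the container name, the ticket id and an ``ignore`` flag.
    The first sighting creates the object.  Later sightings compare the
    container start time with the saved start: with no ticket and the delta
    past the module-level ``WINDOW`` the count is reset; when ``count`` passes
    ``LIMIT`` inside the window an artifact labelled ``create`` (no ticket
    yet) or ``update`` (ticket known) is added and ``ignore`` is set until
    ``REPEAT`` seconds have elapsed.  Finally the container is checked for
    those labels and ``create_ticket_1`` or ``update_ticket_1`` is called.

    Args:
        container: Phantom container dict; ``start_time`` is parsed as
            ``%Y-%m-%d %H:%M:%S.%f`` after dropping its last three characters.
        action, success, results, handle: Standard Phantom callback arguments,
            forwarded to the ticket blocks.
        filtered_artifacts, filtered_results: Not used here.

    Returns:
        None.
    """
    phantom.debug('decision_2() called')

    # NOTE: the generated block blanks `action` before forwarding it; kept as-is.
    action = ''
    pb_info = phantom.get_playbook_info()
    # Guard before indexing pb_info: the previous version read pb_info[0]
    # first, which raised IndexError on an empty result instead of returning.
    if not pb_info:
        return
    name_value = container.get('name', None)
    playbook_name = pb_info[0].get('name', None)
    container_id = container['id']

    filtered_artifacts_data_1 = phantom.collect2(
        container=container,
        datapath=['filtered-data:filter_2:condition_1:artifact:*.cef'])
    phantom.debug('TOTAL number of cef.src artifacts is count: {}'.format(len(filtered_artifacts_data_1)))

    # Container start_time is expected like '2017-10-17 11:32:00.839350+00';
    # the last three characters (the offset) are dropped before parsing.
    start = (container['start_time'])[:-3]
    start_time = datetime.strptime(start, '%Y-%m-%d %H:%M:%S.%f')
    now_c = start_time.strftime("%c")

    for filtered_artifacts_item_1 in filtered_artifacts_data_1:
        cef_item = filtered_artifacts_item_1[0]
        item_1 = cef_item['src']
        phantom.debug('ITEM to be processed: {}'.format(item_1))
        if not item_1:
            continue

        key = str(item_1)
        addr = phantom.get_object(key=key, playbook_name=playbook_name)
        if not addr:
            phantom.debug('SAVE NEW count: {} {} {} '.format(1, now_c, now_c))
            phantom.save_object(key=key, value={
                'count': 1,
                'start': now_c,
                'end': now_c,
                'description': name_value,
                'ticket': '',
                'ignore': False
            }, auto_delete=False, playbook_name=playbook_name)
            continue

        saved = addr[0]['value']
        count = saved['count'] + 1
        ignore = saved['ignore']
        ticket = saved['ticket']
        saved_start = saved['start']
        # Saved 'start' is in %c form, e.g. 'Mon Oct 16 11:46:30 2017'.
        saved_start_time = datetime.strptime(saved_start, '%a %b %d %H:%M:%S %Y')
        delta = abs(start_time - saved_start_time).total_seconds()
        phantom.debug('DECISION start_time {} - saved_start_time {} = {}s '.format(start_time, saved_start_time, delta))

        if ignore and (delta > REPEAT):
            phantom.debug('IGNORE {} start_time {} - saved_start_time {} = {}s '.format(ignore, start_time, saved_start_time, delta))
            ignore = False
            saved_start = now_c

        if not ignore:
            if (ticket == '') and (delta > WINDOW):
                saved_start = now_c
                count = 0
                phantom.debug('RESET time/co ticket {} delta {}s {} <- {}'.format(ticket, delta, saved_start, now_c))
            elif (count > LIMIT) and (delta < WINDOW):
                count = 0
                saved_start = now_c
                raw = {}
                cef = {}
                # Copy cs3 only when the filtered artifact has it: a missing
                # key previously raised KeyError and aborted the whole loop.
                cs3 = cef_item.get('cs3')
                if cs3 is not None:
                    cef['cs3'] = cs3
                if ticket == '':
                    phantom.debug('OPENED {} opened {} {}s ago '.format(item_1, saved_start_time, delta))
                    cef['cn1'] = item_1
                    success, message, artifact_id = phantom.add_artifact(
                        container=container, raw_data=raw, cef_data=cef, label='create',
                        name='ticket', severity='high', identifier=None, artifact_type='host')
                else:
                    phantom.debug('REOPEN {} reopen {} {}s ago '.format(ticket, saved_start_time, delta))
                    cef['cn2'] = item_1
                    success, message, artifact_id = phantom.add_artifact(
                        container=container, raw_data=raw, cef_data=cef, label='update',
                        name='ticket', severity='high', identifier=None, artifact_type='host')
                # Suppress further create/update artifacts until REPEAT has passed.
                ignore = True

        phantom.debug('SAVE OLD count: {0} ticket: {1} {2} {3} {4}s'.format(count, ticket, saved_start, now_c, delta))
        phantom.save_object(key=key, value={
            'count': count,
            'start': saved_start,
            'end': now_c,
            'description': name_value,
            'ticket': ticket,
            'ignore': ignore
        }, auto_delete=False, playbook_name=playbook_name)

    # check for 'if' condition 1
    matched_artifacts_1, matched_results_1 = phantom.condition(
        container=container,
        scope='all',
        conditions=[
            ["artifact:*.label", "==", "create"],
        ])

    # call connected blocks if condition 1 matched
    if matched_artifacts_1 or matched_results_1:
        create_ticket_1(action=action, success=success, container=container, results=results, handle=handle)
        return

    # check for 'elif' condition 2
    matched_artifacts_2, matched_results_2 = phantom.condition(
        container=container,
        scope='all',
        conditions=[
            ["artifact:*.label", "==", "update"],
        ])

    # call connected blocks if condition 2 matched
    if matched_artifacts_2 or matched_results_2:
        update_ticket_1(action=action, success=success, container=container, results=results, handle=handle)
        return

    return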