def account_lockout_endpoint_shutdown(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('account_lockout_endpoint_shutdown() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Do you want to shutdown the system?"""
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="account_lockout_endpoint_shutdown",
options=options,
callback=decision_1)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """unblock?"""
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=1,
name="prompt_1",
options=options,
callback=decision_2)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """High priority asset has visited malicious URL. Please review and determine if device should be quarantined?"""
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
options=options,
callback=decision_7)
return
def prompt_2(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_2() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Do you want to Quarantine host: {0}"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.transaction.host_ip",
]
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_2",
parameters=parameters,
callback=decision_3)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """An email is being marked as a Phish attempt. Please inspect and approve so that Phantom can delete all instances of the phish from your mail server. If you do not respond within 6 hours (360 Minutes) the email will _NOT_ be deleted. If you respond \"Yes\" Phantom will start the removal of the phish from all mailboxes on your mail server. All enrichment data is in MIssion Control for your review."""
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=360,
name="prompt_1",
options=options,
callback=decision_1)
return
def DogedogeDogedogeDogedogeDogedogeDogedoge(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('DogedogeDogedogeDogedogeDogedogeDogedoge() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Prompt for administrator..."""
phantom.prompt(container=container, user=user, message=message, respond_in_mins=120, name="DogedogeDogedogeDogedogeDogedogeDogedoge")
return
def prompt_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('prompt_3() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """On a scale of 1 to 99, how Doge are you? Administrator answer only..."""
# response options
options = {
"type": "range",
"min": 1,
"max": 99,
}
phantom.prompt(container=container, user=user, message=message, respond_in_mins=30, name="prompt_3", options=options)
return
def macos_high_sierra_set_root_password(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('macos_high_sierra_set_root_password() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Would you like to set a random root password on the detected vulnerable MacOS High Sierra endpoints?
Consider the evidence in container {0} and make a determination on whether or not to set the same 40-character random root password on the detected endpoints, which are vulnerable to root account login with a blank password.
Choose \"Yes\" to set the root password on the endpoints with the following IP addresses:
{1}"""
# parameter list for template variable replacement
parameters = [
"container:id",
"filtered-data:filter_1:condition_1:ssh_detect_high_sierra:action_result.parameter.ip_hostname",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="macos_high_sierra_set_root_password",
parameters=parameters,
options=options,
callback=decision_2)
return
def prompt_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('prompt_2() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Prompt for admin..."""
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container, user=user, message=message, respond_in_mins=30, name="prompt_2", options=options)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The following user has lost his/her device:
{0}
This user is part of the executive team. Do you wish to:
1. Reset the user password and file ticket
2. Take no immediate action and file ticket
Please response with a 1 or 2."""
# parameter list for template variable replacement
parameters = [
"filtered-data:filter_3:condition_2:get_user_attributes_1:action_result.parameter.username",
]
# response options
options = {
"type": "range",
"min": 1,
"max": 100,
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
options=options,
callback=decision_2)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The following user has been flagged as a malicious insider:
{0}
Do you want to proceed with disabling the user and resetting their password?
Response should be: Yes/No"""
# parameter list for template variable replacement
parameters = [
"get_user_attributes_1:action_result.parameter.username",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
options=options,
callback=decision_1)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """High Severity Alert of {0} on host: {2}
Would you like to block the requesting IP {1}"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.transaction.messages{}.message",
"artifact:*.cef.transaction.client_ip",
"artifact:*.cef.transaction.host_ip",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
options=options,
callback=prompt_1_callback)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Remediate the rootkit?"""
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
callback=playbook_community_rootkit_remediate_1)
return
def compromised_email_password_reset(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('compromised_email_password_reset() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """A threat intelligence service has detected that one or more of our internal email accounts has been compromised and is being used to send malicious outbound email. The following email addresses have been identified and found to be associated with LDAP accounts:
{0}
Select Yes to reset the passwords on the associated LDAP accounts."""
# parameter list for template variable replacement
parameters = [
"filtered-data:filter_2:condition_1:query_ldap:action_result.parameter.username",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="compromised_email_password_reset",
parameters=parameters,
options=options,
callback=decision_1)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """A user is requesting to unblock the website at URL:
{0}
Reputation services have not indicated that this site is malicious. Additional information is contained in Mission Control. Do you want to allow this?"""
# parameter list for template variable replacement
parameters = [
"filtered-data:filter_3:condition_1:artifact:*.cef.requestURL",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
options=options,
callback=decision_2)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """The risk score of {0} has been evaluated by DomainTools Domain Reputation as {1}, which exceeds the Playbook's defined threshold. Would you like to block this domain?"""
# parameter list for template variable replacement
parameters = [
"domain_reputation_1:action_result.parameter.domain",
"domain_reputation_1:action_result.data.*.risk_score",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=60,
name="prompt_1",
parameters=parameters,
options=options,
callback=decision_3)
return
def endpoint_infection_ticket_approval(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('endpoint_infection_ticket_approval() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """Endpoint at {0} has been deemed infected. Would you like to create a ticket to contain this infection?"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.sourceAddress",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=60,
name="endpoint_infection_ticket_approval",
parameters=parameters,
options=options,
callback=decision_2)
return
def prompt_1(action=None,
success=None,
container=None,
results=None,
handle=None,
filtered_artifacts=None,
filtered_results=None):
phantom.debug('prompt_1() called')
# set user and message variables for phantom.prompt call
user = "******"
message = """sourceAddress \"{0}\" has been compromised - is this a test machine?"""
# parameter list for template variable replacement
parameters = [
"artifact:*.cef.sourceAddress",
]
# response options
options = {
"type": "list",
"choices": [
"Yes",
"No",
]
}
phantom.prompt(container=container,
user=user,
message=message,
respond_in_mins=30,
name="prompt_1",
parameters=parameters,
options=options,
callback=decision_4)
return