"""
"""
import phantom.rules as phantom
import json
from datetime import datetime, timedelta
@phantom.playbook_block()
def on_start(container):
    """Entry point of the playbook: hand the container straight to compose_report.

    Args:
        container: the SOAR container dict this playbook run was launched on.
    """
    phantom.debug("on_start() called")
    # Single linear path -- nothing to branch on here.
    compose_report(container=container)
@phantom.playbook_block()
def compose_report(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Render the incident report with phantom.format and store it under the name "compose_report".

    Placeholders are positional: {0}-{2} are container metadata, {3}-{5} are artifact
    CEF fields, {6}/{7} are the two playbook inputs. Once the report is stored the
    promotion block is invoked directly.

    NOTE(review): the artifact fields (sourceDnsDomain, destinationAddress, filePath)
    come from the ingested event, i.e. they are attacker-influenced, and nothing in this
    block escapes them before they are substituted into a report that the next block
    attaches as a markdown note. A crafted value could therefore inject links or
    formatting into the analyst-facing report -- confirm whether the note renderer
    sanitises markdown. Also note the label "Source URL" is filled from
    sourceDnsDomain rather than a URL field; double-check that is the intended mapping.
    """
    phantom.debug("compose_report() called")

    # Built from adjacent literals; the concatenated value is the exact template string.
    # {7} (hash_history) is rendered in italics after the file path, before {6}.
    report_template = (
        "A file has been detected with potentially malicious content. A case has been opened.\n\n"
        "-**Case Link**:{0}\n"
        "-**Container Name**: {1}\n"
        "-**Container Description**: {2}\n"
        "-**Source URL**: {3}\n"
        "-**Target server IP**: {4}\n"
        "-**Suspicious File Path**: {5} (*{7}*)\n"
        "-**Reason for promotion**: {6}\n"
    )

    # Index i of this list feeds placeholder {i} above.
    field_refs = [
        "container:url",                        # {0}
        "container:name",                       # {1}
        "container:description",                # {2}
        "artifact:*.cef.sourceDnsDomain",       # {3} -- untrusted, from the event
        "artifact:*.cef.destinationAddress",    # {4} -- untrusted, from the event
        "artifact:*.cef.filePath",              # {5} -- untrusted, from the event
        "playbook_input:promotion_reason",      # {6}
        "playbook_input:hash_history",          # {7}
    ]

    # drop_none=True: parameters resolving to None are dropped instead of rendered.
    # NOTE(review): confirm in the phantom.format docs how the remaining placeholders
    # behave when a wildcard artifact reference resolves to nothing.
    phantom.format(
        container=container,
        template=report_template,
        parameters=field_refs,
        name="compose_report",
        drop_none=True,
    )

    add_comment_promote_to_case_add_note_1(container=container)
@phantom.playbook_block()
def add_comment_promote_to_case_add_note_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
    """Promote the container to a "Data Breach" case and attach the formatted report.

    Three container mutations, in order: a fixed audit comment, the promotion itself
    (the case template is hard-coded, not a playbook input), and a markdown note titled
    "Incident Report" whose body is whatever compose_report stored under that name.
    """
    phantom.debug("add_comment_promote_to_case_add_note_1() called")

    # NOTE(review): this report embeds artifact values taken straight from the ingested
    # event and is rendered below as markdown, so a crafted sourceDnsDomain or filePath
    # could inject links/formatting into the analyst view. Confirm the note renderer
    # sanitises markdown, or consider note_format="text" if it does not.
    incident_report = phantom.get_format_data(name="compose_report")

    phantom.comment(container=container, comment="Promoted to case")
    phantom.promote(container=container, template="Data Breach")
    phantom.add_note(
        container=container,
        content=incident_report,
        note_format="markdown",
        note_type="general",
        title="Incident Report",
    )

    # Re-fetch the container after promotion. The result is bound to a local that is
    # never read before the block returns, so this only acts as a refresh call.
    container = phantom.get_container(container.get('id', None))
@phantom.playbook_block()
def on_finish(container, summary):
    """Terminal hook, run after every block has completed; a no-op apart from the debug line.

    Args:
        container: the container the playbook ran on (unused).
        summary: the run summary SOAR hands to the finish hook (unused).

    The generated scaffold suggests per-action results could be gathered here via
    phantom.get_summary() and phantom.get_action_results(action_run_id=...), but this
    playbook does not do so.
    """
    phantom.debug("on_finish() called")