"""
"""
import ipaddress
import json
from datetime import datetime, timedelta

import phantom.rules as phantom
def on_start(container):
    """Entry point the platform invokes when this playbook runs on ``container``.

    Hands control straight to ``pin_1``; the remaining chain
    (``set_label_2`` -> ``whois_ip_1``) is wired by the blocks themselves.
    """
    phantom.debug('on_start() called')
    pin_1(container=container)
def pin_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Pin a fixed purple card ("chris" / "wuz here") to the container, then run ``set_label_2``.

    The extra keyword parameters are the standard block signature the platform
    uses for callback blocks; this block does not read any of them.
    """
    phantom.debug('pin_1() called')
    # NOTE(review): the pinned data/message look like placeholder test text rather
    # than incident content -- worth revisiting before this playbook is promoted.
    pin_kwargs = dict(
        container=container,
        data="chris",
        message="wuz here",
        pin_type="card",
        pin_style="purple",
        name=None,
    )
    phantom.pin(**pin_kwargs)
    set_label_2(container=container)
def set_label_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Relabel the container as ``phishing`` and continue to ``whois_ip_1``.

    The label is applied unconditionally: every container this playbook runs on
    ends up labelled ``phishing`` (presumably overwriting any previous label).
    The callback-style keyword parameters are unused.
    """
    phantom.debug('set_label_2() called')
    new_label = "phishing"
    phantom.set_label(container=container, label=new_label)
    whois_ip_1(container=container)
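def whois_ip_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Run a ``whois ip`` lookup on every artifact ``cef.sourceAddress`` in the container.

    For each artifact carrying a ``sourceAddress`` value, one action parameter
    is built and tagged with the artifact id as ``context`` so the platform can
    attach the result back to that artifact. The lookup is dispatched on the
    ``whois`` asset. This is the last block in the chain; ``on_finish`` runs
    once the action completes.

    Changes versus the generated original:

    * ``sourceAddress`` comes from ingested event data -- for a phishing
      container it is effectively attacker-influenced. Only values that parse
      as an IPv4/IPv6 address are forwarded to the external whois service;
      anything else is logged and skipped instead of being handed to the app
      verbatim. (The whois app may validate on its own -- not verified here --
      but the playbook should not depend on that.)
    * When no usable address is found the action is not dispatched at all,
      rather than being called with an empty parameter list.

    Requires Python 3 (stdlib ``ipaddress``). The callback-style keyword
    parameters are unused.
    """
    phantom.debug('whois_ip_1() called')

    # collect data for 'whois_ip_1' call: one (sourceAddress, artifact id) row per artifact
    container_data = phantom.collect2(
        container=container,
        datapath=['artifact:*.cef.sourceAddress', 'artifact:*.id'],
    )

    parameters = []
    for source_address, artifact_id in container_data:
        if not source_address:
            continue
        candidate = str(source_address).strip()
        try:
            # Validate only; the (whitespace-stripped) original string is what
            # gets forwarded, so the value seen by the asset matches the artifact.
            ipaddress.ip_address(candidate)
        except ValueError:
            phantom.debug(
                'whois_ip_1: skipping artifact {} -- sourceAddress is not an IP address'.format(artifact_id)
            )
            continue
        parameters.append({
            'ip': candidate,
            # context (artifact id) is added to associate results with the artifact
            'context': {'artifact_id': artifact_id},
        })

    if not parameters:
        phantom.debug('whois_ip_1: no valid sourceAddress values found; skipping action')
        return

    phantom.act("whois ip", parameters=parameters, assets=['whois'], name="whois_ip_1")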
def on_finish(container, summary):
    """Final hook, run once every dispatched action has completed.

    Nothing is collected here and ``summary`` is not read. To inspect action
    outcomes, call ``phantom.get_summary()``, iterate ``summary_json['result']``
    and pass each entry's ``action_run_id`` to ``phantom.get_action_results``
    (``result_data=False, flatten=False`` in the platform's stock template).
    """
    phantom.debug('on_finish() called')