"""
"""
import phantom.rules as phantom
import json
from datetime import datetime, timedelta
def on_start(container):
    """Playbook entry point.

    Splunk SOAR (Phantom) invokes this once per container; the only job
    here is to hand the container to the first block, ``filter_1``.

    Args:
        container: The SOAR container (event) the playbook was run on.
    """
    phantom.debug('on_start() called')
    filter_1(container=container)
def filter_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Keep only artifacts that carry a non-empty ``cef.fileHash``.

    The matching artifact ids are registered under the name
    ``filter_1:condition_1`` so downstream blocks can refer to them as
    ``filtered-data:filter_1:condition_1:...``. When nothing matches the
    playbook stops here; otherwise control passes to ``decision_1``.

    The parameter list is the standard SOAR block signature; only
    ``container`` is read in this block.
    """
    phantom.debug('filter_1() called')

    hash_artifacts, hash_results = phantom.condition(
        container=container,
        conditions=[
            ["artifact:*.cef.fileHash", "!=", ""],
        ],
        name="filter_1:condition_1",
    )

    # Guard clause: no artifact with a file hash means nothing to look up.
    if not (hash_artifacts or hash_results):
        return

    decision_1(
        action=action,
        success=success,
        container=container,
        results=results,
        handle=handle,
        filtered_artifacts=hash_artifacts,
        filtered_results=hash_results,
    )
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Branch on whether a filtered hash is already in the ``Prior Hashes`` list.

    If any hash that passed ``filter_1`` is present in the custom list
    ``Prior Hashes`` the container goes to ``format_1`` ("seen before");
    otherwise it goes to ``format_2`` ("new").

    NOTE(review): this condition is not given a ``name=``, so the blocks it
    calls cannot reference *which* hashes matched the list; ``format_1`` and
    ``format_2`` instead render every hash from ``filter_1:condition_1``. On a
    container holding several hashes, some known and some not, the resulting
    comment can label hashes incorrectly — confirm whether that is acceptable.
    """
    phantom.debug('decision_1() called')

    known_artifacts, known_results = phantom.condition(
        container=container,
        conditions=[
            ["filtered-data:filter_1:condition_1:artifact:*.cef.fileHash", "in", "custom_list:Prior Hashes"],
        ],
    )

    # Any match at all routes the whole container to the "seen before" branch.
    next_block = format_1 if (known_artifacts or known_results) else format_2
    next_block(action=action, success=success, container=container, results=results, handle=handle)
def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Render the "observed before" message and pass it on to ``add_comment_2``.

    ``{0}`` is substituted with the ``cef.fileHash`` values that passed
    ``filter_1:condition_1`` (all of them, not only those found in the
    ``Prior Hashes`` list). The rendered text is stored under the name
    ``format_1`` for the next block to fetch.
    """
    phantom.debug('format_1() called')

    message_template = "File hash {0} has been observed before."
    template_inputs = [
        "filtered-data:filter_1:condition_1:artifact:*.cef.fileHash",
    ]

    phantom.format(
        container=container,
        template=message_template,
        parameters=template_inputs,
        name="format_1",
    )
    add_comment_2(container=container)
def add_comment_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Post the text rendered by ``format_1`` as a comment on the container."""
    phantom.debug('add_comment_2() called')

    seen_before_text = phantom.get_format_data(name='format_1')
    phantom.comment(container=container, comment=seen_before_text)
def format_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Render the "new hash" message and pass it on to ``add_comment_3``.

    ``{0}`` is substituted with the ``cef.fileHash`` values that passed
    ``filter_1:condition_1``. The rendered text is stored under the name
    ``format_2`` for the next block to fetch.

    NOTE(review): the message says the hash is being logged, but no block in
    this file writes anything back to the ``Prior Hashes`` custom list, so a
    hash seen here will be reported as "new" again on the next container
    unless the list is maintained elsewhere — confirm where that happens.
    """
    phantom.debug('format_2() called')

    message_template = "File hash {0} is new, logging."
    template_inputs = [
        "filtered-data:filter_1:condition_1:artifact:*.cef.fileHash",
    ]

    phantom.format(
        container=container,
        template=message_template,
        parameters=template_inputs,
        name="format_2",
    )
    add_comment_3(container=container)
def add_comment_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
    """Post the text rendered by ``format_2`` as a comment on the container."""
    phantom.debug('add_comment_3() called')

    new_hash_text = phantom.get_format_data(name='format_2')
    phantom.comment(container=container, comment=new_hash_text)
def on_finish(container, summary):
    """Playbook exit hook, called after every block has completed.

    Nothing is done here beyond a debug trace. The blocks above only
    filter, format and comment, so there are no action results to
    collect; if actions are added later, ``phantom.get_summary()`` and
    ``phantom.get_action_results(...)`` can be used from this hook to
    inspect their outcomes.

    Args:
        container: The SOAR container the playbook ran on.
        summary: Run summary supplied by the platform; unused here.
    """
    phantom.debug('on_finish() called')