{
"blockly": false,
"blockly_xml": "<xml></xml>",
"category": "Use Cases",
"coa": {
"data": {
"description": "Create a ticket in another case management system to track this event. Use the title and description from the input, but also append a header and indicator summary table to share more information from the SOAR event.",
"edges": [
{
"id": "port_0_to_port_4",
"sourceNode": "0",
"sourcePort": "0_out",
"targetNode": "4",
"targetPort": "4_in"
},
{
"id": "port_4_to_port_6",
"sourceNode": "4",
"sourcePort": "4_out",
"targetNode": "6",
"targetPort": "6_in"
},
{
"id": "port_6_to_port_3",
"sourceNode": "6",
"sourcePort": "6_out",
"targetNode": "3",
"targetPort": "3_in"
},
{
"id": "port_3_to_port_1",
"sourceNode": "3",
"sourcePort": "3_out",
"targetNode": "1",
"targetPort": "1_in"
}
],
"hash": "82956944bcc34010d9d69a585c04061e5c513b4f",
"nodes": {
"0": {
"data": {
"advanced": {
"join": []
},
"functionName": "on_start",
"id": "0",
"type": "start"
},
"errors": {},
"id": "0",
"type": "start",
"x": 1000,
"y": 419.99999999999966
},
"1": {
"data": {
"advanced": {
"join": []
},
"functionId": 1,
"functionName": "on_finish",
"id": "1",
"type": "end"
},
"errors": {},
"id": "1",
"type": "end",
"userCode": "\n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n",
"x": 1000,
"y": 920
},
"3": {
"data": {
"action": "create ticket",
"actionType": "generic",
"advanced": {
"join": []
},
"connector": "ServiceNow",
"connectorConfigs": [
"servicenow"
],
"connectorId": "a590c3bc-ca41-4a0e-b063-8066ca868794",
"connectorVersion": "v1",
"functionId": 1,
"functionName": "create_ticket_1",
"id": "3",
"parameters": {
"description": "format_ticket_description:formatted_data",
"short_description": "playbook_input:ticket_title",
"table": "incident"
},
"requiredParameters": [
{
"data_type": "string",
"default": "incident",
"field": "table"
}
],
"type": "action"
},
"errors": {},
"id": "3",
"type": "action",
"x": 980,
"y": 780
},
"4": {
"data": {
"advanced": {
"join": []
},
"customFunction": {
"draftMode": false,
"name": "indicator_collect",
"repoName": "community"
},
"functionId": 1,
"functionName": "indicator_collect_1",
"id": "4",
"selectMore": false,
"type": "utility",
"utilities": {
"indicator_collect": {
"description": "Collect all indicators in a container and separate them by data type. Additional output data paths are created for each data type. Artifact scope is ignored.",
"fields": [
{
"dataTypes": [
"phantom container id"
],
"description": "The current container",
"inputType": "item",
"label": "container",
"name": "container",
"placeholder": "container:id",
"renderType": "datapath",
"required": false
},
{
"dataTypes": [
"phantom artifact id"
],
"description": "Optional parameter to only look for indicator values that occur in the artifacts with these IDs. Must be one of: json serializable list, comma separated integers, or a single integer.",
"inputType": "list",
"label": "artifact_ids_include",
"name": "artifact_ids_include",
"placeholder": "artifact:*.id",
"renderType": "datapath",
"required": false
},
{
"dataTypes": [],
"description": "Optional parameter to only include indicators with at least one of the provided types in the output. If left empty, all indicator types will be included except those that are explicitly excluded. Accepts a comma-separated list.",
"inputType": "list",
"label": "indicator_types_include",
"name": "indicator_types_include",
"placeholder": "ip, domain",
"renderType": "datapath",
"required": false
},
{
"dataTypes": [],
"description": "Optional parameter to exclude indicators with any of the provided types from the output. Accepts a comma-separated list.",
"inputType": "list",
"label": "indicator_types_exclude",
"name": "indicator_types_exclude",
"placeholder": "ip, domain",
"renderType": "datapath",
"required": false
},
{
"dataTypes": [],
"description": "Optional parameter to only include indicators with at least one of the provided tags in the output. If left empty, tags will be ignored except when they are excluded. Accepts a comma-separated list.",
"inputType": "list",
"label": "indicator_tags_include",
"name": "indicator_tags_include",
"placeholder": "not_contained, malware",
"renderType": "datapath",
"required": false
},
{
"dataTypes": [],
"description": "Optional parameter to exclude indicators with any of the provided tags from the output. Accepts a comma-separated list.",
"inputType": "list",
"label": "indicator_tags_exclude",
"name": "indicator_tags_exclude",
"placeholder": "contained, not_malware",
"renderType": "datapath",
"required": false
}
],
"label": "indicator_collect",
"name": "indicator_collect"
}
},
"utilityType": "custom_function",
"values": {
"indicator_collect": {
"artifact_ids_include": "playbook_input:artifact_ids_include",
"container": "container:id",
"indicator_tags_exclude": "playbook_input:indicator_tags_exclude",
"indicator_tags_include": "playbook_input:indicator_tags_include",
"indicator_types_exclude": "playbook_input:indicator_types_exclude",
"indicator_types_include": "playbook_input:indicator_types_include"
}
}
},
"errors": {},
"id": "4",
"type": "utility",
"userCode": "\n parameters[0][\"artifact_ids_include\"] = ', '.join([item[0] for item in playbook_input_artifact_ids_include_values if item])\n parameters[0][\"indicator_types_include\"] = ', '.join([item[0] for item in playbook_input_indicator_types_include_values if item])\n parameters[0][\"indicator_types_exclude\"] = ', '.join([item[0] for item in playbook_input_indicator_types_exclude_values if item])\n parameters[0][\"indicator_tags_include\"] = ', '.join([item[0] for item in playbook_input_indicator_tags_include_values if item])\n parameters[0][\"indicator_tags_exclude\"] = ', '.join([item[0] for item in playbook_input_indicator_tags_exclude_values if item])\n\n",
"x": 980,
"y": 520
},
"6": {
"data": {
"advanced": {
"customName": "format ticket description",
"customNameId": 0,
"join": []
},
"functionId": 1,
"functionName": "format_ticket_description",
"id": "6",
"parameters": [
"container:url",
"playbook_input:ticket_description",
"indicator_collect_1:custom_function_result.data.all_indicators.*.cef_value",
"indicator_collect_1:custom_function_result.data.all_indicators.*.tags",
"indicator_collect_1:custom_function_result.data.all_indicators.*.artifact_id"
],
"template": "Tracking SOAR event: {0}\n\n{1}\n\nSummary Table of select indicators from event:\n\n%%\nindicator value: {2}\nindicator tags: {3}\nSOAR artifact ID: {4}\n\n%%\n",
"type": "format"
},
"errors": {},
"id": "6",
"type": "format",
"x": 980,
"y": 640
}
},
"notes": "* Use the artifact and indicator inputs to specify the most important indicators for the event.\n\n* Often the event title can be reused as the ticket title."
},
"input_spec": [
{
"contains": [],
"description": "One-line summary of the ticket",
"name": "ticket_title"
},
{
"contains": [],
"description": "Longer description of the ticket. A common header will be added to the beginning to link to the SOAR event, and an indicator summary table will be added to the end.",
"name": "ticket_description"
},
{
"contains": [],
"description": "If provided, only add indicators from the selected artifacts to the indicator summary table in the ticket description.",
"name": "artifact_ids_include"
},
{
"contains": [],
"description": "",
"name": "indicator_types_include"
},
{
"contains": [],
"description": "",
"name": "indicator_types_exclude"
},
{
"contains": [],
"description": "",
"name": "indicator_tags_include"
},
{
"contains": [],
"description": "",
"name": "indicator_tags_exclude"
}
],
"output_spec": [
{
"contains": [
"servicenow ticket sysid"
],
"datapaths": [
"create_ticket_1:action_result.summary.created_ticket_id"
],
"deduplicate": false,
"description": "The ID of the created ticket",
"metadata": {
"create_ticket_1:action_result.summary.created_ticket_id": {
"contains": [
"servicenow ticket sysid",
"md5"
]
}
},
"name": "ticket_id"
}
],
"playbook_type": "data",
"python_version": "3",
"schema": "5.0.6",
"version": "5.3.1.84890"
},
"create_time": "2022-06-12T19:42:46.018570+00:00",
"draft_mode": false,
"labels": [
"*"
],
"tags": []
}