diff --git a/cbc_alerts.json b/cbc_alerts.json
new file mode 100644
index 00000000..7f8b0e5f
--- /dev/null
+++ b/cbc_alerts.json
@@ -0,0 +1,8549 @@ +{ + "blockly": false, + "blockly_xml": "", + "category": "Uncategorized", + "coa": { + "data": { + "clean": true, + "code_block": "", + "description": "Carbon Black Cloud alerts playbook", + "joint": { + "cells": [ + { + "0": "S", + "1": "T", + "2": "A", + "3": "R", + "4": "T", + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "ref-x": 33, + "ref-y": 8, + "text": "START" + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.icon image": { + "ref-x": 13, + "xlink:href": "/inc/coa/img/block_icon_start.svg" + }, + "g.notes": { + "display": "block" + } + }, + "block_code": "def on_start(container):\n phantom.debug('on_start() called')\n \n # call 'decision_1' block\n decision_1(container=container)\n\n return", + "callback_code": "# read-only block view not available", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "", + "connection_type": "", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "d9cbe84e-9650-4dd5-b30d-2955f84a852a", + "inPorts": [], + "join_code": "# read-only block view not available", + "join_optional": [], + "join_start": 1, + "line_end": 16, + "line_start": 8, + "name": "", + "notes": "", + "number": 0, + "order": 1, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": 
"left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 0, + "y": -40 + }, + "previous_function": "", + "previous_name": "", + "show_number": true, + "size": { + "height": 54, + "width": 80 + }, + "status": "", + "title": "START", + "type": "coa.StartEnd", + "warn": false, + "z": 1 + }, + { + "0": "E", + "1": "N", + "2": "D", + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".title": { + "text": "END" + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_end.svg" + }, + "g.notes": { + "display": "block" + } + }, + "block_code": "def on_finish(container, summary):\n phantom.debug('on_finish() called')\n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n return", + "callback_code": "# read-only block view not available", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "dismiss alert, ban hash, unban hash, add ioc to feed or watchlist 1, add ioc 
to feed or watchlist 2, remove ioc from feed, remove ioc from watchlist, set device policy", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "inPorts": [ + "in" + ], + "join_code": "# read-only block view not available", + "join_optional": [], + "join_start": 1, + "line_end": 820, + "line_start": 807, + "name": "", + "notes": "", + "number": 0, + "order": 30, + "outPorts": [], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1780, + "y": 640 + }, + "previous_function": "", + "previous_name": "", + "show_number": true, + "size": { + "height": 54, + "width": 80 + }, + "status": "", + "title": "END", + "type": "coa.StartEnd", + "warn": false, + "z": 2 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "d8aa5d00-0bcc-4a3a-b0f0-039b2001e940", + "router": { + "name": "metro" + }, + "source": { + "id": "d9cbe84e-9650-4dd5-b30d-2955f84a852a", + "selector": "> g:nth-child(1) > g:nth-child(2) > 
g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "73a7403b-f02f-4cea-913d-887b3f46f34c", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 3 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "a8a61cb3-a986-46f6-9814-be7a3a2dba0e", + "router": { + "name": "metro" + }, + "source": { + "id": "bacb77a7-8e9a-4700-9112-35ff0ad174a6", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "69230e67-d63f-40a9-95a2-e1639e90e594", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 8 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "7d6fdb41-f0bd-4b8b-9e5f-78db2502c551", + "router": { + "name": "metro" + }, + "source": { + "id": "69230e67-d63f-40a9-95a2-e1639e90e594", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 11 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": 
"474a8fde-83ee-4801-8c75-11194a587814", + "router": { + "name": "metro" + }, + "source": { + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "port": "out-3", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(3) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "9090f6d7-ab07-41eb-9fff-ffc732897b3e", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 23 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "4954bbe2-63fc-4c5c-bcff-2ae094b7795a", + "router": { + "name": "metro" + }, + "source": { + "id": "9090f6d7-ab07-41eb-9fff-ffc732897b3e", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 25 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "613776ee-0788-4f77-935f-9422ccf05bba", + "router": { + "name": "metro" + }, + "source": { + "id": "7f7ec6da-de82-4fb6-a80f-aa865cd2ef8e", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 33 + }, + { + "attrs": { + 
".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "96f3de4e-5038-45d2-9866-8a1352206ddb", + "router": { + "name": "metro" + }, + "source": { + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "974146f2-ff66-4954-8b2e-1e4d5e25bafd", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 34 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "6d87ee30-0472-4d63-8a7a-ca72e6b11b02", + "router": { + "name": "metro" + }, + "source": { + "id": "974146f2-ff66-4954-8b2e-1e4d5e25bafd", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 36 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "65d9fb13-898d-4689-8dad-e05bd36319af", + "router": { + "name": "metro" + }, + "source": { + "id": "d48cb7a5-c433-4318-aa6c-1e3b93bacd28", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) 
> circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 90 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "c834e9ef-ef68-4410-8e32-02c1c913cb51", + "router": { + "name": "metro" + }, + "source": { + "id": "73a7403b-f02f-4cea-913d-887b3f46f34c", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "c2e27189-999d-4069-9939-e63c9c32fe02", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 209 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "44f0a186-1586-4246-accc-5da6753834f6", + "router": { + "name": "metro" + }, + "source": { + "id": "73a7403b-f02f-4cea-913d-887b3f46f34c", + "port": "out-1", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "c69ca356-3120-49db-9acc-98ba67fea689", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 253 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + 
"args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "2c95273b-772f-4541-a83d-d1fc23d59569", + "router": { + "name": "metro" + }, + "source": { + "id": "c69ca356-3120-49db-9acc-98ba67fea689", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "4bc6f85d-635b-4158-ae1e-cd587ca38867", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 255 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "3d3eb872-2dfc-476d-a6df-45f744e9f28e", + "router": { + "name": "metro" + }, + "source": { + "id": "73a7403b-f02f-4cea-913d-887b3f46f34c", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "bacb77a7-8e9a-4700-9112-35ff0ad174a6", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 275 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "2e86cc9a-bd07-4ab8-9faa-5372ca319a6c", + "router": { + "name": "metro" + }, + "source": { + "id": "73a7403b-f02f-4cea-913d-887b3f46f34c", + "port": "out-1", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": 
"b069e84d-fb6e-448c-9e36-5ee243a7f983", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 276 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "17f3928b-d6d0-421c-99bd-90eb4a4b940c", + "router": { + "name": "metro" + }, + "source": { + "id": "4bc6f85d-635b-4158-ae1e-cd587ca38867", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "1973b2bc-65d6-4f7b-9a84-41bd493d9d39", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 281 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "3c1782d8-ab83-4233-95b8-ecb8d74f9e54", + "router": { + "name": "metro" + }, + "source": { + "id": "b069e84d-fb6e-448c-9e36-5ee243a7f983", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "1973b2bc-65d6-4f7b-9a84-41bd493d9d39", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 285 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "b0769188-bf34-4dd8-baff-df6ead149fe6", + "router": { + "name": "metro" + }, + 
"source": { + "id": "1973b2bc-65d6-4f7b-9a84-41bd493d9d39", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "3e6d370f-63de-4581-a06f-b6605e338b27", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 287 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "5bfbfbe2-c60a-466c-8e0e-e146acac4267", + "router": { + "name": "metro" + }, + "source": { + "id": "9d31dcf2-55ee-4e06-a667-293d54dc1fba", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "4757e8e7-da2b-4ce3-a4f3-2410fd547836", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 299 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "731b314a-ab62-4ff7-b8a0-1f77af75cc68", + "router": { + "name": "metro" + }, + "source": { + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "port": "out-4", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(4) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2c9cb4bd-7409-4cab-9420-71b56e35dac7", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 319 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + 
"connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "9e9a9679-0ede-401a-9614-dfa58d29cd3b", + "router": { + "name": "metro" + }, + "source": { + "id": "dbc42c66-b230-4f11-b90b-dfbdf22f5b97", + "port": "out-1", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "664451f5-e03e-42fe-aa7c-2fcec22b6d8d", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 329 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "29318004-c3c9-4cc8-901f-69dbd915f24e", + "router": { + "name": "metro" + }, + "source": { + "id": "dbc42c66-b230-4f11-b90b-dfbdf22f5b97", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "cf324aa8-e3ee-4c85-9df3-4190945d5454", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 350 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "2069122c-df87-47a5-829f-9b2686497aa0", + "router": { + "name": "metro" + }, + "source": { + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "port": "out-1", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2c9cb4bd-7409-4cab-9420-71b56e35dac7", + "selector": "> g:nth-child(1) > g:nth-child(1) > 
g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 364 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "2b54fe7d-14f7-4df3-b350-3a4304598594", + "router": { + "name": "metro" + }, + "source": { + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "port": "out-5", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(5) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "7f7ec6da-de82-4fb6-a80f-aa865cd2ef8e", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 365 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "c84757bd-0038-4cb7-8306-8fce3425bbe1", + "router": { + "name": "metro" + }, + "source": { + "id": "2c9cb4bd-7409-4cab-9420-71b56e35dac7", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "e19070c1-88e2-44f0-bb91-4a6a043d3d63", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 367 + }, + { + ".scmName/text": "local", + "active": false, + "active_keys": {}, + "active_values": {}, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".customFunction": { + "text": "get_alert_triage_url" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + 
"id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".scmName": { + "text": "local" + }, + ".title": { + "text": "custom function" + }, + ".title-info": { + "text": "" + }, + "g.branch image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.notes": { + "display": "block" + } + }, + "block_code": "def cf_local_get_alert_triage_url_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('cf_local_get_alert_triage_url_4() called')\n \n container_data_0 = phantom.collect2(container=container, datapath=['artifact:*.cef.id', 'artifact:*.id'])\n container_property_0 = [\n [\n container.get(\"asset_name\"),\n ],\n ]\n\n parameters = []\n\n container_property_0_0 = [item[0] for item in container_property_0]\n container_data_0_0 = [item[0] for item in container_data_0]\n\n parameters.append({\n 'asset': container_property_0_0,\n 'alert_id': container_data_0_0,\n })\n ################################################################################\n ## Custom Code Start\n ################################################################################\n\n # Write your custom code here...\n\n ################################################################################\n ## Custom Code End\n ################################################################################ \n\n # call custom function \"local/get_alert_triage_url\", returns the custom_function_run_id\n phantom.custom_function(custom_function='local/get_alert_triage_url', parameters=parameters, name='cf_local_get_alert_triage_url_4', callback=prompt_alert_triage_confirm)\n\n return", + "callback_code": "", + 
"callback_start": 1, + "callsback": true, + "cfDisplayPath": "local/get_alert_triage_url", + "cfInputs": { + "alert_id": { + "collectionType": "container_data", + "dataPath": "artifact:*.cef.id", + "paramName": "container_data_0_0", + "type": "list" + }, + "asset": { + "collectionType": "container_property", + "dataPath": "container:asset_name", + "paramName": "container_property_0_0", + "type": "list" + } + }, + "color": "", + "connected_to_start": true, + "connection_name": "", + "connection_type": "", + "currentVersion": true, + "customCodeEndLineOffset": 7, + "customCodeStartLine": 22, + "customFunction": "local/get_alert_triage_url", + "customFunctionId": null, + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "draftMode": false, + "existingCF": true, + "functionBlock": "custom function", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "c69ca356-3120-49db-9acc-98ba67fea689", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 381, + "line_start": 347, + "message": "Configuring now", + "name": "get_alert_triage_url", + "notes": "", + "number": 4, + "order": 12, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 360, + "y": -140 + }, + "previous_function": "", + "previous_name": 
"cf_local_get_alert_triage_url_4", + "selectedCustomFunction": { + "description": "Gets URL of alert triage page in CBC console given configuration asset and alert id", + "draftMode": false, + "id": 62, + "inputs": [ + { + "_pretty_custom_function": "get_alert_triage_url", + "contains_type": [ + "*" + ], + "custom_function": 62, + "description": "configuration asset name or id", + "id": 206, + "input_type": "list", + "name": "asset", + "placeholder": "config asset" + }, + { + "_pretty_custom_function": "get_alert_triage_url", + "contains_type": [ + "*" + ], + "custom_function": 62, + "description": "", + "id": 207, + "input_type": "list", + "name": "alert_id", + "placeholder": "alert ID" + } + ], + "name": "get_alert_triage_url", + "outputs": [ + { + "_pretty_custom_function": "get_alert_triage_url", + "contains_type": [ + "*" + ], + "custom_function": 62, + "data_path": "console_url", + "description": "URL to console", + "id": 124 + } + ], + "playbooks": { + "draft_playbooks": [], + "draft_version_id": null, + "playbooks": [ + { + "active": false, + "display_path": "local/cbc_alerts", + "draft_mode": false, + "id": 143, + "name": "CBC alerts", + "viewable": true + } + ] + }, + "scmId": 2, + "scmName": "local" + }, + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "repo", + "status": "", + "title": "custom function", + "type": "coa.CustomFunctionBlock", + "userGeneratedCode": " # Write your custom code here...", + "warn": false, + "z": 379 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "f1a4573e-3c86-4fe8-b308-00aea658bcc8", + "router": { + "name": "metro" + }, + "source": { + "id": "cf324aa8-e3ee-4c85-9df3-4190945d5454", + "port": "out-1", + "selector": "> g:nth-child(1) 
> g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "f30f19d0-1c44-4679-b562-2fde5d00cc42", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 385 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "c00c1e9c-00c7-4449-9654-21fa53baf3ff", + "router": { + "name": "metro" + }, + "source": { + "id": "f30f19d0-1c44-4679-b562-2fde5d00cc42", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 388 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "810c2579-8c62-4c32-bffb-5362943d2de6", + "router": { + "name": "metro" + }, + "source": { + "id": "7da856ca-e566-47a6-85fe-cd491ed47764", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 390 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#637282", + "transform": "rotate(45 30 70)" + }, + ".inPorts>.port-0>.port-body": { + "port": { + "id": "in", + 
"type": "in" + } + }, + ".number": { + "text": 1 + }, + ".outPorts>.port-0": { + "port": { + "id": "out-1", + "type": "out" + }, + "ref-x": 83, + "ref-y": 40 + }, + ".outPorts>.port-0>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".outPorts>.port-1": { + "port": { + "id": "out-2", + "type": "out" + }, + "ref-x": 41, + "ref-y": 82 + }, + ".outPorts>.port-1>.port-body": { + "port": { + "id": "out-2", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('decision_1() called')\n\n # check for 'if' condition 1\n matched = phantom.decision(\n container=container,\n conditions=[\n [\"artifact:*.cef.type\", \"==\", \"CB_ANALYTICS\"],\n ])\n\n # call connected blocks if condition 1 matched\n if matched:\n cf_local_get_alert_triage_url_4(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n get_enriched_event_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 2\n matched = phantom.decision(\n container=container,\n conditions=[\n [\"artifact:*.cef.type\", \"==\", \"WATCHLIST\"],\n ])\n\n # call connected blocks if condition 2 matched\n if matched:\n cf_local_get_process_analysis_url_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n get_process_metadata_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + 
"connected_to_start": true, + "connection_name": "", + "connection_type": "", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "hasElse": false, + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "73a7403b-f02f-4cea-913d-887b3f46f34c", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 47, + "line_start": 16, + "name": "decision", + "notes": "", + "number": 1, + "order": 2, + "outPorts": [ + "out-1", + "out-2" + ], + "outputs": [ + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "artifact:*.cef.type", + "value": "CB_ANALYTICS" + } + ], + "display": "If", + "logic": "and", + "type": "if" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "artifact:*.cef.type", + "value": "WATCHLIST" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 140, + "y": -60 + }, + "previous_function": "", + "previous_name": "decision_1", + "show_number": true, + "size": { + "height": 82, + "width": 82 + }, + "state": "decision", + "status": "", + "type": "coa.Decision", + "warn": "", + "z": 393 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 
L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "76d7fcf4-4e0b-47e8-9871-8898631d08bd", + "router": { + "name": "metro" + }, + "source": { + "id": "aeb80929-e747-4022-9a11-f7dc4c7a9c25", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 405 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "bbbbcd05-cf87-41c4-9ff4-47becc6c28e8", + "router": { + "name": "metro" + }, + "source": { + "id": "e19070c1-88e2-44f0-bb91-4a6a043d3d63", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "6f08db01-6259-422b-9bcd-72a33b75d2e0", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 411 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "1038ba21-abee-4d9d-89f3-b24e21cda22a", + "router": { + "name": "metro" + }, + "source": { + "id": "6f08db01-6259-422b-9bcd-72a33b75d2e0", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": 
"dbc42c66-b230-4f11-b90b-dfbdf22f5b97", + "port": "in", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 413 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "02c1186b-06c5-452f-b661-330e3ae9ef01", + "router": { + "name": "metro" + }, + "source": { + "id": "4757e8e7-da2b-4ce3-a4f3-2410fd547836", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "2d0a25ad-6037-48fa-956d-ff1b1959c05b", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 415 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "ae6c47f3-a5ec-4bbd-9643-813e1158f7f7", + "router": { + "name": "metro" + }, + "source": { + "id": "3e6d370f-63de-4581-a06f-b6605e338b27", + "port": "out-1", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "9d31dcf2-55ee-4e06-a667-293d54dc1fba", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 423 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + 
}, + "endDirections": [ + "left" + ], + "id": "67037e1f-aea9-429d-a1c5-101aa7deb7fc", + "router": { + "name": "metro" + }, + "source": { + "id": "c2e27189-999d-4069-9939-e63c9c32fe02", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "3c5ce8bf-a446-4c4c-a94a-e6fb6abf1fed", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 444 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "14127c42-0495-43e0-97b3-a3e7dff3824d", + "router": { + "name": "metro" + }, + "source": { + "id": "3c5ce8bf-a446-4c4c-a94a-e6fb6abf1fed", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "69230e67-d63f-40a9-95a2-e1639e90e594", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 447 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "8ccc915e-0e45-4f58-ba46-e679cb55d588", + "router": { + "name": "metro" + }, + "source": { + "id": "664451f5-e03e-42fe-aa7c-2fcec22b6d8d", + "port": "out-1", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "d48cb7a5-c433-4318-aa6c-1e3b93bacd28", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", 
+ "z": 454 + }, + { + "action": "unban hash", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "process_hash": "get_process_metadata_1:action_result.data.*.details.process_sha256" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "unban hash", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "process_hash": "get_process_metadata_1:action_result.data.*.details.process_sha256" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "process_hash", + "column_order": 0, + "contains": [], + "data_path": "action_result.parameter.process_hash", + "data_type": "string" + }, + { + "column_name": "status", + "column_order": 1, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": 
"action_result.message", + "data_type": "string" + } + ], + "parameters": { + "process_hash": { + "contains": [ + "cbc process hash" + ], + "data_type": "string", + "default": "", + "description": "CBC Process Hash", + "key": "process_hash", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "unban hash" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def unban_hash_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('unban_hash_1() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'unban_hash_1' call\n results_data_1 = phantom.collect2(container=container, 
datapath=['get_process_metadata_1:action_result.data.*.details.process_sha256', 'get_process_metadata_1:action_result.parameter.context.artifact_id'], action_results=results)\n\n parameters = []\n \n # build parameters list for 'unban_hash_1' call\n for results_item_1 in results_data_1:\n if results_item_1[0]:\n parameters.append({\n 'process_hash': results_item_1[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': results_item_1[1]},\n })\n\n phantom.act(action=\"unban hash\", parameters=parameters, assets=['test configuration asset'], name=\"unban_hash_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_watchlist_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "974146f2-ff66-4954-8b2e-1e4d5e25bafd", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 297, + "line_start": 274, + "message": "Configuring now", + "name": "unban hash", + "notes": "", + "number": 1, + "order": 9, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 740, + "y": 
680 + }, + "previous_function": "", + "previous_name": "unban_hash_1", + "required_params": { + "process_hash": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 456 + }, + { + "action": "add ioc to feed or watchlist", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "cbc_field": "process_hash", + "feed_id": "prompt_feed_watchlist_name:action_result.summary.responses.0", + "ioc_id": "", + "ioc_value": "artifact:*.cef.threat_cause_actor_sha256", + "report_id": "prompt_report_name:action_result.summary.responses.0", + "watchlist_id": "" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "add ioc to feed or watchlist", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "cbc_field": "process_hash", + "feed_id": "prompt_feed_watchlist_name:action_result.summary.responses.0", + "ioc_id": "", + 
"ioc_value": "artifact:*.cef.threat_cause_actor_sha256", + "report_id": "prompt_report_name:action_result.summary.responses.0", + "watchlist_id": "" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "status", + "column_order": 0, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "column_name": "message", + "column_order": 1, + "data_path": "action_result.message", + "data_type": "string" + }, + { + "column_name": "ioc_id", + "column_order": 2, + "data_path": "action_result.data.*.ioc_id", + "data_type": "string" + } + ], + "parameters": { + "cbc_field": { + "contains": [], + "data_type": "string", + "default": "", + "description": "CBC IOC Field", + "key": "cbc_field", + "order": 3, + "primary": true, + "required": true, + "value_list": [] + }, + "feed_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Feed ID", + "key": "feed_id", + "order": 0, + "primary": true, + "required": false, + "value_list": [] + }, + "ioc_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "IOC ID", + "key": "ioc_id", + "order": 2, + "primary": true, + "required": false, + "value_list": [] + }, + "ioc_value": { + "contains": [], + "data_type": "string", + "default": "", + "description": "CBC IOC Value", + "key": "ioc_value", + "order": 4, + "primary": true, + "required": true, + "value_list": [] + }, + "report_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Report ID", + "key": "report_id", + "order": 1, + "primary": true, + "required": true, + "value_list": [] + }, + "watchlist_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Watchlist ID", + "key": "watchlist_id", + "order": 0, + "primary": true, + "required": false, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": 
"33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "add ioc to feed or watchli..." + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def add_ioc_to_feed_or_watchlist_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('add_ioc_to_feed_or_watchlist_1() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'add_ioc_to_feed_or_watchlist_1' call\n container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.threat_cause_actor_sha256', 'artifact:*.id'])\n results_data_1 = phantom.collect2(container=container, datapath=['prompt_feed_watchlist_name:action_result.summary.responses.0', 'prompt_feed_watchlist_name:action_result.parameter.context.artifact_id'], action_results=results)\n results_data_2 = phantom.collect2(container=container, 
datapath=['prompt_report_name:action_result.summary.responses.0', 'prompt_report_name:action_result.parameter.context.artifact_id'], action_results=results)\n\n parameters = []\n \n # build parameters list for 'add_ioc_to_feed_or_watchlist_1' call\n for container_item in container_data:\n for results_item_1 in results_data_1:\n for results_item_2 in results_data_2:\n if container_item[0] and results_item_2[0]:\n parameters.append({\n 'ioc_id': \"\",\n 'feed_id': results_item_1[0],\n 'cbc_field': \"process_hash\",\n 'ioc_value': container_item[0],\n 'report_id': results_item_2[0],\n 'watchlist_id': \"\",\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': results_item_1[1]},\n })\n\n phantom.act(action=\"add ioc to feed or watchlist\", parameters=parameters, assets=['test configuration asset'], name=\"add_ioc_to_feed_or_watchlist_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "d48cb7a5-c433-4318-aa6c-1e3b93bacd28", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 250, + "line_end": 251, + "line_start": 219, + "message": "Configuring now", + "name": "add ioc to feed or watchlist", + "notes": "", + "number": 1, + "order": 7, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + 
".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1480, + "y": 100 + }, + "previous_function": "", + "previous_name": "add_ioc_to_feed_or_watchlist_1", + "required_params": { + "cbc_field": true, + "ioc_value": true, + "report_id": true + }, + "reviewer": "", + "show_number": true, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 465 + }, + { + "action": "remove ioc from feed", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "feed_id": "", + "ioc_id": "", + "ioc_value": "", + "report_id": "" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "remove ioc from feed", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + 
"fields": { + "feed_id": "", + "ioc_id": "", + "ioc_value": "", + "report_id": "" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "status", + "column_order": 0, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "column_name": "message", + "column_order": 1, + "data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "feed_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Feed ID", + "key": "feed_id", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + }, + "ioc_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "IOC ID", + "key": "ioc_id", + "order": 2, + "primary": true, + "required": false, + "value_list": [] + }, + "ioc_value": { + "contains": [], + "data_type": "string", + "default": "", + "description": "IOC Value", + "key": "ioc_value", + "order": 3, + "primary": true, + "required": false, + "value_list": [] + }, + "report_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Report ID", + "key": "report_id", + "order": 1, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "remove ioc from feed" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + 
".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def remove_ioc_from_feed_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('remove_ioc_from_feed_1() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'remove_ioc_from_feed_1' call\n\n parameters = []\n \n # build parameters list for 'remove_ioc_from_feed_1' call\n parameters.append({\n 'ioc_id': \"\",\n 'feed_id': \"\",\n 'ioc_value': \"\",\n 'report_id': \"\",\n })\n\n phantom.act(action=\"remove ioc from feed\", parameters=parameters, assets=['test configuration asset'], name=\"remove_ioc_from_feed_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "7da856ca-e566-47a6-85fe-cd491ed47764", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 615, + "line_start": 594, + "message": "Configuring now", + "name": "remove ioc from feed", + "notes": "", + "number": 1, + "order": 21, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { 
+ "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1480, + "y": 220 + }, + "previous_function": "", + "previous_name": "remove_ioc_from_feed_1", + "required_params": { + "feed_id": true, + "report_id": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 466 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "fda56172-0b17-45c7-b8fc-5b1514e147b9", + "router": { + "name": "metro" + }, + "source": { + "id": "664451f5-e03e-42fe-aa7c-2fcec22b6d8d", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "0c87478e-41ae-4b2d-a5cc-4a132cdb2f96", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 469 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" 
+ ], + "id": "e4b62ce3-64b7-4e03-9059-ae04870bab7e", + "router": { + "name": "metro" + }, + "source": { + "id": "0c87478e-41ae-4b2d-a5cc-4a132cdb2f96", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "7da856ca-e566-47a6-85fe-cd491ed47764", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 471 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".format": { + "text": "format_ioc_v2_feed" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "text": "Configuring now" + }, + ".outPorts>.port-out-1": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out-1>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".title": { + "text": "format" + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def format_ioc_v2_feed(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('format_ioc_v2_feed() called')\n \n template = \"\"\"(process_hash:{0})\"\"\"\n\n # parameter list for template variable replacement\n parameters = [\n \"artifact:*.cef.threat_cause_actor_sha256\",\n ]\n\n phantom.format(container=container, template=template, parameters=parameters, name=\"format_ioc_v2_feed\")\n\n remove_ioc_from_feed_1(container=container)\n\n return", + "callback_code": "", + 
"callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "format_ioc_v2_feed", + "description": "", + "format": "format", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "0c87478e-41ae-4b2d-a5cc-4a132cdb2f96", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 791, + "line_start": 775, + "message": "Configuring now", + "name": "format", + "notes": "", + "number": 3, + "order": 28, + "outPorts": [ + "out-1" + ], + "parameters": [ + { + "position": 0, + "type": "", + "value": "artifact:*.cef.threat_cause_actor_sha256" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1140, + "y": 220 + }, + "previous_function": "", + "previous_name": "format_ioc_v2_feed", + "show_number": true, + "size": { + "height": 100, + "width": 180 + }, + "state": "format", + "status": "", + "template": "(process_hash:{0})", + "title": "format", + "type": "coa.Format", + "warn": false, + "z": 474 + }, + { + "action": "add ioc to feed or watchlist", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "cbc_field": "process_hash", + "feed_id": "", + "ioc_id": "", + "ioc_value": 
"artifact:*.cef.threat_cause_actor_sha256", + "report_id": "prompt_report_name:action_result.summary.responses.0", + "watchlist_id": "prompt_feed_watchlist_name:action_result.summary.responses.0" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "add ioc to feed or watchlist", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "cbc_field": "process_hash", + "feed_id": "", + "ioc_id": "", + "ioc_value": "artifact:*.cef.threat_cause_actor_sha256", + "report_id": "prompt_report_name:action_result.summary.responses.0", + "watchlist_id": "prompt_feed_watchlist_name:action_result.summary.responses.0" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "status", + "column_order": 0, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "column_name": "message", + "column_order": 1, + "data_path": "action_result.message", + "data_type": "string" + }, + { + "column_name": "ioc_id", + 
"column_order": 2, + "data_path": "action_result.data.*.ioc_id", + "data_type": "string" + } + ], + "parameters": { + "cbc_field": { + "contains": [], + "data_type": "string", + "default": "", + "description": "CBC IOC Field", + "key": "cbc_field", + "order": 3, + "primary": true, + "required": true, + "value_list": [] + }, + "feed_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Feed ID", + "key": "feed_id", + "order": 0, + "primary": true, + "required": false, + "value_list": [] + }, + "ioc_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "IOC ID", + "key": "ioc_id", + "order": 2, + "primary": true, + "required": false, + "value_list": [] + }, + "ioc_value": { + "contains": [], + "data_type": "string", + "default": "", + "description": "CBC IOC Value", + "key": "ioc_value", + "order": 4, + "primary": true, + "required": true, + "value_list": [] + }, + "report_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Report ID", + "key": "report_id", + "order": 1, + "primary": true, + "required": true, + "value_list": [] + }, + "watchlist_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Watchlist ID", + "key": "watchlist_id", + "order": 0, + "primary": true, + "required": false, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "add ioc to feed or watchli..." 
+ }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def add_ioc_to_feed_or_watchlist_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('add_ioc_to_feed_or_watchlist_2() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'add_ioc_to_feed_or_watchlist_2' call\n container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.threat_cause_actor_sha256', 'artifact:*.id'])\n results_data_1 = phantom.collect2(container=container, datapath=['prompt_report_name:action_result.summary.responses.0', 'prompt_report_name:action_result.parameter.context.artifact_id'], action_results=results)\n results_data_2 = phantom.collect2(container=container, datapath=['prompt_feed_watchlist_name:action_result.summary.responses.0', 'prompt_feed_watchlist_name:action_result.parameter.context.artifact_id'], 
action_results=results)\n\n parameters = []\n \n # build parameters list for 'add_ioc_to_feed_or_watchlist_2' call\n for container_item in container_data:\n for results_item_1 in results_data_1:\n for results_item_2 in results_data_2:\n if container_item[0] and results_item_1[0]:\n parameters.append({\n 'ioc_id': \"\",\n 'feed_id': \"\",\n 'cbc_field': \"process_hash\",\n 'ioc_value': container_item[0],\n 'report_id': results_item_1[0],\n 'watchlist_id': results_item_2[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': container_item[1]},\n })\n\n phantom.act(action=\"add ioc to feed or watchlist\", parameters=parameters, assets=['test configuration asset'], name=\"add_ioc_to_feed_or_watchlist_2\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "f30f19d0-1c44-4679-b562-2fde5d00cc42", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 728, + "line_start": 696, + "message": "Configuring now", + "name": "add ioc to feed or watchlist", + "notes": "", + "number": 2, + "order": 25, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": 
{ + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1480, + "y": 380 + }, + "previous_function": "", + "previous_name": "add_ioc_to_feed_or_watchlist_2", + "required_params": { + "cbc_field": true, + "ioc_value": true, + "report_id": true + }, + "reviewer": "", + "show_number": true, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 476 + }, + { + "action": "ban hash", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "process_hash": "get_process_metadata_1:action_result.data.*.details.process_sha256" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "ban hash", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "process_hash": "get_process_metadata_1:action_result.data.*.details.process_sha256" + }, + "has_app": true, + "id": 33, + "loaded": false, + 
"missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "process_hash", + "column_order": 0, + "contains": [], + "data_path": "action_result.parameter.process_hash", + "data_type": "string" + }, + { + "column_name": "status", + "column_order": 1, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "process_hash": { + "contains": [ + "cbc process hash" + ], + "data_type": "string", + "default": "", + "description": "CBC Process Hash", + "key": "process_hash", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "ban hash" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer 
image": { + "opacity": 1 + } + }, + "block_code": "def ban_hash_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('ban_hash_1() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'ban_hash_1' call\n results_data_1 = phantom.collect2(container=container, datapath=['get_process_metadata_1:action_result.data.*.details.process_sha256', 'get_process_metadata_1:action_result.parameter.context.artifact_id'], action_results=results)\n\n parameters = []\n \n # build parameters list for 'ban_hash_1' call\n for results_item_1 in results_data_1:\n if results_item_1[0]:\n parameters.append({\n 'process_hash': results_item_1[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': results_item_1[1]},\n })\n\n phantom.act(action=\"ban hash\", parameters=parameters, assets=['test configuration asset'], name=\"ban_hash_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_watchlist_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "7f7ec6da-de82-4fb6-a80f-aa865cd2ef8e", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 274, + "line_start": 251, + "message": "Configuring now", + "name": "ban hash", + "notes": "", + "number": 1, + "order": 8, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + 
"label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 740, + "y": 560 + }, + "previous_function": "", + "previous_name": "ban_hash_1", + "required_params": { + "process_hash": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 478 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "a8c19a19-463c-4b98-81c5-c0e18286e39d", + "router": { + "name": "metro" + }, + "source": { + "id": "cf324aa8-e3ee-4c85-9df3-4190945d5454", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "81962a42-f69e-49ba-9c46-6e08173dce50", + "selector": ".port-body[type=\"input\"]" + }, + "type": "link", + "z": 479 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "361020f9-34db-4015-b1af-bee6da5e9c70", + "router": { + "name": "metro" + }, + "source": { + "id": "81962a42-f69e-49ba-9c46-6e08173dce50", + "selector": "> 
g:nth-child(1) > g:nth-child(2) > g:nth-child(1) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "aeb80929-e747-4022-9a11-f7dc4c7a9c25", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 481 + }, + { + "action": "remove ioc from watchlist", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "ioc_id": "", + "ioc_value": "format_ioc_v2_watchlist:formatted_data.*", + "report_id": "prompt_report_name:action_result.summary.responses.0", + "watchlist_id": "prompt_feed_watchlist_name:action_result.summary.responses.0" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "remove ioc from watchlist", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "ioc_id": "", + "ioc_value": "format_ioc_v2_watchlist:formatted_data.*", + "report_id": "prompt_report_name:action_result.summary.responses.0", + "watchlist_id": 
"prompt_feed_watchlist_name:action_result.summary.responses.0" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "status", + "column_order": 0, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "column_name": "message", + "column_order": 1, + "data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "ioc_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "IOC ID", + "key": "ioc_id", + "order": 2, + "primary": true, + "required": false, + "value_list": [] + }, + "ioc_value": { + "contains": [], + "data_type": "string", + "default": "", + "description": "IOC Value", + "key": "ioc_value", + "order": 3, + "primary": true, + "required": false, + "value_list": [] + }, + "report_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Report ID", + "key": "report_id", + "order": 1, + "primary": true, + "required": true, + "value_list": [] + }, + "watchlist_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Watchlist ID", + "key": "watchlist_id", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "remove ioc from watchlist" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + 
".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def remove_ioc_from_watchlist_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('remove_ioc_from_watchlist_1() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'remove_ioc_from_watchlist_1' call\n results_data_1 = phantom.collect2(container=container, datapath=['prompt_report_name:action_result.summary.responses.0', 'prompt_report_name:action_result.parameter.context.artifact_id'], action_results=results)\n results_data_2 = phantom.collect2(container=container, datapath=['prompt_feed_watchlist_name:action_result.summary.responses.0', 'prompt_feed_watchlist_name:action_result.parameter.context.artifact_id'], action_results=results)\n formatted_data_1 = phantom.get_format_data(name='format_ioc_v2_watchlist__as_list')\n\n parameters = []\n \n # build parameters list for 'remove_ioc_from_watchlist_1' call\n for formatted_part_1 in formatted_data_1:\n for results_item_1 in results_data_1:\n for results_item_2 in results_data_2:\n parameters.append({\n 'ioc_id': \"\",\n 'ioc_value': formatted_part_1,\n 'report_id': results_item_1[0],\n 'watchlist_id': results_item_2[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': results_item_1[1]},\n })\n\n phantom.act(action=\"remove ioc from watchlist\", parameters=parameters, 
assets=['test configuration asset'], name=\"remove_ioc_from_watchlist_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "aeb80929-e747-4022-9a11-f7dc4c7a9c25", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 675, + "line_start": 646, + "message": "Configuring now", + "name": "remove ioc from watchlist", + "notes": "", + "number": 1, + "order": 23, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1480, + "y": 520 + }, + "previous_function": "", + "previous_name": "remove_ioc_from_watchlist_1", + "required_params": {}, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 482 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".format": { + "text": 
"format_ioc_v2_watchlist" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "text": "Configuring now" + }, + ".outPorts>.port-out-1": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out-1>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".title": { + "text": "format" + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def format_ioc_v2_watchlist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('format_ioc_v2_watchlist() called')\n \n template = \"\"\"(process_hash:{0})\"\"\"\n\n # parameter list for template variable replacement\n parameters = [\n \"artifact:*.cef.threat_cause_actor_sha256\",\n ]\n\n phantom.format(container=container, template=template, parameters=parameters, name=\"format_ioc_v2_watchlist\")\n\n remove_ioc_from_watchlist_1(container=container)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "format_ioc_v2_watchlist", + "description": "", + "format": "format", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "81962a42-f69e-49ba-9c46-6e08173dce50", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 807, + "line_start": 791, + "message": "Configuring now", + "name": "format", + "notes": "", + "number": 4, + "order": 29, + "outPorts": [ + "out-1" + 
], + "parameters": [ + { + "position": 0, + "type": "", + "value": "artifact:*.cef.threat_cause_actor_sha256" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1140, + "y": 520 + }, + "previous_function": "", + "previous_name": "format_ioc_v2_watchlist", + "show_number": true, + "size": { + "height": 100, + "width": 180 + }, + "state": "format", + "status": "", + "template": "(process_hash:{0})", + "title": "format", + "type": "coa.Format", + "warn": false, + "z": 483 + }, + { + ".scmName/text": "local", + "active": false, + "active_keys": {}, + "active_values": {}, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".customFunction": { + "text": "get_process_analysis_url" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".scmName": { + "text": "local" + }, + ".title": { + "text": "custom function" + }, + ".title-info": { + "text": "" + }, + "g.branch image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + 
"opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + } + }, + "block_code": "def cf_local_get_process_analysis_url_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('cf_local_get_process_analysis_url_1() called')\n \n parameters = []\n\n parameters.append({\n 'asset': None,\n 'alert_id': None,\n })\n ################################################################################\n ## Custom Code Start\n ################################################################################\n\n # Write your custom code here...\n\n ################################################################################\n ## Custom Code End\n ################################################################################ \n\n # call custom function \"local/get_process_analysis_url\", returns the custom_function_run_id\n phantom.custom_function(custom_function='local/get_process_analysis_url', parameters=parameters, name='cf_local_get_process_analysis_url_1', callback=prompt_confirm_process_analysis)\n\n return", + "callback_code": "", + "callback_start": 360, + "callsback": true, + "cfDisplayPath": "local/get_process_analysis_url", + "cfInputs": { + "alert_id": { + "dataPath": "", + "type": "list" + }, + "asset": { + "dataPath": "", + "type": "list" + } + }, + "color": "", + "connected_to_start": true, + "connection_name": "", + "connection_type": "", + "currentVersion": true, + "customCodeEndLineOffset": 7, + "customCodeStartLine": 12, + "customFunction": "local/get_process_analysis_url", + "customFunctionId": null, + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "draftMode": false, + "existingCF": true, + "functionBlock": "custom function", + "has_custom": false, + "has_custom_block": false, + 
"has_custom_callback": false, + "has_custom_join": false, + "id": "c2e27189-999d-4069-9939-e63c9c32fe02", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 347, + "line_start": 323, + "message": "Configuring now", + "name": "get_process_analysis_url", + "notes": "", + "number": 1, + "order": 11, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 220, + "y": 280 + }, + "previous_function": "", + "previous_name": "cf_local_get_process_analysis_url_1", + "selectedCustomFunction": { + "description": "Returns an URL to Process Analysis page on CBC", + "draftMode": false, + "id": 96, + "inputs": [ + { + "_pretty_custom_function": "get_process_analysis_url", + "contains_type": [ + "*" + ], + "custom_function": 96, + "description": "", + "id": 274, + "input_type": "list", + "name": "asset", + "placeholder": "Asset ID" + }, + { + "_pretty_custom_function": "get_process_analysis_url", + "contains_type": [ + "*" + ], + "custom_function": 96, + "description": "", + "id": 275, + "input_type": "list", + "name": "alert_id", + "placeholder": "Alert ID" + } + ], + "name": "get_process_analysis_url", + "outputs": [ + { + "_pretty_custom_function": "get_process_analysis_url", + "contains_type": [ + "*" + ], + "custom_function": 96, + "data_path": "console_url", + "description": "URL to process analysis page", + "id": 158 + } + ], + 
"playbooks": { + "draft_playbooks": [], + "draft_version_id": null, + "playbooks": [] + }, + "scmId": 2, + "scmName": "local" + }, + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "repo", + "status": "", + "title": "custom function", + "type": "coa.CustomFunctionBlock", + "userGeneratedCode": " # Write your custom code here...", + "warn": false, + "z": 486 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 10 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_feed_watchlist_name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_feed_watchlist_name() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Enter feed/watchlist name\"\"\"\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"message\",\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_feed_watchlist_name\", response_types=response_types, callback=prompt_report_name)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "connected_to_start": true, + "connection_name": "prompt_feed_or_watchlist", + "connection_type": "action", + 
"custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_feed_watchlist_name", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "e19070c1-88e2-44f0-bb91-4a6a043d3d63", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 696, + "line_start": 675, + "message": "Enter feed/watchlist name", + "name": "prompt", + "notes": "", + "number": 10, + "order": 24, + "outPorts": [ + "out" + ], + "parameters": [], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 780, + "y": 160 + }, + "previous_function": "", + "previous_name": "prompt_feed_watchlist_name", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Message", + "response_options": [], + "response_prompt": "", + "response_type": "message" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 493 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + 
"port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 11 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_report_name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_report_name() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Enter Report Name\"\"\"\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"message\",\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_report_name\", response_types=response_types, callback=decision_4)\n\n return", + "callback_code": "", + "callback_start": 723, + "callsback": true, + "connected_to_start": true, + "connection_name": "prompt_feed_watchlist_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_report_name", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "6f08db01-6259-422b-9bcd-72a33b75d2e0", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 749, + "line_start": 728, + "message": "Enter Report Name", + "name": "prompt", + "notes": "", + "number": 11, + "order": 26, + "outPorts": [ + "out" + ], + "parameters": [], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + 
}, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 780, + "y": 280 + }, + "previous_function": "", + "previous_name": "prompt_report_name", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Message", + "response_options": [], + "response_prompt": "", + "response_type": "message" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 505 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 8 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_device_policy(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_device_policy() called')\n \n # set user and message variables for 
phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Enter device policy\"\"\"\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"message\",\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_device_policy\", response_types=response_types, callback=set_device_policy_1)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "connected_to_start": true, + "connection_name": "prompt_choose_cbabalytics_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_device_policy", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "9d31dcf2-55ee-4e06-a667-293d54dc1fba", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 480, + "line_start": 459, + "message": "Enter device policy", + "name": "prompt", + "notes": "", + "number": 8, + "order": 16, + "outPorts": [ + "out" + ], + "parameters": [], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1140, + "y": -140 + }, + "previous_function": "", + "previous_name": "prompt_device_policy", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + 
"response_key": "Message", + "response_options": [], + "response_prompt": "", + "response_type": "message" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 511 + }, + { + "action": "get enriched event", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "alert_id": "artifact:*.cef.id" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "get enriched event", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "alert_id": "artifact:*.cef.id" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "event_id", + "column_order": 0, + "data_path": "action_result.data.*.details.event_id", + "data_type": "string" + }, + { + "column_name": "event_type", + "column_order": 1, + "data_path": "action_result.data.*.details.event_type", + "data_type": "string" + }, + { + 
"column_name": "event_description", + "column_order": 2, + "data_path": "action_result.data.*.details.event_description", + "data_type": "string" + }, + { + "column_name": "alert_id", + "column_order": 3, + "data_path": "action_result.data.*.details.alert_id", + "data_type": "string" + }, + { + "column_name": "alert_category", + "column_order": 4, + "data_path": "action_result.data.*.details.alert_category", + "data_type": "string" + }, + { + "column_name": "backend_timestamp", + "column_order": 5, + "data_path": "action_result.data.*.details.backend_timestamp", + "data_type": "string" + }, + { + "column_name": "device_id", + "column_order": 6, + "data_path": "action_result.data.*.details.device_id", + "data_type": "string" + }, + { + "column_name": "device_name", + "column_order": 7, + "data_path": "action_result.data.*.details.device_name", + "data_type": "string" + }, + { + "column_name": "device_os", + "column_order": 8, + "data_path": "action_result.data.*.details.device_os", + "data_type": "string" + }, + { + "column_name": "device_policy", + "column_order": 9, + "data_path": "action_result.data.*.details.device_policy", + "data_type": "string" + }, + { + "column_name": "process_name", + "column_order": 10, + "data_path": "action_result.data.*.details.process_name", + "data_type": "string" + }, + { + "column_name": "process_hash", + "column_order": 11, + "data_path": "action_result.data.*.details.process_hash", + "data_type": "string" + }, + { + "column_name": "parent_pid", + "column_order": 12, + "data_path": "action_result.data.*.details.parent_pid", + "data_type": "string" + }, + { + "column_name": "process_pid", + "column_order": 13, + "data_path": "action_result.data.*.details.process_pid", + "data_type": "string" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "action_result.status", + "data_type": "string" + }, + { + 
"data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "alert_id": { + "contains": [ + "cbc alert id" + ], + "data_type": "string", + "default": "", + "description": "CBC Alert ID", + "key": "alert_id", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "get enriched event" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def get_enriched_event_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('get_enriched_event_1() called')\n\n # collect data for 'get_enriched_event_1' call\n container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.id', 'artifact:*.id'])\n\n parameters = []\n \n # build parameters list for 'get_enriched_event_1' call\n for container_item in container_data:\n if container_item[0]:\n parameters.append({\n 
'alert_id': container_item[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': container_item[1]},\n })\n\n phantom.act(action=\"get enriched event\", parameters=parameters, assets=['test configuration asset'], callback=join_prompt_choose_cbabalytics_action, name=\"get_enriched_event_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "", + "connection_type": "", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "b069e84d-fb6e-448c-9e36-5ee243a7f983", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 402, + "line_start": 381, + "message": "Configuring now", + "name": "get enriched event", + "notes": "", + "number": 1, + "order": 13, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 360, + "y": -20 + }, + "previous_function": "", + "previous_name": "get_enriched_event_1", + "required_params": { + "alert_id": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + 
"type": "coa.Action", + "warn": false, + "z": 515 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#637282", + "transform": "rotate(45 30 70)" + }, + ".inPorts>.port-0>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 6 + }, + ".outPorts>.port-0": { + "port": { + "id": "out-1", + "type": "out" + }, + "ref-x": 83, + "ref-y": 40 + }, + ".outPorts>.port-0>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".outPorts>.port-1": { + "port": { + "id": "out-2", + "type": "out" + }, + "ref-x": 41, + "ref-y": 82 + }, + ".outPorts>.port-1>.port-body": { + "port": { + "id": "out-2", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def decision_6(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('decision_6() called')\n\n # check for 'if' condition 1\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Add to watchlist/feed\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 1 matched\n if matched:\n add_ioc_to_feed_or_watchlist_2(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 2\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Remove from watchlist/feed\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 2 matched\n if matched:\n format_ioc_v2_watchlist(action=action, 
success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "hasElse": false, + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "cf324aa8-e3ee-4c85-9df3-4190945d5454", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 646, + "line_start": 615, + "name": "decision", + "notes": "", + "number": 6, + "order": 22, + "outPorts": [ + "out-1", + "out-2" + ], + "outputs": [ + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Add to watchlist/feed", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "If", + "logic": "and", + "type": "if" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Remove from watchlist/feed", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1040, + "y": 380 + }, + 
"previous_function": "", + "previous_name": "decision_6", + "show_number": true, + "size": { + "height": 82, + "width": 82 + }, + "state": "decision", + "status": "", + "type": "coa.Decision", + "warn": "", + "z": 528 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#637282", + "transform": "rotate(45 30 70)" + }, + ".inPorts>.port-0>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 5 + }, + ".outPorts>.port-0": { + "port": { + "id": "out-1", + "type": "out" + }, + "ref-x": 83, + "ref-y": 40 + }, + ".outPorts>.port-0>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".outPorts>.port-1": { + "port": { + "id": "out-2", + "type": "out" + }, + "ref-x": 41, + "ref-y": 82 + }, + ".outPorts>.port-1>.port-body": { + "port": { + "id": "out-2", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def decision_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('decision_5() called')\n\n # check for 'if' condition 1\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Add to watchlist/feed\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 1 matched\n if matched:\n add_ioc_to_feed_or_watchlist_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 2\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Remove from watchlist/feed\", \"==\", 
\"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 2 matched\n if matched:\n format_ioc_v2_feed(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "hasElse": false, + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "664451f5-e03e-42fe-aa7c-2fcec22b6d8d", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 594, + "line_start": 563, + "name": "decision", + "notes": "", + "number": 5, + "order": 20, + "outPorts": [ + "out-1", + "out-2" + ], + "outputs": [ + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Add to watchlist/feed", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "If", + "logic": "and", + "type": "if" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Remove from watchlist/feed", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { 
+ "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1040, + "y": 40 + }, + "previous_function": "", + "previous_name": "decision_5", + "show_number": true, + "size": { + "height": 82, + "width": 82 + }, + "state": "decision", + "status": "", + "type": "coa.Decision", + "warn": "", + "z": 529 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#637282", + "transform": "rotate(45 30 70)" + }, + ".inPorts>.port-0>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 4 + }, + ".outPorts>.port-0": { + "port": { + "id": "out-1", + "type": "out" + }, + "ref-x": 83, + "ref-y": 40 + }, + ".outPorts>.port-0>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".outPorts>.port-1": { + "port": { + "id": "out-2", + "type": "out" + }, + "ref-x": 41, + "ref-y": 82 + }, + ".outPorts>.port-1>.port-body": { + "port": { + "id": "out-2", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def decision_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('decision_4() called')\n\n # check for 'if' condition 1\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Feed\", \"==\", \"prompt_feed_or_watchlist:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 1 matched\n if matched:\n decision_5(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 2\n matched = phantom.decision(\n 
container=container,\n action_results=results,\n conditions=[\n [\"Watchlist\", \"==\", \"prompt_feed_or_watchlist:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 2 matched\n if matched:\n decision_6(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_report_name", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "hasElse": false, + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "dbc42c66-b230-4f11-b90b-dfbdf22f5b97", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 563, + "line_start": 532, + "name": "decision", + "notes": "", + "number": 4, + "order": 19, + "outPorts": [ + "out-1", + "out-2" + ], + "outputs": [ + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Feed", + "value": "prompt_feed_or_watchlist:action_result.summary.responses.0" + } + ], + "display": "If", + "logic": "and", + "type": "if" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Watchlist", + "value": "prompt_feed_or_watchlist:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + 
"fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 900, + "y": 280 + }, + "previous_function": "", + "previous_name": "decision_4", + "show_number": true, + "size": { + "height": 82, + "width": 82 + }, + "state": "decision", + "status": "", + "type": "coa.Decision", + "warn": "", + "z": 530 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 9 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_feed_or_watchlist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_feed_or_watchlist() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Choose a feed or a watchlist\"\"\"\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"list\",\n \"choices\": [\n \"Feed\",\n \"Watchlist\",\n ]\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_feed_or_watchlist\", response_types=response_types, callback=prompt_feed_watchlist_name)\n\n return", + "callback_code": "", + 
"callback_start": 1, + "callsback": true, + "connected_to_start": true, + "connection_name": "prompt_watchlist_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_feed_or_watchlist", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "2c9cb4bd-7409-4cab-9420-71b56e35dac7", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 532, + "line_start": 507, + "message": "Choose a feed or a watchlist", + "name": "prompt", + "notes": "", + "number": 9, + "order": 18, + "outPorts": [ + "out" + ], + "parameters": [], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 780, + "y": 40 + }, + "previous_function": "", + "previous_name": "prompt_feed_or_watchlist", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Custom List", + "response_options": [ + "Feed", + "Watchlist" + ], + "response_prompt": "", + "response_type": "list" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 537 + }, + { + "attrs": { + ".connection": { + "stroke": "#818D99", + "stroke-width": 2 + }, + ".marker-target": { + "d": "M 
10 0 L 0 5 L 10 10 z", + "fill": "#818D99", + "stroke": "#818D99" + } + }, + "connector": { + "args": { + "radius": 5 + }, + "name": "rounded" + }, + "endDirections": [ + "left" + ], + "id": "3505b011-3ebd-42de-8e03-1f4841218043", + "router": { + "name": "metro" + }, + "source": { + "id": "3e6d370f-63de-4581-a06f-b6605e338b27", + "port": "out-2", + "selector": "> g:nth-child(1) > g:nth-child(2) > g:nth-child(2) > circle:nth-child(1)" + }, + "startDirections": [ + "right" + ], + "target": { + "id": "9090f6d7-ab07-41eb-9fff-ffc732897b3e", + "selector": "> g:nth-child(1) > g:nth-child(1) > g:nth-child(1) > circle:nth-child(1)" + }, + "type": "link", + "z": 538 + }, + { + "action": "dismiss alert", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "alert_id": "artifact:*.cef.id" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "dismiss alert", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "alert_id": "artifact:*.cef.id" + }, + "has_app": true, + "id": 33, + 
"loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "alert_id", + "column_order": 0, + "contains": [], + "data_path": "action_result.parameter.alert_id", + "data_type": "string" + }, + { + "column_name": "status", + "column_order": 1, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "alert_id": { + "contains": [ + "cbc alert id" + ], + "data_type": "string", + "default": "", + "description": "Carbon Black Cloud Alert ID", + "key": "alert_id", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "dismiss alert" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + 
"g.timer image": { + "opacity": 1 + } + }, + "block_code": "def dismiss_alert_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('dismiss_alert_2() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'dismiss_alert_2' call\n container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.id', 'artifact:*.id'])\n\n parameters = []\n \n # build parameters list for 'dismiss_alert_2' call\n for container_item in container_data:\n if container_item[0]:\n parameters.append({\n 'alert_id': container_item[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': container_item[1]},\n })\n\n phantom.act(action=\"dismiss alert\", parameters=parameters, assets=['test configuration asset'], name=\"dismiss_alert_2\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_watchlist_action, prompt_choose_cbabalytics_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": "0", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "9090f6d7-ab07-41eb-9fff-ffc732897b3e", + "inPorts": [ + "in" + ], + "join_code": "def join_dismiss_alert_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):\n phantom.debug('join_dismiss_alert_2() called')\n \n # if the joined function has already been called, do nothing\n if phantom.get_run_data(key='join_dismiss_alert_2_called'):\n return\n\n # no callbacks to check, call connected block \"dismiss_alert_2\"\n 
phantom.save_run_data(key='join_dismiss_alert_2_called', value='dismiss_alert_2', auto=True)\n\n dismiss_alert_2(container=container, handle=handle)\n \n return", + "join_optional": [ + "prompt_watchlist_action", + "prompt_choose_cbabalytics_action" + ], + "join_start": 205, + "line_end": 219, + "line_start": 182, + "message": "Configuring now", + "name": "dismiss alert", + "notes": "", + "number": 2, + "order": 6, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1480, + "y": -20 + }, + "previous_function": "", + "previous_name": "dismiss_alert_2", + "required_params": { + "alert_id": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 543 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#637282", + "transform": "rotate(45 30 70)" + }, + ".inPorts>.port-0>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 3 + }, + ".outPorts>.port-0": { + "port": { + "id": "out-1", + "type": "out" + }, + "ref-x": 83, + "ref-y": 40 + }, + ".outPorts>.port-0>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".outPorts>.port-1": { + "port": { + "id": "out-2", + "type": "out" + }, + "ref-x": 41, + "ref-y": 82 + }, 
+ ".outPorts>.port-1>.port-body": { + "port": { + "id": "out-2", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def decision_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('decision_3() called')\n\n # check for 'if' condition 1\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Set device policy\", \"==\", \"prompt_choose_cbabalytics_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 1 matched\n if matched:\n prompt_device_policy(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # call connected blocks for 'else' condition 2\n join_dismiss_alert_2(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_choose_cbabalytics_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "hasElse": true, + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "3e6d370f-63de-4581-a06f-b6605e338b27", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 459, + "line_start": 438, + "name": "decision", + "notes": "", + "number": 3, + "order": 15, + "outPorts": [ + "out-1", + "out-2" + ], + "outputs": [ + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Set device policy", + "value": 
"prompt_choose_cbabalytics_action:action_result.summary.responses.0" + } + ], + "display": "If", + "logic": "and", + "type": "if" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "", + "value": "" + } + ], + "display": "Else", + "logic": "and", + "type": "else" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 880, + "y": -140 + }, + "previous_function": "", + "previous_name": "decision_3", + "show_number": true, + "size": { + "height": 82, + "width": 82 + }, + "state": "decision", + "status": "", + "type": "coa.Decision", + "warn": "", + "z": 545 + }, + { + "action": "get process metadata", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "process_guid": "artifact:*.cef.threat_cause_process_guid" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "get process metadata", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", 
+ "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + "active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "process_guid": "artifact:*.cef.threat_cause_process_guid" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "process_name", + "column_order": 0, + "data_path": "action_result.data.*.details.process_name", + "data_type": "string" + }, + { + "column_name": "process_sha256", + "column_order": 1, + "data_path": "action_result.data.*.details.process_sha256", + "data_type": "string" + }, + { + "column_name": "process_pid", + "column_order": 2, + "data_path": "action_result.data.*.details.process_pid", + "data_type": "string" + }, + { + "column_name": "process_cmdline", + "column_order": 3, + "data_path": "action_result.data.*.details.process_cmdline", + "data_type": "string" + }, + { + "column_name": "parent_pid", + "column_order": 4, + "data_path": "action_result.data.*.details.parent_pid", + "data_type": "string" + }, + { + "column_name": "alert_id", + "column_order": 5, + "data_path": "action_result.data.*.details.alert_id", + "data_type": "string" + }, + { + "column_name": "alert_category", + "column_order": 6, + "data_path": "action_result.data.*.details.alert_category", + "data_type": "string" + }, + { + "column_name": "backend_timestamp", + "column_order": 7, + "data_path": "action_result.data.*.details.backend_timestamp", + "data_type": "string" + }, + { + "column_name": "device_id", + "column_order": 8, + "data_path": "action_result.data.*.details.device_id", + "data_type": "string" + }, + { + 
"column_name": "device_name", + "column_order": 9, + "data_path": "action_result.data.*.details.device_name", + "data_type": "string" + }, + { + "column_name": "device_os", + "column_order": 10, + "data_path": "action_result.data.*.details.device_os", + "data_type": "string" + }, + { + "column_name": "device_policy", + "column_order": 11, + "data_path": "action_result.data.*.details.device_policy", + "data_type": "string" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "action_result.status", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "process_guid": { + "contains": [ + "cbc process guid" + ], + "data_type": "string", + "default": "", + "description": "Process GUID", + "key": "process_guid", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "get process metadata" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon 
image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def get_process_metadata_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('get_process_metadata_1() called')\n\n # collect data for 'get_process_metadata_1' call\n container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.threat_cause_process_guid', 'artifact:*.id'])\n\n parameters = []\n \n # build parameters list for 'get_process_metadata_1' call\n for container_item in container_data:\n if container_item[0]:\n parameters.append({\n 'process_guid': container_item[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': container_item[1]},\n })\n\n phantom.act(action=\"get process metadata\", parameters=parameters, assets=['test configuration asset'], callback=join_prompt_watchlist_action, name=\"get_process_metadata_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "", + "connection_type": "", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "bacb77a7-8e9a-4700-9112-35ff0ad174a6", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 68, + "line_start": 47, + "message": "Configuring now", + "name": "get process metadata", + "notes": "", + "number": 1, + "order": 3, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + 
}, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 220, + "y": 160 + }, + "previous_function": "", + "previous_name": "get_process_metadata_1", + "required_params": { + "process_guid": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 546 + }, + { + "action": "set device policy", + "action_type": "contain", + "active": false, + "active_keys": {}, + "active_values": { + "device_id": "artifact:*.cef.device_id", + "policy_id": "", + "policy_name": "prompt_device_policy:action_result.parameter.message" + }, + "angle": 0, + "app": "Carbon Black Cloud", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "approver": "", + "assets": [ + { + "action": "set device policy", + "actions": [ + "update watchlist", + "update feed", + "retrieve iocs", + "retrieve feed", + "retrieve watchlist", + "delete watchlist", + "delete feed", + "create watchlist", + "create feed", + "delete report", + "create report", + "execute command", + "list processes", + "remove ioc from feed", + "remove ioc from watchlist", + "add ioc to feed or watchlist", + "set device policy", + "list policies", + "unban hash", + "ban hash", + "unquarantine device", + "quarantine device", + "get process metadata", + "get binary metadata", + "kill process", + "get binary file", + "delete file", + "get file", + "get enriched event", + "dismiss alert", + "normalize artifact", + "on poll", + "test connectivity" + ], + 
"active": true, + "app_name": "Carbon Black Cloud", + "app_version": "1.0.0", + "appid": "d1896254-78f3-4c75-aa7b-d48359699641", + "asset_name": "example asset name", + "config_type": "asset", + "count": 0, + "fields": { + "device_id": "artifact:*.cef.device_id", + "policy_id": "", + "policy_name": "prompt_device_policy:action_result.parameter.message" + }, + "has_app": true, + "id": 33, + "loaded": false, + "missing": false, + "name": "test configuration asset", + "output": [ + { + "column_name": "policy_id", + "column_order": 0, + "contains": [], + "data_path": "action_result.data.*.policy_id", + "data_type": "string" + }, + { + "column_name": "policy_name", + "column_order": 1, + "contains": [], + "data_path": "action_result.data.*.policy_name", + "data_type": "string" + }, + { + "column_name": "device_id", + "column_order": 2, + "contains": [], + "data_path": "action_result.data.*.device_id", + "data_type": "string" + }, + { + "column_name": "status", + "column_order": 3, + "data_path": "action_result.status", + "data_type": "string" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "action_result.status", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + } + ], + "parameters": { + "device_id": { + "contains": [ + "cbc device id" + ], + "data_type": "string", + "default": "", + "description": "CBC Device ID", + "key": "device_id", + "order": 0, + "primary": true, + "required": true, + "value_list": [] + }, + "policy_id": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Policy ID", + "key": "policy_id", + "order": 1, + "primary": true, + "required": false, + "value_list": [] + }, + "policy_name": { + "contains": [], + "data_type": "string", + "default": "", + "description": "Policy Name", + "key": "policy_name", + "order": 2, + "primary": true, + 
"required": false, + "value_list": [] + } + }, + "product_name": "Carbon Black Cloud", + "product_vendor": "VMware", + "targets": "33", + "type": "endpoint" + } + ], + "attrs": { + ".action": { + "text": "set device policy" + }, + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".color-band": { + "fill": "#3C444D" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".message": { + "opacity": 0, + "ref-x": 5, + "ref-y": 105, + "text": "Configuring now" + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + ".title": { + "text": "Contain" + }, + "g.approver image": { + "opacity": 1 + }, + "g.code image": { + "opacity": 1 + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.icon image": { + "xlink:href": "/inc/coa/img/block_icon_contain.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + }, + "g.timer image": { + "opacity": 1 + } + }, + "block_code": "def set_device_policy_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('set_device_policy_1() called')\n \n #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))\n \n # collect data for 'set_device_policy_1' call\n container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.device_id', 'artifact:*.id'])\n results_data_1 = phantom.collect2(container=container, datapath=['prompt_device_policy:action_result.parameter.message', 'prompt_device_policy:action_result.parameter.context.artifact_id'], action_results=results)\n\n parameters = []\n \n # build parameters 
list for 'set_device_policy_1' call\n for container_item in container_data:\n for results_item_1 in results_data_1:\n if container_item[0]:\n parameters.append({\n 'device_id': container_item[0],\n 'policy_id': \"\",\n 'policy_name': results_item_1[0],\n # context (artifact id) is added to associate results with the artifact\n 'context': {'artifact_id': container_item[1]},\n })\n\n phantom.act(action=\"set device policy\", parameters=parameters, assets=['test configuration asset'], name=\"set_device_policy_1\")\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "color": "", + "connected_to_start": true, + "connection_name": "prompt_device_policy", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "delay": 0, + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "4757e8e7-da2b-4ce3-a4f3-2410fd547836", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 507, + "line_start": 480, + "message": "Configuring now", + "name": "set device policy", + "notes": "", + "number": 1, + "order": 17, + "outPorts": [ + "out" + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 1480, + "y": -140 + }, + "previous_function": "", + "previous_name": "set_device_policy_1", + 
"required_params": { + "device_id": true + }, + "reviewer": "", + "show_number": false, + "size": { + "height": 100, + "width": 180 + }, + "state": "app_action_assets", + "status": "", + "title": "Contain", + "type": "coa.Action", + "warn": false, + "z": 547 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 1 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_watchlist_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_watchlist_action() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Select action to perform on process hash {0}\"\"\"\n\n # parameter list for template variable replacement\n parameters = [\n \"get_process_metadata_1:action_result.data.*.details.process_sha256\",\n ]\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"list\",\n \"choices\": [\n \"Add to watchlist/feed\",\n \"Remove from watchlist/feed\",\n \"Ban hash\",\n \"Unban hash\",\n \"Dismiss alert\",\n ]\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_watchlist_action\", parameters=parameters, 
response_types=response_types, callback=decision_2)\n\n return", + "callback_code": "", + "callback_start": 124, + "callsback": true, + "connected_to_start": true, + "connection_name": "get process metadata, prompt_confirm_process_analysis", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_watchlist_action", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "69230e67-d63f-40a9-95a2-e1639e90e594", + "inPorts": [ + "in" + ], + "join_code": "def join_prompt_watchlist_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):\n phantom.debug('join_prompt_watchlist_action() called')\n\n # check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed\n if phantom.completed(action_names=['get_process_metadata_1', 'prompt_confirm_process_analysis']):\n \n # call connected block \"prompt_watchlist_action\"\n prompt_watchlist_action(container=container, handle=handle)\n \n return", + "join_optional": [], + "join_start": 101, + "line_end": 112, + "line_start": 68, + "message": "Select action to perform on process hash {0}", + "name": "prompt", + "notes": "", + "number": 1, + "order": 4, + "outPorts": [ + "out" + ], + "parameters": [ + { + "position": 0, + "type": "", + "value": "get_process_metadata_1:action_result.data.*.details.process_sha256" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + 
".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 480, + "y": 160 + }, + "previous_function": "", + "previous_name": "prompt_watchlist_action", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Custom List", + "response_options": [ + "Add to watchlist/feed", + "Remove from watchlist/feed", + "Ban hash", + "Unban hash", + "Dismiss alert" + ], + "response_prompt": "", + "response_type": "list" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 549 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 12 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_confirm_process_analysis(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_confirm_process_analysis() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Please click [Here]({0}) for Process 
Analysis. Add a comment below.{0}\"\"\"\n\n # parameter list for template variable replacement\n parameters = [\n \"cf_local_get_process_analysis_url_1:custom_function_result.data.console_url\",\n ]\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"message\",\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_confirm_process_analysis\", parameters=parameters, response_types=response_types, callback=join_prompt_watchlist_action)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "connected_to_start": true, + "connection_name": "get_process_analysis_url", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_confirm_process_analysis", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "3c5ce8bf-a446-4c4c-a94a-e6fb6abf1fed", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 775, + "line_start": 749, + "message": "Please click [Here]({0}) for Process Analysis. 
Add a comment below.{0}", + "name": "prompt", + "notes": "", + "number": 12, + "order": 27, + "outPorts": [ + "out" + ], + "parameters": [ + { + "position": 0, + "type": "", + "value": "cf_local_get_process_analysis_url_1:custom_function_result.data.console_url" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 480, + "y": 280 + }, + "previous_function": "", + "previous_name": "prompt_confirm_process_analysis", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Message", + "response_options": [], + "response_prompt": "", + "response_type": "message" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 550 + }, + { + "active": false, + "angle": 0, + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#637282", + "transform": "rotate(45 30 70)" + }, + ".inPorts>.port-0>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 2 + }, + ".outPorts>.port-0": { + "port": { + "id": "out-1", + "type": "out" + }, + "ref-x": 83, + "ref-y": 40 + }, + ".outPorts>.port-0>.port-body": { + "port": { + "id": "out-1", + "type": "out" + } + }, + ".outPorts>.port-1": { + "port": { + "id": "out-2", + "type": "out" + }, + "ref-x": 41, + "ref-y": 82 + }, + 
".outPorts>.port-1>.port-body": { + "port": { + "id": "out-2", + "type": "out" + } + }, + ".outPorts>.port-2": { + "port": { + "id": "out-3", + "type": "out" + }, + "ref-x": 41, + "ref-y": -2 + }, + ".outPorts>.port-2>.port-body": { + "port": { + "id": "out-3", + "type": "out" + } + }, + ".outPorts>.port-3": { + "port": { + "id": "out-4", + "type": "out" + }, + "ref-x": 67, + "ref-y": 16 + }, + ".outPorts>.port-3>.port-body": { + "port": { + "id": "out-4", + "type": "out" + } + }, + ".outPorts>.port-4": { + "port": { + "id": "out-5", + "type": "out" + }, + "ref-x": 67, + "ref-y": 63 + }, + ".outPorts>.port-4>.port-body": { + "port": { + "id": "out-5", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.delete image": { + "x": 5 + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('decision_2() called')\n\n # check for 'if' condition 1\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Remove from watchlist/feed\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 1 matched\n if matched:\n prompt_feed_or_watchlist(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 2\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Unban hash\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 2 matched\n if matched:\n unban_hash_1(action=action, success=success, container=container, 
results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 3\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Dismiss alert\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 3 matched\n if matched:\n join_dismiss_alert_2(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 4\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Add to watchlist/feed\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 4 matched\n if matched:\n prompt_feed_or_watchlist(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n # check for 'elif' condition 5\n matched = phantom.decision(\n container=container,\n action_results=results,\n conditions=[\n [\"Ban hash\", \"==\", \"prompt_watchlist_action:action_result.summary.responses.0\"],\n ])\n\n # call connected blocks if condition 5 matched\n if matched:\n ban_hash_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function)\n return\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": false, + "connected_to_start": true, + "connection_name": "prompt_watchlist_action", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "", + "description": "", + "hasElse": false, + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "e982b85a-e8dc-4aac-990f-d2f55963dea1", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 1, + "line_end": 182, + 
"line_start": 112, + "name": "decision", + "notes": "", + "number": 2, + "order": 5, + "outPorts": [ + "out-1", + "out-2", + "out-3", + "out-4", + "out-5" + ], + "outputs": [ + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Remove from watchlist/feed", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "If", + "logic": "and", + "type": "if" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Unban hash", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Dismiss alert", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Add to watchlist/feed", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + }, + { + "conditions": [ + { + "comparison": "==", + "data_type": "", + "param": "Ban hash", + "value": "prompt_watchlist_action:action_result.summary.responses.0" + } + ], + "display": "Else If", + "logic": "and", + "type": "elif" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + 
"x": 640, + "y": 60 + }, + "previous_function": "", + "previous_name": "decision_2", + "show_number": true, + "size": { + "height": 82, + "width": 82 + }, + "state": "decision", + "status": "", + "type": "coa.Decision", + "warn": "", + "z": 551 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 6 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + "opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_alert_triage_confirm(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_alert_triage_confirm() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Click [Here]({0}) to view Alert Triage page in CBC. 
Add a comment below.\"\"\"\n\n # parameter list for template variable replacement\n parameters = [\n \"cf_local_get_alert_triage_url_4:custom_function_result.data.console_url\",\n ]\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"message\",\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_alert_triage_confirm\", parameters=parameters, response_types=response_types, callback=join_prompt_choose_cbabalytics_action)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "connected_to_start": true, + "connection_name": "get_alert_triage_url", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_alert_triage_confirm", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "4bc6f85d-635b-4158-ae1e-cd587ca38867", + "inPorts": [ + "in" + ], + "join_code": "", + "join_optional": [], + "join_start": 357, + "line_end": 323, + "line_start": 297, + "message": "Click [Here]({0}) to view Alert Triage page in CBC. 
Add a comment below.", + "name": "prompt", + "notes": "", + "number": 6, + "order": 10, + "outPorts": [ + "out" + ], + "parameters": [ + { + "position": 0, + "type": "", + "value": "cf_local_get_alert_triage_url_4:custom_function_result.data.console_url" + } + ], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 600, + "y": -140 + }, + "previous_function": "", + "previous_name": "prompt_alert_triage_confirm", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Message", + "response_options": [ + "", + "" + ], + "response_prompt": "", + "response_type": "message" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 552 + }, + { + "active": false, + "angle": 0, + "approver": "Administrator", + "approver_display": "Administrator", + "attrs": { + ".background": { + "fill": "#000000", + "stroke": "#5C6773" + }, + ".inPorts>.port-in": { + "ref": ".background", + "ref-x": 0.5 + }, + ".inPorts>.port-in>.port-body": { + "port": { + "id": "in", + "type": "in" + } + }, + ".number": { + "text": 7 + }, + ".outPorts>.port-out": { + "ref": ".background", + "ref-x": 0.5 + }, + ".outPorts>.port-out>.port-body": { + "port": { + "id": "out", + "type": "out" + } + }, + "g.delete": { + "display": "none" + }, + "g.error": { + 
"opacity": 0 + }, + "g.error image": { + "xlink:href": "/inc/coa/img/block_icon_warn.svg" + }, + "g.notes": { + "display": "block" + }, + "g.notes image": { + "opacity": 1 + } + }, + "block_code": "def prompt_choose_cbabalytics_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):\n phantom.debug('prompt_choose_cbabalytics_action() called')\n \n # set user and message variables for phantom.prompt call\n user = \"Administrator\"\n message = \"\"\"Select an action\"\"\"\n\n #responses:\n response_types = [\n {\n \"prompt\": \"\",\n \"options\": {\n \"type\": \"list\",\n \"choices\": [\n \"Set device policy\",\n \"Dismiss alert\",\n ]\n },\n },\n ]\n\n phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name=\"prompt_choose_cbabalytics_action\", response_types=response_types, callback=decision_3)\n\n return", + "callback_code": "", + "callback_start": 1, + "callsback": true, + "connected_to_start": true, + "connection_name": "prompt_alert_triage_confirm, get enriched event", + "connection_type": "action", + "custom_callback": "", + "custom_code": "", + "custom_join": "", + "custom_name": "prompt_choose_cbabalytics_action", + "description": "", + "has_custom": false, + "has_custom_block": false, + "has_custom_callback": false, + "has_custom_join": false, + "id": "1973b2bc-65d6-4f7b-9a84-41bd493d9d39", + "inPorts": [ + "in" + ], + "join_code": "def join_prompt_choose_cbabalytics_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None):\n phantom.debug('join_prompt_choose_cbabalytics_action() called')\n\n # check if all connected incoming playbooks, actions, or custom functions are done i.e. 
have succeeded or failed\n if phantom.completed(action_names=['prompt_alert_triage_confirm', 'get_enriched_event_1']):\n \n # call connected block \"prompt_choose_cbabalytics_action\"\n prompt_choose_cbabalytics_action(container=container, handle=handle)\n \n return", + "join_optional": [], + "join_start": 427, + "line_end": 438, + "line_start": 402, + "message": "Select an action", + "name": "prompt", + "notes": "", + "number": 7, + "order": 14, + "outPorts": [ + "out" + ], + "parameters": [], + "ports": { + "groups": { + "in": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "left" + } + }, + "position": { + "name": "left" + } + }, + "out": { + "attrs": { + ".port-body": { + "fill": "#fff", + "magnet": true, + "r": 10, + "stroke": "#000" + }, + ".port-label": { + "fill": "#000" + } + }, + "label": { + "position": { + "args": { + "y": 10 + }, + "name": "right" + } + }, + "position": { + "name": "right" + } + } + } + }, + "position": { + "x": 740, + "y": -140 + }, + "previous_function": "", + "previous_name": "prompt_choose_cbabalytics_action", + "respond_in": "30", + "response_key": "Message", + "response_options": [], + "response_type": "list", + "responses": [ + { + "response_key": "Custom List", + "response_options": [ + "Set device policy", + "Dismiss alert" + ], + "response_prompt": "", + "response_type": "list" + } + ], + "show_number": true, + "size": { + "height": 80, + "width": 80 + }, + "state": "prompt", + "status": "", + "type": "coa.Prompt", + "warn": false, + "z": 553 + } + ] + }, + "notes": "" + }, + "python_version": "3", + "schema": 4, + "version": "4.10.2.47587" + }, + "create_time": "2023-01-19T14:17:58.852803+00:00", + "draft_mode": false, + "labels": [ + "events" + ], + "tags": [] +} \ No newline at end of file 
diff --git a/cbc_alerts.py b/cbc_alerts.py new file mode 100644 index 00000000..f701c554 --- /dev/null +++ b/cbc_alerts.py 
@@ -0,0 +1,820 @@ +""" +Carbon Black Cloud alerts playbook +""" + +import phantom.rules as phantom +import json +from datetime import datetime, timedelta +def on_start(container): + phantom.debug('on_start() called') + + # call 'decision_1' block + decision_1(container=container) + + return + +def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('decision_1() called') + + # check for 'if' condition 1 + matched = phantom.decision( + container=container, + conditions=[ + ["artifact:*.cef.type", "==", "CB_ANALYTICS"], + ]) + + # call connected blocks if condition 1 matched + if matched: + cf_local_get_alert_triage_url_4(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + get_enriched_event_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 2 + matched = phantom.decision( + container=container, + conditions=[ + ["artifact:*.cef.type", "==", "WATCHLIST"], + ]) + + # call connected blocks if condition 2 matched + if matched: + cf_local_get_process_analysis_url_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + get_process_metadata_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + return + +def get_process_metadata_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('get_process_metadata_1() called') + + # collect data for 'get_process_metadata_1' call + container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.threat_cause_process_guid', 'artifact:*.id']) + + parameters = [] + + # 
build parameters list for 'get_process_metadata_1' call + for container_item in container_data: + if container_item[0]: + parameters.append({ + 'process_guid': container_item[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': container_item[1]}, + }) + + phantom.act(action="get process metadata", parameters=parameters, assets=['test configuration asset'], callback=join_prompt_watchlist_action, name="get_process_metadata_1") + + return + +def prompt_watchlist_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_watchlist_action() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Select action to perform on process hash {0}""" + + # parameter list for template variable replacement + parameters = [ + "get_process_metadata_1:action_result.data.*.details.process_sha256", + ] + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "list", + "choices": [ + "Add to watchlist/feed", + "Remove from watchlist/feed", + "Ban hash", + "Unban hash", + "Dismiss alert", + ] + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_watchlist_action", parameters=parameters, response_types=response_types, callback=decision_2) + + return + +def join_prompt_watchlist_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None): + phantom.debug('join_prompt_watchlist_action() called') + + # check if all connected incoming playbooks, actions, or custom functions are done i.e. 
have succeeded or failed + if phantom.completed(action_names=['get_process_metadata_1', 'prompt_confirm_process_analysis']): + + # call connected block "prompt_watchlist_action" + prompt_watchlist_action(container=container, handle=handle) + + return + +def decision_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('decision_2() called') + + # check for 'if' condition 1 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Remove from watchlist/feed", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 1 matched + if matched: + prompt_feed_or_watchlist(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 2 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Unban hash", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 2 matched + if matched: + unban_hash_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 3 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Dismiss alert", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 3 matched + if matched: + join_dismiss_alert_2(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 4 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Add to watchlist/feed", "==", "prompt_watchlist_action:action_result.summary.responses.0"], 
+ ]) + + # call connected blocks if condition 4 matched + if matched: + prompt_feed_or_watchlist(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 5 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Ban hash", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 5 matched + if matched: + ban_hash_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + return + +def dismiss_alert_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('dismiss_alert_2() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'dismiss_alert_2' call + container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.id', 'artifact:*.id']) + + parameters = [] + + # build parameters list for 'dismiss_alert_2' call + for container_item in container_data: + if container_item[0]: + parameters.append({ + 'alert_id': container_item[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': container_item[1]}, + }) + + phantom.act(action="dismiss alert", parameters=parameters, assets=['test configuration asset'], name="dismiss_alert_2") + + return + +def join_dismiss_alert_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None): + phantom.debug('join_dismiss_alert_2() called') + + # if the joined function has already been called, do nothing + if phantom.get_run_data(key='join_dismiss_alert_2_called'): + return + + # no callbacks to check, call connected block 
"dismiss_alert_2" + phantom.save_run_data(key='join_dismiss_alert_2_called', value='dismiss_alert_2', auto=True) + + dismiss_alert_2(container=container, handle=handle) + + return + +def add_ioc_to_feed_or_watchlist_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('add_ioc_to_feed_or_watchlist_1() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'add_ioc_to_feed_or_watchlist_1' call + container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.threat_cause_actor_sha256', 'artifact:*.id']) + results_data_1 = phantom.collect2(container=container, datapath=['prompt_feed_watchlist_name:action_result.summary.responses.0', 'prompt_feed_watchlist_name:action_result.parameter.context.artifact_id'], action_results=results) + results_data_2 = phantom.collect2(container=container, datapath=['prompt_report_name:action_result.summary.responses.0', 'prompt_report_name:action_result.parameter.context.artifact_id'], action_results=results) + + parameters = [] + + # build parameters list for 'add_ioc_to_feed_or_watchlist_1' call + for container_item in container_data: + for results_item_1 in results_data_1: + for results_item_2 in results_data_2: + if container_item[0] and results_item_2[0]: + parameters.append({ + 'ioc_id': "", + 'feed_id': results_item_1[0], + 'cbc_field': "process_hash", + 'ioc_value': container_item[0], + 'report_id': results_item_2[0], + 'watchlist_id': "", + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': results_item_1[1]}, + }) + + phantom.act(action="add ioc to feed or watchlist", parameters=parameters, assets=['test configuration asset'], name="add_ioc_to_feed_or_watchlist_1") + + return + +def ban_hash_1(action=None, success=None, container=None, results=None, handle=None, 
filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('ban_hash_1() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'ban_hash_1' call + results_data_1 = phantom.collect2(container=container, datapath=['get_process_metadata_1:action_result.data.*.details.process_sha256', 'get_process_metadata_1:action_result.parameter.context.artifact_id'], action_results=results) + + parameters = [] + + # build parameters list for 'ban_hash_1' call + for results_item_1 in results_data_1: + if results_item_1[0]: + parameters.append({ + 'process_hash': results_item_1[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': results_item_1[1]}, + }) + + phantom.act(action="ban hash", parameters=parameters, assets=['test configuration asset'], name="ban_hash_1") + + return + +def unban_hash_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('unban_hash_1() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'unban_hash_1' call + results_data_1 = phantom.collect2(container=container, datapath=['get_process_metadata_1:action_result.data.*.details.process_sha256', 'get_process_metadata_1:action_result.parameter.context.artifact_id'], action_results=results) + + parameters = [] + + # build parameters list for 'unban_hash_1' call + for results_item_1 in results_data_1: + if results_item_1[0]: + parameters.append({ + 'process_hash': results_item_1[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': results_item_1[1]}, + }) + + phantom.act(action="unban hash", parameters=parameters, assets=['test configuration asset'], name="unban_hash_1") + + return + +def 
prompt_alert_triage_confirm(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_alert_triage_confirm() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Click [Here]({0}) to view Alert Triage page in CBC. Add a comment below.""" + + # parameter list for template variable replacement + parameters = [ + "cf_local_get_alert_triage_url_4:custom_function_result.data.console_url", + ] + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "message", + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_alert_triage_confirm", parameters=parameters, response_types=response_types, callback=join_prompt_choose_cbabalytics_action) + + return + +def cf_local_get_process_analysis_url_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('cf_local_get_process_analysis_url_1() called') + + parameters = [] + + parameters.append({ + 'asset': None, + 'alert_id': None, + }) + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... 
+ + ################################################################################ + ## Custom Code End + ################################################################################ + + # call custom function "local/get_process_analysis_url", returns the custom_function_run_id + phantom.custom_function(custom_function='local/get_process_analysis_url', parameters=parameters, name='cf_local_get_process_analysis_url_1', callback=prompt_confirm_process_analysis) + + return + +def cf_local_get_alert_triage_url_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('cf_local_get_alert_triage_url_4() called') + + container_data_0 = phantom.collect2(container=container, datapath=['artifact:*.cef.id', 'artifact:*.id']) + container_property_0 = [ + [ + container.get("asset_name"), + ], + ] + + parameters = [] + + container_property_0_0 = [item[0] for item in container_property_0] + container_data_0_0 = [item[0] for item in container_data_0] + + parameters.append({ + 'asset': container_property_0_0, + 'alert_id': container_data_0_0, + }) + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... 
+ + ################################################################################ + ## Custom Code End + ################################################################################ + + # call custom function "local/get_alert_triage_url", returns the custom_function_run_id + phantom.custom_function(custom_function='local/get_alert_triage_url', parameters=parameters, name='cf_local_get_alert_triage_url_4', callback=prompt_alert_triage_confirm) + + return + +def get_enriched_event_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('get_enriched_event_1() called') + + # collect data for 'get_enriched_event_1' call + container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.id', 'artifact:*.id']) + + parameters = [] + + # build parameters list for 'get_enriched_event_1' call + for container_item in container_data: + if container_item[0]: + parameters.append({ + 'alert_id': container_item[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': container_item[1]}, + }) + + phantom.act(action="get enriched event", parameters=parameters, assets=['test configuration asset'], callback=join_prompt_choose_cbabalytics_action, name="get_enriched_event_1") + + return + +def prompt_choose_cbabalytics_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_choose_cbabalytics_action() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Select an action""" + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "list", + "choices": [ + "Set device policy", + "Dismiss alert", + ] + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, 
name="prompt_choose_cbabalytics_action", response_types=response_types, callback=decision_3) + + return + +def join_prompt_choose_cbabalytics_action(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None): + phantom.debug('join_prompt_choose_cbabalytics_action() called') + + # check if all connected incoming playbooks, actions, or custom functions are done i.e. have succeeded or failed + if phantom.completed(action_names=['prompt_alert_triage_confirm', 'get_enriched_event_1']): + + # call connected block "prompt_choose_cbabalytics_action" + prompt_choose_cbabalytics_action(container=container, handle=handle) + + return + +def decision_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('decision_3() called') + + # check for 'if' condition 1 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Set device policy", "==", "prompt_choose_cbabalytics_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 1 matched + if matched: + prompt_device_policy(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # call connected blocks for 'else' condition 2 + join_dismiss_alert_2(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + + return + +def prompt_device_policy(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_device_policy() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Enter device policy""" + + #responses: + response_types = [ + { + "prompt": "", + "options": { + 
"type": "message", + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_device_policy", response_types=response_types, callback=set_device_policy_1) + + return + +def set_device_policy_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('set_device_policy_1() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'set_device_policy_1' call + container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.device_id', 'artifact:*.id']) + results_data_1 = phantom.collect2(container=container, datapath=['prompt_device_policy:action_result.parameter.message', 'prompt_device_policy:action_result.parameter.context.artifact_id'], action_results=results) + + parameters = [] + + # build parameters list for 'set_device_policy_1' call + for container_item in container_data: + for results_item_1 in results_data_1: + if container_item[0]: + parameters.append({ + 'device_id': container_item[0], + 'policy_id': "", + 'policy_name': results_item_1[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': container_item[1]}, + }) + + phantom.act(action="set device policy", parameters=parameters, assets=['test configuration asset'], name="set_device_policy_1") + + return + +def prompt_feed_or_watchlist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_feed_or_watchlist() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Choose a feed or a watchlist""" + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "list", + "choices": [ + "Feed", + "Watchlist", + ] + 
}, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_feed_or_watchlist", response_types=response_types, callback=prompt_feed_watchlist_name) + + return + +def decision_4(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('decision_4() called') + + # check for 'if' condition 1 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Feed", "==", "prompt_feed_or_watchlist:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 1 matched + if matched: + decision_5(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 2 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Watchlist", "==", "prompt_feed_or_watchlist:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 2 matched + if matched: + decision_6(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + return + +def decision_5(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('decision_5() called') + + # check for 'if' condition 1 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Add to watchlist/feed", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 1 matched + if matched: + add_ioc_to_feed_or_watchlist_1(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 2 + matched = phantom.decision( 
+ container=container, + action_results=results, + conditions=[ + ["Remove from watchlist/feed", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 2 matched + if matched: + format_ioc_v2_feed(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + return + +def remove_ioc_from_feed_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('remove_ioc_from_feed_1() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'remove_ioc_from_feed_1' call + + parameters = [] + + # build parameters list for 'remove_ioc_from_feed_1' call + parameters.append({ + 'ioc_id': "", + 'feed_id': "", + 'ioc_value': "", + 'report_id': "", + }) + + phantom.act(action="remove ioc from feed", parameters=parameters, assets=['test configuration asset'], name="remove_ioc_from_feed_1") + + return + +def decision_6(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('decision_6() called') + + # check for 'if' condition 1 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Add to watchlist/feed", "==", "prompt_watchlist_action:action_result.summary.responses.0"], + ]) + + # call connected blocks if condition 1 matched + if matched: + add_ioc_to_feed_or_watchlist_2(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + # check for 'elif' condition 2 + matched = phantom.decision( + container=container, + action_results=results, + conditions=[ + ["Remove from watchlist/feed", "==", "prompt_watchlist_action:action_result.summary.responses.0"], 
+ ]) + + # call connected blocks if condition 2 matched + if matched: + format_ioc_v2_watchlist(action=action, success=success, container=container, results=results, handle=handle, custom_function=custom_function) + return + + return + +def remove_ioc_from_watchlist_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('remove_ioc_from_watchlist_1() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'remove_ioc_from_watchlist_1' call + results_data_1 = phantom.collect2(container=container, datapath=['prompt_report_name:action_result.summary.responses.0', 'prompt_report_name:action_result.parameter.context.artifact_id'], action_results=results) + results_data_2 = phantom.collect2(container=container, datapath=['prompt_feed_watchlist_name:action_result.summary.responses.0', 'prompt_feed_watchlist_name:action_result.parameter.context.artifact_id'], action_results=results) + formatted_data_1 = phantom.get_format_data(name='format_ioc_v2_watchlist__as_list') + + parameters = [] + + # build parameters list for 'remove_ioc_from_watchlist_1' call + for formatted_part_1 in formatted_data_1: + for results_item_1 in results_data_1: + for results_item_2 in results_data_2: + parameters.append({ + 'ioc_id': "", + 'ioc_value': formatted_part_1, + 'report_id': results_item_1[0], + 'watchlist_id': results_item_2[0], + # context (artifact id) is added to associate results with the artifact + 'context': {'artifact_id': results_item_1[1]}, + }) + + phantom.act(action="remove ioc from watchlist", parameters=parameters, assets=['test configuration asset'], name="remove_ioc_from_watchlist_1") + + return + +def prompt_feed_watchlist_name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + 
phantom.debug('prompt_feed_watchlist_name() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Enter feed/watchlist name""" + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "message", + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_feed_watchlist_name", response_types=response_types, callback=prompt_report_name) + + return + +def add_ioc_to_feed_or_watchlist_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('add_ioc_to_feed_or_watchlist_2() called') + + #phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + # collect data for 'add_ioc_to_feed_or_watchlist_2' call + container_data = phantom.collect2(container=container, datapath=['artifact:*.cef.threat_cause_actor_sha256', 'artifact:*.id']) + results_data_1 = phantom.collect2(container=container, datapath=['prompt_report_name:action_result.summary.responses.0', 'prompt_report_name:action_result.parameter.context.artifact_id'], action_results=results) + results_data_2 = phantom.collect2(container=container, datapath=['prompt_feed_watchlist_name:action_result.summary.responses.0', 'prompt_feed_watchlist_name:action_result.parameter.context.artifact_id'], action_results=results) + + parameters = [] + + # build parameters list for 'add_ioc_to_feed_or_watchlist_2' call + for container_item in container_data: + for results_item_1 in results_data_1: + for results_item_2 in results_data_2: + if container_item[0] and results_item_1[0]: + parameters.append({ + 'ioc_id': "", + 'feed_id': "", + 'cbc_field': "process_hash", + 'ioc_value': container_item[0], + 'report_id': results_item_1[0], + 'watchlist_id': results_item_2[0], + # context (artifact id) is added to associate results with the artifact + 
'context': {'artifact_id': container_item[1]}, + }) + + phantom.act(action="add ioc to feed or watchlist", parameters=parameters, assets=['test configuration asset'], name="add_ioc_to_feed_or_watchlist_2") + + return + +def prompt_report_name(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_report_name() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Enter Report Name""" + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "message", + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_report_name", response_types=response_types, callback=decision_4) + + return + +def prompt_confirm_process_analysis(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('prompt_confirm_process_analysis() called') + + # set user and message variables for phantom.prompt call + user = "Administrator" + message = """Please click [Here]({0}) for Process Analysis. 
Add a comment below.{0}""" + + # parameter list for template variable replacement + parameters = [ + "cf_local_get_process_analysis_url_1:custom_function_result.data.console_url", + ] + + #responses: + response_types = [ + { + "prompt": "", + "options": { + "type": "message", + }, + }, + ] + + phantom.prompt2(container=container, user=user, message=message, respond_in_mins=30, name="prompt_confirm_process_analysis", parameters=parameters, response_types=response_types, callback=join_prompt_watchlist_action) + + return + +def format_ioc_v2_feed(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('format_ioc_v2_feed() called') + + template = """(process_hash:{0})""" + + # parameter list for template variable replacement + parameters = [ + "artifact:*.cef.threat_cause_actor_sha256", + ] + + phantom.format(container=container, template=template, parameters=parameters, name="format_ioc_v2_feed") + + remove_ioc_from_feed_1(container=container) + + return + +def format_ioc_v2_watchlist(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug('format_ioc_v2_watchlist() called') + + template = """(process_hash:{0})""" + + # parameter list for template variable replacement + parameters = [ + "artifact:*.cef.threat_cause_actor_sha256", + ] + + phantom.format(container=container, template=template, parameters=parameters, name="format_ioc_v2_watchlist") + + remove_ioc_from_watchlist_1(container=container) + + return + +def on_finish(container, summary): + phantom.debug('on_finish() called') + # This function is called after all actions are completed. + # summary of all the action and/or all details of actions + # can be collected here. 
+ + # summary_json = phantom.get_summary() + # if 'result' in summary_json: + # for action_result in summary_json['result']: + # if 'action_run_id' in action_result: + # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False) + # phantom.debug(action_results) + + return \ No newline at end of file