Hi i want create simple playbook to detect data from Incident Response it can send to SOAR to automate analyze like Virustotal. I just want VirusTotal to analyze it and write the result in comment and with status "In Progress" or "Pending" i SS the flow and i think it very possible. but i got confused error "The supplied status is invalid"
Also here my python sourcecode
"""
"""
import phantom.rules as phantom
import json
from datetime import datetime, timedelta
@phantom.playbook_block()
def on_start(container):
phantom.debug('on_start() called')
# call 'update_event_1' block
update_event_1(container=container)
return
@phantom.playbook_block()
def update_event_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
parameters = []
# build parameters list for 'update_event_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"status": "in progress",
"comment": "Tahap analisa via SOAR",
"event_ids": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_1", assets=["soar_es"], callback=ip_reputation_1)
return
@phantom.playbook_block()
def ip_reputation_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("ip_reputation_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.src","artifact:*.id"])
parameters = []
# build parameters list for 'ip_reputation_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"ip": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("ip reputation", parameters=parameters, name="ip_reputation_1", assets=["virtotv3-trialzake"], callback=decision_1)
return
@phantom.playbook_block()
def decision_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("decision_1() called")
# check for 'if' condition 1
found_match_1 = phantom.decision(
container=container,
conditions=[
["ip_reputation_1:action_result.summary.malicious", ">", 0]
],
delimiter=None)
# call connected blocks if condition 1 matched
if found_match_1:
update_event_2(action=action, success=success, container=container, results=results, handle=handle)
return
# check for 'else' condition 2
update_event_3(action=action, success=success, container=container, results=results, handle=handle)
return
@phantom.playbook_block()
def update_event_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_2() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
comment_formatted_string = phantom.format(
container=container,
template="""Information from SOAR : \nSource : {0}\nHarmles : {1} \nMalicious : {2}""",
parameters=[
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.source",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.harmless",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.malicious"
])
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
ip_reputation_1_result_data = phantom.collect2(container=container, datapath=["ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.source","ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.harmless","ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.malicious","ip_reputation_1:action_result.parameter.context.artifact_id"], action_results=results)
parameters = []
# build parameters list for 'update_event_2' call
for container_artifact_item in container_artifact_data:
for ip_reputation_1_result_item in ip_reputation_1_result_data:
if container_artifact_item[0] is not None:
parameters.append({
"event_ids": container_artifact_item[0],
"status": "Pending",
"comment": comment_formatted_string,
"context": {'artifact_id': ip_reputation_1_result_item[3]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_2", assets=["soar_es"])
return
@phantom.playbook_block()
def lookup_ip_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("lookup_ip_1() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.src","artifact:*.id"])
parameters = []
# build parameters list for 'lookup_ip_1' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"days": 10,
"ip": container_artifact_item[0],
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("lookup ip", parameters=parameters, name="lookup_ip_1", assets=["abuseipdb"])
return
@phantom.playbook_block()
def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("format_1() called")
template = """Detail : {0}\nSeverity : {1}\nSource : {2}\nHarmles : {3}\nMalicious : {4}\n"""
# parameter list for template variable replacement
parameters = [
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.detail",
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.severity",
"ip_reputation_1:action_result.data.*.attributes.crowdsourced_context.*.source",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.harmless",
"ip_reputation_1:action_result.data.*.attributes.last_analysis_stats.malicious"
]
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.format(container=container, template=template, parameters=parameters, name="format_1")
return
@phantom.playbook_block()
def update_event_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
phantom.debug("update_event_3() called")
# phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED')))
container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.event_id","artifact:*.id"])
parameters = []
# build parameters list for 'update_event_3' call
for container_artifact_item in container_artifact_data:
if container_artifact_item[0] is not None:
parameters.append({
"event_ids": container_artifact_item[0],
"status": "Pending",
"comment": "Safe from Virus Total",
"context": {'artifact_id': container_artifact_item[1]},
})
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
phantom.act("update event", parameters=parameters, name="update_event_3", assets=["soar_es"])
return
@phantom.playbook_block()
def on_finish(container, summary):
phantom.debug("on_finish() called")
################################################################################
## Custom Code Start
################################################################################
# Write your custom code here...
################################################################################
## Custom Code End
################################################################################
return
1 Solution
I don't have any trouble in the first update event, the trouble only in the second. in the first status can be changed perfectly also the comment is fine.
