From a11ba87961ccdb3e9bb84ff1b7f5ef9f553319ab Mon Sep 17 00:00:00 2001 From: tccontre Date: Mon, 3 Jul 2023 14:14:52 +0200 Subject: [PATCH 1/2] Splunk_Attack_Analyzer_Dynamic_Analysis_Fix_Bug --- ...lunk_Attack_Analyzer_Dynamic_Analysis.json | 24 +++++++-------- ...Splunk_Attack_Analyzer_Dynamic_Analysis.py | 30 +++++++++++-------- 2 files changed, 29 insertions(+), 25 deletions(-) diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json index 83bccbcefe..f5c4981c8f 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json @@ -156,7 +156,7 @@ "targetPort": "15_in" } ], - "hash": "d3278e0db9a8761705897f1307e410d32a715c77", + "hash": "13864bdc7ea935acde9ad6f1be501217c7197c4f", "nodes": { "0": { "data": { @@ -171,8 +171,8 @@ "id": "0", "type": "start", "warnings": {}, - "x": 190, - "y": -7.673861546209082e-13 + "x": 200, + "y": -6.394884621840902e-14 }, "1": { "data": { @@ -265,7 +265,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -308,7 +308,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -317,7 +317,7 @@ "id": "15", "parameters": { "job_id": "filtered-data:detonation_status_filter:condition_1:file_detonation:action_result.data.*.JobID", - "timeout": "10" + "timeout": "3" }, "requiredParameters": [ { 
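Review bot: The `timeout` on the `get job forensics` parameters of node 15 drops from "10" to "3" with no record of the units or of what the action returns when the sandbox job has not finished; the .py hunks make the same change in `get_file_forensics_output` (10 to 3) and `get_url_forensics_output` (5 to 2), and the second patch lowers both again to 2. If the connector hands back a partial result for a still-running job (presumably a DisplayScore of 0), the normalization code downstream maps it to `Unknown`/score_id 0, so the artifact would be reported as unscored rather than as pending. Suggest a comment beside the parameter in the .py recording the decision, e.g. `"timeout": 3,  # <units - confirm>; lowered from 10 because <reason>`, and confirming that the later filters on `action_result.status == "success"` actually distinguish a finished job from a timed-out one.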
@@ -367,7 +367,7 @@ "errors": {}, "id": "17", "type": "code", - "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id):\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_url\n\n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", + "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n 
\"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n\n for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", "warnings": {}, "x": 340, "y": 1260 @@ -571,7 +571,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", 
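Review bot: The rewritten pairing loop in node 17's `userCode` iterates `filtered_result_0_data___jobid` inside a loop that already draws `orig_job` from that same list, so the inner loop can only ever match itself and the construct is an O(n²) spelling of `job_file_dict = dict(zip(filtered_result_0_data___jobid, filtered_result_0_parameter_file))`. The lookup further down, `file = job_file_dict[job]`, remains unguarded: a forensics job id with no detonation result raises KeyError and aborts the block for every result, so consider `if job not in job_file_dict: continue` (with a `phantom.debug` of the orphan id) ahead of it. The same loop is duplicated in node 8's `userCode` (the next hunk of this file) and in the .py hunks for `normalized_url_forensic_output` and `normalized_file_forensic_output`, which mirror these JSON strings and should be changed together.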
@@ -652,7 +652,7 @@ }, "connector": "Splunk Attack Analyzer", "connectorConfigs": [ - "splunk_attack_analyzer" + "splunk attack analyzer" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -661,7 +661,7 @@ "id": "6", "parameters": { "job_id": "filtered-data:url_status_filter:condition_1:url_detonation:action_result.data.*.JobID", - "timeout": "5" + "timeout": "2" }, "requiredParameters": [ { 
@@ -747,7 +747,7 @@ "errors": {}, "id": "8", "type": "code", - "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_url_forensic_output__url_score_object = []\n normalized_url_forensic_output__scores = []\n normalized_url_forensic_output__categories = []\n normalized_url_forensic_output__score_id = []\n normalized_url_forensic_output__url = []\n normalized_url_forensic_output__job_id = []\n\n ## pair forensic job results with url detonated\n job_url_dict = {}\n for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id):\n if orig_job == filtered_job:\n job_url_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n url = job_url_dict[job]\n categories = [item.get('Description') for item in detections]\n \n # Attach final object\n normalized_url_forensic_output__url_score_object.append({'value': url, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_url_forensic_output__scores.append(score)\n normalized_url_forensic_output__categories.append(\", \".join(categories))\n normalized_url_forensic_output__score_id.append(score_id)\n normalized_url_forensic_output__url.append(url)\n normalized_url_forensic_output__job_id.append(job)\n\n", + "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n 
\"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_url_forensic_output__url_score_object = []\n normalized_url_forensic_output__scores = []\n normalized_url_forensic_output__categories = []\n normalized_url_forensic_output__score_id = []\n normalized_url_forensic_output__url = []\n normalized_url_forensic_output__job_id = []\n\n ## pair forensic job results with url detonated\n job_url_dict = {}\n\n for orig_url, orig_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_url_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n url = job_url_dict[job]\n categories = [item.get('Description') for item in detections]\n \n # Attach final object\n normalized_url_forensic_output__url_score_object.append({'value': url, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_url_forensic_output__scores.append(score)\n normalized_url_forensic_output__categories.append(\", \".join(categories))\n normalized_url_forensic_output__score_id.append(score_id)\n normalized_url_forensic_output__url.append(url)\n normalized_url_forensic_output__job_id.append(job)\n\n", "warnings": {}, "x": 0, "y": 1260 @@ -800,7 +800,7 @@ "schema": "5.0.9", "version": "6.0.0.114895" }, - "create_time": "2023-04-29T01:27:41.839151+00:00", + "create_time": "2023-07-03T11:44:44.497724+00:00", "draft_mode": false, "labels": [ "*" 
diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py index b0c7fbba89..bf00f75984 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py @@ -83,7 +83,7 @@ def url_detonation(action=None, success=None, container=None, results=None, hand ## Custom Code End ################################################################################ - phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk_attack_analyzer"], callback=url_status_filter) + phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk attack analyzer"], callback=url_status_filter) return @@ -131,7 +131,7 @@ def get_url_forensics_output(action=None, success=None, container=None, results= if filtered_result_0_item_url_status_filter[0] is not None: parameters.append({ "job_id": filtered_result_0_item_url_status_filter[0], - "timeout": 5, + "timeout": 2, }) ################################################################################ @@ -152,7 +152,7 @@ def get_url_forensics_output(action=None, success=None, container=None, results= ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk_attack_analyzer"], callback=get_jobid_forensic_filter) + phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk attack analyzer"], callback=get_jobid_forensic_filter) return 
@@ -234,10 +234,12 @@ def normalized_url_forensic_output(action=None, success=None, container=None, re ## pair forensic job results with url detonated job_url_dict = {} - for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id): - if orig_job == filtered_job: - job_url_dict[filtered_job] = orig_url - + + for orig_url, orig_job in zip(filtered_result_0_parameter_url, filtered_result_0_data___jobid): + for filtered_job in filtered_result_0_data___jobid: + if orig_job == filtered_job: + job_url_dict[filtered_job] = orig_url + for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections): ## translate scores @@ -403,7 +405,7 @@ def file_detonation(action=None, success=None, container=None, results=None, han ## Custom Code End ################################################################################ - phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk_attack_analyzer"], callback=detonation_status_filter) + phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk attack analyzer"], callback=detonation_status_filter) return @@ -428,7 +430,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results if filtered_result_0_item_detonation_status_filter[0] is not None: parameters.append({ "job_id": filtered_result_0_item_detonation_status_filter[0], - "timeout": 10, + "timeout": 3, }) ################################################################################ 
@@ -449,7 +451,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk_attack_analyzer"], callback=file_forensics_filter) + phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk attack analyzer"], callback=file_forensics_filter) return @@ -508,10 +510,12 @@ def normalized_file_forensic_output(action=None, success=None, container=None, r ## pair forensic job results with url detonated job_file_dict = {} - for orig_url, orig_job, filtered_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid, filtered_result_1_parameter_job_id): - if orig_job == filtered_job: - job_file_dict[filtered_job] = orig_url + for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid): + for filtered_job in filtered_result_0_data___jobid: + if orig_job == filtered_job: + job_file_dict[filtered_job] = orig_url + for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections): ## translate scores From bcb28ec561bf9696c7aac65bb22dae78c2c4bbc6 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 16 Aug 2023 17:30:08 +0200 Subject: [PATCH 2/2] Splunk_Attack_Analyzer_Dynamic_Analysis_Fix_Bug --- ...lunk_Attack_Analyzer_Dynamic_Analysis.json | 64 +++++++++---------- ...Splunk_Attack_Analyzer_Dynamic_Analysis.py | 50 ++++++++------- 2 files changed, 59 insertions(+), 55 deletions(-) diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json index f5c4981c8f..b9e343bec0 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.json 
@@ -156,7 +156,7 @@ "targetPort": "15_in" } ], - "hash": "13864bdc7ea935acde9ad6f1be501217c7197c4f", + "hash": "cb5ebab4cfc30aa2e25d82bca5228e99b9153608", "nodes": { "0": { "data": { @@ -172,7 +172,7 @@ "type": "start", "warnings": {}, "x": 200, - "y": -6.394884621840902e-14 + "y": -1.2789769243681803e-13 }, "1": { "data": { @@ -263,9 +263,9 @@ "join": [], "note": "Queries SAA for information about the provided vault_id(s)" }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -273,7 +273,7 @@ "functionName": "file_detonation", "id": "12", "parameters": { - "file": "playbook_input:vault_id" + "file": "filtered-data:saa_input_filter:condition_2:playbook_input:vault_id" }, "requiredParameters": [ { @@ -286,11 +286,7 @@ "errors": {}, "id": "12", "type": "action", - "warnings": { - "config": [ - "Reconfigure invalid datapath." - ] - }, + "warnings": {}, "x": 340, "y": 320 }, @@ -306,9 +302,9 @@ "join": [], "note": "Queries SAA Forensics data relative to the JobID of URL(s) or File(s) needs to be detonated." }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -317,7 +313,7 @@ "id": "15", "parameters": { "job_id": "filtered-data:detonation_status_filter:condition_1:file_detonation:action_result.data.*.JobID", - "timeout": "3" + "timeout": "2" }, "requiredParameters": [ { 
@@ -367,7 +363,7 @@ "errors": {}, "id": "17", "type": "code", - "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n \"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n\n for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_url\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", + "userCode": "\n # Write your custom code here...\n score_id =0\n score_table = {\n \"0\":\"Unknown\",\n 
\"1\":\"Very_Safe\",\n \"2\":\"Safe\",\n \"3\":\"Probably_Safe\",\n \"4\":\"Leans_Safe\",\n \"5\":\"May_not_be_Safe\",\n \"6\":\"Exercise_Caution\",\n \"7\":\"Suspicious_or_Risky\",\n \"8\":\"Possibly_Malicious\",\n \"9\":\"Probably_Malicious\",\n \"10\":\"Malicious\"\n }\n \n normalized_file_forensic_output__file_score_object = []\n normalized_file_forensic_output__scores = []\n normalized_file_forensic_output__categories = []\n normalized_file_forensic_output__score_id = []\n normalized_file_forensic_output__file = []\n normalized_file_forensic_output__job_id = []\n \n ## pair forensic job results with url detonated\n job_file_dict = {}\n\n for orig_file, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid):\n for filtered_job in filtered_result_0_data___jobid:\n if orig_job == filtered_job:\n job_file_dict[filtered_job] = orig_file\n \n for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections):\n \n ## translate scores\n score_id = int(score_num/10) if score_num > 0 else 0\n score = score_table[str(score_id)]\n file = job_file_dict[job]\n categories = [item.get('Description') for item in detections]\n \n normalized_file_forensic_output__file_score_object.append({'value': file, 'base_score': score_num, 'score': score, 'score_id': score_id, 'categories': categories})\n normalized_file_forensic_output__scores.append(score)\n normalized_file_forensic_output__categories.append(\", \".join(categories))\n normalized_file_forensic_output__score_id.append(score_id)\n normalized_file_forensic_output__file.append(file)\n normalized_file_forensic_output__job_id.append(job)\n \n", "warnings": {}, "x": 340, "y": 1260 
@@ -427,7 +423,7 @@ "errors": {}, "id": "19", "type": "code", - "userCode": "\n # Write your custom code here...\n build_file_output__observable_array = []\n\n for _vault_id, external_id, file_object in zip(normalized_file_forensic_output__file, normalized_file_forensic_output__job_id, normalized_file_forensic_output__file_score_object):\n #phantom.debug(\"vault: {} id: {}\".format(_vault_id, external_id))\n observable_object = {\n\n \"value\": _vault_id,\n \"type\": \"hash\",\n \"reputation\": {\n \"base_score\": file_object['base_score'],\n \"score\": file_object['score'],\n \"score_id\": file_object['score_id'],\n \"confidence\": file_object['base_score'] #Attack Analyzer's score has confidence baked in.\n },\n \"classifications\": file_object['categories'],\n \"source\": \"Splunk Attack Analyzer\",\n \"source_link\":f\"https://app.twinwave.io/job/{external_id}\"\n }\n build_file_output__observable_array.append(observable_object)\n \n", + "userCode": "\n # Write your custom code here...\n build_file_output__observable_array = []\n\n for _vault_id, external_id, file_object in zip(normalized_file_forensic_output__file, normalized_file_forensic_output__job_id, normalized_file_forensic_output__file_score_object):\n #phantom.debug(\"vault: {} id: {}\".format(_vault_id, external_id))\n observable_object = {\n\n \"value\": _vault_id,\n \"type\": \"hash\",\n \"reputation\": {\n \"base_score\": file_object['base_score'],\n \"score\": file_object['score'],\n \"score_id\": file_object['score_id'],\n \"confidence\": file_object['base_score'] #Attack Analyzer's score has confidence baked in.\n },\n \"classifications\": file_object['categories'],\n \"source\": \"Splunk Attack Analyzer\",\n \"source_link\":f\"https://app.twinwave.io/job/{external_id}\"\n }\n build_file_output__observable_array.append(observable_object)\n #phantom.debug(\"build_file_output__observable_array: {}\".format(build_file_output__observable_array))\n", "warnings": {}, "x": 340, "y": 1620 
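Review bot: The only change to node 19's `userCode` is a new commented-out `#phantom.debug("build_file_output__observable_array: {}"...)` line after the loop, next to the existing commented-out `#phantom.debug("vault: {} id: {}"...)` inside it; commented-out diagnostics accumulate in generated playbook code and should be dropped rather than committed. If the trace is needed while the bug is being chased, keep it live behind a condition or remove it before merge. The same line is added in the .py `build_file_output` hunk, where it also replaces the blank line that separated the loop from the `## Custom Code End` banner.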
@@ -437,6 +433,8 @@ "advanced": { "customName": "saa input filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Determine branches based on provided inputs.", "join": [], "note": "Determine branches based on provided inputs." @@ -477,11 +475,7 @@ "errors": {}, "id": "2", "type": "filter", - "warnings": { - "config": [ - "Reconfigure invalid datapath." - ] - }, + "warnings": {}, "x": 230, "y": 148 }, @@ -490,6 +484,8 @@ "advanced": { "customName": "url status filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters url detonation results.", "join": [], "note": "Filters url detonation results." @@ -526,6 +522,8 @@ "advanced": { "customName": "file forensics filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters successful file detonation job forensic results.", "join": [], "note": "Filters successful file detonation job forensic results." @@ -569,9 +567,9 @@ "join": [], "note": "Queries SAA for information about the provided URL(s)" }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -579,7 +577,7 @@ "functionName": "url_detonation", "id": "3", "parameters": { - "url": "playbook_input:url" + "url": "filtered-data:saa_input_filter:condition_1:playbook_input:url" }, "requiredParameters": [ { @@ -593,11 +591,7 @@ "id": "3", "type": "action", "userCode": "\n # Write your custom code here...\n\n", - "warnings": { - "config": [ - "Reconfigure invalid datapath." - ] - }, + "warnings": {}, "x": 0, "y": 320 }, 
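Review bot: `"delimiter": ","` with `"delimiter_enabled": true` is switched on for the `saa input filter` block whose condition_1 operates on `playbook_input:url`, and URLs routinely contain commas in query strings and paths; if the delimiter splits or joins multi-valued input before `filtered-data:saa_input_filter:condition_1:playbook_input:url` is consumed by `url_detonation`, a single URL could be fragmented into several bogus detonations or several URLs merged into one. The platform semantics of this option are not visible in the patch, so confirm them against the filter block documentation; if splitting is only needed for the vault_id branch, use a character that cannot appear in a URL or leave it disabled on condition_1. The same option is added to the other filter blocks in this file and as `delimiter=","` on every `phantom.condition(...)` call in the .py hunks, where the risk is lower because those datapaths carry job ids and action statuses.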
@@ -606,6 +600,8 @@ "advanced": { "customName": "detonation status filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters successful file detonation results.", "join": [], "note": "Filters successful file detonation results." @@ -650,9 +646,9 @@ "note": "Queries SAA Forensics data relative to the JobID of URL(s) or File(s) needs to be detonated.", "reviewer": "" }, - "connector": "Splunk Attack Analyzer", + "connector": "Splunk Attack Analyzer Connector for Splunk SOAR", "connectorConfigs": [ - "splunk attack analyzer" + "splunk attack analyzer app" ], "connectorId": "de681fee-c552-45bf-9212-827b1c7529f8", "connectorVersion": "v1", @@ -684,6 +680,8 @@ "advanced": { "customName": "get jobid forensic filter", "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": true, "description": "Filters successful url detonation job forensic results.", "join": [], "note": "Filters successful url detonation job forensic results." @@ -797,10 +795,10 @@ ], "playbook_type": "data", "python_version": "3", - "schema": "5.0.9", - "version": "6.0.0.114895" + "schema": "5.0.10", + "version": "6.1.0.131" }, - "create_time": "2023-07-03T11:44:44.497724+00:00", + "create_time": "2023-08-16T15:27:27.772206+00:00", "draft_mode": false, "labels": [ "*" diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py index bf00f75984..4521a5252c 100644 --- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py +++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.py @@ -31,7 +31,8 @@ def saa_input_filter(action=None, success=None, container=None, results=None, ha conditions=[ ["playbook_input:url", "!=", ""] ], - name="saa_input_filter:condition_1") + name="saa_input_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: 
@@ -43,7 +44,8 @@ def saa_input_filter(action=None, success=None, container=None, results=None, ha conditions=[ ["playbook_input:vault_id", "!=", ""] ], - name="saa_input_filter:condition_2") + name="saa_input_filter:condition_2", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_2 or matched_results_2: @@ -62,15 +64,15 @@ def url_detonation(action=None, success=None, container=None, results=None, hand # Queries SAA for information about the provided URL(s) ################################################################################ - playbook_input_url = phantom.collect2(container=container, datapath=["playbook_input:url"]) + filtered_input_0_url = phantom.collect2(container=container, datapath=["filtered-data:saa_input_filter:condition_1:playbook_input:url"]) parameters = [] # build parameters list for 'url_detonation' call - for playbook_input_url_item in playbook_input_url: - if playbook_input_url_item[0] is not None: + for filtered_input_0_url_item in filtered_input_0_url: + if filtered_input_0_url_item[0] is not None: parameters.append({ - "url": playbook_input_url_item[0], + "url": filtered_input_0_url_item[0], }) ################################################################################ @@ -83,7 +85,7 @@ def url_detonation(action=None, success=None, container=None, results=None, hand ## Custom Code End ################################################################################ - phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk attack analyzer"], callback=url_status_filter) + phantom.act("detonate url", parameters=parameters, name="url_detonation", assets=["splunk attack analyzer app"], callback=url_status_filter) return 
@@ -102,7 +104,8 @@ def detonation_status_filter(action=None, success=None, container=None, results= conditions=[ ["file_detonation:action_result.status", "==", "success"] ], - name="detonation_status_filter:condition_1") + name="detonation_status_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: @@ -152,7 +155,7 @@ def get_url_forensics_output(action=None, success=None, container=None, results= ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk attack analyzer"], callback=get_jobid_forensic_filter) + phantom.act("get job forensics", parameters=parameters, name="get_url_forensics_output", assets=["splunk attack analyzer app"], callback=get_jobid_forensic_filter) return @@ -171,7 +174,8 @@ def get_jobid_forensic_filter(action=None, success=None, container=None, results conditions=[ ["get_url_forensics_output:action_result.status", "==", "success"] ], - name="get_jobid_forensic_filter:condition_1") + name="get_jobid_forensic_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: 
@@ -384,15 +388,15 @@ def file_detonation(action=None, success=None, container=None, results=None, han # Queries SAA for information about the provided vault_id(s) ################################################################################ - playbook_input_vault_id = phantom.collect2(container=container, datapath=["playbook_input:vault_id"]) + filtered_input_0_vault_id = phantom.collect2(container=container, datapath=["filtered-data:saa_input_filter:condition_2:playbook_input:vault_id"]) parameters = [] # build parameters list for 'file_detonation' call - for playbook_input_vault_id_item in playbook_input_vault_id: - if playbook_input_vault_id_item[0] is not None: + for filtered_input_0_vault_id_item in filtered_input_0_vault_id: + if filtered_input_0_vault_id_item[0] is not None: parameters.append({ - "file": playbook_input_vault_id_item[0], + "file": filtered_input_0_vault_id_item[0], }) ################################################################################ @@ -405,7 +409,7 @@ def file_detonation(action=None, success=None, container=None, results=None, han ## Custom Code End ################################################################################ - phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk attack analyzer"], callback=detonation_status_filter) + phantom.act("detonate file", parameters=parameters, name="file_detonation", assets=["splunk attack analyzer app"], callback=detonation_status_filter) return @@ -430,7 +434,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results if filtered_result_0_item_detonation_status_filter[0] is not None: parameters.append({ "job_id": filtered_result_0_item_detonation_status_filter[0], - "timeout": 3, + "timeout": 2, }) ################################################################################ 
@@ -451,7 +455,7 @@ def get_file_forensics_output(action=None, success=None, container=None, results ## Custom Code End ################################################################################ - phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk attack analyzer"], callback=file_forensics_filter) + phantom.act("get job forensics", parameters=parameters, name="get_file_forensics_output", assets=["splunk attack analyzer app"], callback=file_forensics_filter) return @@ -511,10 +515,10 @@ def normalized_file_forensic_output(action=None, success=None, container=None, r ## pair forensic job results with url detonated job_file_dict = {} - for orig_url, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid): + for orig_file, orig_job in zip(filtered_result_0_parameter_file, filtered_result_0_data___jobid): for filtered_job in filtered_result_0_data___jobid: if orig_job == filtered_job: - job_file_dict[filtered_job] = orig_url + job_file_dict[filtered_job] = orig_file for job, score_num, detections in zip(filtered_result_1_parameter_job_id, filtered_result_1_data___displayscore, filtered_result_1_data___detections): @@ -622,7 +626,7 @@ def build_file_output(action=None, success=None, container=None, results=None, h "source_link":f"https://app.twinwave.io/job/{external_id}" } build_file_output__observable_array.append(observable_object) - + #phantom.debug("build_file_output__observable_array: {}".format(build_file_output__observable_array)) ################################################################################ ## Custom Code End ################################################################################ 
@@ -646,7 +650,8 @@ def url_status_filter(action=None, success=None, container=None, results=None, h conditions=[ ["url_detonation:action_result.status", "==", "success"] ], - name="url_status_filter:condition_1") + name="url_status_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: @@ -669,7 +674,8 @@ def file_forensics_filter(action=None, success=None, container=None, results=Non conditions=[ ["get_file_forensics_output:action_result.status", "==", "success"] ], - name="file_forensics_filter:condition_1") + name="file_forensics_filter:condition_1", + delimiter=",") # call connected blocks if filtered artifacts or results if matched_artifacts_1 or matched_results_1: