Merge pull request #2846 from splunk/fix-automated-enrichment

patel-bhavin · web-flow · commit db69bf006008 · 2023-09-15T14:52:57.000-07:00
Fixed automated enrichment to reference renamed playbooks
diff --git a/playbooks/Automated_Enrichment.json b/playbooks/Automated_Enrichment.json
@@ -4,7 +4,7 @@
     "category": "Enrichment",
     "coa": {
         "data": {
-            "description": "Moves the status to open and then launches the Dynamic playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.",
+            "description": "Moves the status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.",
             "edges": [
                 {
                     "id": "port_2_to_port_3",
@@ -42,7 +42,7 @@
                     "targetPort": "2_in"
                 }
             ],
-            "hash": "4146fe0c2400673f09352662ce5bfd3438a80b71",
+            "hash": "adfc98a6d4636d6c91f53bcdbe09e7cf6398c8c2",
             "nodes": {
                 "0": {
                     "data": {
@@ -58,7 +58,7 @@
                     "type": "start",
                     "warnings": {},
                     "x": 19.999999999999986,
-                    "y": -6.394884621840902e-14
+                    "y": -1.9184653865522705e-13
                 },
                 "1": {
                     "data": {
@@ -79,40 +79,40 @@
                 "2": {
                     "data": {
                         "advanced": {
-                            "customName": "Dynamic Identifier Reputation Analysis",
+                            "customName": "Identifier Reputation Analysis Dispatch",
                             "customNameId": 0,
                             "join": []
                         },
                         "functionId": 1,
-                        "functionName": "dynamic_identifier_reputation_analysis",
+                        "functionName": "identifier_reputation_analysis_dispatch",
                         "id": "2",
                         "inputs": {},
-                        "playbookName": "Dynamic_Identifier_Reputation_Analysis",
+                        "playbookName": "Identifier_Activity_Analysis_Dispatch",
                         "playbookRepo": 2,
                         "playbookRepoName": "local",
                         "playbookType": "automation",
-                        "synchronous": false,
+                        "synchronous": true,
                         "type": "playbook"
                     },
                     "errors": {},
                     "id": "2",
                     "type": "playbook",
                     "warnings": {},
                     "x": -1.4210854715202004e-14,
-                    "y": 325.99999999999994
+                    "y": 325.99999999999966
                 },
                 "3": {
                     "data": {
                         "advanced": {
-                            "customName": "Dynamic Attribute Lookup",
+                            "customName": "Attribute Lookup Dispatch",
                             "customNameId": 0,
                             "join": []
                         },
                         "functionId": 1,
-                        "functionName": "dynamic_attribute_lookup",
+                        "functionName": "attribute_lookup_dispatch",
                         "id": "3",
                         "inputs": {},
-                        "playbookName": "Dynamic_Attribute_Lookup",
+                        "playbookName": "Attribute_Lookup_Dispatch",
                         "playbookRepo": 2,
                         "playbookRepoName": "local",
                         "playbookType": "automation",
@@ -129,15 +129,15 @@
                 "4": {
                     "data": {
                         "advanced": {
-                            "customName": "Dynamic Related Ticket Search",
+                            "customName": "Related Ticket Search Dispatch",
                             "customNameId": 0,
                             "join": []
                         },
                         "functionId": 1,
-                        "functionName": "dynamic_related_ticket_search",
+                        "functionName": "related_ticket_search_dispatch",
                         "id": "4",
                         "inputs": {},
-                        "playbookName": "Dynamic_Related_Tickets_Search",
+                        "playbookName": "Related_Tickets_Search_Dispatch",
                         "playbookRepo": 2,
                         "playbookRepoName": "local",
                         "playbookType": "automation",
@@ -148,7 +148,7 @@
                     "id": "4",
                     "type": "playbook",
                     "warnings": {},
-                    "x": 0,
+                    "x": -1.4210854715202004e-14,
                     "y": 660
                 },
                 "5": {
@@ -215,16 +215,16 @@
                     "y": 148
                 }
             },
-            "notes": "Actions:\nDynamic Identifier Reputation Analysis\nDynamic Attribute Lookup\nDynamic Related Ticket Search"
+            "notes": "Actions:\nDispatch Identifier Reputation Analysis\nDispatch Attribute Lookup\nDispatch Related Ticket Search"
         },
         "input_spec": null,
         "output_spec": null,
         "playbook_type": "automation",
         "python_version": "3",
-        "schema": "5.0.9",
-        "version": "6.0.0.114895"
+        "schema": "5.0.10",
+        "version": "6.1.0.131"
     },
-    "create_time": "2023-03-06T21:07:35.539177+00:00",
+    "create_time": "2023-09-08T19:06:44.883418+00:00",
     "draft_mode": false,
     "labels": [
         "*"
diff --git a/playbooks/Automated_Enrichment.png b/playbooks/Automated_Enrichment.png
diff --git a/playbooks/Automated_Enrichment.py b/playbooks/Automated_Enrichment.py
@@ -1,5 +1,5 @@
 """
-Moves the status to open and then launches the Dynamic playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
+Moves the status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
 """
 
 
@@ -18,8 +18,8 @@ def on_start(container):
     return
 
 @phantom.playbook_block()
-def dynamic_identifier_reputation_analysis(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
-    phantom.debug("dynamic_identifier_reputation_analysis() called")
+def identifier_reputation_analysis_dispatch(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
+    phantom.debug("identifier_reputation_analysis_dispatch() called")
 
     ################################################################################
     ## Custom Code Start
@@ -31,17 +31,15 @@ def dynamic_identifier_reputation_analysis(action=None, success=None, container=
     ## Custom Code End
     ################################################################################
 
-    # call playbook "local/Dynamic_Identifier_Reputation_Analysis", returns the playbook_run_id
-    playbook_run_id = phantom.playbook("local/Dynamic_Identifier_Reputation_Analysis", container=container)
-
-    dynamic_attribute_lookup(container=container)
+    # call playbook "local/Identifier_Activity_Analysis_Dispatch", returns the playbook_run_id
+    playbook_run_id = phantom.playbook("local/Identifier_Activity_Analysis_Dispatch", container=container, name="identifier_reputation_analysis_dispatch", callback=attribute_lookup_dispatch)
 
     return
 
 
 @phantom.playbook_block()
-def dynamic_attribute_lookup(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
-    phantom.debug("dynamic_attribute_lookup() called")
+def attribute_lookup_dispatch(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
+    phantom.debug("attribute_lookup_dispatch() called")
 
     ################################################################################
     ## Custom Code Start
@@ -53,17 +51,17 @@ def dynamic_attribute_lookup(action=None, success=None, container=None, results=
     ## Custom Code End
     ################################################################################
 
-    # call playbook "local/Dynamic_Attribute_Lookup", returns the playbook_run_id
-    playbook_run_id = phantom.playbook("local/Dynamic_Attribute_Lookup", container=container)
+    # call playbook "local/Attribute_Lookup_Dispatch", returns the playbook_run_id
+    playbook_run_id = phantom.playbook("local/Attribute_Lookup_Dispatch", container=container)
 
-    dynamic_related_ticket_search(container=container)
+    related_ticket_search_dispatch(container=container)
 
     return
 
 
 @phantom.playbook_block()
-def dynamic_related_ticket_search(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
-    phantom.debug("dynamic_related_ticket_search() called")
+def related_ticket_search_dispatch(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs):
+    phantom.debug("related_ticket_search_dispatch() called")
 
     ################################################################################
     ## Custom Code Start
@@ -75,8 +73,8 @@ def dynamic_related_ticket_search(action=None, success=None, container=None, res
     ## Custom Code End
     ################################################################################
 
-    # call playbook "local/Dynamic_Related_Tickets_Search", returns the playbook_run_id
-    playbook_run_id = phantom.playbook("local/Dynamic_Related_Tickets_Search", container=container)
+    # call playbook "local/Related_Tickets_Search_Dispatch", returns the playbook_run_id
+    playbook_run_id = phantom.playbook("local/Related_Tickets_Search_Dispatch", container=container)
 
     return
 
@@ -103,7 +101,7 @@ def set_open_status(action=None, success=None, container=None, results=None, han
 
     container = phantom.get_container(container.get('id', None))
 
-    dynamic_identifier_reputation_analysis(container=container)
+    identifier_reputation_analysis_dispatch(container=container)
 
     return
 
diff --git a/playbooks/Automated_Enrichment.yml b/playbooks/Automated_Enrichment.yml
@@ -1,12 +1,12 @@
 name: Automated Enrichment
 id: fc0edc96-ff1b-65e0-9a4d-64da6783fd64
-version: 1
+version: 2
 date: '2023-03-06'
 author: Kelby Shelton, Patrick Bareiss, Teoderick Contreras, Lou Stella Splunk
 type: Investigation
-description: "Moves the event status to open and then launches the Dynamic playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets."
+description: "Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets."
 playbook: Automated_Enrichment
-how_to_implement: This playbook relies on local versions of the Dynamic Identifier Reputation Analysis, Dynamic Attributed Lookup, and Dynamic Related Tickets Search playbooks, as well as compatible input playbooks for those.  
+how_to_implement: 1. Ensure you have a reputation analysis playbook (e.g. VirusTotal v3), an attribute lookup playbook (e.g. Azure AD), and a related ticket search playbook (e.g. ServiceNow).\n2. Download local versions of Identifier Reputation Analysis Dispatch, Attribute Lookup Dispatch, and Related Tickets Search Dispatch playbooks.
 references: []
 app_list: []
 tags:
