phantomcyber / phantom-apps
Phantom Apps Repo
License: Apache License 2.0
Name of the app
phtaniumrest
Is your feature request related to a problem? Please describe.
Need to run actions on a machine outside the context of an existing group
Describe the solution you'd like
Modify command execute_action to allow action targeting via Computer Name in addition to existing Computer Group and Action Group
Describe alternatives you've considered
None
Additional context
Name of the app
LDAP
Is your feature request related to a problem? Please describe.
I do not see a way to query on attributes other than username. It would be nice to be able to query on any field available in Active Directory.
Describe the solution you'd like
This could be solved a number of ways. You could provide a "Raw LDAP Query" function or you could modify the "Get User Attributes" function to accept a Field to Query and the Matching Value
Describe alternatives you've considered
I've considered writing a new app that does this.
Additional context
If you can provide the source code, I'd gladly attempt to submit a PR to add this functionality.
Name of the app
phrss
Is your feature request related to a problem? Please describe.
A lot of RSS feeds don't have matching charsets between the feed itself and the headers the server sends. This causes an error in the feedparser library which causes the app to abort. The feed data is actually still parsed correctly in most cases.
Describe the solution you'd like
Add a simple checkbox to ignore parsing errors. Defaults to false so the default matches what happens today.
Describe alternatives you've considered
Asking the server owner to fix the issue. With many feeds having the problem, it would be easier to fix on our side.
Additional context
N/A
This issue is being opened for a PR I will be submitting shortly. The issue was mentioned by Aaron Elyard in the Slack #general channel.
Name of the app
Cisco Catalyst
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
I am looking to add an action to restart the device and another action to run arbitrary commands that don't have dedicated actions yet.
Describe alternatives you've considered
Tried the SSH app, but it does something when it runs the command such that I can't run an arbitrary command on an IOS device.
Additional context
Sometimes the cellular interface on a router flaps and Cisco has never been able to resolve this for me through support. The fix is to restart the router. I am able to pull the events from Splunk when this happens but I have not been able to get an action to restart it. Rather than recreate the wheel, I'd prefer to just add the action to Cisco Catalyst or another existing Cisco app for IOS devices.
In order to match what we had on GitLab, we want to be able to trigger the Test/Build jobs on Jenkins upon pushing to branches.
Workflows:
ciscothreatresponse
Is your feature request related to a problem? Please describe.
This feature is not related to a problem.
Describe the solution you'd like
Rename Cisco ThreatResponse App to Cisco SecureX Threat Response.
Describe alternatives you've considered
No alternative considered.
Additional context
We've changed the name and references at Cisco ThreatResponse App to Cisco SecureX Threat Response due to a new policy.
Name of the app
Cybereason
Is your feature request related to a problem? Please describe.
Not related to a problem. This is an upgrade to the old Cybereason app that appears in a fresh install of Splunk Phantom.
Describe the solution you'd like
Upgrade the old Cybereason app. The upgraded app will poll the Cybereason portal for new Malop and Malware events. In addition, there are a number of actions that have been implemented for exchanging data between the Splunk Phantom server and the Cybereason portal. Actions are documented in the cybereason.json file.
Describe alternatives you've considered
N/A
Additional context
N/A
Name of the app
AWS EC2
Is your feature request related to a problem? Please describe.
AWS released Traffic Mirror capabilities in mid-2019, and customers would like to use these capabilities with Phantom. Currently that's not possible and manual work in AWS is required, as the API calls are not in the 1.0.7 version of the Phantom AWS EC2 app.
Describe the solution you'd like
Ability to create, update and delete traffic mirror filters, sessions and targets using the existing EC2 app as it's using the same AWS APIs.
Describe alternatives you've considered
Manual work in AWS or external Python scripts, both defeating the purpose of using Phantom.
Additional context
Full detail of the API calls required is here; all required calls can be found by searching for 'TrafficMirror'.
App: Have I been Pwned?
Description: API v3 broke backwards compatibility.
Reproduce: Try to use the app.
Phantom App: 1.0.10
Name of the app
phwindowsdefenderatp
Is your feature request related to a problem? Please describe.
Currently it is not possible to filter results returned in the list devices action. Since the action hits the /machines REST endpoint, OData filter queries on the properties ComputerDnsName, LastSeen, HealthStatus, OsPlatform, RiskScore and RbacGroupId are supported. This is useful because in some scenarios, only a specific subset of devices needs to be collected. For example, a query to /api/machines?$filter=riskScore+eq+'High' would limit the returned devices to those with a high risk score.
Describe the solution you'd like
Addition of an optional query parameter which is passed into the querystring that is constructed as part of the action when the /machines endpoint is requested.
This line can be changed to accommodate the extra parameter:
query = param.get("query", "")  # optional OData filter; empty string when the parameter is not supplied
...
...
url = "{0}{1}?$top={2}&{3}".format(DEFENDERATP_MSGRAPH_API_BASE_URL, endpoint, limit, query)
The variable name query can be moved into windowsdefenderatp_consts.py (eg. DEFENDERATP_QUERY) to maintain style consistency.
Describe alternatives you've considered
Another alternative solution would be to create a separate action for filtered results, but this would duplicate concerns and since this parameter will be optional, it will not break compatibility with existing configured assets either way.
Name of the app
Phantom
Is your feature request related to a problem? Please describe.
The use of the "add artifact" action is not clear. This makes the action hard to use.
Describe the solution you'd like
The doc for this app should include examples of how to use the "CEF dictionary" parameter.
Describe alternatives you've considered
n/a
Additional context
n/a
Document Certified vs Uncertified Submission Process
Name of the app
Flashpoint
Is your feature request related to a problem? Please describe.
This is not associated with a problem. This is a submission for the new app for Flashpoint Phantom Integration. This app implements the investigative actions for the Flashpoint on the Phantom Platform.
Describe the solution you'd like
We want this app to be released on the Phantom portal through the open-source model.
Describe alternatives you've considered
Not Applicable
Additional context
Not Applicable
Document how to submit an app.
Name of the app
Phantom
Is your feature request related to a problem? Please describe.
We want to fetch an API in a custom view function, and we need to get the current asset configuration, which includes the API token.
Describe the solution you'd like
We can get the App instance from context['app'], but we don't know how we can get the asset.
Describe alternatives you've considered
An alternative solution is to store the encrypted token in action_result, and decrypt/use it in the custom view function.
But when we update the asset setting, the existing old action_result still includes the old token.
Additional context
Need more documentation on the custom view Python related classes/methods.
Name of the app
Symantec Management Center
Is your feature request related to a problem? Please describe.
Currently Symantec Management Center only allows for adding and removing URLs/Categories from the local database file (Symantec term). It needs to allow adding and removing URLs from URL_LIST Shared Objects as well.
Describe the solution you'd like
Add the functionality described above
Describe alternatives you've considered
Nope
Additional context
ciscothreatresponse
Is your feature request related to a problem? Please describe.
This feature is not related to a problem
Describe the solution you'd like
Add a new Cisco ThreatResponse app.
Describe alternatives you've considered
No alternative considered.
Additional context
We've completed a new Cisco ThreatResponse app for Splunk Phantom. It allows the user to get verdicts and contexts for observables, enriching information he gets on it.
Create and upload the initial CONTRIBUTING.md file.
Name of the app
Digital Guardian ARC
Is your feature request related to a problem? Please describe.
This is not associated with a problem. This is a submission for the new app for Digital Guardian - Phantom Integration.
Describe the solution you'd like
We want this app to be released on the Phantom portal through the open-source model.
Describe alternatives you've considered
N/A
Additional context
N/A
Name of the app
AWS Cloudtrail
Is your feature request related to a problem? Please describe.
Feature
Describe the solution you'd like
Add ip lookup action
Name of the app
Phantom App for Splunk IT Service Intelligence
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
This app integrates with Splunk IT Service Intelligence to provide operations on Splunk IT Service Intelligence episodes, services, entities, and object maintenance.
Describe alternatives you've considered
No alternatives
Additional context
Name of the app
AWS SecurityHub
Is your feature request related to a problem? Please describe.
Improve documentation.
Need a default README.md file for the main repo page with links to other documentation.
Microsoft Teams
Is your feature request related to a problem? Please describe.
The Teams app does not support these simple features (compared to Slack):
Describe the solution you'd like
This would be used to interact directly from Phantom to notify users / send reports directly via Teams.
Describe alternatives you've considered
No alternative
Slack
Is your feature request related to a problem? Please describe.
In the documentation, the integration guide explains it as below, but the Slack API was slightly changed.
"In the menu bar on the left, select Bot Users. On that page, click Add a Bot User."
Describe the solution you'd like
Please change the screenshot and explanation as below.
Step 1. Click "Add features and functionality" - "Bots"
Step 2. Click "Review Scopes to Add"
Step 3. On "Bot Token Scopes", click "Add an OAuth Scope", then type the scopes below.
Name of the app
Tanium
Is your feature request related to a problem? Please describe.
No, this is a feature request from a customer for expanded functionality.
Describe the solution you'd like
More actions (see below)
Describe alternatives you've considered
N/A
Additional context
Conns - Creates a local or remote connection
/plugin/products/trace/conns
Conns - Deletes connection
/plugin/products/trace/conns/:cid
Conns - Get list of connections
/plugin/products/trace/conns
Conns - Gets connection information
/plugin/products/trace/conns/:cid
EndpointMustGather - Download the endpoint must gather archive file
/plugin/products/trace/conns/:cid/mustgather/:fid
EndpointMustGather - Get the gather status for a connection
/plugin/products/trace/conns/:cid/mustgather
EndpointMustGather - Start a must gather on a remote connection
/plugin/products/trace/conns/:cid/mustgather
Exports - Delete an export
/plugin/products/trace/exports/:eid
Exports - Download an export
/plugin/products/trace/exports/:eid
Exports - Generate new export
/plugin/products/trace/exports
Exports - Get list of exports
/plugin/products/trace/exports
FileDownloads - Delete a file download
/plugin/products/trace/filedownloads/:fid
FileDownloads - Request a new file download
/plugin/products/trace/filedownloads
FileInfo - Get information about file from a remote connection
/plugin/products/trace/conn/:cid/fileinfo/:path
HostInfo - Get information about host from a remote connection
/plugin/products/trace/conn/:cid/hostinfo
Processes - Get information for a process
/plugin/products/trace/conns/:cid/processes/:ptid
ParentProcesses - Get parent process information
/plugin/products/trace/conns/:cid/parentprocesses/:ptid
ProcessTimelines - Get process timeline
/plugin/products/trace/conns/:cid/eprocessestimelines/:ptid
ProcessTrees - Get children of this process instance
/plugin/products/trace/conn/:cid/processtrees/:ptid/children
Fix license text in existing apps
Name of the app
Radar
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
We would like to add an app that integrates with Radar privacy incident response management system: https://www.radarfirst.com/radar/
Basic functionality of the app thus far includes two actions:
Describe alternatives you've considered
None
Additional context
Name of the app
S/MIME
Is your feature request related to a problem? Please describe.
Some companies require:
Describe the solution you'd like
This app provides support to S/MIME integrations to allow emails encryption, decryption, signing and verification.
Describe alternatives you've considered
No alternatives.
Additional context
This app is compatible with Phantom SMTP app for sending emails
Name of the app
AWS CloudTrail
Is your feature request related to a problem? Please describe.
IP Lookup Feature Add
Name of the app
Microsoft LDAP
Is your feature request related to a problem? Please describe.
No problem, just looking to extend the app.
Describe the solution you'd like
Someone is asking about adding users/computers to groups in Slack.
Describe alternatives you've considered
Windows Remote Management -> Run PowerShell script. Just requires a lot of extra steps and seems prone to error.
Additional context
NA
Name of the app
GitLab
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
I would like a Splunk>Phantom app that can integrate with a GitLab deployment. This app could provide basic investigative and issue-based actions similar to the GitHub Phantom App. In addition, the GitLab Phantom App could also enable various DevOps related use cases, like automatically triggering a GitLab pipeline. Looking through GitLab's REST API documentation, it seems there are many useful actions that could be included in the GitLab Phantom App.
Describe alternatives you've considered
NA
Additional context
Some initial actions for the GitLab Phantom App could include:
Name of the app
Arbor Sightline
Is your feature request related to a problem? Please describe.
No.
Describe the solution you'd like
This app integrates with Arbor Sightline 7.0 to retrieve DOS alerts.
Describe alternatives you've considered
No alternatives.
Additional context
DOS Alerts successfully ingested in Phantom from Arbor Sightline during a demonstration.
Name of the app
AWS Cloud Trail
Is your feature request related to a problem? Please describe.
IP Lookup feature addition
Name of the app
ServiceNow
Is your feature request related to a problem? Please describe.
no
Describe the solution you'd like
Add service catalog related functionality to the app.
Need to fix the version number auto-increment code when merging with Master.
Issue: When submitting a URL or File sample to threatgrid, Phantom no longer waits for the analysis to complete and provide the results. Instead, when it checks the link of the sample it just created, it returns a 404 error message:
"Error on HTTP request to 'https://panacea.threatgrid.com/api/v2/samples/aabe16409b22d2a2870ec11f744104e7?api_key=xxxxxxxxxxxxxxxxxxxxx' code 404"
Upon logging into threatgrid, I can see the sample was successfully submitted in each case.
This started occurring approximately 1-2 weeks ago, around the beginning of December.
It's almost as if there is a lag between when threatgrid creates the sample link and when phantom queries the sample link.
Name of the app
Splunk app on Phantom
Is your feature request related to a problem? Please describe.
Add interactions with the Splunk KV Store to the app. For example, add value to kv store; update kv store; etc.
Name of the app
McAfee Web Gateway - phmcafeewebgateway
Is your feature request related to a problem? Please describe.
An app didn't exist for McAfee Web Gateway
Describe the solution you'd like
Create a new app
Describe alternatives you've considered
N/A
Additional context
N/A
Name of the app
phokta
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
N/A
Describe alternatives you've considered
N/A
Additional context
Feature: Added 'send push notification' to Phantom Okta App.
Name of the app
Digital Shadows App
Describe the bug
There are a couple of issues in the Digital Shadows app:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The app should be able to poll for new incidents
Phantom Version (please complete the following information):
Name of the app
Expanse
Is your feature request related to a problem? Please describe.
Not related to a problem, adding a new App.
Describe the solution you'd like
Add a new Expanse app to provide ip, domain, and certificate enrichment.
Describe alternatives you've considered
N/A
Additional context
Mistakenly submitted via my.phantom.us
phmimecast from GitLab
Name of the app
CrowdStrike OAuth API
Is your feature request related to a problem? Please describe.
Need to add functionality for the CrowdStrike Incident API.
Describe the solution you'd like
App updated to provide functionality for these endpoints.
Describe alternatives you've considered
N/A
Additional context
Name of the app
Microsoft SQL Server
Is your feature request related to a problem? Please describe.
We would like to manage SQL logins as action from Phantom playbooks. We are willing to work on this extension and share with community.
Describe the solution you'd like
Add Microsoft SQL Server Phantom app to GitHub repo.
Name of the app
Crowdstrike Oauth
Is your feature request related to a problem? Please describe.
Feature
Describe the solution you'd like
Add Real Time Response capabilities to the app.