
phantom-apps's People

Contributors

achandya-crest, alexa-phantom, arathore-crest, brian-phantom, bvaghela-crest, cpangam, cwadhwani-splunk, dfederschmidt, dushyantp-crest, dvora-crest, emanuel2rw, gusdadiya-crest, harita-shah, hsrivastava-crest, jdemelo, jgagan-crest, jpatel-splunk, kgoyal-crest, matttich-splunk, mjiyani-crest, ngaglani-crest, paulnawat, phantom-chetan, rgil-splunk, ricardo-phantom, rsojitra-crest, sahils-crest, sam-splunk, splunk-jessica, tonyc-phantom


phantom-apps's Issues

Tanium Action Enhancement

Name of the app
phtaniumrest

Is your feature request related to a problem? Please describe.
Need to run actions on a machine outside the context of an existing group

Describe the solution you'd like
Modify command execute_action to allow action targeting via Computer Name in addition to existing Computer Group and Action Group

Describe alternatives you've considered
None

Additional context

Phantom LDAP

Name of the app
LDAP

Is your feature request related to a problem? Please describe.
I do not see a way to query on other attributes other than username. Would be nice to be able to query on any field available in ActiveDirectory.

Describe the solution you'd like
This could be solved a number of ways. You could provide a "Raw LDAP Query" function or you could modify the "Get User Attributes" function to accept a Field to Query and the Matching Value

Describe alternatives you've considered
I've considered writing a new app that does this.

Additional context
If you can provide the source code, I'd gladly attempt to submit a PR to add this functionality.

Add option to ignore RSS parsing errors

Name of the app
phrss

Is your feature request related to a problem? Please describe.
A lot of RSS feeds don't have matching charsets between the feed itself and the headers the server sends. This causes an error in the feedparser library which causes the app to abort. The feed data is actually still parsed correctly in most cases.

Describe the solution you'd like
Add a simple checkbox to ignore parsing errors. Defaults to false so the default matches what happens today.

Describe alternatives you've considered
Asking the server owner to fix the issue. With many feeds having the problem, it would be easier to fix on our side.

Additional context
N/A

This issue is being opened for a PR I will be submitting shortly. The issue was mentioned by Aaron Elyard in the Slack #general channel.

Please add the Cisco Catalyst app to the repo

Name of the app
Cisco Catalyst

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
I am looking to add an action to restart the device and another action to run arbitrary commands that don't have dedicated actions yet.

Describe alternatives you've considered
Tried the SSH app, but it does something when it runs the command such that I can't run an arbitrary command on an IOS device.

Additional context
Sometimes the cellular interface on a router flaps and Cisco has never been able to resolve this for me through support. The fix is to restart the router. I am able to pull the events from Splunk when this happens but I have not been able to get an action to restart it. Rather than recreate the wheel, I'd prefer to just add the action to Cisco Catalyst or another existing Cisco app for IOS devices.

Trigger Test/Build Jobs on Jenkins

In order to match what we had on GitLab, we want to be able to trigger the Test/Build jobs on Jenkins upon pushing to branches.

Workflows:

  1. User-made branch opens PR to Next branch --> Test Job Launches
  2. User-made branch merges to Next branch --> Test and Build Jobs Launch

Rename Cisco ThreatResponse App to Cisco SecureX Threat Response

ciscothreatresponse

Is your feature request related to a problem? Please describe.
This feature is not related to a problem.

Describe the solution you'd like
Rename Cisco ThreatResponse App to Cisco SecureX Threat Response.

Describe alternatives you've considered
No alternative considered.

Additional context
We've changed the name and references at Cisco ThreatResponse App to Cisco SecureX Threat Response due to a new policy.

Phantom App for Cybereason

Name of the app
Cybereason

Is your feature request related to a problem? Please describe.
Not related to a problem. This is an upgrade to the old Cybereason app that appears in a fresh install of Splunk Phantom.

Describe the solution you'd like
Upgrade the old Cybereason app. The upgraded app will poll the Cybereason portal for new Malop and Malware events. In addition, there are a number of actions that have been implemented for exchanging data between the Splunk Phantom server and the Cybereason portal. Actions are documented in the cybereason.json file.

Describe alternatives you've considered
N/A

Additional context
N/A

AWS EC2: Add TrafficMirror capabilities

Name of the app
AWS EC2

Is your feature request related to a problem? Please describe.
AWS released Traffic Mirror capabilities in mid-2019, and customers would like to use these capabilities with Phantom. Currently that's not possible and manual work in AWS is required, as the API calls are not in the 1.0.7 version of the Phantom AWS EC2 app.

Describe the solution you'd like
Ability to create, update and delete traffic mirror filters, sessions and targets using the existing EC2 app as it's using the same AWS APIs.

Describe alternatives you've considered
Manual work in AWS or external Python scripts, both defeating the purpose of using Phantom.

Additional context
Full detail of the API calls required here, all required calls can be found by searching for 'TrafficMirror'.

Fix HIBP (v3 API change)

App: Have I been Pwned?

Description: API v3 broke backwards compatibility.

Reproduce: Try to use the app.

Phantom App: 1.0.10

Support OData queries for action "list devices" in Microsoft Defender ATP app

Name of the app
phwindowsdefenderatp

Is your feature request related to a problem? Please describe.
Currently it is not possible to filter results returned in the list devices action. Since the action hits the /machines REST endpoint, OData filter queries on the properties ComputerDnsName, LastSeen, HealthStatus, OsPlatform, RiskScore and RbacGroupId are supported. This is useful because in some scenarios, only a specific subset of devices needs to be collected.

For example, a query to /api/machines?$filter=riskScore+eq+'High' would limit the returned devices to those with a high risk score.

Describe the solution you'd like
Addition of an optional query parameter which is passed into the querystring that is constructed as part of the action when the /machines endpoint is requested.

url = "{0}{1}?$top={2}".format(DEFENDERATP_MSGRAPH_API_BASE_URL, endpoint, limit)

This line can be changed to accommodate the extra parameter

query = param.get("query")  # optional OData filter supplied by the action parameters (was assigned to the builtin name "input")
...  
...
url = "{0}{1}?$top={2}&{3}".format(DEFENDERATP_MSGRAPH_API_BASE_URL, endpoint, limit, query)  # appended to the existing querystring

Variable name query can be moved into windowsdefenderatp_consts.py (eg. DEFENDERATP_QUERY) to maintain style consistency.

Describe alternatives you've considered
Another alternative solution would be to create a separate action for filtered results, but this would duplicate concerns and since this parameter will be optional, it will not break compatibility with existing configured assets either way.
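One way to implement the optional query parameter described in this issue, as an added example rather than code from the phantom-apps project: the base URL value, the endpoint path, the constant name DEFENDERATP_QUERY and the function names are assumptions. The filter is URL-encoded and checked against the properties the issue lists as filterable on /machines, so a value stored in an asset or passed from a playbook cannot append extra query parameters or filter on unsupported fields.

```python
import re
from urllib.parse import quote

# Assumed values, modelled on the constants the issue names (not the app's real consts file)
DEFENDERATP_MSGRAPH_API_BASE_URL = "https://api.securitycenter.microsoft.com"
DEFENDERATP_LIST_DEVICES_ENDPOINT = "/api/machines"
DEFENDERATP_QUERY = "query"  # action parameter name suggested for windowsdefenderatp_consts.py

# Properties the issue lists as filterable on the /machines endpoint (compared case-insensitively)
FILTERABLE_PROPERTIES = {
    "computerdnsname", "lastseen", "healthstatus", "osplatform", "riskscore", "rbacgroupid",
}

# A single OData comparison: <property> <operator> <quoted string | bare literal>
_CLAUSE = re.compile(r"^\s*(\w+)\s+(eq|ne|gt|ge|lt|le)\s+('[^']*'|[\w:.\-]+)\s*$")


def check_filter(expr):
    """Return None if every clause of the $filter expression is allowed, else an error message."""
    for clause in re.split(r"\s+(?:and|or)\s+", expr):
        m = _CLAUSE.match(clause)
        if not m:
            return "unsupported OData clause: {!r}".format(clause)
        if m.group(1).lower() not in FILTERABLE_PROPERTIES:
            return "property not filterable on /machines: {}".format(m.group(1))
    return None


def build_list_devices_url(param, limit,
                           endpoint=DEFENDERATP_LIST_DEVICES_ENDPOINT,
                           base_url=DEFENDERATP_MSGRAPH_API_BASE_URL):
    """Build the list-devices URL; the $filter is optional and only added when a query is given."""
    limit = int(limit)
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    url = "{0}{1}?$top={2}".format(base_url, endpoint, limit)

    query = param.get(DEFENDERATP_QUERY)
    if query:
        error = check_filter(query)
        if error:
            raise ValueError(error)
        # Encode the whole expression so spaces, quotes and '&' cannot alter the querystring
        url += "&$filter={}".format(quote(query, safe=""))
    return url


if __name__ == "__main__":
    # Constructed sample parameters, as a playbook might pass them
    print(build_list_devices_url({"query": "riskScore eq 'High'"}, 100))
    print(build_list_devices_url({}, 50))
```

With the query omitted the URL is identical to what the action builds today, so existing assets keep working; a rejected filter surfaces as an action failure with the offending clause in the message instead of a 400 from the API.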

Phantom App - Documentation for "Add Artifact" is not clear

Name of the app
Phantom

Is your feature request related to a problem? Please describe.
The use of the "add artifact" action is not clear. This makes the action hard to use.

Describe the solution you'd like
The doc for this app should include examples of how to use the "CEF dictionary" parameter.

Describe alternatives you've considered
n/a

Additional context
n/a

Phantom App for Flashpoint

Name of the app
Flashpoint

Is your feature request related to a problem? Please describe.
This is not associated with a problem. This is a submission for the new app for Flashpoint Phantom Integration. This app implements the investigative actions for the Flashpoint on the Phantom Platform.

Describe the solution you'd like
We want this app to be released on the Phantom portal through the open-source model.

Describe alternatives you've considered
Not Applicable

Additional context
Not Applicable

The ability to get asset settings from custom view python file

Name of the app
Phantom

Is your feature request related to a problem? Please describe.
We want to fetch an API in a custom view function, and we need to get the current asset configuration, which includes the API token.

Describe the solution you'd like
We can get App instance from context['app'], but we don't know how can we get the asset?

Describe alternatives you've considered
An alternative solution is to store the encrypted token in action_result, and decrypt/use it in the custom view function.
But when we update the asset setting, the existing old action_result still includes the old token.

Additional context
Need more documentation on the custom view Python related class/method.

Symantec Management Center should support URL_Lists

Name of the app
Symantec Management Center

Is your feature request related to a problem? Please describe.
Currently Symantec Management Center only allows adding and removing URLs/Categories from the local database file (Symantec term). It needs to allow adding and removing URLs from URL_LIST Shared Objects as well.

Describe the solution you'd like
Add the functionality described above

Describe alternatives you've considered
Nope

Additional context
Add any other context or screenshots about the feature request here.

Cisco ThreatResponse App

ciscothreatresponse

Is your feature request related to a problem? Please describe.
This feature is not related to a problem

Describe the solution you'd like
Add a new Cisco ThreatResponse app.

Describe alternatives you've considered
No alternative considered.

Additional context
We've completed a new Cisco ThreatResponse app for Splunk Phantom. It allows the user to get verdicts and contexts for observables, enriching information he gets on it.

Phantom App for Digital Guardian ARC

Name of the app
Digital Guardian ARC

Is your feature request related to a problem? Please describe.
This is not associated with a problem. This is a submission for the new app for Digital Guardian - Phantom Integration.

Describe the solution you'd like
We want this app to be released on the Phantom portal through the open-source model.

Describe alternatives you've considered
N/A

Additional context
N/A

iplookup feature addition

Name of the app
AWS Cloudtrail

Is your feature request related to a problem? Please describe.
Feature

Describe the solution you'd like
Add ip lookup action

Phantom App for Splunk IT Service Intelligence

Name of the app
Phantom App for Splunk IT Service Intelligence

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
This app integrates with Splunk IT Service Intelligence to provide operations on Splunk IT Service Intelligence episodes, services, entities, and object maintenance.

Describe alternatives you've considered
No alternatives

Additional context

Create README

Need a default README.md file for the main repo page with links to other documentation.

Microsoft Teams - New Actions

Microsoft Teams

Is your feature request related to a problem? Please describe.
The Teams app does not support these simple features (compared to Slack):

  • Get user information
  • Send direct message to users
  • Upload file (to a channel or a user)

Describe the solution you'd like
This would be using to interact directly from Phantom to notify users / send report directly via Teams.

Describe alternatives you've considered
No alternative

Change new integration guide for Slack API

Slack
The app this issue relates to.

Is your feature request related to a problem? Please describe.
In the documentation, the integration guide explains it as below, but the Slack API was slightly changed.
"In the menu bar on the left, select Bot Users. On that page, click Add a Bot User."

Describe the solution you'd like
Please change the screenshot and explanation as below.

Step1. Click "Add features and functionality" - "Bots"
Step2. Click "Review Scopes to Add"
Step3. On "Bot Token Scopes", click "Add an OAuth Scope" then type the scopes below.

  • incoming-webhook
  • chat:write

Step4. Click "Install App to Workspace", choose the appropriate Slack workspace and channel
Step5. Copy "Bot User OAuth Access Token"
Step6. Move to the "Basic Information" page then copy "Verification Token"
Step7. On the Slack channel, you need to add this app as a channel member

Screenshot 2020-06-05 10 19 23

Tanium Additional Feature request

Name of the app
Tanium

Is your feature request related to a problem? Please describe.
No, this is a feature request from a customer for expanded functionality.

Describe the solution you'd like
More actions (see below)

Describe alternatives you've considered
N/A

Additional context
Conns - Creates a local or remote connection
/plugin/products/trace/conns

Conns - Deletes connection
/plugin/products/trace/conns/:cid

Conns - Get list of connections
/plugin/products/trace/conns

Conns - Gets connection information
/plugin/products/trace/conns/:cid

EndpointMustGather - Download the endpoint must gather archive file
/plugin/products/trace/conns/:cid/mustgather/:fid

EndpointMustGather - Get the gather status for a connection
/plugin/products/trace/conns/:cid/mustgather

EndpointMustGather - Start a must gather on a remote connection
/plugin/products/trace/conns/:cid/mustgather

Exports - Delete an export
/plugin/products/trace/exports/:eid

Exports - Download an export
/plugin/products/trace/exports/:eid

Exports - Generate new export
/plugin/products/trace/exports

Exports - Get list of exports
/plugin/products/trace/exports

FileDownloads - Delete a file download
/plugin/products/trace/filedownloads/:fid

FileDownloads - Request a new file download
/plugin/products/trace/filedownloads

FileInfo - Get information about file from a remote connection
/plugin/products/trace/conn/:cid/fileinfo/:path

HostInfo - Get information about host from a remote connection
/plugin/products/trace/conn/:cid/hostinfo

Processes - Get information for a process
/plugin/products/trace/conns/:cid/processes/:ptid

ParentProcesses - Get parent process information
/plugin/products/trace/conns/:cid/parentprocesses/:ptid

ProcessTimelines - Get process timeline
/plugin/products/trace/conns/:cid/eprocessestimelines/:ptid

ProcessTrees - Get children of this process instance
/plugin/products/trace/conn/:cid/processtrees/:ptid/children

Phantom App for Radar

Name of the app
Radar

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
We would like to add an app that integrates with Radar privacy incident response management system: https://www.radarfirst.com/radar/
Basic functionality of the app thus far includes two actions:

  1. create privacy incident
  2. add note to privacy incident

We do, however, plan to expand functionality in the near future.

Describe alternatives you've considered
None

Additional context

Phantom S/MIME App

Name of the app
S/MIME

Is your feature request related to a problem? Please describe.
Some companies require:

  • every email sent to be signed and/or encrypted, and
  • every email received to be decrypted and/or verified opportunely

Describe the solution you'd like
This app provides support to S/MIME integrations to allow emails encryption, decryption, signing and verification.

Describe alternatives you've considered
No alternatives.

Additional context
This app is compatible with Phantom SMTP app for sending emails

Please migrate the Microsoft LDAP app over

Name of the app
Microsoft LDAP

Is your feature request related to a problem? Please describe.
No problem, just looking to extend the app.

Describe the solution you'd like
Someone is asking about adding users/computers to groups in Slack.

Describe alternatives you've considered
Windows Remote Management -> Run PowerShell script. Just requires a lot of extra steps and seems prone to error.

Additional context
NA

Create GitLab App

Name of the app
GitLab

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
I would like a Splunk>Phantom app that can integrate with a GitLab deployment. This app could provide basic investigative and issue-based actions similar to the GitHub Phantom App. In addition, the GitLab Phantom App could also enable various DevOps related use cases, like automatically triggering a GitLab pipeline. Looking through GitLab's REST API documentation, it seems there are many useful actions that could be included in the GitLab Phantom App.

Describe alternatives you've considered
NA

Additional context
Some initial actions for the GitLab Phantom App could include:

Phantom App for Arbor Sightline

Name of the app
Arbor Sightline

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
This app integrates with Arbor Sightline 7.0 to retrieve DOS alerts.

Describe alternatives you've considered
No alternatives.

Additional context
DOS Alerts successfully ingested in Phantom from Arbor Sightline during a demonstration.

Threat grid app - Detonate File/URL issue

Issue: When submitting a URL or File sample to threatgrid, Phantom no longer waits for the analysis to complete and provide the results. Instead, when it checks the link of the sample it just created, it returns a 404 error message:

"Error on HTTP request to 'https://panacea.threatgrid.com/api/v2/samples/aabe16409b22d2a2870ec11f744104e7?api_key=xxxxxxxxxxxxxxxxxxxxx' code 404"

Upon logging into threatgrid, I can see the sample was successfully submitted in each case.

This started occurring approximately 1-2 weeks ago, around the beginning of December.

It's almost as if there is a lag between when threatgrid creates the sample link and when phantom queries the sample link.

Splunk App - Add KV store interactions to app

Name of the app
Splunk app on Phantom

Is your feature request related to a problem? Please describe.
Add interactions with the Splunk KV Store to the app. For example, add value to kv store; update kv store; etc.

New App - McAfee Web Gateway

Name of the app
McAfee Web Gateway - phmcafeewebgateway

Is your feature request related to a problem? Please describe.
An app didn't exist for McAfee Web Gateway

Describe the solution you'd like
Create a new app

Describe alternatives you've considered
N/A

Additional context
N/A

[phokta][FDSE-478] — action 'send push notification'

Name of the app
phokta

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
N/A

Describe alternatives you've considered
N/A

Additional context
Feature: Added 'send push notification' to Phantom Okta App.

Digital Shadows App - Polling, Python 3 upgrade

Name of the app
Digital Shadows App

Describe the bug
There are a couple of issues in the Digital Shadows app:

  1. There is an error when polling for incidents
  2. The app exists in an older repository and uses Python 2. We would like to bring it into this repo and upgrade to Python 3.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new asset with the Digital Shadows app
  2. In the app settings, enter your Digital Shadows credentials
  3. Save the settings
  4. Click "Poll Now". There is an error and no new incidents get polled

Expected behavior
The app should be able to poll for new incidents

Phantom Version (please complete the following information):

  • OVA - Phantom VM 4.8.24304
  • App Version - 1.1.0

Phantom App for Expanse

Name of the app
Expanse

Is your feature request related to a problem? Please describe.
Not related to a problem, adding a new App.

Describe the solution you'd like
Add a new Expanse app to provide ip, domain, and certificate enrichment.

Describe alternatives you've considered
N/A

Additional context
Mistakenly submitted via my.phantom.us

CrowdStrike OAuth API Updates

Name of the app
CrowdStrike OAuth API

Is your feature request related to a problem? Please describe.
Need to add functionality for the CrowdStrike Incident API.

Describe the solution you'd like
App updated to provide functionality for these endpoints.

Describe alternatives you've considered
N/A

Additional context

Please move Microsoft SQL Server app to GitHub so we can extend features

Name of the app
Microsoft SQL Server

Is your feature request related to a problem? Please describe.
We would like to manage SQL logins as action from Phantom playbooks. We are willing to work on this extension and share with community.

Describe the solution you'd like
Add Microsoft SQL Server Phantom app to GitHub repo.
