External Playbook Functions


Here is the list of External Playbook Functions:

1. PROTECTi

2. VirusTotal

3. URLCAT

4. URLhaus

5. Jira Incident Creation

6. EDR Remediation

7. O365 Response

8. O365 PS Response

9. Google Workspace Response

10. Checkpoint Response

11. FortiGate Response

12. AWS Guardduty Response

 

Function Details

 

1. PROTECTi

1.1 getFileReputation Function

Description:

Computes the MD5 reputation value.

Parameters:

  • fileMD5 (string[]): MD5 value(s). [processMD5 / fileMD5 / moduleMD5 / childMD5 / ehpMD5]

Returns:

  • fileReputation (pair): Array of {MD5: reputation value} pairs. The reputation value for every MD5 is in the range 1-10 (1 – clean, 10 – malicious).

1.2 updateFileReputation Function

Description:

Updates the file MD5 reputation value.

Parameters:

  • fileMD5 (string[]): File MD5 value(s).

Returns:

  • fileReputation (pair): Array of {MD5: reputation value} pairs. The reputation value for every MD5 is in the range 1-10 (1 – clean, 10 – malicious).

1.3 updateProcessReputation Function

Description:

Updates the process MD5 reputation value.

Parameters:

  • processMD5 (string[]): Process MD5 value(s).

Returns:

  • processReputation (pair): Array of {MD5: reputation value} pairs. The reputation value for every MD5 is in the range 1-10 (1 – clean, 10 – malicious).

 

2. VirusTotal

2.1 getFileReputation Function

Description:

Computes the MD5 reputation value.

Parameters:

  • fileMD5 (string[]): MD5 value(s). [processMD5 / fileMD5 / moduleMD5 / childMD5 / ehpMD5]

Returns:

  • fileReputation (pair): Array of {MD5: reputation value} pairs. The reputation value for every MD5 is in the range 1-10 (1 – clean, 10 – malicious).

Example Usage

# Example of using the getFileReputation function:
import requests

fileMD5_list = ["abc123", "def456", "ghi789"]
response = requests.post("https://api.example.com/getFileReputation", json={"fileMD5": fileMD5_list})
fileReputation = response.json()
print(fileReputation)

2.2 updateFileReputation Function

Description:

Updates the file MD5 reputation value.

Parameters:

  • fileMD5 (string[]): File MD5 value(s).

Returns:

  • fileReputation (pair): Array of {MD5: reputation value} pairs. The reputation value for every MD5 is in the range 1-10 (1 – clean, 10 – malicious).

Example Usage

# Example of using the updateFileReputation function:
import requests

fileMD5_list = ["abc123", "def456", "ghi789"]
response = requests.post("https://api.example.com/updateFileReputation", json={"fileMD5": fileMD5_list})
fileReputation = response.json()
print(fileReputation)

2.3 updateProcessReputation Function

Description:

Updates the process MD5 reputation value.

Parameters:

  • processMD5 (string[]): Process MD5 value(s).

Returns:

  • processReputation (pair): Array of {MD5: reputation value} pairs. The reputation value for every MD5 is in the range 1-10 (1 – clean, 10 – malicious).

Example Usage

# Example of using the updateProcessReputation function
import requests

processMD5_list = ["abc123", "def456", "ghi789"]
response = requests.post("https://api.example.com/updateProcessReputation", json={"processMD5": processMD5_list})
processReputation = response.json()
print(processReputation)

 

3. URLCAT

3.1 getURLReputation Function

Description

Computes URL Reputation value.

Parameters

  • url (string[]) – URL. [nwURL / emailURL]

Returns

  • urlReputation (pair) – Array of {URL: reputation value} pairs. The reputation value for every URL is in the range 1-10 (1 – clean, 10 – malicious).

Example Usage

# Example of using the getURLReputation function

from url_reputation_api import getURLReputation

# Example usage with a list of URLs
urls_to_check = ['https://example.com', 'https://malicious-site.com']
reputation_results = getURLReputation(urls_to_check)

print("URL Reputation Results:")
for url, reputation in reputation_results.items():
    print(f"{url}: {reputation}")


3.2 updateNwURLReputation Function

Description

Updates nwURL Reputation value.

Parameters

  • url (string[]) – nwURL.

Returns

  • urlReputation (pair) – Array of {URL: reputation value} pairs. The reputation value for every URL is in the range 1-10 (1 – clean, 10 – malicious).

Example Usage

# Example of using the updateNwURLReputation function

from url_reputation_api import updateNwURLReputation

# Example usage with a list of nwURLs
nw_urls_to_update = ['https://network-site1.com', 'https://network-site2.com']
updated_reputation_results = updateNwURLReputation(nw_urls_to_update)

print("Updated NWURL Reputation Results:")
for url, reputation in updated_reputation_results.items():
    print(f"{url}: {reputation}")


3.3 updateEmailURLReputation Function

Description

Updates emailURL Reputation value.

Parameters

  • url (string[]) – emailURL.

Returns

  • urlReputation (pair) – Array of {URL: reputation value} pairs.

Example Usage

# Example of using the updateEmailURLReputation function

from url_reputation_api import updateEmailURLReputation

# Example usage with a list of emailURLs
email_urls_to_update = ['https://email-site1.com', 'https://email-site2.com']
updated_email_reputation_results = updateEmailURLReputation(email_urls_to_update)

print("Updated EmailURL Reputation Results:")
for url, reputation in updated_email_reputation_results.items():
    print(f"{url}: {reputation}")

 

4. URLhaus

4.1 getURLReputation Function

Description

Computes URL Reputation value.

Parameters

  • url (string[]) – URL. [nwURL / emailURL]

Returns

  • urlReputation (pair) – Array of {URL: reputation value} pairs. The reputation value for every URL is in the range 1-10 (1 – clean, 10 – malicious).

Sample Usage

# Example of using the getURLReputation function

from reputation_api import getURLReputation

# Example usage with a list of URLs
urls_to_check = ['https://example.com', 'https://malicious-site.com']
reputation_results = getURLReputation(urls_to_check)

print("URL Reputation Results:")
for url, reputation in reputation_results.items():
    print(f"{url}: {reputation}")


4.2 updateNwURLReputation Function

Description

Updates nwURL Reputation value.

Parameters

  • url (string[]) – nwURL.

Returns

  • urlReputation (pair) – Array of {URL: reputation value} pairs. The reputation value for every URL is in the range 1-10 (1 – clean, 10 – malicious).

Sample Usage

# Example of using the updateNwURLReputation function

from reputation_api import updateNwURLReputation

# Example usage with a list of nwURLs
nw_urls_to_update = ['https://network-site1.com', 'https://network-site2.com']
updated_reputation_results = updateNwURLReputation(nw_urls_to_update)

print("Updated NWURL Reputation Results:")
for url, reputation in updated_reputation_results.items():
    print(f"{url}: {reputation}")


4.3 updateEmailURLReputation Function

Description

Updates emailURL Reputation value.

Parameters

  • url (string[]) – emailURL.

Returns

  • urlReputation (pair) – Array of {URL: reputation value} pairs. The reputation value for every URL is in the range 1-10 (1 – clean, 10 – malicious).

Sample Usage

# Example of using the updateEmailURLReputation function

from reputation_api import updateEmailURLReputation

# Example usage with a list of emailURLs
email_urls_to_update = ['https://email-site1.com', 'https://email-site2.com']
updated_email_reputation_results = updateEmailURLReputation(email_urls_to_update)

print("Updated EmailURL Reputation Results:")
for url, reputation in updated_email_reputation_results.items():
    print(f"{url}: {reputation}")

 

5. Jira Incident Creation

5.1 createJiraIncident Function

Description

This function creates a Jira ticket for an incident.

Parameters

  • name (string): Incident name.
  • id (string): Incident ID.
  • type (string): Incident type.
  • severity (string): Incident severity.
  • impact (string): Incident impact.
  • status (string): Incident status.
  • endpoints (string): List of endpoints under the incident.

Returns

  • status (pair): Jira ticket creation status. On success it includes the URL of the created ticket.

Example Usage

# Example of using the createJiraIncident function

result = createJiraIncident(name="Sample Incident", id="INC001", type="Security", severity="High", impact="Critical", status="Open", endpoints="Endpoint1, Endpoint2")
print(result)

 

6. EDR Remediation

6.1 hostIsolation Function

Description

This function isolates a host from the network as part of Endpoint Detection and Response (EDR) remediation.

Parameters

  • endpointId (string[]): Machine ID from the incident.

Returns

  • status (pair): Host isolation status.

Example Usage

# Example of using the hostIsolation function

result = hostIsolation(endpointId=["MachineID1", "MachineID2"])
print(result)

6.2 hostReconnect Function

Description

This function reconnects an isolated host to the network.

Parameters

  • endpointId (string[]): The unique machine ID associated with the incident.

Returns

  • status (pair): Provides the status of the host connection operation.

Example Usage

# Example of using the hostReconnect function

result = hostReconnect(endpointId=["MachineID1", "MachineID2"])
print(result)

6.3 hostReboot Function

Description

This function initiates a reboot for the specified host.

Parameters

  • endpointId (string[]): The unique machine ID associated with the incident.

Returns

  • status (pair): Provides the status of the host reboot operation.

Example Usage

# Example of using the hostReboot function

result = hostReboot(endpointId=["MachineID1", "MachineID2"])
print(result)

6.4 killProcessByMD5 Function

Description

This function terminates a process on the host machine based on the provided MD5 hash.

Parameters

  • processMD5 (string[]): The MD5 hash associated with the process from the incident.

Returns

  • status (pair): Provides the status of the process termination.

Example Usage

# Example of using the killProcessByMD5 function

result = killProcessByMD5(processMD5=["MD5Value1", "MD5Value2"])
print(result)

6.5 quarantineProcessByMD5 Function

Description

This function quarantines a process on the host machine based on the provided MD5 hash.

Parameters

  • processMD5 (string[]): The MD5 hash associated with the process from the incident.

Returns

  • status (pair): Provides the status of the process quarantine.

Example Usage

# Example of using the quarantineProcessByMD5 function

result = quarantineProcessByMD5(processMD5=["MD5Value1", "MD5Value2"])
print(result)

6.6 quarantineFileByFilePath Function

Description

This function quarantines a file on the host machine based on the provided file path.

Parameters

  • filePath (string[]): The file path associated with the file from the incident.

Returns

  • status (pair): Provides the status of the file quarantine.

Example Usage

# Example of using the quarantineFileByFilePath function

result = quarantineFileByFilePath(filePath=["Path1", "Path2"])
print(result)

6.7 deleteRegistryKey Function

Description

This function deletes a registry key on the host machine.

Parameters

  • regKey (string[]): The registry key from the incident.

Returns

  • status (pair): Provides the status of the registry key deletion.

Example Usage

# Example of using the deleteRegistryKey function

result = deleteRegistryKey(regKey=["RegistryKey1", "RegistryKey2"])
print(result)
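As an added example (not code from the playbook, PROTECTi or VirusTotal), this Python block shows how a playbook step can combine the {MD5: reputation value} results returned by the getFileReputation functions in sections 1 and 2, drop malformed hashes and out-of-range scores, and turn the malicious bucket into the killProcessByMD5 / quarantineProcessByMD5 calls documented in section 6. The thresholds, the merge-by-maximum rule and the sample results are assumptions made for the example.

```python
import re
from typing import Dict, List, Mapping, Tuple

# Constructed thresholds for this example; the playbook docs only define the 1-10 scale.
SUSPICIOUS_MIN = 5   # 5-7: hold for analyst review
MALICIOUS_MIN = 8    # 8-10: auto-remediate

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def merge_reputations(sources: Mapping[str, Mapping[str, int]]) -> Dict[str, int]:
    """Merge {MD5: reputation} results from several sources (e.g. PROTECTi and
    VirusTotal), keeping the highest (most malicious) score per hash. Hashes are
    lower-cased so the same MD5 from two sources matches; malformed hashes and
    scores outside 1-10 carry no verdict and are dropped, never treated as clean."""
    merged: Dict[str, int] = {}
    for result in sources.values():
        for md5, score in result.items():
            key = str(md5).strip().lower()
            if not _MD5_RE.match(key):
                continue
            if not isinstance(score, int) or not 1 <= score <= 10:
                continue
            merged[key] = max(merged.get(key, 0), score)
    return merged

def triage(merged: Mapping[str, int]) -> Dict[str, List[str]]:
    """Bucket merged scores into clean / suspicious / malicious hash lists."""
    buckets: Dict[str, List[str]] = {"malicious": [], "suspicious": [], "clean": []}
    for md5, score in sorted(merged.items()):
        if score >= MALICIOUS_MIN:
            buckets["malicious"].append(md5)
        elif score >= SUSPICIOUS_MIN:
            buckets["suspicious"].append(md5)
        else:
            buckets["clean"].append(md5)
    return buckets

def plan_remediation(buckets: Mapping[str, List[str]]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return the EDR calls for the malicious bucket as (function name, kwargs) tuples
    matching the killProcessByMD5 / quarantineProcessByMD5 signatures on this page.
    Suspicious hashes are deliberately left to an analyst rather than auto-remediated."""
    bad = list(buckets.get("malicious", []))
    if not bad:
        return []
    return [
        ("killProcessByMD5", {"processMD5": bad}),
        ("quarantineProcessByMD5", {"processMD5": bad}),
    ]

# Constructed sample results in the documented {MD5: reputation value} form.
SAMPLE_SOURCES = {
    "PROTECTi": {
        "D41D8CD98F00B204E9800998ECF8427E": 1,   # MD5 of an empty file, upper case
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": 9,
        "not-a-hash": 10,                        # malformed: dropped
    },
    "VirusTotal": {
        "d41d8cd98f00b204e9800998ecf8427e": 2,
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": 6,
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": 5,
        "cccccccccccccccccccccccccccccccc": 11,  # out of range: dropped
    },
}
```

Running `plan_remediation(triage(merge_reputations(SAMPLE_SOURCES)))` yields the two EDR calls for the single hash scored 9, while the hash scored 5 stays in the suspicious bucket for review.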

 

7. O365 Response

7.1 temporaryDeleteEmail Function

Description

This function temporarily deletes an email conversation.

Parameters

  • userId (string): The email ID associated with the user.
  • conversationId (string): The conversation ID to be deleted for the given email ID.

Returns

  • status (pair): Provides the status of the conversation deletion, along with the count of remaining emails.

Example Usage

# Example of using the temporaryDeleteEmail function

result = temporaryDeleteEmail(userId="user@example.com", conversationId="123456789")
print(result)

7.2 recoverDeletedEmail Function

Description

This function recovers a temporarily deleted email conversation.

Parameters

  • userId (string): The email ID associated with the user.
  • conversationId (string): The conversation ID to be recovered for the given email ID.

Returns

  • status (pair): Provides the status of the conversation recovery, along with the updated email count.

Example Usage

# Example of using the recoverDeletedEmail function

result = recoverDeletedEmail(userId="user@example.com", conversationId="123456789")
print(result)

7.3 permanentlyDeleteEmail Function

Description

This function permanently deletes an email conversation.

Parameters

  • userId (string): The email ID associated with the user.
  • conversationId (string): The conversation ID to be permanently deleted for the given email ID.

Returns

  • status (pair): Provides the status of the conversation permanent deletion, along with the updated email count.

Example Usage

# Example of using the permanentlyDeleteEmail function

result = permanentlyDeleteEmail(userId="user@example.com", conversationId="123456789")
print(result)

8. O365 PS Response

8.1 addTenantSenderEmailBlockItem Function

Description

This function adds a list of sender email IDs to the Tenant Allow/Block Lists.

Parameters

  • emailId (string[]): List of email IDs to be blocked.

Returns

  • status (pair): Provides the status of the email IDs block operation.

Example Usage

# Example of using the addTenantSenderEmailBlockItem function

result = addTenantSenderEmailBlockItem(emailId=["sender1@example.com", "sender2@example.com"])
print(result)

 

9. Google Workspace Response

9.1 temporaryDeleteEmail Function

Description:

This function temporarily deletes an email message.

Parameters

  • userId (string): The email ID associated with the user.
  • internetMessageId (string): The message ID to be deleted for the given email ID.

Returns:

  • status (pair): Provides the status of the message ID deletion.

Example Usage

# Example of using the temporaryDeleteEmail function

result = temporaryDeleteEmail(userId="user@example.com", internetMessageId="123456789")
print(result)

9.2 permanentlyDeleteEmail Function

Description

This function permanently deletes an email message.

Parameters

  • userId (string): The email ID associated with the user.
  • internetMessageId (string): The message ID to be permanently deleted for the given email ID.

Returns

  • status (pair): Provides the status of the message ID permanent deletion.

Example Usage

# Example of using the permanentlyDeleteEmail function

result = permanentlyDeleteEmail(userId="user@example.com", internetMessageId="123456789")
print(result)

9.3 recoverDeletedEmail Function

Description

This function recovers a temporarily deleted email message.

Parameters

  • userId (string): The email ID associated with the user.
  • internetMessageId (string): The message ID to be recovered for the given email ID.

Returns

  • status (pair): Provides the status of the message ID recovery.

Example Usage

# Example of using the recoverTemporaryDeletedEmail function

result = recoverTemporaryDeletedEmail(userId="user@example.com", internetMessageId="123456789")
print(result)

 

10. Checkpoint Response

10.1 blockIp Function

Description

This function blocks a suspicious IP address.

Parameters

  • ip (string[]): The IP address to be blocked.

Returns

  • status (pair): Provides the status of the IP address block operation.

Example Usage

# Example of using the blockIp function

result = blockIp(ip=["192.168.1.1", "10.0.0.2"])
print(result)

10.2 blockUrl Function

Description

This function blocks a suspicious URL.

Parameters

  • url (string[]): The URL to be blocked.

Returns

  • status (pair): Provides the status of the URL block operation.

Example Usage

# Example of using the blockUrl function

result = blockUrl(url=["http://suspicious1.com", "https://suspicious2.com"])
print(result)

10.3 blockMd5 Function

Description

This function blocks a file with a suspicious MD5 hash.

Parameters

  • MD5 (string[]): The MD5 hash of the file to be blocked.

Returns

  • status (pair): Provides the status of the MD5 block operation.

Example Usage

# Example of using the blockMd5 function

result = blockMd5(MD5=["MD5Value1", "MD5Value2"])
print(result)

 

11. FortiGate Response

11.1 blockIPs Function

Description

This function blocks a suspicious IP address.

Parameters

  • ip (string[]): The IP address to be blocked.

Returns

  • status (pair): Provides the status of the IP address block operation.

Example Usage

# Example of using the blockIPs function

result = blockIPs(ip=["192.168.1.1", "10.0.0.2"])
print(result)

11.2 blockURLs Function

Description

This function blocks a suspicious URL.

Parameters

  • url (string[]): The URL to be blocked.

Returns

  • status (pair): Provides the status of the URL block operation.

Example Usage

# Example of using the blockURLs function

result = blockURLs(url=["http://suspicious1.com", "https://suspicious2.com"])
print(result)

11.3 blockHashes Function

Description

This function blocks a file with a suspicious MD5 hash.

Parameters

  • MD5 (string[]): The MD5 hash of the file to be blocked.

Returns

  • status (pair): Provides the status of the MD5 block operation.

Example Usage

# Example of using the blockHashes function

result = blockHashes(MD5=["MD5Value1", "MD5Value2"])
print(result)

11.4 unblockIPs Function

Description

This function unblocks a previously blocked suspicious IP address.

Parameters

  • ip (string[]): The IP address to be unblocked.

Returns

  • status (pair): Provides the status of the IP address unblock operation.

Example Usage

# Example of using the unblockIPs function

result = unblockIPs(ip=["192.168.1.1", "10.0.0.2"])
print(result)

11.5 unblockURLs Function

Description

This function unblocks a previously blocked suspicious URL.

Parameters

  • url (string[]): The URL to be unblocked.

Returns

  • status (pair): Provides the status of the URL unblock operation.

Example Usage

# Example of using the unblockURLs function

result = unblockURLs(url=["http://suspicious1.com", "https://suspicious2.com"])
print(result)

11.6 unblockHashes Function

Description

This function unblocks a previously blocked file with a suspicious MD5 hash.

Parameters

  • MD5 (string[]): The MD5 hash of the file to be unblocked.

Returns

  • status (pair): Provides the status of the MD5 unblock operation.

Example Usage

# Example of using the unblockHashes function

result = unblockHashes(MD5=["MD5Value1", "MD5Value2"])
print(result)

12. AWS Guardduty Response

12.1 stopEc2Instance Function

Description

This function stops suspicious EC2 instances.

Parameters

  • ec2Instance (string[]): The IDs of the suspicious EC2 instances to be stopped.

Returns

  • status (pair): Provides the status of the EC2 instance stop operation.

Example Usage

# Example of using the stopEc2Instance function

result = stopEc2Instance(ec2Instance=["i-1234567890abcdef0", "i-0987654321fedcba0"])
print(result)

12.2 restartEc2Instance Function

Description

This function restarts suspicious EC2 instances.

Parameters

  • ec2Instance (string[]): The IDs of the suspicious EC2 instances to be restarted.

Returns

  • status (pair): Provides the status of the EC2 instance restart operation.

Example Usage

# Example of using the restartEc2Instance function

result = restartEc2Instance(ec2Instance=["i-1234567890abcdef0", "i-0987654321fedcba0"])
print(result)

12.3 stopEksCluster Function

Description

This function stops suspicious Amazon Elastic Kubernetes Service (EKS) clusters.

Parameters

  • eksCluster (string[]): The IDs of the suspicious EKS clusters to be stopped.

Returns

  • status (pair): Provides the status of the EKS cluster stop operation.

Example Usage

# Example of using the stopEksCluster function

result = stopEksCluster(eksCluster=["eks-cluster-1", "eks-cluster-2"])
print(result)

12.4 restartEksCluster Function

Description

This function restarts suspicious Amazon Elastic Kubernetes Service (EKS) clusters.

Parameters

  • eksCluster (string[]): The IDs of the suspicious EKS clusters to be restarted.

Returns

  • status (pair): Provides the status of the EKS cluster restart operation.

Example Usage

# Example of using the restartEksCluster function

result = restartEksCluster(eksCluster=["eks-cluster-1", "eks-cluster-2"])
print(result)