topic Re: Cofense Report Phishing - Extract zip files in Splunk SOAR

Cofense Report Phishing - Extract zip files

maxywalker1 — Sun, 07 Jun 2020 17:17:09 GMT

We currently use Cofense Report Phishing to provide users with the ability to report potential phishing emails. When ingesting into Phantom these don't work as there isn't any method to extract and analyse the attached zip file which contains the original email message and any associated attachments.

Does anyone have any experience with this product and any scripts or playbooks that would work to automate analysis?

Re: Cofense Report Phishing - Extract zip files

cblumer_splunk — Tue, 07 Jan 2020 19:05:52 GMT

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into, this can be automated upon ingest using a Playbook:

https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item

If you'd like to do more advanced operation, that's where you would want to look at using custom Python code - the 'zipfile' python library can be used to open or manipulate a .zip file as needed within a Playbook.

Re: Cofense Report Phishing - Extract zip files

maxywalker1 — Tue, 07 Jan 2020 22:45:39 GMT

Thanks for that, I have started creating a playbook for this (to feed into another existing playbook) but don't seem to have any applications that support the actions 'get attachment' or 'deflate item'.

Is there any way to actually search for applications by supported actions?

There doesn't seem to be any clear information out there having looked through the documentation and splunkbase, but maybe I am not looking in the right places.

Re: Cofense Report Phishing - Extract zip files

ansusabu — Wed, 08 Jan 2020 06:47:17 GMT

'deflate item' is available in 'phantom app'(Phantom App for Phantom)