topic Re: Download files from Phantom case via REST API in Splunk SOAR

Download files from Phantom case via REST API

hariomenkel — Fri, 16 Apr 2021 09:50:53 GMT

Hello,

I'm currently creating a Python script which takes a Splunk Phantom Case as input and creates an Incident Response report from the data within the case.

One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files?

I'm currently using

https://phantomurl/rest/vault_document/<id_of_document> but this contains only general data about the file but not the file itsself. I realised that you could use https://phantoumurl/view?id=<id_of_document> but that's not really "REST" and also the authentication does not work the same way as with the REST API.

So long story short: How can I download files from Phantom via REST API if I know their document_id?

Thanks!

Mario

Re: Download files from Phantom case via REST API

spotteddog — Tue, 13 Jul 2021 20:23:31 GMT

Hi is there any response to this?

Re: Download files from Phantom case via REST API

phanTom — Wed, 14 Jul 2021 08:15:10 GMT

@spotteddog I don't believe that this is possible at the moment but you could have automation in Phantom that could find a file and then "move" it somewhere (send via email, copy file to a location).

What is the use case for downloading items from Phantom, from outside the platform?

Re: Download files from Phantom case via REST API

bongo — Wed, 04 Aug 2021 05:41:34 GMT

This is indeed possible.

You must start with the parent container ID to generate a list of all its related attachment IDs:

/rest/container/{container id}/attachments

For each of the attachment IDs returned, construct and call the following URL with the ID of one or more attachments you want to download:

/rest/container/{container_id}/export?file_list[]={id of attached file 1}&file_list[]={id of attached file 2}&file_list[]={id of attached file 3} ... etc

This is the same process used by "EXPORT" menu on the investigation page.

I've requested documentation on many of these useful undocumented APIs from Splunk. They said these APIs are for internal use only, are not supported, and are subject to change.

Re: Download files from Phantom case via REST API

spotteddog — Thu, 05 Aug 2021 11:36:22 GMT

many thanks - this indeed look like a viable option. I hope this gets added to the official API specification as this is a very useful activity

Re: Download files from Phantom case via REST API

hariomenkel — Wed, 18 Aug 2021 12:26:33 GMT

Many thanks and sorry for the delayed response. This method indeed works! Awesome! Thanks!