topic SOAR - Create File from Artifacts in Splunk SOAR

SOAR - Create File from Artifacts

mark_wymer — Wed, 19 Jan 2022 14:51:28 GMT

Hi all,

Does anyone know if it's possible to create a file from a field in an artifact?

Scenario:
We have an alert in Splunk SIEM that sends various bits of, tabulated, info to SOAR.
One of the fields is a comma delimited list of ID's - this could be 1 or several hundred
This kicks off a playbook to process this info and email the info to the 'owner'
The ID data must be added to the sent email as an attachment

I'm aware of the option to add attachments from the file vault to an email from SOAR using the smtp app but......
How do we get the ID data from the field in the artifact into a file?

Any help would be much appreciated.

Cheers,
Mark.

Re: SOAR - Create File from Artifacts

phanTom — Wed, 19 Jan 2022 14:56:44 GMT

@mark_wymer

You can just use the python "open" to write the file to a tmp directory on the platform and then use phantom.vault_add() to load it into the container to then be used in any way you wish. You will need to do this in a custom function and you could output the vault_id(s) to then add to any subsequent email.

https://www.kite.com/python/answers/how-to-write-a-file-to-a-specific-directory-in-python

https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/VaultAPI#vault_add

Hope this helps!

Re: SOAR - Create File from Artifacts

mark_wymer — Wed, 19 Jan 2022 15:04:56 GMT

Hi Tom, hope your well. Not 'spoken' for ages.

So, if I understand....

Pass the ID data from the artifact into a custom code snippet to write the data to, effectively, a temporary file then use the Phantom Vault API to upload this into the container (can the temporary file be deleted then or is the 'upload' just a pointer to the physical location?)

This can then be attached to the email.

Mark.

Re: SOAR - Create File from Artifacts

phanTom — Wed, 19 Jan 2022 15:10:02 GMT

@mark_wymer I thought it was you 😀!! Yeah not bad thanks, still here 😉

Yes, you have it correct; write the file to the OS, add to the vault then use the vault_id to attach, or add to a list of vault_ids to attach. When you add to the vault it will be added to a separate location on the OS that is under vault control.

I'm not 100% sure if the file deletes when you add to the vault, however, you can delete the file if you wish but if it's in a "true" tmp directory then it will get flushed on reboot but if there is a chance there will be a lot of this activity it might be best to put something in place to clear the tmp directory, outside of a reboot, more regularly?

Re: SOAR - Create File from Artifacts

mark_wymer — Wed, 19 Jan 2022 15:14:16 GMT

Thanks Tom - perfect 😊