Getting Data In

Handling file in custom commands

shub_loginsoft
Explorer

How can we send a file as input to an API endpoint from custom spl commands developed for both Splunk Enterprise and Splunk Cloud, ensuring the API endpoint returns the desired enrichment details?

0 Karma

shub_loginsoft
Explorer

@marnall We want this OUT of Splunk into a service that takes the file and returns enrichment information about the file.

0 Karma

PickleRick
SplunkTrust

I'm thinking either an external lookup or a custom search command. But what confuses me here is that you're talking about a "file". What file do you have in mind?

0 Karma

shub_loginsoft
Explorer

@PickleRick, a file can be in any format. So, basically, we have a file on our local system, or if an email contains any file, we would like to take that file as input via a custom command and send that file to a third-party TI provider's API as the query param.

0 Karma

PickleRick
SplunkTrust

Ok, what you're describing is more of a SOAR functionality. If you wanted to do something like that within Splunk Enterprise you'd have to implement it yourself. And I'm pretty sure an app doing that would not pass vetting on Cloud.

0 Karma

shub_loginsoft
Explorer

Thank you for your response! Could you please share your insights on how we can achieve this in a Splunk SOAR environment? Additionally, if there are any apps on Splunkbase that provide similar functionality, I would greatly appreciate your recommendations.

0 Karma

PickleRick
SplunkTrust

It highly depends on the components involved. But this is fairly normal functionality for a SOAR playbook: get an artifact, manipulate it, check it using configured external services and return a report, or use the result of such a check to modify behaviour in a further part of a playbook. You can download the community version of Splunk SOAR and see for yourself.

0 Karma

ITWhisperer
SplunkTrust

If your file is already external to Splunk, you could write a script to send it to your external system for enrichment, and place the returned file somewhere so that it can be ingested into Splunk (assuming that's where you want the enriched data).

0 Karma
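The external-script approach ITWhisperer describes, as an added example that is not part of this thread: the script hashes the file, queries a hypothetical JSON enrichment endpoint by SHA-256 (the URL, bearer-token header and request/response shape are assumptions, and sending the digest rather than the raw file is a design choice, since most TI providers accept hash lookups and it keeps file content on your side), and appends the result as a JSON line that a Splunk file monitor input can ingest.

```python
import hashlib
import json
import os
import sys
import time
import urllib.request

def sha256_of_file(path):
    """Hash the file in chunks so large attachments do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def enrich_file(path, api_url, api_key, opener=urllib.request.urlopen):
    """Look the file up by SHA-256 at a hypothetical JSON enrichment endpoint.
    Only the digest leaves the host; the file content itself is never uploaded.
    `opener` is injectable so the call can be exercised without network access."""
    digest = sha256_of_file(path)
    req = urllib.request.Request(
        api_url,
        data=json.dumps({"sha256": digest}).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_key},
    )
    with opener(req, timeout=30) as resp:
        verdict = json.load(resp)  # assumed response shape: one JSON object
    return {"path": path, "sha256": digest,
            "size": os.path.getsize(path), "enrichment": verdict}

def write_event(record, out_dir):
    """Append the result as one JSON line for a Splunk file monitor input to pick up."""
    os.makedirs(out_dir, exist_ok=True)
    out = os.path.join(out_dir, "enrichment.json")
    with open(out, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(dict(record, time=time.time())) + "\n")
    return out

if __name__ == "__main__":
    # usage: enrich.py <file> <api_url> <output_dir>; the key comes from ENRICH_API_KEY
    file_path, url, out_dir = sys.argv[1:4]
    key = os.environ["ENRICH_API_KEY"]
    print(write_event(enrich_file(file_path, url, key), out_dir))
```

Point a `[monitor://<output_dir>/enrichment.json]` stanza with `sourcetype=_json` at the output directory and each appended line becomes a searchable event.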

marnall
Motivator

You would like to send a file INTO Splunk, or OUT of Splunk into a service that takes the file and returns enrichment information about the file?

0 Karma