Getting Data In

Handling file in custom commands

shub_loginsoft
Explorer

How can we send a file as input to an API endpoint from custom spl commands developed for both Splunk Enterprise and Splunk Cloud, ensuring the API endpoint returns the desired enrichment details?


shub_loginsoft
Explorer

@marnall We want this OUT of Splunk, into a service that takes the file and returns enrichment information about the file.


PickleRick
SplunkTrust

I'm thinking either an external lookup or a custom search command. But what confuses me here is that you're talking about a "file". What file do you have in mind?


shub_loginsoft
Explorer

@PickleRick, the file can be in any format. So basically, we have a file on our local system, or if an email contains a file, we would like to take that file as input via a custom command and send it to a third-party TI provider's API as the query param.


PickleRick
SplunkTrust

Ok, what you're describing is more of a SOAR functionality. If you wanted to do something like that within Splunk Enterprise you'd have to implement it yourself. And I'm pretty sure an app doing that would not pass vetting on Cloud.


shub_loginsoft
Explorer

Thank you for your response! Could you please share your insights on how we can achieve this in a Splunk SOAR environment? Additionally, if there are any apps on Splunkbase that provide similar functionality, I would greatly appreciate your recommendations.


PickleRick
SplunkTrust

It highly depends on the components involved. But this is fairly normal functionality for a SOAR playbook: get an artifact, manipulate it, check it using configured external services and return a report, or use the result of such a check to modify behaviour in a later part of the playbook. You can download the community version of Splunk SOAR and see for yourself.


ITWhisperer
SplunkTrust

If your file is already external to Splunk, you could write a script to send it to your external system for enrichment, and place the returned file somewhere so that it can be ingested into Splunk (assuming that's where you want the enriched data).

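The two suggestions above (a custom search command or external lookup that calls out to the TI service, and a standalone script that submits the file and drops the result somewhere Splunk can ingest) share the same core: read the file, submit its bytes to the enrichment API, and turn the answer into an event. The script below is an added example, not code from the thread or from any Splunk or TI vendor. The endpoint URL, the Bearer-token auth scheme, the `file` form field and the response shape (`verdict`, `score`) are all assumptions; real providers differ. Note that it sends the file as a multipart body rather than a query parameter: binary content and credentials do not belong in a URL, which proxies and web servers log. A constructed stub stands in for the network so the example runs offline.

```python
"""
Submit a local file to an external enrichment API and write the result as a
JSON line into a spool directory that Splunk can monitor and ingest.
Added example for this thread; endpoint, auth scheme and response format are assumed.
"""
import hashlib
import json
import os
import tempfile
import time
import urllib.request
import uuid

MAX_UPLOAD_BYTES = 32 * 1024 * 1024  # refuse to ship very large files to a third party


def build_multipart(field_name, filename, data, boundary):
    """Build a multipart/form-data body: file bytes go in the request body, never in the URL."""
    parts = [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"'.encode(),
        b"Content-Type: application/octet-stream",
        b"",
        data,
        f"--{boundary}--".encode(),
        b"",
    ]
    return b"\r\n".join(parts)


def http_transport(url, body, headers, timeout=30):
    """Real HTTP POST (stdlib only). Returns (status, raw_response_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def enrich_file(path, api_url, api_key, transport=http_transport):
    """Read the file, POST it to the (assumed) enrichment endpoint, return a Splunk-ready event dict."""
    size = os.path.getsize(path)
    if size > MAX_UPLOAD_BYTES:
        raise ValueError(f"{path}: {size} bytes exceeds the upload limit")
    with open(path, "rb") as fh:
        data = fh.read()
    sha256 = hashlib.sha256(data).hexdigest()  # keep a hash so the event is correlatable later
    # Strip characters that could break the multipart header if the filename is attacker-controlled.
    safe_name = os.path.basename(path).replace('"', "").replace("\r", "").replace("\n", "")
    boundary = "----splunk-enrich-" + uuid.uuid4().hex
    body = build_multipart("file", safe_name, data, boundary)
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Authorization": f"Bearer {api_key}",  # assumed auth scheme; sent in a header, not the URL
    }
    status, raw = transport(api_url, body, headers)
    if status != 200:
        raise RuntimeError(f"enrichment API returned HTTP {status}")
    return {
        "_time": time.time(),
        "file_name": safe_name,
        "file_size": size,
        "sha256": sha256,
        "enrichment": json.loads(raw),  # assumed: provider returns JSON
    }


def write_event(event, spool_dir):
    """Write one JSON line per file; point a Splunk monitor input at spool_dir with sourcetype=_json."""
    os.makedirs(spool_dir, exist_ok=True)
    out = os.path.join(spool_dir, f"enrich-{int(event['_time'])}-{event['sha256'][:12]}.json")
    with open(out, "w", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")
    return out


def stub_transport(url, body, headers):
    """Constructed stand-in for the real API so the example runs offline; checks the request shape."""
    boundary = headers["Content-Type"].split("boundary=")[1]
    if not headers["Authorization"].startswith("Bearer ") or not body.startswith(f"--{boundary}\r\n".encode()):
        return 400, b'{"error":"bad request"}'
    return 200, json.dumps({"verdict": "malicious", "score": 87}).encode()


def demo():
    """Constructed sample file -> stub enrichment -> spooled event. Returns (event, spool file exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"MZ constructed sample\n")  # constructed content, not a real binary
        event = enrich_file(sample, "https://ti.example/api/scan", "demo-key", transport=stub_transport)
        written = write_event(event, os.path.join(tmp, "spool"))
        return event, os.path.exists(written)


if __name__ == "__main__":
    ev, ok = demo()
    print(json.dumps(ev, indent=2), "spooled:", ok)
```

Inside a custom search command the same `enrich_file` body would run per event with `transport=http_transport`, but the caveats from the thread stand: the command needs outbound network access and a stored API key, which is exactly what Splunk Cloud app vetting scrutinises, and a SOAR playbook already provides this flow with credential handling built in.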

marnall
Motivator

You would like to send a file INTO Splunk, or OUT of Splunk into a service that takes the file and returns enrichment information about the file?
