How can we send a file as input to an API endpoint from custom SPL commands developed for both Splunk Enterprise and Splunk Cloud, ensuring the API endpoint returns the desired enrichment details?
@marnall We want this, OUT of Splunk into a service that takes the file and returns enrichment information about the file.
I'm thinking either an external lookup or a custom search command. But what confuses me here is that you're talking about a "file". What file do you have in mind?
@PickleRick, the file can be in any format. So, basically, we have a file on our local system, or an email contains a file, and we would like to take that file as input via a custom command and send it to a third-party TI provider's API as the query param.
Ok, what you're describing is more of a SOAR functionality. If you wanted to do something like that within Splunk Enterprise you'd have to implement it yourself. And I'm pretty sure an app doing that would not pass vetting on Cloud.
Thank you for your response! Could you please share your insights on how we can achieve this in a Splunk SOAR environment? Additionally, if there are any apps on Splunkbase that provide similar functionality, I would greatly appreciate your recommendations.
It highly depends on the components involved. But this is fairly normal functionality for a SOAR playbook: get an artifact, manipulate it, check it using configured external services and return a report, or use the result of such a check to modify behaviour in a later part of the playbook. You can download the community version of Splunk SOAR and see for yourself.
If your file is already external to Splunk, you could write a script to send it to your external system for enrichment, and place the returned file somewhere so that it can be ingested into Splunk (assuming that's where you want the enriched data).
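As an added example (not code from this thread, from Splunk, or from any TI vendor), here is the kind of script described above, which could equally be called from the custom search command discussed earlier: it hashes the file, refuses oversized uploads, POSTs the file as multipart form data to an assumed enrichment endpoint, and appends the returned verdict as one JSON event to a file that a Splunk monitor input can ingest. The endpoint URL, the `X-Api-Key` header and the `verdict`/`score` response fields are assumptions standing in for a real provider's API; the `send` parameter exists so the HTTP call can be replaced for testing or by a different client.

```python
"""Send a local file to an external enrichment API and write the result for Splunk.

Hypothetical example: ENRICH_URL, the X-Api-Key header and the verdict/score
response fields are assumptions, not any particular vendor's API.
"""
import hashlib
import json
import mimetypes
import os
import uuid
from datetime import datetime, timezone
from urllib import request

ENRICH_URL = "https://ti.example.invalid/v1/files"   # assumed endpoint (placeholder host)
MAX_UPLOAD_BYTES = 32 * 1024 * 1024                   # refuse to ship huge files by accident


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory twice."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_multipart(path, boundary):
    """Return (content_type, body) for a multipart/form-data upload of one file field."""
    name = os.path.basename(path)
    # Strip characters that would let a crafted filename break out of the header line.
    safe_name = name.replace('"', "").replace("\r", "").replace("\n", "")
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    with open(path, "rb") as f:
        data = f.read()
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{safe_name}"\r\n'
        f"Content-Type: {ctype}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def http_send(url, headers, body):
    """Default transport: POST the body and return (status, raw_response_bytes)."""
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def enrich_file(path, api_key, send=http_send, max_bytes=MAX_UPLOAD_BYTES):
    """Upload one file for enrichment and return a flat record ready for Splunk."""
    size = os.path.getsize(path)
    if size > max_bytes:
        raise ValueError(f"{path}: {size} bytes exceeds upload limit of {max_bytes}")
    digest = sha256_of(path)
    content_type, body = build_multipart(path, uuid.uuid4().hex)
    headers = {
        "Content-Type": content_type,
        "Accept": "application/json",
        "X-Api-Key": api_key,          # assumed auth scheme; adapt to the real provider
    }
    status, raw = send(ENRICH_URL, headers, body)
    if status != 200:
        raise RuntimeError(f"enrichment API returned HTTP {status}")
    result = json.loads(raw)
    return {
        "_time": datetime.now(timezone.utc).isoformat(),
        "file_name": os.path.basename(path),
        "file_size": size,
        "sha256": digest,
        "verdict": result.get("verdict", "unknown"),   # assumed response field
        "score": result.get("score"),                  # assumed response field
        "source": ENRICH_URL,
    }


def write_event(record, out_path):
    """Append the record as one JSON line; point a Splunk monitor input at out_path."""
    with open(out_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")
    return out_path


if __name__ == "__main__":
    import sys
    rec = enrich_file(sys.argv[1], os.environ.get("TI_API_KEY", ""))
    write_event(rec, sys.argv[2] if len(sys.argv) > 2 else "enrichment.json")
```

Keeping the SHA-256 in the event is deliberate: it lets the enrichment be joined back to other sources (email attachment logs, EDR telemetry) on a stable key even when filenames differ, and it gives a cheap way to skip re-uploading a file the provider has already scored.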
You would like to send a file INTO Splunk, or OUT of Splunk into a service that takes the file and returns enrichment information about the file?