Cofense Report Phishing - Extract zip files

maxywalker1 · ‎01-06-2020

We currently use Cofense Report Phishing to provide users with the ability to report potential phishing emails. When ingesting into Phantom these don't work as there isn't any method to extract and analyse the attached zip file which contains the original email message and any associated attachments.

Does anyone have any experience with this product and any scripts or playbooks that would work to automate analysis?

cblumer_splunk · ‎01-07-2020

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into, this can be automated upon ingest using a Playbook:

https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item

If you'd like to do more advanced operation, that's where you would want to look at using custom Python code - the 'zipfile' python library can be used to open or manipulate a .zip file as needed within a Playbook.

maxywalker1 · ‎01-07-2020

Thanks for that, I have started creating a playbook for this (to feed into another existing playbook) but don't seem to have any applications that support the actions 'get attachment' or 'deflate item'.

Is there any way to actually search for applications by supported actions?

There doesn't seem to be any clear information out there having looked through the documentation and splunkbase, but maybe I am not looking in the right places.

ansusabu · ‎01-07-2020

'deflate item' is available in 'phantom app'(Phantom App for Phantom)

Cofense Report Phishing - Extract zip files

configuration

development

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!