Splunk Phantom

Cofense Report Phishing - Extract zip files

Explorer

We currently use Cofense Report Phishing to provide users with the ability to report potential phishing emails. When ingesting into Phantom these don't work as there isn't any method to extract and analyse the attached zip file which contains the original email message and any associated attachments.

Does anyone have any experience with this product and any scripts or playbooks that would work to automate analysis?

Labels (2)
Tags (1)
0 Karma

Splunk Employee
Splunk Employee

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into, this can be automated upon ingest using a Playbook:

https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item

If you'd like to do more advanced operation, that's where you would want to look at using custom Python code - the 'zipfile' python library can be used to open or manipulate a .zip file as needed within a Playbook.

0 Karma

Explorer

Thanks for that, I have started creating a playbook for this (to feed into another existing playbook) but don't seem to have any applications that support the actions 'get attachment' or 'deflate item'.

Is there any way to actually search for applications by supported actions?

There doesn't seem to be any clear information out there having looked through the documentation and splunkbase, but maybe I am not looking in the right places.

0 Karma

Communicator

'deflate item' is available in 'phantom app'(Phantom App for Phantom)

0 Karma