Splunk Phantom

Download files from Phantom case via REST API

hariomenkel
New Member

Hello,

I'm currently creating a Python script which takes a Splunk Phantom Case as input and creates an Incident Response report from the data within the case.

One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files?

I'm currently using

https://phantomurl/rest/vault_document/<id_of_document> but this contains only general data about the file but not the file itsself. I realised that you could use https://phantoumurl/view?id=<id_of_document> but that's not really "REST" and also the authentication does not work the same way as with the REST API.

So long story short: How can I download files from Phantom via REST API if I know their document_id?

 

Thanks!

 

Mario

Labels (1)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!