Splunk SOAR (f.k.a. Phantom)

Add vault in an event, from NFS share?

SGI
Engager

Hi all,
We have zip files (password protected) dropped on an NFS share.
We want to collect them automatically into Splunk SOAR, to push automated analysis on them.
How do you manage to connect the NFS share to SOAR, unzip it and add each new file in a vault/event? Cherry on the cake: delete the zip file from NFS!
(sorry if it seems too easy for some of you: I am new to Splunk SOAR...)
Thanks


phanTom
SplunkTrust

@SGI 

If you can SSH to your NFS then you can pull the file onto the platform with the SSH app in SOAR. I am not aware of an app that can unzip the password-protected zip, but you could develop an app/action to do it.

Once you can get the file on the system and then extracted, you can simply use the phantom.vault_add() API to add any files to the vault and then pass them to other apps to do whatever you want.

https://docs.splunk.com/Documentation/SOARonprem/6.0.2/PlaybookAPI/VaultAPI

-- If this solved your issue please mark as a solution! Happy SOARing --

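The "extract, then vault_add() each file" step from the answer above, as an added example that is not part of the original thread and not Splunk's own code. It assumes the zip has already been pulled onto the SOAR host (for example via the SSH app) and that `phantom.vault_add(container=..., file_location=..., file_name=...)` is available at playbook run time; here the function is passed in as a callable so the logic can be exercised offline with a recording stand-in. Two caveats a practitioner would want: Python's standard `zipfile` only decrypts legacy ZipCrypto archives, not WinZip AES (for those you would need a third-party library such as `pyzipper`), and an archive from an untrusted drop share must be checked for path traversal ("zip slip") and for size blow-up before anything is written to disk, which the code below does. The size caps and the sample archive built by `build_sample_zip()` are constructed for the example.

```python
import hashlib
import os
import tempfile
import zipfile

# Assumed caps; tune to the environment. They are enforced on bytes actually
# written, not on sizes declared in zip headers, so a zip bomb is cut off early.
MAX_MEMBER_BYTES = 50 * 1024 * 1024
MAX_TOTAL_BYTES = 200 * 1024 * 1024


def _safe_target(dest_dir, member_name):
    """Map a zip member name to a path inside dest_dir, or return None if the
    name would escape it (absolute path, drive letter, '..' component)."""
    name = member_name.replace("\\", "/")
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return None
    parts = [p for p in name.split("/") if p]
    if not parts or any(p == ".." for p in parts):
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_and_vault(zip_path, password, container_id, vault_add,
                      dest_dir, delete_zip=False):
    """Extract zip_path into dest_dir, hand every regular file to vault_add,
    and delete the zip only after every member was vaulted successfully.
    A wrong password surfaces as RuntimeError from zipfile; a CRC mismatch as
    zipfile.BadZipFile. Both propagate, so the zip is never deleted on error."""
    pwd = password.encode() if password is not None else None
    added, skipped, total = [], [], 0
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = _safe_target(dest_dir, info.filename)
            if target is None:           # zip-slip attempt: record and skip
                skipped.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            digest, written = hashlib.sha256(), 0
            with zf.open(info, pwd=pwd) as src, open(target, "wb") as dst:
                while True:
                    chunk = src.read(1024 * 1024)
                    if not chunk:
                        break
                    written += len(chunk)
                    total += len(chunk)
                    if written > MAX_MEMBER_BYTES or total > MAX_TOTAL_BYTES:
                        raise ValueError("size cap exceeded while extracting "
                                         + info.filename)
                    digest.update(chunk)
                    dst.write(chunk)
            # Assumed call shape of phantom.vault_add(); in a playbook pass
            # phantom.vault_add itself as the vault_add argument.
            vault_add(container=container_id, file_location=target,
                      file_name=os.path.basename(target))
            added.append({"name": info.filename, "path": target,
                          "sha256": digest.hexdigest(), "size": written})
    if delete_zip:
        os.remove(zip_path)
    return {"added": added, "skipped": skipped}


def build_sample_zip(zip_path):
    """Constructed sample archive: two legitimate members, one zip-slip
    member and one directory entry. Unencrypted, because the standard library
    cannot write ZipCrypto; reading with a password still works for it."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("report.txt", b"hello")
        zf.writestr("nested/inner.bin", b"\x00\x01")
        zf.writestr("../evil.txt", b"x")
        zf.writestr("dir/", b"")


def demo():
    """Run the flow against the sample zip with a recording vault_add stand-in.
    Returns (result, recorded vault_add calls, whether the zip still exists)."""
    work = tempfile.mkdtemp()
    zip_path = os.path.join(work, "drop.zip")
    build_sample_zip(zip_path)
    calls = []

    def fake_vault_add(container, file_location, file_name):
        calls.append((container, file_location, file_name))
        return {"succeeded": True}

    result = extract_and_vault(zip_path, "secret", 42, fake_vault_add,
                               os.path.join(work, "out"), delete_zip=True)
    return result, calls, os.path.exists(zip_path)


if __name__ == "__main__":
    res, calls, still_there = demo()
    print(res, calls, still_there)
```

In a real playbook the `dest_dir` would be a working directory on the SOAR host, `container_id` the event's container, and the returned SHA-256 values are handy as `metadata` for the vault entry or for a follow-up reputation lookup. The function deliberately raises on bad password, CRC failure or size cap rather than silently skipping, so the deletion step never runs on a partially processed archive.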