Splunk SOAR (f.k.a. Phantom)

Cofense Report Phishing - Extract zip files

maxywalker1
Explorer

We currently use Cofense Report Phishing to provide users with the ability to report potential phishing emails. When ingesting into Phantom these don't work as there isn't any method to extract and analyse the attached zip file which contains the original email message and any associated attachments.

Does anyone have any experience with this product and any scripts or playbooks that would work to automate analysis?


cblumer_splunk
Splunk Employee

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into; this can be automated upon ingest using a Playbook:

https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item

If you'd like to do more advanced operations, that's where you would want to look at using custom Python code - the 'zipfile' python library can be used to open or manipulate a .zip file as needed within a Playbook.

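As an added example (not code from this thread or from the Phantom app), this is how the 'zipfile' route mentioned above could look in plain Python: it reads the report archive in memory, skips members whose names could escape an extraction directory or that are oversized, and parses the contained .eml for sender, subject and attachment hashes. The archive layout (an .eml inside the zip) and the sample message are constructed assumptions.

```python
import email
import hashlib
import io
import zipfile
from email import policy

MAX_MEMBER_BYTES = 25 * 1024 * 1024  # skip oversized members (zip-bomb guard)
# Constructed sample message: one text body plus a small "invoice" attachment.
SAMPLE_EML = (
    'From: sender@example.test\r\nSubject: Invoice overdue\r\n'
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    '--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n'
    '--b1\r\nContent-Type: application/octet-stream; name="inv.pdf"\r\n'
    'Content-Disposition: attachment; filename="inv.pdf"\r\n'
    'Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n--b1--\r\n'
)

def build_sample_zip(member="reported/original.eml") -> bytes:
    """Build an in-memory zip shaped like a report archive (layout assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, SAMPLE_EML)
    return buf.getvalue()

def safe_members(zf):
    """Yield file members whose names cannot escape an extraction dir."""
    for info in zf.infolist():
        parts = info.filename.replace("\\", "/").split("/")
        if info.is_dir() or parts[0] == "" or ".." in parts:
            continue  # directory, absolute path, or traversal component
        if info.file_size > MAX_MEMBER_BYTES:
            continue
        yield info

def triage_report(zip_bytes: bytes) -> list:
    """Parse each .eml inside the zip in memory and return triage facts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in safe_members(zf):
            if not info.filename.lower().endswith(".eml"):
                continue
            msg = email.message_from_bytes(zf.read(info), policy=policy.default)
            atts = []
            for part in msg.iter_attachments():
                data = part.get_payload(decode=True) or b""
                atts.append({"filename": part.get_filename(), "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
            findings.append({"member": info.filename, "from": str(msg["From"]),
                             "subject": str(msg["Subject"]), "attachments": atts})
    return findings
```

Inside a Playbook the returned facts would feed the artifact and Vault calls of the Phantom API rather than being printed; nothing is written to disk here, so a hostile member name cannot land outside the working directory.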

maxywalker1
Explorer

Thanks for that. I have started creating a playbook for this (to feed into another existing playbook) but don't seem to have any applications that support the actions 'get attachment' or 'deflate item'.

Is there any way to actually search for applications by supported actions?

There doesn't seem to be any clear information out there having looked through the documentation and splunkbase, but maybe I am not looking in the right places.


ansusabu
Communicator

'deflate item' is available in 'phantom app' (Phantom App for Phantom).
