Splunk SOAR (f.k.a. Phantom)

Download files from Phantom case via REST API

hariomenkel
Engager

Hello,

I'm currently creating a Python script which takes a Splunk Phantom Case as input and creates an Incident Response report from the data within the case.

One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files?

I'm currently using

https://phantomurl/rest/vault_document/<id_of_document> but this contains only general data about the file but not the file itself. I realised that you could use https://phantomurl/view?id=<id_of_document> but that's not really "REST" and also the authentication does not work the same way as with the REST API.

So long story short: How can I download files from Phantom via REST API if I know their document_id?

Thanks!

Mario

1 Solution

bongo
Explorer

This is indeed possible.

You must start with the parent container ID to generate a list of all its related attachment IDs:

/rest/container/{container id}/attachments

For each of the attachment IDs returned, construct and call the following URL with the ID of one or more attachments you want to download:

/rest/container/{container_id}/export?file_list[]={id of attached file 1}&file_list[]={id of attached file 2}&file_list[]={id of attached file 3} ... etc

This is the same process used by the "EXPORT" menu on the investigation page.

I've requested documentation on many of these useful undocumented APIs from Splunk. They said these APIs are for internal use only, are not supported, and are subject to change.

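A worked version of the two-step procedure above in Python (an added example, not code from the thread or from Splunk): list the attachment ids for a container, then fetch the export in one request. The base URL, the `ph-auth-token` value, the container id, the JSON shape of the `/attachments` response and the export being a single downloadable blob are assumptions to confirm against your own instance, since Splunk calls these endpoints internal and unsupported.

```python
"""Download a Phantom case's attachments via the undocumented
/attachments and /export endpoints (example, not Splunk's own code)."""
import json
import os
import ssl
import urllib.request
from urllib.parse import urlencode


def attachments_url(base_url: str, container_id: int) -> str:
    """Step 1: endpoint that lists the container's attachment ids."""
    return f"{base_url.rstrip('/')}/rest/container/{container_id}/attachments"


def export_url(base_url: str, container_id: int, file_ids) -> str:
    """Step 2: one export URL carrying a repeated file_list[] parameter,
    with literal brackets as written in the answer."""
    query = urlencode({"file_list[]": list(file_ids)}, doseq=True, safe="[]")
    return f"{base_url.rstrip('/')}/rest/container/{container_id}/export?{query}"


def parse_attachment_ids(body: bytes) -> list:
    """ASSUMPTION: the reply is JSON shaped like Phantom's documented list
    endpoints, {"count": N, "data": [{"id": ...}, ...]}. Verify on your box."""
    payload = json.loads(body)
    return [item["id"] for item in payload.get("data", [])]


def _get(url: str, token: str, cafile: str = None) -> bytes:
    # ph-auth-token is Phantom's documented REST auth header; a custom CA
    # bundle keeps TLS verification on for appliances with private certs.
    req = urllib.request.Request(url, headers={"ph-auth-token": token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=60, context=ctx) as resp:
        return resp.read()


def download_case_files(base_url, token, container_id, out_path, cafile=None):
    """Return the attachment ids found; write the export blob to out_path."""
    ids = parse_attachment_ids(_get(attachments_url(base_url, container_id), token, cafile))
    if not ids:                      # nothing attached: no export request at all
        return []
    blob = _get(export_url(base_url, container_id, ids), token, cafile)
    with open(out_path, "wb") as fh:
        fh.write(blob)
    return ids


if __name__ == "__main__":
    # Placeholder host and container id; token read from the environment.
    found = download_case_files("https://phantomurl", os.environ["PH_AUTH_TOKEN"],
                                1234, "case_1234_export.bin")
    print(f"exported attachment ids: {found}")
```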

hariomenkel
Engager

Many thanks and sorry for the delayed response. This method indeed works! Awesome! Thanks!

0 Karma

spotteddog
Engager

Many thanks - this indeed looks like a viable option. I hope this gets added to the official API specification as this is a very useful activity.

0 Karma

spotteddog
Engager

Hi is there any response to this?

0 Karma

phanTom
SplunkTrust

@spotteddog I don't believe that this is possible at the moment but you could have automation in Phantom that could find a file and then "move" it somewhere (send via email, copy file to a location). 

What is the use case for downloading items from Phantom, from outside the platform?

0 Karma