Splunk SOAR (f.k.a. Phantom)

Download files from Phantom case via REST API

hariomenkel
Explorer

Hello,

I'm currently creating a Python script which takes a Splunk Phantom Case as input and creates an Incident Response report from the data within the case.

One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files?

I'm currently using

https://phantomurl/rest/vault_document/<id_of_document> but this contains only general data about the file but not the file itself. I realised that you could use https://phantomurl/view?id=<id_of_document> but that's not really "REST" and also the authentication does not work the same way as with the REST API.

So long story short: How can I download files from Phantom via REST API if I know their document_id?

Thanks!

Mario

1 Solution

bongo
Explorer

This is indeed possible.

You must start with the parent container ID to generate a list of all its related attachment IDs:

/rest/container/{container id}/attachments

For each of the attachment IDs returned, construct and call the following URL with the ID of one or more attachments you want to download:

/rest/container/{container_id}/export?file_list[]={id of attached file 1}&file_list[]={id of attached file 2}&file_list[]={id of attached file 3} ... etc

This is the same process used by "EXPORT" menu on the investigation page.

I've requested documentation on many of these useful undocumented APIs from Splunk. They said these APIs are for internal use only, are not supported, and are subject to change.

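The two calls in the accepted answer, wired together in Python as an added example (this is not code from the thread, from Splunk, or from the questioner's script). It assumes: a Phantom base URL and an automation-user token supplied through the environment (placeholders, not values from the thread); the `ph-auth-token` header that Phantom automation users authenticate with; and that `/attachments` returns the usual Phantom list envelope `{"count": N, "data": [{"id": ...}, ...]}`, which is an assumption, since the endpoint is undocumented and, as the answer notes, may change. TLS verification stays on (pass your private CA bundle instead of disabling it), every id is coerced to an integer before it reaches the query string, and the server-supplied file name is reduced to a bare basename before anything is written to disk.

```python
"""Download the attachments of a Splunk Phantom container through the
undocumented /rest/container/{id}/attachments and /export endpoints.

Added example; the base URL, token variable and the /attachments JSON
shape are assumptions marked in the comments, not values from the thread.
"""
import json
import os
import re
import ssl
import urllib.parse
import urllib.request
from typing import Iterable, List, Optional

# Placeholders (assumed): point these at your own instance.
BASE_URL = os.environ.get("PHANTOM_URL", "https://phantom.example.invalid")
TOKEN_ENV_VAR = "PHANTOM_TOKEN"  # automation-user token, read at run time, never hard-coded


def attachments_url(base_url: str, container_id: int) -> str:
    """First step of the answer: the URL listing a container's attachments."""
    return f"{base_url.rstrip('/')}/rest/container/{int(container_id)}/attachments"


def export_url(base_url: str, container_id: int, file_ids: Iterable[int]) -> str:
    """Second step of the answer: one export URL with a repeated file_list[] parameter.

    int() on every id means a value taken from an untrusted place (a case note,
    a CSV, a ticket) cannot smuggle extra query parameters into the request.
    """
    ids = [int(i) for i in file_ids]
    if not ids:
        raise ValueError("export needs at least one attachment id")
    query = urllib.parse.urlencode({"file_list[]": ids}, doseq=True, safe="[]")
    return f"{base_url.rstrip('/')}/rest/container/{int(container_id)}/export?{query}"


def extract_attachment_ids(payload: dict) -> List[int]:
    """Pull attachment ids out of the /attachments response.

    Assumption: the usual Phantom list envelope {"count": N, "data": [{"id": ...}]}.
    The endpoint is unsupported, so fail loudly if the shape is not what we expect
    instead of silently exporting nothing.
    """
    data = payload.get("data")
    if not isinstance(data, list):
        raise ValueError("unexpected /attachments response: no 'data' list")
    return [int(item["id"]) for item in data]


def _filename_from_disposition(header: Optional[str], fallback: str) -> str:
    """Keep only a safe basename from Content-Disposition, so a hostile or buggy
    header (e.g. '../../x') can never write outside the output directory."""
    m = re.search(r'filename="?([^";]+)"?', header or "")
    name = os.path.basename(m.group(1)) if m else fallback
    return name or fallback


def download_container_attachments(container_id: int, out_dir: str,
                                   base_url: str = BASE_URL,
                                   cafile: Optional[str] = None) -> str:
    """List a container's attachments, export them all, save the body, return the path."""
    token = os.environ.get(TOKEN_ENV_VAR)
    if not token:
        raise RuntimeError(f"set {TOKEN_ENV_VAR} to a Phantom automation-user token")
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    headers = {"ph-auth-token": token}

    req = urllib.request.Request(attachments_url(base_url, container_id), headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        ids = extract_attachment_ids(json.load(resp))
    if not ids:
        raise RuntimeError(f"container {container_id} has no attachments")

    req = urllib.request.Request(export_url(base_url, container_id, ids), headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        name = _filename_from_disposition(resp.headers.get("Content-Disposition"),
                                          f"container_{int(container_id)}_export.bin")
        os.makedirs(out_dir, exist_ok=True)
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(resp.read())  # same payload the UI "EXPORT" menu produces (format assumed, not checked)
    return path


if __name__ == "__main__":
    import sys
    print(download_container_attachments(int(sys.argv[1]), sys.argv[2] if len(sys.argv) > 2 else "."))
```

Run it as `PHANTOM_URL=https://your-phantom PHANTOM_TOKEN=... python3 fetch_attachments.py <container_id> ./out`. Because these endpoints are internal and unsupported, treat a non-JSON `/attachments` body or a missing `data` key as a signal that an upgrade changed them, which is why the parser raises rather than returning an empty list.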

hariomenkel
Explorer

Many thanks and sorry for the delayed response. This method indeed works! Awesome! Thanks!

spotteddog
Engager

Many thanks - this indeed looks like a viable option. I hope this gets added to the official API specification as this is a very useful activity.

spotteddog
Engager

Hi is there any response to this?

phanTom
SplunkTrust

@spotteddog I don't believe that this is possible at the moment but you could have automation in Phantom that could find a file and then "move" it somewhere (send via email, copy file to a location).

What is the use case for downloading items from Phantom, from outside the platform?
