Splunk SOAR (f.k.a. Phantom)

Download files from Phantom case via REST API

hariomenkel
Explorer

Hello,

I'm currently creating a Python script which takes a Splunk Phantom Case as input and creates an Incident Response report from the data within the case.

One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files?

I'm currently using

https://phantomurl/rest/vault_document/<id_of_document> but this contains only general data about the file but not the file itself. I realised that you could use https://phantomurl/view?id=<id_of_document> but that's not really "REST" and also the authentication does not work the same way as with the REST API.

So long story short: How can I download files from Phantom via REST API if I know their document_id?

Thanks!

Mario

1 Solution

bongo
Explorer

This is indeed possible.

You must start with the parent container ID to generate a list of all its related attachment IDs:

/rest/container/{container id}/attachments

For each of the attachment IDs returned, construct and call the following URL with the ID of one or more attachments you want to download:

/rest/container/{container_id}/export?file_list[]={id of attached file 1}&file_list[]={id of attached file 2}&file_list[]={id of attached file 3} ... etc

This is the same process used by "EXPORT" menu on the investigation page.

I've requested documentation on many of these useful undocumented APIs from Splunk. They said these APIs are for internal use only, are not supported, and are subject to change.
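As an added example (not code from the thread, from bongo, or from Splunk), the following stdlib-only Python script walks the two steps described above: list the container's attachment IDs, then call the export URL with one `file_list[]` entry per ID. It assumes the `ph-auth-token` automation-user header is accepted by these endpoints, and it assumes the attachments listing is a JSON list (or `{"data": [...]}` wrapper) of objects with an `id` field; `SAMPLE_LISTING` is a constructed illustration of that assumed shape, and `PHANTOM_URL`, `PHANTOM_TOKEN` and `CONTAINER_ID` are placeholder environment variables. Since the endpoints are unsupported and may change, check the listing shape against your own instance first.

```python
# Added example (not code from the thread or from Splunk): fetch a Phantom
# container's attachments via the undocumented endpoints in the accepted
# answer. Assumptions are marked in comments.
import json
import os
import urllib.request

# Assumption: the standard automation-user token header is honoured here.
TOKEN_HEADER = "ph-auth-token"

# Constructed sample of what the /attachments listing is assumed to look like.
SAMPLE_LISTING = {
    "data": [
        {"id": 17, "name": "screenshot1.png"},
        {"id": "23", "name": "screenshot2.png"},
    ]
}


def attachments_path(container_id: int) -> str:
    """Path from the answer: /rest/container/{container id}/attachments."""
    return f"/rest/container/{int(container_id)}/attachments"


def parse_attachment_ids(payload) -> list:
    """Pull attachment ids out of the /attachments response.

    Assumption: the body is either a list of objects with an "id" field or a
    {"data": [...]} wrapper around one; the thread does not show the shape.
    """
    items = payload.get("data", []) if isinstance(payload, dict) else payload
    return [int(item["id"]) for item in items
            if isinstance(item, dict) and "id" in item]


def export_path(container_id: int, file_ids) -> str:
    """Build the export URL from the answer, one file_list[] entry per id.

    Each id is coerced to int before it reaches the query string, so a value
    that is not a plain integer cannot append extra parameters.
    """
    ids = [int(fid) for fid in file_ids]
    if not ids:
        raise ValueError("file_ids must not be empty")
    query = "&".join(f"file_list[]={fid}" for fid in ids)
    return f"/rest/container/{int(container_id)}/export?{query}"


def _get(base_url: str, path: str, token: str, timeout: int = 60) -> bytes:
    """GET one path with the token header; raises on HTTP errors."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def download_container_attachments(base_url, container_id, token, dest_file):
    """List a container's attachments, then export them in a single call.

    Assumption: the export endpoint returns one download body (the answer says
    it is what the investigation page's EXPORT menu uses); it is written to
    dest_file unchanged. Returns the list of attachment ids exported.
    """
    listing = json.loads(_get(base_url, attachments_path(container_id), token))
    ids = parse_attachment_ids(listing)
    if not ids:
        return []
    body = _get(base_url, export_path(container_id, ids), token, timeout=300)
    with open(dest_file, "wb") as fh:
        fh.write(body)
    return ids


if __name__ == "__main__":
    # Placeholder environment variables; set them for your own instance.
    exported = download_container_attachments(
        os.environ["PHANTOM_URL"], int(os.environ["CONTAINER_ID"]),
        os.environ["PHANTOM_TOKEN"], "container_export.bin")
    print(f"exported {len(exported)} attachment(s): {exported}")
```

The script keeps the ID parsing and URL building in pure functions so you can point them at a captured listing from your own instance before making any live calls; the integer coercion in `export_path` is also what keeps a malformed ID from turning into a second query parameter.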


hariomenkel
Explorer

Many thanks and sorry for the delayed response. This method indeed works! Awesome! Thanks!

spotteddog
Engager

Many thanks - this indeed looks like a viable option. I hope this gets added to the official API specification as this is a very useful activity.


spotteddog
Engager

Hi is there any response to this?

phanTom
SplunkTrust

@spotteddog I don't believe that this is possible at the moment but you could have automation in Phantom that could find a file and then "move" it somewhere (send via email, copy file to a location). 

What is the use case for downloading items from Phantom, from outside the platform?
