Solved: How to unzip and parse an email attachment in Phan...

AlexBryant · ‎03-24-2020

Phantom is monitoring an email box for me, and every email will have exactly one attachment: a zipped .msg file. I need to unzip that .msg file and parse the body of it. I'm a little stuck.

All I can get so far is the vault id of the attached .zip file. I imagine I need to get the filepath and filename of the file from the vault and unzip it in a custom Python block - I can handle the unzipping part if I can just open the file in my custon block, but the filepath of the artifact is null, so although the zipped email attachment shows up as a vault artifact, I'm not sure how to open it.

What do I need to do in order to open this .zip file / email attachment in a custom Python block?
Thanks!
--Alex

sam_splunk · ‎03-25-2020

The 'Phantom' app has a 'deflate Item' that does the work for you. You just have to pass the vault and container ids, and whether or not you want it to decompress recursively.

View solution in original post

sam_splunk · ‎03-25-2020

The 'Phantom' app has a 'deflate Item' that does the work for you. You just have to pass the vault and container ids, and whether or not you want it to decompress recursively.

How to unzip and parse an email attachment in Phantom

using Phantom

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...