Splunk SOAR (f.k.a. Phantom)

How to unzip and parse an email attachment in Phantom

AlexBryant
Path Finder

Phantom is monitoring an email box for me, and every email will have exactly one attachment: a zipped .msg file. I need to unzip that .msg file and parse the body of it. I'm a little stuck.

All I can get so far is the vault id of the attached .zip file. I imagine I need to get the filepath and filename of the file from the vault and unzip it in a custom Python block - I can handle the unzipping part if I can just open the file in my custon block, but the filepath of the artifact is null, so although the zipped email attachment shows up as a vault artifact, I'm not sure how to open it.

What do I need to do in order to open this .zip file / email attachment in a custom Python block?
Thanks!
--Alex

Labels (1)
Tags (1)
0 Karma
1 Solution

sam_splunk
Splunk Employee
Splunk Employee

The 'Phantom' app has a 'deflate Item' that does the work for you. You just have to pass the vault and container ids, and whether or not you want it to decompress recursively.

View solution in original post

sam_splunk
Splunk Employee
Splunk Employee

The 'Phantom' app has a 'deflate Item' that does the work for you. You just have to pass the vault and container ids, and whether or not you want it to decompress recursively.

Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...