Splunk SOAR (f.k.a. Phantom)

SOAR - Create File from Artifacts

mark_wymer
Path Finder

Hi all,

Does anyone know if it's possible to create a file from a field in an artifact?

Scenario:
We have an alert in Splunk SIEM that sends various bits of, tabulated, info to SOAR.
One of the fields is a comma delimited list of ID's - this could be 1 or several hundred
This kicks off a playbook to process this info and email the info to the 'owner'
The ID data must be added to the sent email as an attachment

I'm aware of the option to add attachments from the file vault to an email from SOAR using the smtp app but......
How do we get the ID data from the field in the artifact into a file?

Any help would be much appreciated.

Cheers,
Mark.

Labels (1)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@mark_wymer 

You can just use the python "open" to write the file to a tmp directory on the platform and then use phantom.vault_add() to load it into the container to then be used in any way you wish. You will need to do this in a custom function and you could output the vault_id(s) to then add to any subsequent email. 

https://www.kite.com/python/answers/how-to-write-a-file-to-a-specific-directory-in-python 

https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/VaultAPI#vault_add  

Hope this helps!

View solution in original post

mark_wymer
Path Finder

Hi Tom, hope your well. Not 'spoken' for ages.

So, if I understand....

Pass the ID data from the artifact into a custom code snippet to write the data to, effectively, a temporary file then use the Phantom Vault API to upload this into the container (can the temporary file be deleted then or is the 'upload' just a pointer to the physical location?)

This can then be attached to the email.

Mark.

0 Karma

phanTom
SplunkTrust
SplunkTrust

@mark_wymer I thought it was you 😀!! Yeah not bad thanks, still here 😉

Yes, you have it correct; write the file to the OS, add to the vault then use the vault_id to attach, or add to a list of vault_ids to attach. When you add to the vault it will be added to a separate location on the OS that is under vault control.

I'm not 100% sure if the file deletes when you add to the vault, however, you can delete the file if you wish but if it's in a "true" tmp directory then it will get flushed on reboot but if there is a chance there will be a lot of this activity it might be best to put something in place to clear the tmp directory, outside of a reboot, more regularly?

0 Karma

mark_wymer
Path Finder

Thanks Tom - perfect 😊

0 Karma

phanTom
SplunkTrust
SplunkTrust

@mark_wymer 

You can just use the python "open" to write the file to a tmp directory on the platform and then use phantom.vault_add() to load it into the container to then be used in any way you wish. You will need to do this in a custom function and you could output the vault_id(s) to then add to any subsequent email. 

https://www.kite.com/python/answers/how-to-write-a-file-to-a-specific-directory-in-python 

https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/VaultAPI#vault_add  

Hope this helps!

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...