Splunk SOAR (f.k.a. Phantom)

Splunk SOAR vault file update: How to write custom code to read/write vault files?

sirajnp
Path Finder

Hi,

I'm trying to load an Excel file from the Phantom vault to update the data inside. I'm able to fetch the file but couldn't open it to update the cell values. Can anyone help me with the custom code to read and write the vault files?

0 Karma

Dave_Burns
Path Finder

There are two different Python modules for working with xls files, openpyxl and xlrd. I don't remember off the top of my head which does which version of the file.

That being said, unless you want to add the modules to the master package list, you'll more likely have to go the app route. That way you're able to side load the modules into csv files or something more "common".

0 Karma

sirajnp
Path Finder

Hi @Dave_Burns ,

I'm using the json_excel_convertor [xlsxwriter] package to convert JSON input to an Excel file. My issue is that I'm able to convert to Excel and attach to the vault. However, I can't read the Excel file from the vault to update it later on.

I fetched the vault_info() using vault_id, but I'm looking for a method to open that file in the original format and update it, since it is stored in the vault.

0 Karma

Dave_Burns
Path Finder

How are you using xlsxwriter? I'm assuming that is through an app? But either way, are you fixed on using an Excel file?

The reason I ask:

1) It looks like json_excel_convertor can output to a csv file.

2) The csv module is standard in SOAR/Phantom. Then you can manipulate the file as needed w/o additional modules in custom functions.

0 Karma

sirajnp
Path Finder

Hi @Dave_Burns ,

Yes, I need the output in Excel format, hence I have created an app to support this.

I'm looking for that piece of code to read/write the vault document in the original format. I have the output of vault api info(). Let's say we have the name of the file and the location where it is stored. I'm stuck here on how to open this document in original format from the vault to write/read this file.

Ex: file "name" = test.xlsx

file "path" = $PHANTOM_HOME/vault/1d/53/1232876KJHDFKJDGSWQ8EWDJSSDJH

I think it should be the same way you can modify the Excel file like you do for .csv. It would be great if you could share with me that code on how to edit a .csv file.

 

0 Karma

Dave_Burns
Path Finder

I'm a wee bit confused by your statement of original format. But... 

I think I can share something that will help clear things up. 

The item in the path is the excel file.  

Meaning if you have the code to open the Excel file for modification and do what you need, you'd just drop the value stored in path from your example. Phantom/SOAR doesn't do anything to a file before storing it in the vault natively.

It's non-obvious, but makes a lot of sense once you see it.

 

0 Karma

sirajnp
Path Finder

@Dave_Burns 

By saying "in original format", my understanding was that Phantom changes the format while storing into the vault. Thanks for correcting it.

My job will be done if I can open the vault document to modify it. Kindly share if you have any example of how to do it, either csv or Excel.

0 Karma

Dave_Burns
Path Finder

@sirajnp I'm not sure I get where you're stuck now. 

The file hasn't been modified in any way and you are able to reference it like I indicated. It all depends on the module you decide to use to do the work.

Here's a list of some that came up in a quick google search.


0 Karma
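The approach discussed in this thread, as an added example (not code from any poster or from Splunk): treat the `path` from the vault info output as an ordinary file, copy it out under its original name, edit the copy with the standard `csv` module, and hand the copy back to the vault as a new item. `edit_vault_csv` and `sha1_of` are hypothetical helper names, the `phantom.vault_info` / `phantom.vault_add` calls appear only in comments, and the advice against editing in place rests on the assumption that the vault ID is a hash of the file content.

```python
import csv
import hashlib
import os
import shutil
import tempfile


def sha1_of(path):
    """Hash a file in chunks so large vault items do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def edit_vault_csv(vault_path, file_name, row, column, value):
    """Copy a vault item to a scratch dir, change one cell, return the copy.
    In a playbook or app, vault_path and file_name would be the 'path' and
    'name' fields returned by phantom.vault_info(vault_id=...). The stored
    file is left untouched (assumption: the vault ID is a hash of the
    content, so editing in place would desynchronise the two).
    """
    work_dir = tempfile.mkdtemp(prefix="vault_edit_")
    # basename() stops a crafted file name from escaping the scratch dir.
    work_copy = os.path.join(work_dir, os.path.basename(file_name))
    shutil.copyfile(vault_path, work_copy)

    with open(work_copy, newline="", encoding="utf-8") as handle:
        reader = csv.DictReader(handle)
        fields = reader.fieldnames or []
        rows = list(reader)
    if column not in fields or not 0 <= row < len(rows):
        shutil.rmtree(work_dir)
        raise ValueError("no such cell: row %r, column %r" % (row, column))
    rows[row][column] = value
    with open(work_copy, "w", newline="", encoding="utf-8") as handle:
        writer = csv.DictWriter(handle, fieldnames=fields)
        writer.writeheader()
        writer.writerows(rows)
    # Next step in SOAR: phantom.vault_add(container=..., file_location=work_copy,
    # file_name=file_name), which stores the edit as a new vault item.
    return work_copy, sha1_of(vault_path), sha1_of(work_copy)


if __name__ == "__main__":  # constructed stand-in for a vault item
    with tempfile.NamedTemporaryFile("w", delete=False) as stored:
        stored.write("host,status\nweb01,open\n")
    print(edit_vault_csv(stored.name, "test.csv", 0, "status", "closed"))
```

The two hashes returned alongside the path make it easy to log which stored item an edited copy was derived from.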