Splunk SOAR
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add vault in an event, from NFS share?

SGI
Engager
‎07-04-2023 11:08 AM

Hi all,
We have zip files (password protected) dropped on an NFS share.
We want to collect them automaticaly into Splunk SOAR, to push automated analysis on them.
How do you manage to connect the NFS share to SOAR, unzip it and add each new file in a vault/event? Cherry on the cake : delete the zip file from NFS !
(sorry if it seems to easy for some of you : I am new in splunk soar...)
Thanks

Labels (1)
Labels
0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎07-05-2023 09:27 AM

@SGI 

If you can SSH to your NFS then you can pull the file onto the platform with the SSH app in SOAR. I am not aware of an app that can unzip the password protected zip but you could develop an app/action to do it. 

Once you can get the file on the system and then extracted you can simply use the phantom.vault_add() API to add any files to the vault and then pass them to other apps to do whatever you want. 

https://docs.splunk.com/Documentation/SOARonprem/6.0.2/PlaybookAPI/VaultAPI 

 

-- If this solved your issue please mark as a solution! Happy SOARing --

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top