Re: Add vault in an event, from NFS share

SGI · ‎07-04-2023

Hi all,
We have zip files (password protected) dropped on an NFS share.
We want to collect them automaticaly into Splunk SOAR, to push automated analysis on them.
How do you manage to connect the NFS share to SOAR, unzip it and add each new file in a vault/event? Cherry on the cake : delete the zip file from NFS !
(sorry if it seems to easy for some of you : I am new in splunk soar...)
Thanks

phanTom · ‎07-05-2023

@SGI

If you can SSH to your NFS then you can pull the file onto the platform with the SSH app in SOAR. I am not aware of an app that can unzip the password protected zip but you could develop an app/action to do it.

Once you can get the file on the system and then extracted you can simply use the phantom.vault_add() API to add any files to the vault and then pass them to other apps to do whatever you want.

https://docs.splunk.com/Documentation/SOARonprem/6.0.2/PlaybookAPI/VaultAPI

-- If this solved your issue please mark as a solution! Happy SOARing --

Add vault in an event, from NFS share?

using SOAR ⁄ Phantom

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation