Splunk SOAR

Add vault in an event, from NFS share?

SGI
Engager

Hi all,
We have zip files (password protected) dropped on an NFS share.
We want to collect them automatically into Splunk SOAR, to push automated analysis on them.
How do you manage to connect the NFS share to SOAR, unzip it and add each new file in a vault/event? Cherry on the cake: delete the zip file from NFS!
(Sorry if it seems too easy for some of you: I am new to Splunk SOAR...)
Thanks

0 Karma

phanTom
SplunkTrust

@SGI 

If you can SSH to your NFS then you can pull the file onto the platform with the SSH app in SOAR. I am not aware of an app that can unzip the password-protected zip but you could develop an app/action to do it.

Once you can get the file on the system and then extracted you can simply use the phantom.vault_add() API to add any files to the vault and then pass them to other apps to do whatever you want. 

https://docs.splunk.com/Documentation/SOARonprem/6.0.2/PlaybookAPI/VaultAPI 

 

-- If this solved your issue please mark as a solution! Happy SOARing --

0 Karma
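Added example, not part of the original thread and not Splunk's code: one way the extraction step of such a custom action could treat the dropped zip as untrusted input (path traversal, symlink entries, size caps) before anything reaches the vault, and delete the zip only after every file was added. The function names, the caps and the `add_to_vault` callback are assumptions; in a playbook the callback would wrap `phantom.vault_add()`.

```python
import os
import shutil
import zipfile

MAX_TOTAL_BYTES = 200 * 1024 * 1024  # assumed cap on declared uncompressed size
MAX_MEMBERS = 1000                   # assumed cap on number of entries


def extract_untrusted_zip(zip_path, dest_dir, password=None):
    """Extract into dest_dir; return written paths. ValueError on unsafe input."""
    root = os.path.realpath(dest_dir)
    os.makedirs(root, exist_ok=True)
    pwd = password.encode() if password else None
    with zipfile.ZipFile(zip_path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) > MAX_MEMBERS:
            raise ValueError("too many entries")
        if sum(m.file_size for m in members) > MAX_TOTAL_BYTES:
            raise ValueError("uncompressed size exceeds cap")
        targets = []
        for m in members:  # validate every entry before writing anything
            # Unix mode lives in the high 16 bits; refuse symlink entries.
            if (m.external_attr >> 16) & 0o170000 == 0o120000:
                raise ValueError("symlink entry: " + m.filename)
            target = os.path.realpath(os.path.join(root, m.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("path traversal: " + m.filename)
            targets.append(target)
        for m, target in zip(members, targets):
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # stdlib zipfile decrypts legacy ZipCrypto only; a wrong
            # password raises RuntimeError.
            with zf.open(m, pwd=pwd) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
    return targets


def ingest_zip(zip_path, work_dir, password, add_to_vault):
    """Extract, pass each file to add_to_vault(path, name), then delete the zip.

    add_to_vault is a hypothetical callback; in a playbook it would wrap
    phantom.vault_add(container=..., file_location=path, file_name=name).
    """
    files = extract_untrusted_zip(zip_path, work_dir, password)
    results = [add_to_vault(p, os.path.basename(p)) for p in files]
    if not all(results):
        raise RuntimeError("vault add failed; leaving zip in place")
    os.remove(zip_path)  # only reached when every file is in the vault
    return files
```
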