Splunk SOAR

Add vault in an event, from NFS share?

SGI
Engager

Hi all,
We have password-protected zip files dropped on an NFS share.
We want to collect them automatically into Splunk SOAR, to run automated analysis on them.
How do you connect the NFS share to SOAR, unzip the files, and add each new file to a vault/event? Cherry on the cake: delete the zip file from the NFS share!
(Sorry if it seems too easy for some of you: I am new to Splunk SOAR...)
Thanks

0 Karma

phanTom
SplunkTrust

@SGI 

If you can SSH to your NFS, then you can pull the file onto the platform with the SSH app in SOAR. I am not aware of an app that can unzip a password-protected zip, but you could develop an app/action to do it.

Once you have the file on the system and extracted, you can simply use the phantom.vault_add() API to add any files to the vault and then pass them to other apps to do whatever you want.

https://docs.splunk.com/Documentation/SOARonprem/6.0.2/PlaybookAPI/VaultAPI 


-- If this solved your issue please mark as a solution! Happy SOARing --

0 Karma
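The extract-then-vault step phanTom describes, written out as an added Python example (SOAR playbook code is Python). This is not code from the thread or from Splunk. It assumes the zip has already been copied to a local path on the SOAR node (for instance with the SSH app, as suggested above), that the archive uses the legacy ZipCrypto scheme the standard library can decrypt (AES-encrypted zips need a third-party module such as pyzipper), and that phantom.vault_add takes container, file_location, file_name and metadata keyword arguments and returns a dict with 'succeeded' and 'vault_id' keys; confirm that return shape against the Vault API page linked above for your version. Because the zip comes from an untrusted drop point, every member name is checked for path traversal (zip slip) and every member for zip-bomb ratios before anything is written, and the zip is removed only after every member was vaulted successfully. The size limits, the container id and the vault_add callable passed in for testing are assumptions; inside a playbook you would pass phantom.vault_add itself.

```python
import hashlib
import os
import tempfile
import zipfile

# Limits are assumptions for this example; tune them for your environment.
MAX_TOTAL_BYTES = 256 * 1024 * 1024   # cap on total uncompressed output per archive
MAX_RATIO = 200                       # per-member compression ratio above which we assume a zip bomb


class UnsafeArchive(Exception):
    """Raised when an archive member would escape dest_dir or exhaust disk."""


def check_entry_name(name):
    """Reject zip-slip member names: absolute paths, drive prefixes, '..' segments, NUL bytes."""
    norm = name.replace("\\", "/")
    parts = norm.split("/")
    if (norm.startswith("/") or ".." in parts or "\0" in name
            or parts[0].endswith(":")):
        raise UnsafeArchive("unsafe entry name: %r" % name)
    clean = "/".join(p for p in parts if p not in ("", "."))
    if not clean:
        raise UnsafeArchive("empty entry name: %r" % name)
    return clean


def extract_password_zip(zip_path, password, dest_dir):
    """Extract a ZipCrypto password-protected zip into dest_dir.

    Returns [(relative_name, absolute_path, sha256_hex), ...].
    A wrong password surfaces as RuntimeError from zipfile; unencrypted
    members are read as-is (zipfile ignores pwd for them).
    """
    pwd = password.encode() if isinstance(password, str) else password
    results, total = [], 0
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = check_entry_name(info.filename)
            # Declared sizes come from the (untrusted) central directory: use them
            # for a cheap pre-check, then enforce them again while reading.
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise UnsafeArchive("suspicious compression ratio: %r" % info.filename)
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise UnsafeArchive("archive exceeds %d bytes uncompressed" % MAX_TOTAL_BYTES)
            out_path = os.path.join(dest_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            digest, written = hashlib.sha256(), 0
            with zf.open(info, pwd=pwd) as src, open(out_path, "wb") as dst:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > info.file_size:          # header lied about the size
                        raise UnsafeArchive("member larger than declared: %r" % info.filename)
                    digest.update(chunk)
                    dst.write(chunk)
            results.append((rel, out_path, digest.hexdigest()))
    return results


def ingest_archive(zip_path, password, container_id, vault_add, delete_after=True):
    """Extract zip_path and add every member to the container's vault.

    vault_add is called like phantom.vault_add(container=..., file_location=...,
    file_name=..., metadata=...) and is assumed to return a dict with
    'succeeded' and 'vault_id' keys (check the Vault API docs for your version).
    The zip is deleted only after every member was vaulted successfully, so a
    failed run leaves the original in place for a retry.
    """
    vault_ids = []
    with tempfile.TemporaryDirectory() as tmp:
        for rel, path, sha256 in extract_password_zip(zip_path, password, tmp):
            result = vault_add(container=container_id, file_location=path,
                               file_name=os.path.basename(rel),
                               metadata={"sha256": sha256, "archive_path": rel,
                                         "source_zip": os.path.basename(zip_path)})
            if not result.get("succeeded"):
                raise RuntimeError("vault_add failed for %s: %s" % (rel, result.get("message")))
            vault_ids.append(result["vault_id"])
    if delete_after:
        os.remove(zip_path)
    return vault_ids
```

In a playbook custom function you would call ingest_archive(local_zip_path, password, container["id"], phantom.vault_add). The returned vault IDs are what you hand to the next action (file reputation, detonation, and so on), and they are also the signal that it is safe to remove the zip from the share. Note that the standard library can read but not write ZipCrypto archives, so an offline test of this code has to use an unencrypted sample zip; the path and size checks behave identically either way.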