CrowdStrike app in SOAR: Why does Detonate File re...

TheGovernor21 · ‎08-15-2023

I am using the CrowdStrike App in my playbook and trying to run the detonate file action. One of the required parameters is Vault ID, which supposedly the Vault ID of the file. I am not quite sure what the vault id means.

phanTom · ‎08-15-2023

@TheGovernor21 the vault_id is a hash value assigned to the file when ingested into SOAR. Generally it's a SHA1 of the file so if you already know that you should be able to pass it into the action.

Otherwise you will need to grab the id by using the vault API in a custom function to retrieve the value and pass it into the action: https://docs.splunk.com/Documentation/SOARonprem/6.1.0/PlaybookAPI/VaultAPI

- Hopefully this helped! If it's a solution please mark it for others to see! Happy SOARing -

TheGovernor21 · ‎08-16-2023

The vault id can be found in the file part of the container.

phanTom · ‎08-16-2023

Yes but you can only get that manually. If you need to use it in a playbook then you need to get it via the API 1st then pass the value you need into the action input.

CrowdStrike app in SOAR: Why does Detonate File requires Vault ID?

using SOAR ⁄ Phantom

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

CrowdStrike app in SOAR: Why does Detonate File requires Vault ID?

using SOAR ⁄ Phantom

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!