Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not able to extract file from application/x-7z-compressed format

SOAR_098
Loves-to-Learn Lots
3 weeks ago

Hi Support Community,
Currently I am facing issues to extract file from application/x-7z-compressed format in SOAR.
Sequence of steps:
1. Use the get session action from CrowdStrike OAuth API App to pull the file for the specified session and sha256 and add it to the vault.
2. The file format added is "application/x-7z-compressed".
3. I am trying to use "deflate item" action from "Phantom" app to extract the original file but "application/x-7z-compressed" file format is not supported.

Any other ways to extract the file rather than using deflate item? Else any different action block within crowdstrike oauth api to pull the file in original format?

Also a follow up question, after extracting the file is it possible to convert it into .txt format?

System specifications:
SOAR version 6.4.1.361

Labels (3)
0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
3 weeks ago

Hey @SOAR_098 ,

Have you checked out the community Custom Functions, specifically the zip_extract one?
https://github.com/phantomcyber/playbooks/blob/7.1/custom_functions/zip_extract.py 

Seems like it should do what you need!

As for converting to text, it depends on the file type it spits out and you may need to build a custom function to read, then write it out to txt file then add to the vault. 

-- If this helped please add some Karma. If it resolved your issue please mark as a solution for others to see. Happy SOARing!! --

0 Karma
Reply

SOAR_098
Loves-to-Learn Lots
3 weeks ago

This custom function does not support .7zip format

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
3 weeks ago

Hi @SOAR_098 

You may be able to modify the zip example and use py7zr library to unzip the 7z file - check out the docs at https://py7zr.readthedocs.io/en/latest/user_guide.html

Hopefully you can re-use the logic in https://github.com/phantomcyber/playbooks/blob/7.1/custom_functions/zip_extract.py

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...