Splunk SOAR

Splunk Phantom SOAR Vault tmp Directory Clean Up

splunk4days
Engager

Hello,

 

In short, I have to transmute a file, and I leverage the /vault/tmp/ directory.

 

I'm able to do what I want, but I'm wondering if I have to 'clean up' this /vault/tmp/ directory.

 

ex - I have a file I want to XOR bit by bit. I read unxord.exe bit by bit, write to /vault/tmp/xord.exe, then I do a phantom.vault_add(file_location="/vault/tmp/xord.exe"). This works fine.

 

Do I have to do any removal of the "/vault/tmp/xord.exe"?

 

I've tried to do something like:

import os
os.remove("/vault/tmp/xord.exe")

 

However, I get a path not found error.

 

 So, how often does Phantom SOAR clean up the /vault/tmp/ directory, and can/should I remove the temp file myself?

 

Thanks!

0 Karma

phanTom
SplunkTrust

@splunk4days I believe that by using the phantom.vault_add() API the file is "moved" from the tmp dir into the relevant file location on the platform where the vault storage is, rather than copied.

I have not tested this but have also never had to clear the /tmp dir when using it for vault_add() API calls. 
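
Added example (not part of either post above and not Splunk's code): a cleanup pattern that works whether vault_add moves or copies the temporary file, which the thread leaves untested. The helper name xor_to_vault, the one-byte key and the ".xor" suffix are assumptions; vault_add is passed in as a parameter so the code runs outside SOAR, and in a playbook it would be phantom.vault_add.

```python
import os
import tempfile


def xor_to_vault(src_path, key, vault_add, tmp_dir="/vault/tmp"):
    """XOR src_path with a one-byte key, hand the result to vault_add, and
    make sure no temporary copy is left behind in tmp_dir.

    Returns (vault_add result, leftover), where leftover is True if the
    temporary file was still present afterwards and had to be removed here.
    """
    # mkstemp creates a unique file readable only by its owner, so concurrent
    # playbook runs do not overwrite each other as a fixed name would.
    fd, tmp_path = tempfile.mkstemp(dir=tmp_dir, suffix=".xor")
    try:
        with os.fdopen(fd, "wb") as out, open(src_path, "rb") as src:
            # Stream in chunks so large files are not held in memory.
            for chunk in iter(lambda: src.read(65536), b""):
                out.write(bytes(b ^ key for b in chunk))
        result = vault_add(file_location=tmp_path,
                           file_name=os.path.basename(src_path) + ".xor")
    finally:
        # If vault_add moved the file it is already gone, and a bare
        # os.remove would raise FileNotFoundError (the "path not found"
        # case). If it copied the file, or failed, remove the leftover.
        try:
            os.remove(tmp_path)
            leftover = True
        except FileNotFoundError:
            leftover = False
    return result, leftover
```

Logging the leftover flag from a playbook run shows which behaviour the platform version in use actually has.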
