Splunk SOAR

Download files from Phantom case via REST API

hariomenkel
Explorer

Hello,

I'm currently creating a Python script which takes a Splunk Phantom Case as input and creates an Incident Response report from the data within the case.

One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files?

I'm currently using

https://phantomurl/rest/vault_document/<id_of_document> but this contains only general data about the file, not the file itself. I realised that you could use https://phantomurl/view?id=<id_of_document> but that's not really "REST" and also the authentication does not work the same way as with the REST API.

So long story short: How can I download files from Phantom via REST API if I know their document_id?

 

Thanks!

 

Mario

1 Solution

bongo
Explorer

This is indeed possible.

You must start with the parent container ID to generate a list of all its related attachment IDs:

/rest/container/{container_id}/attachments

For each of the attachment IDs returned, construct and call the following URL with the ID of one or more attachments you want to download:

/rest/container/{container_id}/export?file_list[]={id of attached file 1}&file_list[]={id of attached file 2}&file_list[]={id of attached file 3} ... etc

This is the same process used by the "EXPORT" menu on the investigation page.

I've requested documentation on many of these useful undocumented APIs from Splunk. They said these APIs are for internal use only, are not supported, and are subject to change.
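The two-step procedure above (list the container's attachments, then call the export endpoint with one `file_list[]` parameter per attachment id) as an added Python example; this is not code from the original post or from Splunk. It assumes the listing is returned as a `{"count": N, "data": [...]}` envelope (or a bare list) of objects with an `id` field, that the automation-user token is sent in the `ph-auth-token` header, and that the export body is an archive to be written to disk as-is.

```python
import json
import urllib.parse
import urllib.request


def attachments_url(base_url, container_id):
    # Step 1: listing endpoint for the parent container.
    # int() rejects anything that is not a plain numeric id.
    return f"{base_url.rstrip('/')}/rest/container/{int(container_id)}/attachments"


def export_url(base_url, container_id, file_ids):
    # Step 2: one file_list[] parameter per attachment id. safe="[]" keeps the
    # brackets literal so the query matches the form the EXPORT menu sends.
    query = urllib.parse.urlencode(
        [("file_list[]", int(i)) for i in file_ids], safe="[]"
    )
    return f"{base_url.rstrip('/')}/rest/container/{int(container_id)}/export?{query}"


def attachment_ids(payload):
    # Assumption: either a bare list or the usual {"count": N, "data": [...]}
    # envelope; every entry carries an "id". Duplicates are dropped.
    entries = payload["data"] if isinstance(payload, dict) else payload
    return sorted({int(e["id"]) for e in entries})


def download_container_files(base_url, container_id, token, out_path):
    # Assumption: automation-user token in the ph-auth-token header. TLS is
    # verified with the default context; trust the instance CA instead of
    # disabling verification. Returns the ids that were exported.
    headers = {"ph-auth-token": token}
    req = urllib.request.Request(attachments_url(base_url, container_id), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        ids = attachment_ids(json.load(resp))
    if not ids:
        return []
    req = urllib.request.Request(export_url(base_url, container_id, ids), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp, open(out_path, "wb") as fh:
        fh.write(resp.read())  # export body is an archive of the listed files
    return ids


if __name__ == "__main__":
    # Constructed sample listing, so this runs without a Phantom instance.
    sample = {"count": 2, "data": [{"id": 15, "name": "shot2.png"},
                                   {"id": 12, "name": "shot1.png"}]}
    ids = attachment_ids(sample)
    print(export_url("https://phantom.example.com", 42, ids))
```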


hariomenkel
Explorer

Many thanks and sorry for the delayed response. This method indeed works! Awesome! Thanks!


spotteddog
Engager

Many thanks - this indeed looks like a viable option. I hope this gets added to the official API specification as this is a very useful activity.

 


spotteddog
Engager

Hi is there any response to this?


phanTom
SplunkTrust

@spotteddog I don't believe that this is possible at the moment but you could have automation in Phantom that could find a file and then "move" it somewhere (send via email, copy file to a location). 

What is the use case for downloading items from Phantom, from outside the platform?
