Splunk SOAR

How can I update function in Phantom to handle potential phish email message (getting body parsing error)?

brandylee1993
Explorer

When parsing the email message body for inclusion in the ticket in Jira, parsing fails on special characters or non-ASCII text. How can I update function in Phantom to properly handle the message body in cases where the error is being thrown. 

<error in expanding custom_function_1:custom_function:C1_email>

 

Labels (1)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@brandylee1993 I hope you found your answer,  but just in-case and for any others viewing this question, the handling of non-ascii needs to be handled with python `.decode()`:

<value>.decode("UTF-8")

The variable will be the field/data that likely contains the non-ascii text. I have seen this a lot with Phishing use cases and have had to use the .decode() a few times to get around it. 

If this helped, please pop a like below.

View solution in original post

phanTom
SplunkTrust
SplunkTrust

@brandylee1993 I hope you found your answer,  but just in-case and for any others viewing this question, the handling of non-ascii needs to be handled with python `.decode()`:

<value>.decode("UTF-8")

The variable will be the field/data that likely contains the non-ascii text. I have seen this a lot with Phishing use cases and have had to use the .decode() a few times to get around it. 

If this helped, please pop a like below.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...