Splunk SOAR

How to unzip and parse an email attachment in Phantom

AlexBryant
Path Finder

Phantom is monitoring an email box for me, and every email will have exactly one attachment: a zipped .msg file. I need to unzip that .msg file and parse the body of it. I'm a little stuck.

All I can get so far is the vault id of the attached .zip file. I imagine I need to get the filepath and filename of the file from the vault and unzip it in a custom Python block - I can handle the unzipping part if I can just open the file in my custon block, but the filepath of the artifact is null, so although the zipped email attachment shows up as a vault artifact, I'm not sure how to open it.

What do I need to do in order to open this .zip file / email attachment in a custom Python block?
Thanks!
--Alex

Labels (1)
Tags (1)
0 Karma
1 Solution

sam_splunk
Splunk Employee
Splunk Employee

The 'Phantom' app has a 'deflate Item' that does the work for you. You just have to pass the vault and container ids, and whether or not you want it to decompress recursively.

View solution in original post

sam_splunk
Splunk Employee
Splunk Employee

The 'Phantom' app has a 'deflate Item' that does the work for you. You just have to pass the vault and container ids, and whether or not you want it to decompress recursively.

Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...