Splunk SOAR

SOAR - Create File from Artifacts

mark_wymer
Path Finder

Hi all,

Does anyone know if it's possible to create a file from a field in an artifact?

Scenario:
We have an alert in Splunk SIEM that sends various bits of tabulated info to SOAR.
One of the fields is a comma-delimited list of IDs - this could be 1 or several hundred.
This kicks off a playbook to process this info and email the info to the 'owner'.
The ID data must be added to the sent email as an attachment.

I'm aware of the option to add attachments from the file vault to an email from SOAR using the smtp app but......
How do we get the ID data from the field in the artifact into a file?

Any help would be much appreciated.

Cheers,
Mark.


phanTom
SplunkTrust

@mark_wymer 

You can just use the python "open" to write the file to a tmp directory on the platform and then use phantom.vault_add() to load it into the container to then be used in any way you wish. You will need to do this in a custom function and you could output the vault_id(s) to then add to any subsequent email.

https://www.kite.com/python/answers/how-to-write-a-file-to-a-specific-directory-in-python

https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/VaultAPI#vault_add

Hope this helps!


mark_wymer
Path Finder

Hi Tom, hope you're well. Not 'spoken' for ages.

So, if I understand....

Pass the ID data from the artifact into a custom code snippet to write the data to, effectively, a temporary file, then use the Phantom Vault API to upload this into the container (can the temporary file be deleted then, or is the 'upload' just a pointer to the physical location?).

This can then be attached to the email.

Mark.


phanTom
SplunkTrust

@mark_wymer I thought it was you 😀!! Yeah not bad thanks, still here 😉

Yes, you have it correct; write the file to the OS, add it to the vault, then use the vault_id to attach, or add it to a list of vault_ids to attach. When you add to the vault it will be added to a separate location on the OS that is under vault control.

I'm not 100% sure if the file deletes when you add to the vault; however, you can delete the file if you wish. If it's in a "true" tmp directory then it will get flushed on reboot, but if there is a chance there will be a lot of this activity, it might be best to put something in place to clear the tmp directory more regularly, outside of a reboot?
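The approach described in the two replies above (write the field to a temp file, phantom.vault_add() it, then decide what to do with the temp copy), as an added example that is not code from the original thread or from Splunk. It assumes the comma-delimited field value is passed into a SOAR custom function as a plain string, uses a fixed file name rather than anything derived from the alert data, creates the file owner-only, and removes the temp copy after the vault has taken its own copy; `SAMPLE_ID_FIELD` is a constructed value.

```python
import os
import tempfile

# Constructed stand-in for the artifact field from the alert (not from the original post).
SAMPLE_ID_FIELD = "1001, 1002,,1003 ,1001"


def parse_id_field(field_value):
    """Turn the comma-delimited artifact field into a clean, de-duplicated list of IDs."""
    seen = set()
    ids = []
    for raw in (field_value or "").split(","):
        value = raw.strip()
        if value and value not in seen:
            seen.add(value)
            ids.append(value)
    return ids


def write_ids_file(field_value, file_name="ids.txt", tmp_dir=None):
    """Write the IDs one per line into a private temp directory; return (path, count).

    The file name is fixed here, never taken from artifact data, so untrusted alert
    content cannot influence where on the platform the file is written."""
    ids = parse_id_field(field_value)
    tmp_dir = tmp_dir or tempfile.mkdtemp(prefix="soar_ids_")  # mode 0700 by default
    path = os.path.join(tmp_dir, file_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only file
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(ids) + "\n")
    return path, len(ids)


def add_ids_to_vault(container, field_value, file_name="ids.txt"):
    """Custom-function body for SOAR: write the file, vault it, remove the temp copy.

    Assumes the SOAR playbook runtime (phantom.rules is only importable there) and that
    vault_add() returns a dict with 'succeeded', 'message' and 'vault_id', per the
    VaultAPI docs linked above. The temp copy is removed because the vault keeps its
    own copy under vault control, as the reply above explains."""
    import phantom.rules as phantom
    path, count = write_ids_file(field_value, file_name)
    try:
        result = phantom.vault_add(container=container, file_location=path, file_name=file_name)
    finally:
        os.remove(path)
        os.rmdir(os.path.dirname(path))
    if not result.get("succeeded"):
        raise RuntimeError("vault_add failed: %s" % result.get("message"))
    return result["vault_id"], count  # vault_id goes to the smtp app's attachments
```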

mark_wymer
Path Finder

Thanks Tom - perfect 😊
