Splunk SOAR (f.k.a. Phantom)

Cofense Report Phishing - Extract zip files

maxywalker1
Explorer

We currently use Cofense Report Phishing to provide users with the ability to report potential phishing emails. When ingesting into Phantom these don't work as there isn't any method to extract and analyse the attached zip file which contains the original email message and any associated attachments.

Does anyone have any experience with this product and any scripts or playbooks that would work to automate analysis?


cblumer_splunk
Splunk Employee

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into; this can be automated upon ingest using a Playbook:

https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item

If you'd like to do more advanced operations, that's where you would want to look at using custom Python code - the 'zipfile' Python library can be used to open or manipulate a .zip file as needed within a Playbook.

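As an added illustration of the custom-code route mentioned in the answer above (not code from the answer, from Cofense, or from the Phantom App), the function below uses the standard `zipfile` library to unpack a report archive the way a playbook would before handing the .eml and attachments to further analysis. The archive contents, the member names and the 25 MB per-member cap are constructed assumptions; the two defensive checks (rejecting names that resolve outside the destination directory, and skipping members that declare an oversized uncompressed size) are the ones a defender would want before trusting a user-reported zip.

```python
import io
import os
import tempfile
import zipfile
from email import policy
from email.parser import BytesParser

MAX_MEMBER_BYTES = 25 * 1024 * 1024  # assumed per-member cap against decompression bombs

def build_sample_report_zip() -> bytes:
    """Constructed stand-in for a reported-phishing zip: an .eml plus one attachment,
    and one member with a traversal name so the guard in extract_report_zip is exercised."""
    eml = (b"From: sender@example.com\r\nTo: soc@example.com\r\n"
           b"Subject: Invoice overdue\r\n\r\nPlease see attached.\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reported.eml", eml)
        zf.writestr("attachments/invoice.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("../outside.txt", b"must never be written")  # hostile name
    return buf.getvalue()

def extract_report_zip(data: bytes, dest: str) -> dict:
    """Extract members into dest, skipping unsafe names and oversized members.
    Returns extracted relative paths, skipped member names and .eml Subject headers."""
    dest = os.path.realpath(dest)
    result = {"extracted": [], "skipped": [], "subjects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest, info.filename))
            # Zip-slip guard: the resolved path must stay inside dest.
            # Size guard: declared uncompressed size must be within the cap.
            if os.path.commonpath([dest, target]) != dest or info.file_size > MAX_MEMBER_BYTES:
                result["skipped"].append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            payload = zf.read(info)
            with open(target, "wb") as fh:
                fh.write(payload)
            result["extracted"].append(os.path.relpath(target, dest))
            if info.filename.lower().endswith(".eml"):
                msg = BytesParser(policy=policy.default).parsebytes(payload)
                result["subjects"].append(msg["subject"])
    return result

def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp directory and return the summary."""
    return extract_report_zip(build_sample_report_zip(), tempfile.mkdtemp())

if __name__ == "__main__":
    print(run_demo())
```

In a playbook the same function would be fed the bytes of the vault item for the container and its output used to add the extracted files back to the vault or to trigger file-reputation actions.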

maxywalker1
Explorer

Thanks for that, I have started creating a playbook for this (to feed into another existing playbook) but don't seem to have any applications that support the actions 'get attachment' or 'deflate item'.

Is there any way to actually search for applications by supported actions?

There doesn't seem to be any clear information out there having looked through the documentation and splunkbase, but maybe I am not looking in the right places.


ansusabu
Communicator

'deflate item' is available in 'phantom app' (Phantom App for Phantom)
