Cortex XSOAR: How to Retrieve a CSV File

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L3 Networker

Title_Cortex-XSOAR-Retrieving-CSV-file_palo-alto-networks.jpg

 

Read this short, on-point blog to learn how to retrieve a CSV file!

 

Fig 1_Cortex-XSOAR-Retrieving-CSV-file_palo-alto-networks.png

 

Today, I am demonstrating the retrieving of a CSV file via the XSOAR !http command for one of my customers. You can download a test spreadsheet here: Untitled-spreadsheet-Sheet1-1. Since you are here, let me tell you a bit more.

 

The task is to retrieve a CSV file via an HTTP call. The command will look like this:

unset
!http method="GET" url="https://cybernotdienst.de/wp-content/uploads/2023/07/
Untitled-spreadsheet-Sheet1-1.csv"
unsecure="true" proxy="false" saveAsFile="yes"

 

This is the built-in command XSOAR supports from the start. As you can see, the URL points to the file above. We do NOT use the proxy and we want to save the file directly to the system.

 

With that command you will find a Context Key in XSOAR which describes the file:

Unset


Size:86
SHA1:ece8161f45d8e3f0b16eb2253caea45d0d679076
SHA256:cd00f63027fbb6b2a50b8c2257137749e1548abf9f1c217c8f1c1a42a179566c
SHA512:a5d3d608fb1dd60bdcc9e0937b1f7a47f7af1d27c2058fb9b9fa737c08a8e3627
c2a0e5e5ebec1e90ecf190233de579f9f0e9d5be13a6ee9e52e0a5d6c0d103a

Name:Untitled spreadsheet - Sheet1 (1).csv
SSDeep:3:AUhBx9IWmJGwFvpCFUZUTOhji7T:AS7vsEUoojin
EntryID:4@11288
Info:text/csv; charset=utf-8
Type:CSV text
MD5:ab8c27e05a3d12827ccd0dc671c70ce9
Extension:csv

 

And that's almost the complete trick, now we can use !ParseCSV on the EntryID above to get the CSV file parsed into the context data:

Unset

!ParseCSV entryID=4@11288

 

Now you can pack these commands into a Playbook and automate the tasks at hand.

 

You can add a Conditional with a filter, to avoid the ParseCSV to fail, because the file you wanted to download is not actually a CSV file.

Fig 2_Cortex-XSOAR-Retrieving-CSV-file_palo-alto-networks.png

This may be a harder way, as you need to retrieve the file.


Under normal circumstances we would expect that such a file is part of an incident, which makes it way easier, as the attached file will already be there and we just need to check if there is a CSV file and start the parsing.

 

Fig 3_Cortex-XSOAR-Retrieving-CSV-file_palo-alto-networks.png

 

Please reach out if you have any questions. Thank you for reading!

 

  • 3812 Views
  • 0 comments
  • 3 Likes
Register or Sign-in
Labels
Top Liked Authors