05-30-2023 02:13 AM
Hello,
We'd like to know if a zip file is encrypted inside a playbook or an automation. The way in which XSOAR works with these files does not allow the use of Python libraries. Is there a way, through the File context value, to know if the file is encrypted?
05-30-2023 05:21 AM
Hi @Josep, if you use zipfile instead of 7z while unzipping, the error will be provided if the zip file is protected. You can handle the error in the playbook to catch whether the zip is password protected.
05-30-2023 05:09 PM
I'm confused by this statement: "The way in which XSOAR works with these files does not allow the use of Python libraries." If you use a custom automation with a custom Docker image you can import and use basically any library you want; I don't understand what the restriction would be here.
05-31-2023 12:27 AM
Yes, building your own automation for this purpose is another solution. You can use the built-in command "/docker_image_create" and specify other parameters. The only potential issue is that you won't be able to delete Docker images from the UI. You will need to go into the server to delete them.
/docker_image_create name=<name_here> base=<base_image> dependencies=<comma_separated_deps>
I hope this helps.
06-01-2023 08:31 AM
This may help: in the wrar section of the script there is a reference to passing the password if the archive is encrypted.
https://xsoar.pan.dev/docs/reference/scripts/unzip-file , line 125 in the editor.
06-06-2023 04:35 AM
Thanks for the response.
We are using Graph to get the files in SharePoint. This means that when we download the file, it can only be placed in the context with the name "File". If we try to use this format within an automation, the output is not valid for processing. This is why you cannot download and use a downloaded file in the same automation; it must first be placed in the context in the XSOAR format and then used in the automation.
06-06-2023 04:38 AM
Thanks for the reply.
We want to check whether the file could carry malware. For this we use a sandbox that only works if the file does not have a password. This is why we don't want to open the file, just check if it has a password.
06-06-2023 09:20 PM
It sounds like you could implement your playbook with logic something like this to meet your requirements:
Fetch file from Graph (file entry ID is written to context) -> Conditional task which calls a custom automation, where the custom integration uses the python zipfile (or similar) library to determine if the zip is encrypted, then returns the result
-> (If unencrypted) sends to sandbox / (else) do other custom processing for encrypted zips.
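The custom-automation check suggested in this thread, written out as an added example (this is not code from the original posts or from XSOAR's own Unzip script). It shows both ways to answer "is this zip password protected?" with the standard-library zipfile module: reading the "encrypted" bit (bit 0 of the general purpose flag) from each central directory record, which never decompresses anything, and the try/except approach from the reply above, where zipfile raises RuntimeError when an entry is opened without a password. The sample archives are constructed in memory; because the stdlib cannot write encrypted zips, the encrypted sample is a stdlib-written archive whose flag bits are patched afterwards. The function and variable names are mine.

```python
import io
import zipfile

# General purpose bit flag, bit 0: the entry is encrypted. Traditional PKZIP
# encryption and WinZip AES (compress_type 99) both set this bit, and flag bit 6
# ("strong encryption") requires bit 0 to be set too, so one bit covers all three.
_ENCRYPTED_FLAG = 0x1


def zip_encryption_report(data: bytes) -> dict:
    """Report which entries of an in-memory zip are encrypted, without extracting.

    The verdict comes from the central directory only, so an untrusted payload is
    never inflated just to answer the question.  Status values:
    not-a-zip, corrupt, empty, plain, partially-encrypted, encrypted.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_zip": False, "entries": 0, "encrypted": [], "status": "not-a-zip"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [zi for zi in zf.infolist() if not zi.is_dir()]
    except zipfile.BadZipFile:
        return {"is_zip": True, "entries": 0, "encrypted": [], "status": "corrupt"}

    encrypted = [zi.filename for zi in infos if zi.flag_bits & _ENCRYPTED_FLAG]
    if not infos:
        status = "empty"
    elif len(encrypted) == len(infos):
        status = "encrypted"
    elif encrypted:
        status = "partially-encrypted"   # a mixed archive still cannot be fully sandboxed
    else:
        status = "plain"
    return {"is_zip": True, "entries": len(infos), "encrypted": encrypted, "status": status}


def zip_needs_password(data: bytes) -> bool:
    """The try/except variant: open each entry without a password and treat
    zipfile's RuntimeError as 'password protected'.  zipfile raises before it
    reads any compressed data, so this is also cheap."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                if zi.is_dir():
                    continue
                with zf.open(zi):
                    pass
    except NotImplementedError:
        return True          # flag bit 6 "strong encryption": also needs a key
    except RuntimeError as exc:
        return "password required" in str(exc)
    return False


def build_plain_zip() -> bytes:
    """Constructed sample: a two-entry, STORED (uncompressed) zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.docm", b"not really a document, just sample bytes")
        zf.writestr("readme.txt", b"open the invoice")
    return buf.getvalue()


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample: set the encrypted bit in every local file header
    (flags at offset 6) and central directory record (flags at offset 8).
    This mimics the on-disk layout of a password-protected archive; the STORED
    payloads above contain no 'PK' signatures, so a plain byte scan is safe here."""
    patched = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = patched.find(sig)
        while pos != -1:
            patched[pos + offset] |= _ENCRYPTED_FLAG
            pos = patched.find(sig, pos + len(sig))
    return bytes(patched)


if __name__ == "__main__":
    plain = build_plain_zip()
    locked = mark_entries_encrypted(plain)
    print(zip_encryption_report(plain))                  # status: plain
    print(zip_encryption_report(locked))                 # status: encrypted
    print(zip_needs_password(plain), zip_needs_password(locked))
```

In an XSOAR automation the bytes would come from the file entry in context (`demisto.getFilePath(entry_id)` returns the path on the container's disk, which you then read), and the automation would return `status` to the playbook for the conditional task. The flag-bit report is the better fit for the sandbox routing described above: it distinguishes a fully encrypted archive from a mixed one, and it does not touch the compressed data at all, whereas the try/except form only tells you that at least one entry needs a password.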