how to use demisto-api-download in a Automation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

how to use demisto-api-download in a Automation

L1 Bithead

I am trying to use the built in demisto-api-download autmation to download a file from our hosted xsoar instance 

I am struggling to figure out how to format my command in the automation. From the documentation these are the inputs :
 

Arguments Description

uri
Request URI
filename
File name of download
description
Description of file entry

 

demisto.executeCommand("demisto-api-download", {"uri":""})

 

I would imagine I need to input my API key, but am not sure how to enter it using this command

 

Any assistance with how to use this to download a file from an incident? 

 

Thanks

1 accepted solution

Accepted Solutions

It sounds like you're looking for a file upload command/integration, like:

SMB: https://xsoar.pan.dev/docs/reference/integrations/server-message-block-smb-v2#smb-upload or

SCP: https://xsoar.pan.dev/docs/reference/integrations/remote-access-v2#copy-to

 

Uploading to a cloud file store and then syncing to your local server is also a potential option depending on what you're looking for. For that an integration like Azure File store https://xsoar.pan.dev/docs/reference/integrations/azure-storage-file-share#azure-storage-fileshare-f... or Google Drive https://xsoar.pan.dev/docs/reference/integrations/google-drive#google-drive-file-upload would do what you need.

 

View solution in original post

5 REPLIES 5

L3 Networker

I'm a little concerned that demisto-api-download isn't what you're expecting. The demisto-api-download will download a response from the API endpoint and save it as an artifact in the war room of the current incident. It won't download the response to your browser automatically, although you can download the saved artifact manually.

 

The only thing you have to provide for this command is the URL path. The API key is configured within the "Demisto REST API" integration instance.

 

Here's an example of what that looks like. In this example we send a post request to generate a CSV export of incident data, then download the results.

post_result = demisto.executeCommand("demisto-api-post", 
    {"uri":"/incident/batch/exportToCsv", 
    "body":"{\"all\":true,\"columns\":[\"name\"],\"filter\":{}}"})
filename = post_result[0]['Contents']['response']
res = demisto.executeCommand("demisto-api-download", 
    {"uri":"/incident/csv/{}".format(filename)})

The end result is an entry like this:

chrking_0-1655167917170.png

 

I hope that helps.

L4 Transporter

Hi @kbratt, I think you might need to explain your use case again and in more detail. 

 

1. Do you want to download a file that is stored somewhere (Linux filesystem) on the "Palo Alto" hosted XSOAR instance? to an incident? - This is not possible for a PA hosted instance. We do not give SSH access and do not allow the SSH integration.

2. Do you want to download a file that is inside an incident to your system? - This is not possible since we do not have access your filesystem from the XSOAR UI. 

3. Do you want to download a file from an external URL and save it inside the incident? - This is possible with some simple python code like below. The automation will accept the "URL" as an input.

import urllib2
response = urllib2.urlopen(URL)
data = response.read()
demisto.results(fileResult(FILENAME, data))

Also, scenario 1 is possible if you're not using a PA Hosted XSOAR platform. Thanks.

 

@jfernandes1 , I can gladly explain our use case a little better. Hope this makes sense. 

 

We are trying to do #2 in your response above for the most part. We have an on-prem XSOAR environment that we are moving away from, to a hosted instance. 

Currently on-prem, we are able to copy a file from an incident, to a non XSOAR Server in our environment using the Shared Agent in a playbook.. Moving to the Hosted solution, the shared agents / d2 agents are depreciated, so we are looking for other ways to continue to have this functionality in the hosted solution and are exploring our options. 

 

The powershell remoting integration looks promising, but it apparently has a file size limitation on what it is able to upload from xsoar to another Server. I can upload incident files under 275k using the command !ps-remote-upload-file, but anything larger fails. This would be the ideal solution, but I am not sure there is a way around the size limitation.

 

We found the XSOAR API integration and this also looks somewhat promising. It's a little ugly, but I was thinking about using a combination of 2 integrations to get around the limitations. Possibly use the powershell remoting integration to get around the filesystem permissions issue you highlighted to then call the XSOAR API integration GET /entry/download/entryid in a script to download the file. 

 

 

It sounds like you're looking for a file upload command/integration, like:

SMB: https://xsoar.pan.dev/docs/reference/integrations/server-message-block-smb-v2#smb-upload or

SCP: https://xsoar.pan.dev/docs/reference/integrations/remote-access-v2#copy-to

 

Uploading to a cloud file store and then syncing to your local server is also a potential option depending on what you're looking for. For that an integration like Azure File store https://xsoar.pan.dev/docs/reference/integrations/azure-storage-file-share#azure-storage-fileshare-f... or Google Drive https://xsoar.pan.dev/docs/reference/integrations/google-drive#google-drive-file-upload would do what you need.

 

Thanks for the responses @chrking , much apprecaited.

 

I think the SMB upload integration is exactly what I am looking for. I was able to just upload a file from our hosted XSOAR instance to a server on our network. Will test building this into some automation now and testing, but looks promising for sure. 

  • 1 accepted solution
  • 3388 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!