02-18-2021 03:13 AM
I am having some trouble working with files in an incident.
I have integrated an API that need a path to upload a file.
This API checks the file extension in the path and as I have seen, file paths in XSOAR incidents are something like 80_916@80. I would need to have access to an absolute path or a way to get a path with the file name at the end of it.
Maybe exists a way to move a file to a specific path or something that could help me with this issue. I haven't found any documentation about this.
Could you help me?
Thanks in advance,
02-18-2021 07:39 AM
It's important to remember that we intentionally containerize all of the Integration and Automation code using Docker. The purpose of this is to keep that code from accessing files on the server filesystem. So even if you actually had the actual file path you can't actually use it because you'd just be attempting to access the non-existent path in the container. (Just an FYI: in most cases it should be in /var/lib/demisto/attachments where it is stored with a hash filename)
What we do provide for you is a filehandle. This enables you to pass the filehandle any time you would normally want to use a file without having to know the exact location on the server. So if you are using it to sandbox a file for instance you don't have to give it the full path to the file you just pass the filehandle and XSOAR will provide the file.
I hope this helps!
02-22-2021 02:41 AM
Thank you for your reply.
I have been testing with the information you have provided but I have not been able to upload the file.
I am working with the API's owner to solve the problem by his side reading the extension from the file's metadata, but it would be very useful to have a way to access a file using the actual name or path.
Thank you for your help!
02-22-2021 03:46 AM
Hi @abracamontesauz ,
If I understand correctly, you would like to check that a file uploaded into an incident has a specific file extension BEFORE uploading it? I'll try and cover all scenarios.
Firstly, when referencing a files path in an automation or integration, one can use the `demisto.getFilePath(<entryID>)` command to retrieve the data. This will give you the path (that you can use, for example, with Python `open()` command and also the filename (including extension).
When uploading a file to the incident as part of the incident creation, there isn't way to specifically check the extension prior to uploading the file. The file will be included, however, you can make it subject to pre-processing rules. This would involve creating a new pre-processing rule that matched the incident type you are creating:
You can choose here to either simply drop the incident, or perhaps, run and automation script. Dropping the incident could happen when the attachment criteria are met:
Above is an example.
Using an automation script could give you more control over what happens but is a little more advanced.
You could also choose to handle the incident (depending on it's attachments) at the playbook level. This could also involve automatically closing the incident if attachment criteria are not met.
I hope this helps.
02-22-2021 04:13 AM
Thank you for your response, that information will be very useful for me in the future.
Although, my problem is not to check the file extension at Demisto's level. The problem is that the external API which I am using, receives the file like "<_io.BufferedReader name='71_313@71'>" using python open() method, and checks that name to read the extension. I need that name to be something like "myfile.xls" so the API could read it properly and recognize the file to store it.
I hope it's is clearer now.
Thank's in advance,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!