Issue Working with Files

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Issue Working with Files

L1 Bithead

Hello everyone,

 

I am having some trouble working with files in an incident.
I have integrated an API that need a path to upload a file.

This API checks the file extension in the path and as I have seen, file paths in XSOAR incidents are something like 80_916@80. I would need to have access to an absolute path or a way to get a path with the file name at the end of it.
Maybe exists a way to move a file to a specific path or something that could help me with this issue. I haven't found any documentation about this.

 

Could you help me?

Thanks in advance,

Alejandro.

11 REPLIES 11

L2 Linker

Hi Alejandro!

 

It's important to remember that we intentionally containerize all of the Integration and Automation code using Docker.  The purpose of this is to keep that code from accessing files on the server filesystem.  So even if you actually had the actual file path you can't actually use it because you'd just be attempting to access the non-existent path in the container.  (Just an FYI: in most cases it should be in /var/lib/demisto/attachments where it is stored with a hash filename) 

What we do provide for you is a filehandle.  This enables you to pass the filehandle any time you would normally want to use a file without having to know the exact location on the server.  So if you are using it to sandbox a file for instance you don't have to give it the full path to the file you just pass the filehandle and XSOAR will provide the file.

 

I hope this helps!

Doug Couch  |  XSOAR Customer Success Engineer - Manager
Palo Alto Networks  |  3000 Tannery Way  |  Santa Clara, CA 95054  

Hi!

 

Thank you for your reply.

I have been testing with the information you have provided but I have not been able to upload the file.

I am working with the API's owner to solve the problem by his side reading the extension from the file's metadata, but it would be very useful to have a way to access a file using the actual name or path.

 

Thank you for your help!

Alejandro.

Hi @abracamontesauz ,

 

If I understand correctly, you would like to check that a file uploaded into an incident has a specific file extension BEFORE uploading it? I'll try and cover all scenarios.

 

Firstly, when referencing a files path in an automation or integration, one can use the `demisto.getFilePath(<entryID>)` command to retrieve the data. This will give you the path (that you can use, for example, with Python `open()` command and also the filename (including extension).

 

When uploading a file to the incident as part of the incident creation, there isn't  way to specifically check the extension prior to uploading the file. The file will be included, however, you can make it subject to pre-processing rules. This would involve creating a new pre-processing rule that matched the incident type you are creating:

 

ABurt_0-1613993991561.png

 

You can choose here to either simply drop the incident, or perhaps, run and automation script. Dropping the incident could happen when the attachment criteria are met:

 

ABurt_1-1613994084577.png

Above is an example.

 

Using an automation script could give you more control over what happens but is a little more advanced.

 

 

You could also choose to handle the incident (depending on it's attachments) at the playbook level. This could also involve automatically closing the incident if attachment criteria are not met.

 

ABurt_2-1613994394371.png

Example above.

 

 

I hope this helps.

Hello @ABurt,

 

Thank you for your response, that information will be very useful for me in the future.

 

Although, my problem is not to check the file extension at Demisto's level. The problem is that the external API which I am using, receives the file like "<_io.BufferedReader name='71_313@71'>" using python open() method, and checks that name to read the extension. I need that name to be something like "myfile.xls" so the API could read it properly and recognize the file to store it.

 

I hope it's is clearer now.

Thank's in advance,

Alejandro.

 

Are you referring to the XSOAR API, if so, which endpoint?

 

Regards

 

Adam

Hi,

 

No, I am using an external API that I have implemented.

 

Regards.

So you have an integration that is using an API from a 3rd party product and you would like to pass it an absolute file path?

That's exactly the point, sorry for my explanations.

OK, I understand.

 

In your integration, call the "demisto.getFilePath(<entryID>)" providing the entryID (which is the 123@123  reference). This will return a JSON dictionary with the key names "name" and "path". The name is the original filename and the path is the absolute path that can be used in opening a file handle.

 

For example:
273@6cf5026f-8199-45ab-80fc-199ddf3291ab is a zip file in my playground. When using demisto.getFilePath("273@6cf5026f-8199-45ab-80fc-199ddf3291ab")  I receive:

{

    "name": "view-x64.zip",

    "path": "6cf5026f-8199-45ab-80fc-199ddf3291ab_273@6cf5026f-8199-45ab-80fc-199ddf3291ab" 

}

 

If I assigned the return value to "res" (for example), I can then use:

 

with open(res.get('path'), "rb") as fp:

    print(f"I have opened {res.get('name')} at {fp})

 

 

Regards

 

Adam

Good morning Adam,

 

In my integration I had already used the function getFilePath.

I have something like:
    file=demisto.getFilePath(file_id)
    file=open(file['path'],'rb')

Then, I use this variable as the input for the API request because if I try to open file['name'] it can't find the file. The problem is that this variable is equals to <_io.BufferedReader name='71_356@71'> and it should be <_io.BufferedReader name='myfile.xls'> to allow the API to read the extension properly.

 

Thanks once again,

Alejandro.

Now I understand. There isn't anything to be done about the filename in the incident.

 

I can only suggest perhaps doing something directly with the io library to manipulate the "name" in a file handle, howeverm I don't think this is possible.

 

One workaround would be to (excuse the pseudo code):

 

 

 

def get_handle(file_data):

    return_handle = open(file_data['name'], "wb")

    with open(file_data['path'], "rb") as fp:

        return_handle.write(fp.read())

        return_handle.seek(0,0)

    return return_handle

 

 

def main():

    args = demisto.args()

    entryID = args['entryID']

    file_data = demisto.getFilePath(entryID)

    new_handle = get_handle(file_data)

 

 

This would temporarily write data to a file named aptly and return the handle you need. This file, though, would only exist throughout the execution of the intergation command.

  • 8421 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!