02-18-2021 03:13 AM
Hello everyone,
I am having some trouble working with files in an incident.
I have integrated an API that need a path to upload a file.
This API checks the file extension in the path and as I have seen, file paths in XSOAR incidents are something like 80_916@80. I would need to have access to an absolute path or a way to get a path with the file name at the end of it.
Maybe exists a way to move a file to a specific path or something that could help me with this issue. I haven't found any documentation about this.
Could you help me?
Thanks in advance,
Alejandro.
02-18-2021 07:39 AM
Hi Alejandro!
It's important to remember that we intentionally containerize all of the Integration and Automation code using Docker. The purpose of this is to keep that code from accessing files on the server filesystem. So even if you actually had the actual file path you can't actually use it because you'd just be attempting to access the non-existent path in the container. (Just an FYI: in most cases it should be in /var/lib/demisto/attachments where it is stored with a hash filename)
What we do provide for you is a filehandle. This enables you to pass the filehandle any time you would normally want to use a file without having to know the exact location on the server. So if you are using it to sandbox a file for instance you don't have to give it the full path to the file you just pass the filehandle and XSOAR will provide the file.
I hope this helps!
02-22-2021 02:41 AM
Hi!
Thank you for your reply.
I have been testing with the information you have provided but I have not been able to upload the file.
I am working with the API's owner to solve the problem by his side reading the extension from the file's metadata, but it would be very useful to have a way to access a file using the actual name or path.
Thank you for your help!
Alejandro.
02-22-2021 03:46 AM
Hi @abracamontesauz ,
If I understand correctly, you would like to check that a file uploaded into an incident has a specific file extension BEFORE uploading it? I'll try and cover all scenarios.
Firstly, when referencing a files path in an automation or integration, one can use the `demisto.getFilePath(<entryID>)` command to retrieve the data. This will give you the path (that you can use, for example, with Python `open()` command and also the filename (including extension).
When uploading a file to the incident as part of the incident creation, there isn't way to specifically check the extension prior to uploading the file. The file will be included, however, you can make it subject to pre-processing rules. This would involve creating a new pre-processing rule that matched the incident type you are creating:
You can choose here to either simply drop the incident, or perhaps, run and automation script. Dropping the incident could happen when the attachment criteria are met:
Above is an example.
Using an automation script could give you more control over what happens but is a little more advanced.
You could also choose to handle the incident (depending on it's attachments) at the playbook level. This could also involve automatically closing the incident if attachment criteria are not met.
Example above.
I hope this helps.
02-22-2021 04:13 AM
Hello @ABurt,
Thank you for your response, that information will be very useful for me in the future.
Although, my problem is not to check the file extension at Demisto's level. The problem is that the external API which I am using, receives the file like "<_io.BufferedReader name='71_313@71'>" using python open() method, and checks that name to read the extension. I need that name to be something like "myfile.xls" so the API could read it properly and recognize the file to store it.
I hope it's is clearer now.
Thank's in advance,
Alejandro.
02-22-2021 04:44 AM
Are you referring to the XSOAR API, if so, which endpoint?
Regards
Adam
02-22-2021 04:47 AM
Hi,
No, I am using an external API that I have implemented.
Regards.
02-22-2021 05:14 AM
So you have an integration that is using an API from a 3rd party product and you would like to pass it an absolute file path?
02-22-2021 05:22 AM
That's exactly the point, sorry for my explanations.
02-22-2021 07:03 AM
OK, I understand.
In your integration, call the "demisto.getFilePath(<entryID>)" providing the entryID (which is the 123@123 reference). This will return a JSON dictionary with the key names "name" and "path". The name is the original filename and the path is the absolute path that can be used in opening a file handle.
For example:
273@6cf5026f-8199-45ab-80fc-199ddf3291ab is a zip file in my playground. When using demisto.getFilePath("273@6cf5026f-8199-45ab-80fc-199ddf3291ab") I receive:
{
"name": "view-x64.zip",
"path": "6cf5026f-8199-45ab-80fc-199ddf3291ab_273@6cf5026f-8199-45ab-80fc-199ddf3291ab"
}
If I assigned the return value to "res" (for example), I can then use:
with open(res.get('path'), "rb") as fp:
print(f"I have opened {res.get('name')} at {fp})
Regards
Adam
02-23-2021 01:20 AM
Good morning Adam,
In my integration I had already used the function getFilePath.
I have something like:
file=demisto.getFilePath(file_id)
file=open(file['path'],'rb')
Then, I use this variable as the input for the API request because if I try to open file['name'] it can't find the file. The problem is that this variable is equals to <_io.BufferedReader name='71_356@71'> and it should be <_io.BufferedReader name='myfile.xls'> to allow the API to read the extension properly.
Thanks once again,
Alejandro.
02-23-2021 03:13 AM
Now I understand. There isn't anything to be done about the filename in the incident.
I can only suggest perhaps doing something directly with the io library to manipulate the "name" in a file handle, howeverm I don't think this is possible.
One workaround would be to (excuse the pseudo code):
def get_handle(file_data):
return_handle = open(file_data['name'], "wb")
with open(file_data['path'], "rb") as fp:
return_handle.write(fp.read())
return_handle.seek(0,0)
return return_handle
def main():
args = demisto.args()
entryID = args['entryID']
file_data = demisto.getFilePath(entryID)
new_handle = get_handle(file_data)
This would temporarily write data to a file named aptly and return the handle you need. This file, though, would only exist throughout the execution of the intergation command.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
