08-31-2021 05:32 AM
Hello!
We want to create an automation which download a file from a given URL (which contains a file. pe: https://www.comunidad.madrid/sites/default/files/doc/sanidad/epid/informe_epidemiologico_semanal_cov...)
The idea is to store the file in the XSOAR incident to analyze it with our tools.
It is easy to do with Python in a local machine, but as XSOAR dockerize and works with files in a different way we don't know how to proceed.
Does anyone know the best way to download files and store them in the same incident?
Thanks in advance,
Alejandro Bracamonte.
08-31-2021 06:32 AM
Hello
I run into the same problem, as I would avoid that XSOAR Playbook scans URLs, which XSOAR already did.
The dockerize hindering me too to store already scanned urls.
So I've build an own Integration which use FTP as a store.
My solution for the FTP: it runs on the demisto machine, with vsfdpd...
regards
roger
09-01-2021 12:47 AM
Hello Roger,
The problem here is the same, we want to get the EntryID of the file so we can execute other tasks in XSOAR to analyze the file.
How do you access the file from an incident when it is stored in the FTP server?
Reagrds,
Alejandro Bracamonte.
09-01-2021 11:57 AM
Hi! So the easy way to get the EntryID of the file is using the variable ${File.EntryID}
If you want to get more specific and insure you are getting a certain file you'll need to add a filter into the query, otherwise you'll bring back all of the files.
It sounds like several of you are experimenting with writing your own Automation to do something specific with the contents of a file. If you want a good example of how we do that take a look at the ReadFile automation. It simply reads the contents of a file and dumps it into a context value.
Let me know if that helps or you are still missing something on this.
Thanks!
-Doug
09-01-2021 11:24 PM
Hi Doug!
Thank you for your response. Our problem here is not to get the EntryID from the context. We are downloading a file using requests library in a automation and we want to store that file in the incident adding the information to the context. We don't know how to do this in the same automation.
Regards,
Alejandro.
09-02-2021 05:02 AM
Hi Alejandro
Just found it out.
If you email it with mail-sender-new:
AttachedID is <id>@<ticketnumber> -> 31@1234
attachNames is the name of the attachment, you would like to see in the Mail Attachment -> "picture.png"
attachCIDs is the name in the war room, in the "command"-Part of the entry 31 -> "picture"
You need all three entries. You may put more than one attachment, just put a coma in between -> "31@1234,45@1234" etc
Finally I've got it working 🙂
greets
roger
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
