IBM Security QRadar SOAR

  • 1.  Export Attachments

    Posted Mon October 18, 2021 09:43 AM
    Hello,

    I can access the attachments that have been uploaded to incidents from the server by going into the /crypt/attachments. However, the files in this directory have an extension of ".dat" and therefore I can't open them to view the content.

    Is there a way to extract all the attachments from the server/application so I can access them in their original format (pdf, xlsx, doc)?


    ------------------------------
    Thanks,
    Mandiel
    ------------------------------


  • 2.  RE: Export Attachments

    Posted Tue October 19, 2021 05:30 AM
    Edited by Lucian Sipos Tue October 19, 2021 05:30 AM
    Not so related, but this is how I download attachments from an incident, in this case a report attachment:

    import os
    import resilient

    # Client setup is not in the original post; this is the standard resilient SDK
    # pattern, which reads host and API credentials from app.config.
    parser = resilient.ArgumentParser(config_file=resilient.get_config_file())
    resilient_client = resilient.get_client(parser.parse_args())

    def get_incident_attachments(incident_id):
        """Return the first .eml attachment of the incident that is not a .report, or None."""
        try:
            attachments = resilient_client.get(
                    '/incidents/{}/attachments?handle_format=names'.format(incident_id))
            for attachment in attachments:
                if ".eml" in attachment["name"] and ".report" not in attachment["name"]:
                    return attachment
        except Exception as e:
            print(e)
        return None

    def download_incident_attachment(incident_id):
        report_attachment = get_incident_attachments(incident_id)
        if report_attachment is None:
            print("No matching attachment on incident {}".format(incident_id))
            return
        report_filename = report_attachment["name"]
        report_attachment_id = report_attachment["id"]
        report_save_path = "C:\\Users\\l.sipos\\Desktop\\Att\\"

        # get_content returns the raw bytes of the attachment; write them unchanged
        with open(os.path.join(report_save_path, str(incident_id) + "_" + report_filename), "wb") as file_name:
            data = resilient_client.get_content(
                    "/incidents/{}/attachments/{}/contents".format(incident_id, report_attachment_id))
            file_name.write(data)


    ------------------------------
    Lucian Sipos
    ------------------------------



  • 3.  RE: Export Attachments

    Posted Wed November 03, 2021 03:13 PM
    Thank you for your response.

    ------------------------------
    Mandiel Lastra
    ------------------------------



  • 4.  RE: Export Attachments

    Posted Thu November 04, 2021 04:20 AM

    If you want to extract an attachment, send an attachment by email, or walk all incidents in the DB to extract every attachment (which could be dangerous with malware), you can use the AttachmentREST endpoint of the REST API:
    accessible via Help / Contact > API Tools

    To manipulate the REST API from a workflow, you can use the fn_utility App, as in this multiselect field update example (the GET part):

    Pre Process:

    target_field = rule.properties.mail_to
    
    inputs.rest_method = "GET"
    
    # workflow.properties.credentials.api_url is defined in "Change multiselect credentials" -> refers to the website
    # incident.org_handle get the current organization
    inputs.rest_url = u"{}/rest/orgs/{}/types/incident/fields/{}".format(workflow.properties.credentials.api_url, incident.org_handle, target_field)
    inputs.rest_verify = True
    
    # workflow.properties.credentials.api_encoded_credentials is defined in "Change multiselect credentials" -> refers to the api credentials
    # use a Specific API credential that is visible and create the encode version using this command in SSH: echo -n "api_key_id:api_key_secret" | base64
    
    # HTTP headers can be specified as a multi-line string
    inputs.rest_headers = """
    Content-Type: application/json
    Authorization: Basic {}
    """.format(workflow.properties.credentials.api_encoded_credentials)

    Post Process:

    json_data = str(results.text)

    and then work with the resulting JSON.



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
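    A per-incident bulk export along the lines of posts 2 and 4, as an added example that is not code from this thread or from IBM. It assumes a connected `resilient` SDK client passed in as `client` (exposing `get()` and `get_content()` as in Lucian's post) and a hypothetical output directory; attachment names are uploader-controlled, so they are reduced to a safe basename before being used in a write path.

```python
import os
import re

# Characters allowed in an on-disk attachment name; everything else becomes "_".
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name, fallback="attachment"):
    """Reduce an uploader-supplied attachment name to a conservative basename.

    Strips any directory component (so '../../etc/cron.d/x' cannot steer the write
    path) and replaces characters outside a small allow-list.
    """
    base = os.path.basename(name.replace("\\", "/"))
    base = _SAFE_NAME.sub("_", base).strip("._")
    return base or fallback


def list_attachments(client, incident_id):
    """Attachment metadata (id, name, ...) for one incident, via the same endpoint as post 2."""
    return client.get("/incidents/{}/attachments?handle_format=names".format(incident_id))


def download_all_attachments(client, incident_id, out_dir):
    """Write every attachment of one incident to out_dir in its original format.

    Files are named <incident>_<attachment id>_<safe name> so two attachments with the
    same display name cannot overwrite each other. Returns the list of written paths.
    The content is written as opaque bytes and never executed; out_dir should be a
    directory that is not on any execution or auto-open path.
    """
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for att in list_attachments(client, incident_id):
        name = safe_filename(att.get("name", ""))
        path = os.path.join(out_dir, "{}_{}_{}".format(incident_id, att["id"], name))
        data = client.get_content(
            "/incidents/{}/attachments/{}/contents".format(incident_id, att["id"]))
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o600)  # readable only by the exporting user
        written.append(path)
    return written
```

    Walking every incident (post 4) is then a loop over `client.get("/incidents")` calling `download_all_attachments` for each `id`.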