IBM Security QRadar SOAR

  • 1.  Attachment metadata

    Posted Wed May 08, 2019 01:31 PM
    Hello,
    I was looking to access the metadata of all attachments in a single incident.  I did get an example which uses attachments_data = self.rest_client().get("/incidents/{0}/attachments".format(incident_id)) and then I used a for loop to go through each entry:
    data = self.rest_client().get_content("/incidents/{0}/attachments/{1}/contents".format(incident_id, cell["id"]))

    The data I get back is a string object which I can write the data out to a file on the server.  Potential security concerns aside if I have 50 attachments I don't want to write 50 files to the circuit server then read them back in for the metadata if I can help it.
    What I would like to do is, using StringIO or BytesIO, be able to take that str object and read it into, in this case, an Image object, then run the script to get the metadata off of it.  No matter what I've tried I get errors that it doesn't recognize it as an Image.
    Are the attachment contents encoded somehow (like Base64) and that's all I'm missing, or is what I described simply not possible in the framework?
    thanks


    ------------------------------
    Andrew Arter
    ------------------------------


  • 2.  RE: Attachment metadata

    Posted Thu May 09, 2019 09:21 AM
    Hi Andrew,

    If you download the Utilities function off of the App Exchange, you'll find "Attachment to Base64" and "Base64 to Artifact" functions.  I believe that will be able to extract any IOCs from the attachment that you are needing the Metadata for.

    You'll need to create a workflow containing those two functions, then have an Automatic Rule, with Object as Attachment, to trigger that workflow.  The results should return the information into the Artifacts tab in the Incident.

    ------------------------------
    Paul Chu
    ------------------------------



  • 3.  RE: Attachment metadata

    Posted Thu May 09, 2019 02:09 PM

    Thank you; however, I'm looking for whether there's a way to access the metadata from a circuit script.  That way I can add modules and then try getting different data from it.

    thanks
    Andy



    ------------------------------
    Andrew Arter
    ------------------------------



  • 4.  RE: Attachment metadata

    Posted Wed May 15, 2019 12:58 PM
    Hi Andrew,

    Let me make sure I've got this right. For each attachment on your incident you're calling get /orgs/{org_id}/incidents/{inc_id}/attachments/{attach_id}/contents. The result you get is the actual content of the attachment - the binary data. It sounds like you don't want to write the "bytes" to a file, you would prefer to use BytesIO instead.

    You can try something like this, to see if it's giving you desired results:

    import io

    # raw bytes of the attachment, straight from the REST API
    data = self.rest_client().get_content("/incidents/{0}/attachments/{1}/contents".format(incident_id, cell["id"]))
    bio = io.BytesIO(data)  # wrap the bytes in an in-memory stream instead of a file
    bio.seek(0)  # go to the start of the stream
    print(bio.read())

    Best,
    Tamara

    ------------------------------
    Tamara Zlender
    ------------------------------