IBM QRadar SOAR

  • 1.  Read attachments

    Posted Tue September 24, 2019 12:38 PM
    I need to be able to read the contents of an attachment and generate "DNS" artifacts for each line.

    Ex:
    dns.txt is attached and its content:
    server.com
    server2.com
    server3.com
    ...

    How could I generate it?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------


  • 2.  RE: Read attachments

    Posted Wed September 25, 2019 05:45 AM
    Hi Juan, 

    Thank you for raising this in the community. 
    There are two main steps that I can see needing to be done here before you can read each line. The first would be getting the attachment data from Resilient, and then once you have it, depending on your use case, the raw file data may suit your needs, or maybe you have to take a second step by saving the attachment data to a temporary file and then reading that. 

    We have a helper function in the resilient_lib PyPI module called get_file_attachment which should help you in getting the file's data. Here is a link to see how that would be used from a community app: https://github.com/ibmResilient/resilient-community-apps/blob/master/fn_google_cloud_dlp/fn_google_cloud_dlp/util/gcp_helper.py#L93
    And then for saving the file data and reading its contents, your best bet would be the tempfile module. 

    Here is an example from the same file above showing how to use that: https://github.com/ibmresilient/resilient-community-apps/blob/060fec06e3b6464a0b277434c429821437c71eef/fn_google_cloud_dlp/fn_google_cloud_dlp/util/gcp_helper.py#L126

    If you implement both of the above things, to read each line you could then open the file using

    file = open('nameoffile', 'r')

    and then get its lines as a list with:
    lines = file.readlines()

    (you may need something extra if the file is PDF, DOCX or ODT) 

    Let me know if the above is helpful for you or if you have any questions.

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 3.  RE: Read attachments

    Posted Fri September 27, 2019 05:20 PM
    Edited by Jared Fagel Fri September 27, 2019 05:23 PM
    Hey Juan,

    The examples @Ryan Gordon mentioned above are helpful, as well as the get_file_attachment() method.

    Don't use tempfile though -- it's a pain and results in slightly more system overhead.

    If you want to get a file (IO object) from the returned byte-string, use this:
    import unicodedata  # Required import
    from cStringIO import StringIO  # Required import (Python 2; on Python 3 use: from io import StringIO)

    # Decode the bytes (dropping undecodable sequences), normalize, and wrap in a file-like object
    file_obj = StringIO(unicodedata.normalize("NFKD", get_file_attachment_returned_bytestring_here.decode('utf-8', 'ignore')))

    Yes, it's two (native) imports instead of one, but it'll be more efficient and robust (removes possible encoding errors).

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------
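Putting the two answers together, here is an added example (not code from either poster or from IBM) of the parsing step that follows get_file_attachment(): it takes the raw attachment bytes, decodes and normalizes them in memory as post 3 suggests (no tempfile), and turns each usable line into one "DNS Name" artifact body. The sample bytes are constructed to exercise the cases a real dns.txt tends to have (a UTF-8 BOM, CRLF line endings, blank and commented lines, a duplicate that differs only in case, and a line that is not a hostname), so that junk never becomes an artifact. The artifact field names "type", "value" and "description" are my assumption about the SOAR REST artifact object; check them against your platform's API docs before posting.

```python
import re
import unicodedata

# Constructed sample of what get_file_attachment() returns for the dns.txt
# in the question: bytes, here with a BOM, CRLF endings, a blank line, a
# comment, a case-variant duplicate, an invalid line and no final newline.
SAMPLE_ATTACHMENT = (
    b"\xef\xbb\xbfserver.com\r\n"
    b"server2.com\r\n"
    b"\r\n"
    b"# internal note\r\n"
    b"Server2.COM\r\n"
    b"server3.com\r\n"
    b"not a hostname!\r\n"
    b"server4.com"
)

# Conservative RFC 1123 hostname shape: at least two labels, each 1-63 chars,
# letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)+%s$" % (_LABEL, _LABEL))
_MAX_HOSTNAME_LEN = 253


def attachment_to_text(data):
    """Decode attachment bytes to text entirely in memory (no temp file).

    'utf-8-sig' strips a leading BOM if present, 'ignore' drops bytes that are
    not valid UTF-8 instead of raising, and NFKD folds compatibility characters
    so that look-alike forms compare equal later.
    """
    return unicodedata.normalize("NFKD", data.decode("utf-8-sig", "ignore"))


def extract_dns_names(data):
    """Return the ordered, de-duplicated hostnames found in the attachment bytes.

    Blank lines and '#' comments are skipped; anything that does not look like a
    hostname is discarded rather than turned into an artifact.
    """
    seen = set()
    names = []
    for line in attachment_to_text(data).splitlines():
        value = line.strip().rstrip(".").lower()
        if not value or value.startswith("#"):
            continue
        if len(value) > _MAX_HOSTNAME_LEN or not _HOSTNAME_RE.match(value):
            continue
        if value in seen:
            continue
        seen.add(value)
        names.append(value)
    return names


def build_dns_artifacts(data, description="Imported from attachment"):
    """Build one artifact body per hostname.

    The keys 'type', 'value' and 'description' are an assumption about the
    SOAR REST artifact object; adjust them if your API version differs.
    """
    return [
        {"type": "DNS Name", "value": name, "description": description}
        for name in extract_dns_names(data)
    ]


if __name__ == "__main__":
    for artifact in build_dns_artifacts(SAMPLE_ATTACHMENT):
        print(artifact)
```

In a function or script on the platform you would replace SAMPLE_ATTACHMENT with the bytes returned by get_file_attachment() and post each body to the incident's artifacts endpoint with your REST client; the exact URI and client call are not shown here because they depend on your platform version.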