IBM Security QRadar SOAR

  • 1.  How to read attachment in Resilient function ?

    Posted Fri January 13, 2023 09:37 AM
    I have the incident and attachment IDs as inputs to a function. How can I get the attachment file itself and parse its content?

    I know about resilient_lib.get_file_attachment, but my understanding is that this is for external scripts hitting the Resilient API.

    ------------------------------
    Irek Romaniuk
    ------------------------------


  • 2.  RE: How to read attachment in Resilient function ?

    Posted Mon November 27, 2023 11:55 AM

    Did you maybe manage to figure out how to do this? I'm looking for a way to parse an attached email.



    ------------------------------
    Maria Čapkovska
    ------------------------------



  • 3.  RE: How to read attachment in Resilient function ?

    Posted Thu January 11, 2024 02:23 PM

    Do you know how to get the attachment file itself and parse its content? I have the same requirement.



    ------------------------------
    Sheng Bo Feng
    ------------------------------



  • 4.  RE: How to read attachment in Resilient function ?

    Posted Thu January 11, 2024 02:23 PM

    Do you know how to get the attachment file itself in a SOAR script? I want to send it to a sandbox for analysis.



    ------------------------------
    Sheng Bo Feng
    ------------------------------



  • 5.  RE: How to read attachment in Resilient function ?

    Posted Fri January 12, 2024 02:58 AM

    I'm not sure if this is what you meant, but in my email parsing script I have this snippet:

    This adds the attachments from an email to the attachments tab in the incident, and then you can make a playbook with either automatic or manual activation from an attachment. I haven't tried sending an attachment to a sandbox yet, but it does work with getting attachment hashes.



    ------------------------------
    Maria Czapkowska
    ------------------------------