Optional, unless the file_name is not provided Phantom.vault_delete(vault_id=None, file_name=None, container_id=None, remove_all=False, trace=False) The following is an example code snippet that can be used to add a file to the vault from the playbook: When set to True, more detailed output is displayed in debug output. If trace is on (True), more logging is enabled. Trace is a flag related to the level of logging. For example, the metadata= syntax tells the system the file is a Windows PE file, which enables actions such as "detonate file". Currently the only user-supplied attribute that is used is "contains", which specifies what kind of information is available. This parameter shows up as the file name in the container's vault files list. Write this file to /opt/phantom/vault/tmp/ directory before calling this API.Ī custom file name. This parameter is the location of the file on the file system. If no container is provided, the currently running container is used. This parameter can either be a numerical ID or a container object. Phantom.vault_add(container=None, file_location=None, file_name=None, metadata=None, trace=False) The vault_add API is supported from within a custom function. This API returns a success flag, any response message, and the vault ID of the vault file. Use the vault_add API to attach a file to a container by adding it to the vault. For details on custom code, see Add custom code to your playbook with the code block in the Build Playbooks with the Playbook Editor manual. Within the custom code, you can use the APIs described in this article. To access the vault through the visual playbook editor, use custom code. In a warm standby situation, the vault directory is synced from the primary instance to the warm backup through Rsync, unless you specify the -ignore-vault option when configuring warm standby. When a container is deleted, all container attachments are removed and all vault files associated with the attachments are deleted from your PHANTOM_HOME/vault/ directory. Vault files are duplicated to all SOAR instances in a clustered environment. The vault uses a sha1 hash for the file name on the filesystem. Vault files are stored on your drive under PHANTOM_HOME/vault/. Size is limited only by your filesystem larger files have longer upload times. The vault accepts files of all types and sizes. Users can access the vault using the vault playbook API, described here, or by directly uploading attachments to a container. Use the vault to store container attachments, also known as artifacts. The APIs in this article are supported to leverage the capabilities of vault automation using playbooks. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale responses to a security breach. The Automation API allows security operations teams to develop detailed and precise automation strategies.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |