File Utilities
Overview
File Utilities is a set of file actions used to power up playbook capabilities.
Actions
Add Attachment
Description
Adds an attachment to the case wall.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | Specify the name of the attachment that will be visible in the case wall. |
| IsFavorite | Checkbox | Unchecked | No | Specify whether you want the attachment to be marked as favorite in the case wall. |
| Base64 Blob | String | N/A | Yes | Specify the attachment's Base64 blob. Use “Get Files as Base64” action to get the Base 64 blob. |
| Type | String | N/A | Yes | Specify the extension of the file |
| Description | String | N/A | Yes | Specify description of the file. |
Example
In this scenario, a Base64 blob is derived from a previous action and then is attached to the case wall. Once added to the wall, it can then be used for further analysis. This action is used alongside the “Get File as Base64” action, which generates the Base64 string of a file.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| Name | Malicious_EML |
| IsFavorite | Checked |
| Base64 Blob | [FileUtilities_Get Files as Base64_1.JsonResult | "data.base64"] |
| Type | [FileUtilities_Get Files as Base64_1.JsonResult | "data.extension" |
| Description | Malicious EML file from end user. |
Action Results
-
Script Result
Script Result Name Value options Example is_success True/False is_success:True -
JSON Result
{ "evidenceName" : "Malicious_EML", "description " : "Malicious EML file from end user.", "evidenceThumbnailBase64" : "", "evidenceId" : 322, "fileType" : ".eml", "creatorUserId" : "Siemplify automation", "id " : 322, "type" : 4, "caseId" : 51187, "isFavorite" : true, "modificationTimeUnixTimeInMs" : 1664206699128, "creationTimeUnixTimeInMs" : 1664206699128, "alertIdentifier" : null }
Add Entity to File
Description
Adds an identifier of a target entity to a local file. It will only add one occurrence of the entity to the file and will return False if the entity already exists.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| Filename | String | N/A | Yes | Specify the name of the file to write entities to. File will be stored in /tmp/ directory. |
Example
In this scenario, suspicious hostname entity identifiers are added to a file called iocs_list.txt in /mnt/fileshare/ directory.
Action Configurations
| Parameter | Value |
| Entities | Suspicious hostnames |
| Filename | /mnt/fileshare/ocs_list.txt |
Action Results
-
Script Result
Script Result Name Value options Example AddedAllEntities True/False True
Count Files
Description
Counts number of files in a given folder path according to a specific file extension.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| File Extension | String | *.txt | No | Specify the file extension to count by. |
| Folder | String | N/A | Yes | Specify the folder path which you would like to count the files. |
| Is Recursive | Checkbox | Unchecked | No | If enabled, this will recursively count all files in the directory. |
Example
In this scenario, all files with .txt in /mnt/fileshare directory are counted.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| File Extension | *.txt |
| Folder | /mnt/fileshare/ |
| Is Recursive | Checked |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult Count Value 10
Create Archive
Description
Creates an archive file from a list of provided files or directory. Returns the location of the archive file.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| Archive Type | String | N/A | Yes | Specify the type of archive to create. Supports: zip, tar, gztar, bztar, xtar. |
| Archive Base Name | String | N/A | Yes | Specify the name of the archive file that will be created without extension. |
| Archive Input | String | Unchecked | Yes | If enabled, this will recursively count all files in the directory. |
Example
In this scenario, an archive zip file called archived_ioc_files is created containing multiple files in the /mnt/fileshares directory.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| Archive Type | zip |
| Archive Base Name | archived_ioc_files |
| Archive Input | /mnt/fileshares/ioc_list1,/mnt/fileshares/ioc_list2, /mnt/fileshares/ioc_list3 |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult True/False true -
JSON Result
{ "archive" : "/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives/archived_ioc_files.zip", "success" : true }
Decode Base64
Description
Decodes Base64 input string and returns a json object with the content.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| Base64 Input | String | N/A | Yes | Specify the Base64 input string you would like to decode. |
| Encoding | Dropdown | UTF-8 | Yes | Specify the encoding format. UTF-8 or ASCII. |
Example
In this scenario, a Base64 blob of a file is converted using UTF-8 to its original content.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| Base64 Input | (2FtcGxIIGZpbGUgY29udGFpbmluZyBzYW1qbGUgZGFOYQ== |
| Encoding | UTF-8 |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult True/False true -
JSON Result
{ "decoded_content" : "<file content>" }
Extract Archive
Description
Extracts an archive file to a directory.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| Archive | String | N/A | Yes | Specify the path of the archive to be extracted. Supports: zip, tar, gztar, bztar, xtar. Destination path is: /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract |
Example
In this scenario, files in ioc_lists.zip are extracted and saved in the /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract directory.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| Archive | /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract/ioc_lists |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult True/False true -
JSON Result
{"archives" : {0 : "success" : true, "archive" : "ioc_lists.tar", "folder" : "/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract/ioc_lists", "files_with_path" :{ 0 : "/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract/testarchive/Archives/ioc_lists.tar", 1 : "/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract/ioc_lists/Archives/file1" }, "files_list" : { 0 : "ioc_lists.tar", 1 : "file1", 2 : "file2" }, "files" :{ "name" : "ioc_lists", "type" : "directory", "children" : { 0 :{ "name" : "ioc_lists.tar", "type" : "file" }, 1 : { "name" : "file1", "type" : "file" }, 2 : { "name" : "file2", "type" : "file" } } } }
Extract Zip Files
Description
Extract files from a ZIP archive. It has the ability to extract password protected files by either a supplied password or brute force. It uses the attachment_id attribute of a file entity to pull the file from the case wall and extract it.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| Include Data in JSON Result | Checkbox | Unchecked | No | Specify whether you want to include the extracted data as Base64 values in the json result. |
| Create Entities | Checkbox | Checked | No | Specify whether you want to create entities out of the extracted files. |
| Zip File Password | String | N/A | No | Specify the password of the zip file if it’s password protected. |
| Bruteforce Password | Checkbox | Unchecked | No | Specify whether you want to brute force the password protected zip file. |
| Add to Case Wall | Checkbox | Checked | No | Specify whether you want to add the extracted files to the case wall. |
| Zip Password List Delimiter | String | , | Yes | Specify the delimiter to use if multiple passwords are provided in the “Zip File Password” parameter. |
Example
In this scenario, a password protected zip file entity is extracted and the resulting files are added to the case wall along with file entity creation.
Action Configurations
| Parameter | Value |
| Include Data in JSON Result | Checked |
| Create Entities | Checked |
| Zip File Password | Password1 |
| Bruteforce Password | Unchecked |
| Add to Case Wall | Checked |
| Zip Password List Delimiter | , |
Action Results
-
Script Result
Script Result Name Value options Example zip_files_extracted True/False true
Get Attachment
Description
Retrieves an attachment from the case wall and returns its Base64 value.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| Attachment Scope | Dropdown | Alert | Yes | Specify the type of the attachment that needs to be retrieved. Options are: Case or Alert |
Example
In this scenario, an attachment is pulled from the case wall and is converted to a Base64 blob.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| Attachment Scope | Alert |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult Number of Attachments 1 -
JSON Result
{ "evidenceName": "myfile.txt", "description": "sample descriptions", "evidenceThumbnailBase64": "", "evidenceId": 475, "fileType": ".txt", "creatorUserId": "Siemplify automation", "id": 475, "type": 4, "caseId": 51209, "isFavorite": false, "modificationTimeUnixTimeInMs": 1664222678523, "creationTimeUnixTimeInMs": 1664222678523, "alertIdentifier": "COFENSE TRIAGE: INBOX REPORTCBEdfghB-B9E2-4A04fghAB-136A6fdghF0C6", "base64_blob": "dGhpcyBpcyB0ZXN0aW5nIHNhhdfhfpbmRlIHdpbmRvd3Mgc2hhcmdfghdfgUgddfghXNpbmcgc2llbXBsdfghaWZ5IGFndfghdfghdfghZW50" }
Get Files as Base64
Description
Converts files in a directory to Base64 values.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| File Paths | String | N/A | Yes | Specify the file path(s) where the files are stored. Use comma delimiter if multiple paths are specified. |
Example
In this scenario, a file called iocs_list.txt in /mnt/sharefiles directory is converted to a Base64 blob. This action is often used along with “Add Attachment” action, which takes the Base64 blob as an input and adds the file to the case wall.
Action Configurations
| Parameter | Value |
| Entities | All entities |
| File Paths | /mnt/sharefiles/iocs_list.txt |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult Number of Attachments 1 -
JSON Result
{ "Filenames" : { 0 : "/opt/siemplify/siemplify_server/Scripting/Phishing_.eml", 1 : "/opt/siemplify/siemplify_server/Scripting/Logo.png" }, "data" : { 0 : { "path" : "/opt/siemplify/siemplify_server/Scripting", "filename" : "Phishing_.eml", "extension" : ".eml", "base64" : "asdfagdfgergert34523523452345dfg" } } }
Remove Entity from File
Description
Removes the identifier of a target entity from a local file. It will return False if it fails to remove all entities or if an entity doesn't exist.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| File Name | String | N/A | Yes | Specify the name of the file to remove entities from. |
Example
In this scenario, internal hostname entity identifiers are removed from ioc_list.txt that is located in /tmp directory.
Action Configurations
| Parameter | Value |
| Entities | Internal hostnames |
| Filename | ioc_list |
Action Results
-
Script Result
Script Result Name Value options Example RemovedAllEntities True/False True
Save Base64 to File
Description
Converts a Base64 string to a file. It supports comma separated lists for Filename and Base64 Input.
Default file path: /opt/siemplify/siemplify_server/Scripting/downloads/FILE_NAME
Default file path using an agent: /opt/SiemplifyAgent/downloads/FILE_NAME
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| File Extension | String | N/A | No | Specify the file extension to add to the filename. |
| Base64 Input | String | N/A | Yes | Specify the Base64 string that will be converted to a file. Supports comma separation. |
| Filename | String | N/A | Yes | Specify the name of the file that will be created based on the Base64 string. |
Example
In this scenario, if the action is run on a Remote agent, a Base64 input string is saved to a ioc_list text file located in the /opt/SiemplifyAgent/downloads directory.
Action Configurations
| Parameter | Value |
| Entities | Internal hostnames |
| File Extension | txt |
| Base64 Input | c2FtcGxIIGZpbGUgY29udGFpbsdfgsdfgmluZyBzYW1wbGUgZGF
OYQ== |
| Filename | ioc_list |
Action Results
-
Script Result
Script Result Name Value options Example ScriptResult True/False true -
JSON Result
{ "files": [ {"file_name": "ioc_list", "file_path": "/opt/SiemplifyAgent/downloads/ioc_list.txt", "extension": ".txt"}] }