
We’re planning some file enrichment / manipulation in a SOAR playbook and it looks like we can “get the file on the SOAR case wall.” Where is this file actually?

Example - using the Gmail integration and able to put eml file on wall.

Context is what if the file is malicious - what’s in the immediate environs of the file - i.e. what’s the blast radius?

Please reference this community post for more info:
What is file path on Chronicle SOAR, for files are downloaded from external services?


@kentphelps thanks - that post doesn't have a satisfactory answer either.


The context of my questions is two-fold: for access and for security

Access: having files on the wall is great and playbooks can access them

Security: I need to know what the blast radius is for bad files on the wall. And encbase64 does not protect from the risk.


Sorry - I was focusing on access.  In terms of security - by storing the file encoded as a base64 object as part of the case object itself does provide a level of security.  There can be no direct execution of the file and the file’s contents are isolated from the underlying infrastructure so no interaction with the server or any agents.

There are actions in the playbook that can extract the file’s hash and then use the integration with Google Threat Intel to get a reputation check on the file.  There are details on these actions available here.


Hi @kentphelps

I couldn’t find a way to DM you


Can you contact Jeff Welch, our account lead and ask him to relay this info about "file's contents are isolated from the underlying infrastructure"


base64enc content absolutely can run on a webpage
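As an added illustration (not code from this thread, nor from Chronicle SOAR or its Gmail integration), the following Python shows the two points the replies above turn on: base64 is a reversible encoding, so decoding the wall object restores the file bytes exactly (it is not a sandbox), while the hash a playbook would hand to a reputation lookup can be computed in memory without the bytes ever touching disk. The sample message, the string-based wall representation and the function names are assumptions made for the example.

```python
import base64
import hashlib
import html
import re

# Constructed sample: an .eml-style message whose HTML body carries a script tag.
# This is illustrative data for the example, not a real message from the thread.
SAMPLE_EML = b"""From: sender@example.invalid
To: soc@example.invalid
Subject: invoice
Content-Type: text/html

<html><body>Invoice attached<script>alert('ran')</script></body></html>
"""

# Constructed benign counterpart with no active content.
BENIGN_EML = b"""From: sender@example.invalid
To: soc@example.invalid
Subject: hello
Content-Type: text/plain

just text, nothing else
"""

# Markers that turn a rendered HTML string into executable content in a browser.
ACTIVE_CONTENT = re.compile(rb"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def wall_encode(raw: bytes) -> str:
    """Assumed wall representation: the raw file bytes stored as a base64 string."""
    return base64.b64encode(raw).decode("ascii")


def wall_decode(b64: str) -> bytes:
    """Reverse of wall_encode; strict validation rejects non-base64 input."""
    return base64.b64decode(b64, validate=True)


def sha256_of_bytes(raw: bytes) -> str:
    """Hash of the real file bytes, the value a reputation service expects."""
    return hashlib.sha256(raw).hexdigest()


def sha256_of_wall_file(b64: str) -> str:
    """Hash computed from the wall object, decoding in memory only (no temp file)."""
    return sha256_of_bytes(wall_decode(b64))


def assess_wall_file(b64: str) -> dict:
    """Decode the wall object and report what a playbook step would want to know.

    'round_trips' shows the encoding is lossless: the attacker's bytes come back
    unchanged, so base64 on its own provides no isolation. 'has_active_content'
    flags HTML/JS markers that would execute if the decoded bytes were ever
    injected into a page as markup rather than shown as text.
    """
    raw = wall_decode(b64)
    return {
        "size": len(raw),
        "sha256": sha256_of_bytes(raw),
        "round_trips": wall_encode(raw) == b64,
        "has_active_content": bool(ACTIVE_CONTENT.search(raw)),
    }


def safe_display_text(raw: bytes) -> str:
    """Render file content as inert text: every '<', '>' and '&' is escaped, so a
    browser shows the script tag instead of running it."""
    return html.escape(raw.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    wall_obj = wall_encode(SAMPLE_EML)
    report = assess_wall_file(wall_obj)
    print(f"sha256 for reputation lookup: {report['sha256']}")
    print(f"active content present: {report['has_active_content']}")
    print(safe_display_text(wall_decode(wall_obj)))
```

The useful contrast is between `assess_wall_file`, which shows the decoded bytes are byte-for-byte the original, and `safe_display_text`, which is the kind of escaping any UI rendering wall content must apply; whether a given SOAR case wall does that is a question for the vendor, not something this example can answer.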

