Make REST API calls to Splunk SOAR instances with Splunk App for SOAR
With Splunk App for SOAR, you can now make REST API calls to Splunk SOAR instances. You can make REST API calls to any Splunk SOAR instances listed on the SOAR Server Configuration page. To see what servers are available for REST API calls, select the Configurations tab.
When making REST API calls with Splunk App for SOAR, optimize your searches so that they keep performance high.
restsoar
Use the restsoar generating command to retrieve information from a Splunk SOAR instance. Because this command is a generating command, you must issue it first when you run an SPL search.
This command requires the endpoint and soar_server parameters:
endpoint: The endpoint of the Splunk SOAR environment (e.g., /container/).
soar_server: The name of the Splunk SOAR environment, as configured in Splunk App for SOAR (e.g., "soar-1").
Examples
This command retrieves information about "container 2" from a Splunk SOAR environment named "soar-1":
|restsoar endpoint=/container/2 soar_server="soar-1"
This command retrieves an audit trail for "container 2" from a Splunk SOAR environment named "soar-1":
|restsoar endpoint=/container/2/audit soar_server="soar-1"
restsoarstream
Use the restsoarstream eventing command to manipulate the data in a Splunk SOAR instance. Because this command is an eventing command, it enriches events with more information and can be used within a search pipeline. The endpoint parameter is a field name instead of a string, which allows you to issue multiple requests to a Splunk SOAR API within a single command.
This command requires the endpoint and soar_server parameters:
endpoint: The endpoint of the Splunk SOAR environment (e.g., /container/).
soar_server: The name of the Splunk SOAR environment, as configured in Splunk App for SOAR (e.g., "soar-1").
Example
This example demonstrates how to fetch information from containers with IDs 1–10 from a Splunk SOAR environment named "soar-1":
|makeresults count=10 |streamstats count |rename count as id |eval endpoint = "/container/".id."/phases" |restsoarstream endpoint=endpoint soar_server="soar-1" |mvexpand soar_response |eval soar_response=replace(soar_response,"'","\"") | spath input=soar_response
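The pipeline above converts soar_response to JSON for spath by replacing every single quote with a double quote, which corrupts any value that itself contains an apostrophe (a phase named "Analyst's notes", for example). The following Python helper is an added example, not code from the app or from Splunk; it assumes soar_response is a Python-literal-style (single-quoted) dict, as that replace step implies, and shows a conversion that tolerates embedded apostrophes without evaluating the response as code.

```python
import ast
import json

# Constructed sample of a soar_response value in the single-quoted form the
# SPL replace() step is written to handle. One value contains an apostrophe.
SAMPLE_RESPONSE = (
    "{'id': 2, 'name': 'Phase one', "
    "'description': \"Analyst's notes\", 'container': 2}"
)


def naive_convert(soar_response: str) -> str:
    """Mirror the SPL step: replace every ' with " before parsing."""
    return soar_response.replace("'", '"')


def naive_parses(soar_response: str) -> bool:
    """True if the naive replacement still yields valid JSON."""
    try:
        json.loads(naive_convert(soar_response))
        return True
    except json.JSONDecodeError:
        return False


def safe_parse(soar_response: str) -> dict:
    """Parse the response without string surgery.

    Accept real JSON first; otherwise parse it as a Python literal with
    ast.literal_eval, which only evaluates literals (dicts, lists, strings,
    numbers, booleans, None), so response text from the SOAR server can
    never run code in the parser. Anything else is rejected.
    """
    try:
        value = json.loads(soar_response)
    except json.JSONDecodeError:
        value = ast.literal_eval(soar_response)
    if not isinstance(value, dict):
        raise ValueError("soar_response is not an object")
    return value


def safe_convert(soar_response: str) -> str:
    """JSON text that spath-style tools can consume, quoting preserved."""
    return json.dumps(safe_parse(soar_response))
```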
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57, 1.0.67