Splunk® App for SOAR

Use Splunk App for SOAR

Make REST API calls to Splunk SOAR instances with Splunk App for SOAR

With Splunk App for SOAR, you can now make REST API calls to Splunk SOAR instances. You can make REST API calls to any Splunk SOAR instances listed on the SOAR Server Configuration page. To see what servers are available for REST API calls, select the Configurations tab.

When making REST API calls through Splunk App for SOAR, optimize your searches so that they issue as few requests as possible; every event that reaches restsoarstream becomes a separate call to the SOAR instance, so filter and limit results before the command rather than after it.

restsoar

Use the restsoar generating command to retrieve information from a Splunk SOAR instance. Because restsoar is a generating command, it must be the first command in an SPL search.

This command requires endpoint and soar_server parameters:

  • endpoint: The endpoint of the Splunk SOAR environment (e.g., /container/).
  • soar_server: The name of the Splunk SOAR environment, as configured in Splunk App for SOAR (e.g., "soar-1").

Examples

This command retrieves information about "container 2" from a Splunk SOAR environment named "soar-1":


|restsoar endpoint=/container/2 soar_server="soar-1"

This command retrieves an audit trail for "container 2" from a Splunk SOAR environment named "soar-1":


|restsoar endpoint=/container/2/audit soar_server="soar-1"

restsoarstream

Use the restsoarstream eventing command to manipulate the data in a Splunk SOAR instance. Because it is an eventing command, restsoarstream enriches each incoming event with the response from the SOAR instance and can be used anywhere in a search pipeline. Its endpoint parameter takes a field name instead of a string, so a single command can issue one request per event, each to a different Splunk SOAR API endpoint.

This command requires endpoint and soar_server parameters:

  • endpoint: The endpoint of the Splunk SOAR environment (e.g., /container/).
  • soar_server: The name of the Splunk SOAR environment, as configured in Splunk App for SOAR (e.g., "soar-1").

Example

This example demonstrates how to fetch information from containers with IDs 1–10 from a Splunk SOAR environment named "soar-1":


|makeresults count=10
|streamstats count
|rename count as id
|eval endpoint = "/container/".id."/phases"
|restsoarstream endpoint=endpoint soar_server="soar-1"
|mvexpand soar_response
|eval soar_response=replace(soar_response,"'","\"") | spath input=soar_response
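The following search is an added example, not part of this documentation, that combines both commands to review the audit trail of selected containers while keeping the number of REST calls small: it lists containers once with restsoar, filters them in SPL, and only then calls restsoarstream once per remaining container. It assumes that restsoar also returns its result in a soar_response field, that the container list response carries the records in a data array whose objects have id and severity keys, and that "high" is a configured severity value on the instance; adjust these names to match your environment.

```spl
| restsoar endpoint=/container/ soar_server="soar-1"
| eval soar_response=replace(soar_response,"'","\"")
| spath input=soar_response path=data{} output=container
| mvexpand container
| spath input=container path=id output=id
| spath input=container path=severity output=severity
| where severity="high"
| head 50
| eval endpoint="/container/".id."/audit"
| restsoarstream endpoint=endpoint soar_server="soar-1"
| mvexpand soar_response
| eval soar_response=replace(soar_response,"'","\"")
| spath input=soar_response
| table id soar_response
```

The `where` and `head` commands sit before restsoarstream on purpose: they bound the number of audit requests sent to the SOAR instance, which is the optimization the note at the top of this topic asks for.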

Last modified on 11 May, 2023

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57, 1.0.67
