Python Playbook API Reference for Splunk SOAR (On-premises)

Splunk® SOAR (On-premises)
5.5.0
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Session automation API

The Splunk SOAR (On-premises) Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale responses to a security breach. The following APIs are supported to leverage the capabilities of session automation using playbooks.

build_phantom_rest_url

Use the build_phantom_rest_url API to combine the Splunk SOAR (On-premises) base URL and the specific resource path, such as /rest/artifact.

The build_phantom_rest_url API is supported from within a custom function.

phantom.build_phantom_rest_url()

This sample uses the phantom.build_phantom_rest_url API.

get_base_url

Use the get_base_url API to retrieve the URL that points to your Splunk SOAR (On-premises) instance.

The get_base_url API is supported from within a custom function.

phantom.get_base_url()

This sample uses the phantom.get_base_url() API.

get_phantom_home

Use the get_phantom_home API to return the path to the Splunk SOAR (On-premises) home directory.

The get_phantom_home API is supported from within a custom function.

phantom.get_phantom_home()

The following examples show the return values for the get_phantom_home API:

Thu Jan 03 2019 16:36:31 GMT-0800 (Pacific Standard Time): /home/username/directory_name

get_rest_base_url

Use the get_rest_base_url API to return the base URL to the REST API of your Splunk SOAR (On-premises) instance. This API works on all Splunk SOAR (On-premises) instances, regardless of installation type or the base URL found in Company Settings.

The get_rest_base_url API is supported from within a custom function.

phantom.get_rest_base_url()

The following examples show the return values for the get_rest_base_url API, showing the custom HTTPS port:

Thu Jan 03 2019 16:36:31 GMT-0800 (Pacific Standard Time): https://127.0.0.1:8443/rest/

requests

Use the requests API to interact with the Splunk SOAR (On-premises) platform through the REST API. By using phantom.requests instead of directly importing requests from site packages, you avoid the need to set the Splunk SOAR (On-premises) request headers by hand, meaning that you don't need to authenticate with the platform. For more information on how to use the requests package, see https://pypi.org/project/requests.

The requests API is supported from within a custom function.

phantom.requests

This sample uses the phantom.requests() API.
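
An added example, not part of the Splunk documentation: helpers that build a REST URL from phantom.get_rest_base_url() and fetch it with phantom.requests, percent-encoding each path segment so that a value taken from event data cannot add path steps or a query string. The names rest_url and get_json are hypothetical, the phantom argument is assumed to be the module a playbook imports with `import phantom.rules as phantom`, and the stand-in classes at the bottom are constructed so the file also runs outside SOAR.

```python
from urllib.parse import quote


def rest_url(phantom, *segments):
    """Join path segments onto phantom.get_rest_base_url().

    Each segment is percent-encoded, so a value taken from event data
    (an artifact field, a container name) cannot add path steps or a query.
    """
    encoded = []
    for segment in segments:
        text = str(segment)
        if text in ("", ".", ".."):
            raise ValueError(f"refusing path segment {text!r}")
        encoded.append(quote(text, safe=""))
    return phantom.get_rest_base_url().rstrip("/") + "/" + "/".join(encoded)


def get_json(phantom, *segments, verify=True):
    """GET a REST resource through phantom.requests and return parsed JSON.

    verify is passed through as in the requests package: True, or the path
    to a CA bundle when the instance certificate comes from a private CA.
    """
    response = phantom.requests.get(rest_url(phantom, *segments), verify=verify)
    response.raise_for_status()
    return response.json()


if __name__ == "__main__":
    # Constructed stand-ins for the phantom module (assumption: not Splunk code).
    class _Response:
        def raise_for_status(self): pass
        def json(self): return {"id": 42}

    class _Requests:
        def get(self, url, verify=True):
            print("GET", url)
            return _Response()

    class _Phantom:
        requests = _Requests()
        def get_rest_base_url(self): return "https://127.0.0.1:8443/rest/"

    print(get_json(_Phantom(), "artifact", 42))
```

Inside a playbook or custom function, pass the imported phantom module as the first argument.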

set_action_limit

Use set_action_limit in your playbook's on_start() block to set the maximum number of action calls that can be executed. The default is 50 action calls per container per Playbook. Each phantom.act() call can still result in multiple actions performed, resulting in more actions than this setting.

set_action_limit is not supported from within a custom function.

phantom.set_action_limit(limit)
Last modified on 12 August, 2024
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2

