Skip to main content
Splunk® SOAR (On-premises)

REST API Reference for Splunk SOAR (On-premises)

Splunk® SOAR (On-premises)
6.0.0
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

REST Containers

Create, modify, and manage containers using the following rest endpoints.

/rest/container

Manage containers and their associated authorized users, pin templates, comments, attachments, and options.

Syntax

https://<username>:<password>@<host>/rest/container

POST

Expand

Create a container.

POST

Expand

Update existing containers and revise the associated authorized user list.

/rest/container optional query parameters

Query all containers for authorized users with the addition of a query parameter.

/rest/container?_annotation_authorized_users

The Container LIST API will also display the authorized field when the annotation is provided.

Syntax

https://<username>:<password>@<host>/rest/container?_annotation_authorized_users

GET

Expand

Get the authorized users.

/rest/container/<container_id>

Update an existing container.

Syntax

https://<username>:<password>@<host>/rest/container/<container_id>

POST

Expand

Update an existing container that is assigned to a user and assign a role instead.

POST

Expand

Update an existing container and assign authorized users.

/rest/container/<container_id> optional query parameters

Query a container ID for authorized users.

/rest/container/<container_id>?_annotation_authorized_users

The container API has a query parameter that returns the authorized user field associated with the container.

Syntax

https://<username>:<password>@<host>/rest/container/<container_id>?_annotation_authorized_users

Usage details


GET

Collapse

Retrieve a list of non-administrator users who have sufficient permissions to view a container.

Example request
Returns the authorized user field associated with container ID 51.

curl -k -u soar_local_admin:password https://localhost/rest/container/51?_annotation_authorized_users -G -X GET

Example response
If there are no users associated with a container authorized user list, then an empty list is returned. If the calling user is an administrator or on the authorized user list, then this field is a list of user IDs.

{
   ...
    "authorized_users": [
      3,
      4
    ],
}

/rest/container/<container_id>/permitted_users

Query for authorized user candidates.

Syntax

https://<username>:<password>@<host>/rest/container/<container_id>/permitted_users

Usage details
This is used to show a list of candidates who can be granted authorized user access to a container using the authorized_users parameter.

GET

Collapse

Retrieve a list of non-administrator users who have sufficient permissions to view a container.

Example request
Retrieve a list of non-administrator users who have sufficient permissions to view a container.

curl -k -u soar_local_admin:password https://localhost/rest/container/<container_id>/permitted_users -G -X GET

Example response
The result is a JSON object.

{
	"users": [{
			"username": "hansel",
			"first_name": "hansel",
			"last_name": "breadcrumbs",
			"display_name": "hansel breadcrumbs",
			"type": "normal",
			"id": 3
		},
		{
			"username": "gretel",
			"first_name": "gretel",
			"last_name": "breadcrumbs",
			"display_name": "gretel breadcrumbs",
			"type": "normal",
			"id": 4
		}
	]
}

/rest/container_pin_settings

Create a pin template.

Syntax

https://<username>:<password>@<host>/rest/container_pin_settings

Usage details
Pins are also called Heads Up Display (HUD) cards. These cards are displayed in Investigation. HUD cards are used to help analysts or other users easily track important information at a glance.

A new end point has been added to set a pin/HUD card that will be automatically created when a container matching the set label is created. Setting the label to null makes the pin/HUD card apply to all containers.

POST

Expand

Create a template pin/HUD card.


/rest/container_pin

Add a Pin to a container.

Syntax

https://<username>:<password>@<host>/rest/container_pin

Usage details
Pins are also called Heads Up Display (HUD) cards. These cards are displayed in Investigation. HUD cards are used to help analysts or other users easily track important information at a glance.

POST

Expand

Pin data to the HUD tab in Investigation.

/rest/container_comment

Add a comment to a container.

Syntax

https://<username>:<password>@<host>/rest/container_comment

Usage details
The user adding the comment must have Edit permissions to the container.

POST

Expand

Add a comment to a container.

/rest/container_attachment

Attach a file to a container.

Syntax

https://<username>:<password>@<host>/rest/container_attachment

Usage details
The user adding the attachment must have Edit permissions to the container.

POST

Expand

Add an attachment to a container.

/rest/container_options

Get container options.

Syntax

https://<username>:<password>@<host>/rest/container_options

Usage details
You need the "Container View" permission to get this list.

GET

Collapse

Get a list of options for containers.

Example request
Retrieve a list of non-administrator users who have sufficient permissions to view a container.

curl -k -u soar_local_admin:changeme https://localhost/rest/container_options -G -X GET

Example response
The result is a JSON object.

{
	"status": [{
			"is_default": true,
			"name": "new",
			"status_type": "new",
			"order": 0
		},
		{
			"is_default": false,
			"name": "ripe",
			"status_type": "new",
			"order": 1
		},
		{
			"is_default": true,
			"name": "open",
			"status_type": "open",
			"order": 0
		},
		{
			"is_default": true,
			"name": "closed",
			"status_type": "resolved",
			"order": 0
		}
	],
	"severity": [{
			"color": "red",
			"is_default": false,
			"name": "high",
			"order": 0
		},
		{
			"color": "yellow",
			"is_default": true,
			"name": "medium",
			"order": 1
		},
		{
			"color": "green",
			"is_default": false,
			"name": "low",
			"order": 2
		}
	],
	"tags": [
		"tag4",
		"tag5",
		"tag1",
		"tag2",
		"tags",
		"auto add tag test",
		"tag3",
		"test123qa2",
		"test123qa"
	],
	"sensitivity": [
		[
			"red",
			"TLP:Red"
		],
		[
			"amber",
			"TLP:Amber"
		],
		[
			"green",
			"TLP:Green"
		],
		[
			"white",
			"TLP:White"
		]
	],
	"label": [
		"events"
	],
	"severity_colors": [
		[
			"red",
			"Red"
		],
		[
			"orange",
			"Orange"
		],
		[
			"yellow",
			"Yellow"
		],
		[
			"green",
			"Green"
		],
		[
			"light_blue",
			"Light Blue"
		],
		[
			"blue",
			"Blue"
		],
		[
			"purple",
			"Purple"
		],
		[
			"pink",
			"Pink"
		],
		[
			"light_grey",
			"Light Grey"
		],
		[
			"dark_grey",
			"Dark Grey"
		]
	]
}

/rest/container/<container_id>/approvals

Get a list of container approvals.

Syntax

https://<username>:<password>@<host>/rest/container/<container_id>/approvals

GET

Collapse

Get a list of container approvals.

Example request

curl -k -u soar_local_admin:changeme https://localhost/rest/container/<container_id>/approvals -G -X GET

Example response

{
    "count": 1,
    "data": [
        {
            "id": 1,
            "_pretty_action_run": "user initiated post ip action",
            "action_run": 1,
            "_pretty_asset": "abuseipdb",
            "asset": 16,
            "close_time": null,
            "display": true,
            "_pretty_due_time": "In 57 minutes",
            "due_time": "2020-08-14T02:06:22.543000Z",
            "_pretty_escalated_approval": "",
            "escalated_approval": null,
            "message": "pending-approval",
            "name": "approval for 'post ip' on asset 'abuseipdb'",
            "_pretty_owner": "soar_local_admin",
            "owner": 5,
            "owner_type": "Primary Asset Owner",
            "_pretty_parent": "",
            "parent": null,
            "playbook_run": null,
            "_pretty_start_time": "0 minutes ago",
            "start_time": "2020-08-14T01:09:01.556000Z",
            "status": "pending",
            "type": "asset",
            "version": 1,
            "jitc": {},
            "node_guid": "6e17377a-313e-4a96-8c2f-2a3e16f6ec45",
            "responses": [],
            "_pretty_container": 4,
            "_pretty_action_name": "post ip"
        }
    ],
    "pages": 1
}


For information on the container status API, see Status endpoints.

Last modified on 20 September, 2024
REST Cluster Nodes   REST Custom Function

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0


Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters