This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Investigation API reference
Access the Investigation framework in Splunk Enterprise Security. The Investigation framework is a mechanism for getting information about investigations or to create investigations. This API reference supports the following types of objects:
| Type | Object |
|---|---|
| Investigation | investigation |
| Investigation Event | investigation_event |
| Investigation Attachment | investigation_attachment |
| Investigation Artifacts | investigation_lead |
Usage details
Authentication and authorization
Following capabilities are required to access all the investigation information.
edit_timelinemanage_all_investigations
Otherwise, the default capabilities associated with the ess_analyst role can create and edit investigations.
Common return format
For success and error responses, the general format follows.
Success
The general response for successes, such as 200, follows:
{
"entry": [
{JSON object 1},
...
],
"paging": {
"offset": <number>,
"perPage": <number>,
"total": <number>
}
}
where each object in the entry array would be specified per endpoint.
Error
The general response for errors, such as 4xx/5xx, follows:
{
"messages": [
{
"type": "ERROR",
"text": "<error message>"
},
...
]
}
/services/storage/investigation/{object}
GET
Returns all information about the object type.
| GET Request | Type | Description | Required |
|---|---|---|---|
| object | string | Following are the possible objects for the GET request:
|
required |
| count | integer | An integer that limits the amount of entries returned. Non-positive numbers including 0 means all results. | optional |
| earliest | string | A string that can be parsed by /search/timeparser endpoint and filters entries that are created before that time. For rxample, -30h, 2019-07-08T10:14:02, 1562606228
|
optional |
| latest | string | A string that can be parsed by /search/timeparser endpoint and filters entries that are created before that time. For example, -30h, 2019-07-08T10:14:02, 1562606228
|
optional |
| output_mode | string | A string that defines the output format. The default value is xml. Available format options are xml and json. | optional |
Investigation Object Type (investigation object)
Supports parameters: count, earliest, latest, output_mode
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation?output_mode=json'
Example response
[{'id': '65a1d1d43024ad9c7108b820', 'class_name': 'investigation', 'title': 'asdf', 'version': 1, 'status': [{'name': 'New', 'time': 1705103828, 'id': 'investigation:1'}], 'description': '', 'comments': [], 'tags': [], 'collaborators': [{'name': 'admin', 'write': True}, {'name': 'admin2', 'write': True}, {'name': 'admin3', 'write': True}, {'name': 'ess_analyst', 'write': True}], 'mod_time': 1705108572, 'create_time': 1705103828, 'creator': 'admin'}]
Investigation Event Object Type (investigation_event object)
Supports parameters: investigation_id, class_name, count, earliest, latest, output_mode
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_event?output_mode=json'
Example response
[{"id": "65c57f60c0ae17b4850df830", "title": "API Demo", "start_time": 1562611260, "description": "demo data", "draft": false, "class_name": "note_event", "parent_class": "investigation", "parent_id": "65a1d1d43024ad9c7108b820", "parent_version": 1, "version": 1, "end_time": 0, "comments": [], "tags": [], "create_time": 1707442016, "creator": "admin"}, {"id": "65c57f6dc0ae17b4850df831", "title": "API Demo", "start_time": 1562611260, "description": "demo data", "draft": false, "class_name": "note_event", "parent_class": "investigation", "parent_id": "65a1d1d43024ad9c7108b820", "parent_version": 1, "version": 1, "end_time": 0, "comments": [], "tags": [], "create_time": 1707442029, "creator": "admin"}]
Investigation Attachment Object Type (investigation_attachment object)
Supports parameters: parent_id, parent_class, count, earliest, latest, output_mode
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_attachment?output_mode=json'
Example response
[{"creator": "admin", "class_name": "investigation_attachment", "parent_class": "note_event", "parent_id": "5d10defb7732fa64142bf521", "id": "5d10defc7732fa64142bf522", "name": "InvestigationOverview.png", "content_type": "image/png", "version": 1, "content_size": 1088762, "create_time": 1561386748, "parent_version": 1, "content_encoding": "base64"}, {"creator": "admin", "class_name": "investigation_attachment", "parent_class": "note_event", "parent_id": "5d0940867732fa68d96356e3", "id": "5d0940867732fa68d96356e4", "content_size": 1058626, "content_type": "image/png", "version": 1, "name": "Browser.png", "create_time": 1560887430, "parent_version": 1, "content_encoding": "base64"}]
Investigation Artifacts Object Type (investigation_lead object)
Supports parameters: parent_id, parent_class, count, earliest, latest, output_mode
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_lead?output_mode=json'
Example response
[{"tags": [], "schema": {"expanded_artifact": {"is_list": true, "label": "Auto-Expand", "type": "file"}, "artifact": {"is_list": false, "label": "file", "type": "file"}}, "parent_class": "investigation", "description": "local exploit stage", "title": "", "version": 1, "class_name": "investigation_lead", "comments": [], "origin_method": "manual", "parent_id": "5cdeb45b7732fa172e53ce41", "attributeModel": {"expanded_artifact": [], "artifact": "explorers.exe"}, "id": "5d093f397732fa68d96356e1", "parent_version": 1, "create_time": 1560887097, "origin_src": "", "origin_src_type": "", "creator": "admin"}, {"tags": [], "schema": {"expanded_artifact": {"is_list": true, "label": "Auto-Expand", "type": "asset"}, "artifact": {"is_list": false, "label": "asset", "type": "asset"}}, "parent_class": "investigation", "description": "", "origin_method": "manual", "version": 1, "class_name": "investigation_lead", "comments": [], "title": "", "parent_id": "5cdeb45b7732fa172e53ce41", "creator": "admin", "id": "5d093dfa7732fa07d92f6095", "parent_version": 1, "create_time": 1560886778, "origin_src": "", "origin_src_type": "", "attributeModel": {"expanded_artifact": [], "artifact": "127.0.1.452"}}]
POST
Creates an object of the given object type.
Request string
| POST Request | Type | Description | Required |
|---|---|---|---|
| object | string | Following are the possible objects for the POST request:
|
required |
| output_mode | string | A string that defines the output format. The default value is xml. Available format options are xml and json. | optional |
Each of the four object types have different data payloads.
Response
A success or failure message.
Investigation Object Type (investigation object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation?output_mode=json' --data '{"class_name":"investigation","version":1,"title":"Create Investigation","status":[{"name":"New","time":1562603519,"id":"investigation:1"}],"description":"API usage","comments":[],"tags":[],"collaborators":[],"mod_time":0}'
Example response
{"class_name": "investigation", "version": 1, "title": "Create Investigation", "status": [{"name": "New", "time": 1562603519, "id": "investigation:1"}], "description": "API usage", "comments": [], "tags": [], "collaborators": [{"name": "admin", "write": true}], "mod_time": 1707446584, "create_time": 1707446584, "creator": "admin", "id": "65c59138c0ae17b4850df833"}
Investigation Event Object Type (investigation_event object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_event?output_mode=json' --data '{"title":"API Demo","start_time":1562611260,"description":"demo data","draft":false,"class_name":"note_event","parent_class":"investigation","parent_id":"65c59138c0ae17b4850df833","parent_version":1,"version":1,"end_time":0,"comments":[],"tags":[]}'
Example response
{"title": "API Demo", "start_time": 1562611260, "description": "demo data", "draft": false, "class_name": "note_event", "parent_class": "investigation", "parent_id": "65c59138c0ae17b4850df833", "parent_version": 1, "version": 1, "end_time": 0, "comments": [], "tags": [], "create_time": 1707446955, "creator": "admin", "id": "65c592abc0ae17b4850df834"}
Investigation Attachment Object Type (investigation_attachment object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_attachment?output_mode=json' --data '{"content":"iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAALWElEQVR42uXZBbCV1RYH8IMdYwMqGCAWithgiwmiqKNgDSp2i90xCia2gGJgJ2ELJmGNYwu2CHZ353rvt2b2nXOPl/Fe9TmP976Zfc8595zz7b3W+sfa+1QiosW0PCr//jNmWh4CmKav/58Afvvtt3qvf/nllz81Ye19/rEAvv/++3jooYfimWeeiSeeeCKuvPLK6NOnT6OHzz/99NPx8ssvxw8//NCoOX/99decV9A//vhjjiYH4CZjxoyJ7bffPhZccMFo06ZNjnbt2sUmm2wS3bt3z9G1a9dYffXVo3Pnzjk6deqUY9VVV42VVlopFllkkfxeq1atomXLljkWXnjhWGuttWKjjTaK888/P+d544034uOPP65b+F+qAJjcc889scoqq8Q222wTo0ePjrfeeivHe++9lxO8++678eijj8Zdd90Vo0aNyio98sgj8fDDD+fze++9Nx588MG48cYb44YbbogBAwZEv3794pRTTonDDjssdt1110zAuuuum8FuuOGGscEGG8Shhx4aY8eOzQT+6QCefPLJWHrppeOggw6Kzz//vF5Gvvjiizj77LPj2muvzYAmTpwYI0eOjAsuuCAuu+yyunHOOefk/1999dX44IMP4sMPP4xPPvkkPv3003w0XnvttRwSJMCLLroo1lxzzazQiSeemElqCD5TDcBCP/roo9hqq62iW7du9Rb+7bffZkaPO+64eP755+P222+P0047LU4//fQYP358TJo0qW5hZbETJkyI6667LgYOHJhQMQR64YUX1j0fMmRIVsn3VUqCvL/EEkskzCTgp59+alwAymYyGPbFAqcXXnghF3/rrbcmtGT/3HPPTZg89thjMW7cuISPofxHHXVUErehC8QeeOCBhJ/MP/7443HHHXfkY8m2xAke//DLHLWQqjS0eFlefvnls5zlCxYsw6+//npcccUVcfPNN8cZZ5yRpf/yyy9/RzjfE/ygQYMaDED1XnrppSSsKn3zzTcJMYFffvnl+bpc4LvaaqtlpWrnqTQEn6uuuirxRy7L9fXXX2dgZ511Vtx2220JCZ8licr9/vvv50BunysTgUNDFzmW8YaURkXffPPNev878MAD6yW0wQBK1lZeeeXYZ5994ueff6734c8++yymTJkSTz31VBLrlltuiQMOOCB69uyZCgJy8LrbbrslBGVXhRq6qJaMl6SVQDwShfJeufr37x877LBDVmOqASDQ+uuvnwHI5tQuN99ss81innnmiWbNmkWlUskxwwwzJBHPO++8Ov2fWgB4glN4Iujlllsuh+f333//7zKtYgiN7KpeCF0pmYdHRJl77rnj4IMPTvmDOSRSCcGRN8pwwgknpKntvvvu+TjXXHPlWHTRReOII45IMr/44ovpHYyLHJfsqqLqITEzFPj0008f7du3j7XXXjtatGiRvsPU7r777qy4gXtk23w77bRTVjcDcFNYZySiP/XUU1Nprr766th///1jr732ykCQWGbA5s4774wdd9wx+vbtmxkxevXqlYokeJnffPPNY++99475558/1aYo2dChQ5OQXHmWWWbJz/ruHnvskYk56aSTYtiwYblg61IpSqWy1sRbllxyyXyU+AoFsZhNN900s0cRTGKCLl26ZB9jgsUXXzwzSn2+++67JLVSgoHv8gv4VFrVUkHft/hqE/IZiZhvvvnSA955551UMfesJrTnquj+zz77bFx//fWZqIsvvjiFhHszw4oFcdtLL700rV9pKZDmy8Swd80112Tm4V5Ps84662R2d9lll1hsscUyAIE35QI3MKluW7wGL7B1T/Br27Zt9k1HHnlkmiYB0Rmst956abYVJPKP++67L43C6+22266ORCCxwgorZBlxQUBklr4PHjw4+x+NV1Nb5o4dO2YvZMEuur/11lsnDzp06JCcwAHeQ1Z5DtklLmCtuhmA7CIH4hm9e/fOQGg5LLZu3TpvCncgpKS1C6x+/dVXX2VwdJusatZq5bg4MdFwb/eUMAtCeJUAH+sCF5d7SDLI4WZdBWRUZ4i4PgDzyELSwGXmmWfOgFi8sgpov/32S4JRlEJMEEQsmUJmGfYaRCdPnpyZqw3E3gCU5p133rjpppt+17CBDY9hlHjFPHFqyy23TA6AbUVEJtVN0m/PeYGsmGCLLbZIEiOtBYBMjx49clI30sgp8dtvv51ZVA0qpcfXFiy77LLZIm+88cZZ4XK5l0Qts8wyuUikBxffEQiZXHHFFVNiVUQCdbVkXNCM0j0qMsiiTz755MycKpCzsmXEgVlnnTUnUS2XXkWD5Yb+z2CWWmqpdEoNHnhsu+22KYECpuN8RsUIBdiqGKyDKWWiQjLN+IqyzTHHHLlYkHQfyQZJ/CitRgZAosgm0gjikksuqSOxjFKfmWaaKZo3bx577rlnajUTYvk+RwZHjBiR8KP7TM1zwaiiiUmeReqjwMsizEN28U0QqkgmJQNU7fhmm2225KULSqgSyJYEV4o76u/J1tFHH52YrSYmYlEi0gn/Mq60Nh2CLy237zAkW0oVVQVwg1ePnNv7DPDwww9Pgp555pnZO9l7CMxnvSfzGkFmVwKwcC1KdT9U1wuRMS5M15W++pIl78Gk0ikpDoDWnHPOmZNZLAyvscYauXgZUhmbGvtcVVQVWT/kkEOSI+6nGYRrleE/SE+BPJc4FS0BEBtJrO6T6jVzSil6xELa6kvU2gOkBhfm99xzz6VnLLTQQtnIqYrmjnrYyICY7xn4cfzxx9e9RnTEFlzpjxwMmANBJYaB6ZVKADpSnjXVbrTsgMgnhai9XnnllSyxtmLnnXfOz8sGq6de3jOxIGacccYMUsCGjMJ9eU3HZRfOVUdPZMEqKxGlw21SAMXSYZUJgUDtVVpuC6jt2Tk0LJdjmNp2u6nDdwVDCRsdgAuJcQHBatuEEgTbR2xwAj2QQ1AOXA1J2s8HqFbpa7TMDNLiqJsx3XTT5f9mn332HCpJ9RiqOZoUgIm1r1QBNBo6DYBjVq8dYO0UQ9XArHaXd8wxx6RJEgBE5/ogw0P83xkQuJnLmRC+SI7nRKFofqMDACOaTccpzLHHHpsT4wVYeWRIAoN/7bj2GPlr97klAK1zNdeYGHNyeZ+Uuic/QnBBqBbilwQ2OoDqQExil4a0jj9IGUf2nPx5ToJZvX00qBABrTZTdARDWbg9aHJlTm1nNXz48BQNz1WBSZJmPoP09icUqlzmthur7qn+8GxUtuzItK+MS5lVQKbtETRhgrRJdyLBef3f8SFTRGqqA2o2PVQHJ2DbcxDxvr4KFGVc5R27EInqatqj4E91UI06nVYJhkRlnBdxWkHIpl6GsdloyDZ3BQVZAh/9Db7oaGGfQtUOnlGOD0tDqCcq50Aq5rIn0S3Ybv7pHzhkhRsqMSkVlBaX+ehjVEB74UxTdcp5KFx7bRAIgQtYtVQTvATr8wKFd4kTlI2TS5Nn3r8UQGktZMUiwYFigAsoyaiO1vsm1tnCrqC0KNoDQ9CqYsis9+yVLd775rCHIKG2kn9rANUKI7smJnl0ngnKpszJqPd1oxZaNuYGVUJyLTn+lOFegtNuk2kdauk8eQr3pnx/229kMgXvDI+qICucyrwulULxlYbO+ZkfyGneaoc+qvYXIibp6Kfal/62H/nK8aB9qg2L/oYRkj2SKpu8BMab+vuafTZxcOClCtXf/4/8Sinb9quwbGJG6LhygQUWyEaQnPIQ2G/I5UtCnDuBlY0/Q6V85UTuH/2Z1WJkDTe0DjTfXgCetR+qte+++9Yb+ioZ58yMkDTj1R8er/9TAWlVwIGcaiWomOFcyn4C0REcYfFoamdN/xU/dKtO7ajek//P/1I/dloeAmg5LY9/ASmq+nHby3MAAAAAAElFTkSuQmCC","name":"avatar.png","content_size":2961,"content_type":"image/png","content_encoding":"base64","class_name":"investigation_attachment","version":1,"parent_id":"5d238e6a7732fa17fc53522d","parent_class":"note_event","parent_version":1}'
Example response
{"content_type": "image/png", "name": "avatar.png", "create_time": 1562614674, "content_encoding": "base64", "parent_id": "5d238e6a7732fa17fc53522d", "parent_class": "note_event", "class_name": "investigation_attachment", "creator": "admin", "version": 1, "id": "5d239b927732fa17fc535233", "parent_version": 1, "content_size": 2961}
Investigation Artifacts Object Type (investigation_lead object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_lead?output_mode=json' --data '{"description":"","tags":[],"class_name":"investigation_lead","parent_class":"investigation","parent_id":"65c59138c0ae17b4850df833","parent_version":1,"version":1,"title":"","comments":[],"origin_method":"manual","origin_src_type":"","origin_src":"","schema":{"artifact":{"type":"asset","is_list":false,"label":"asset"},"expanded_artifact":{"type":"asset","is_list":true,"label":"Auto-Expand"}},"attributeModel":{"artifact":"127.0.0.2","expanded_artifact":[]}}'
Example response
{"description": "", "tags": [], "class_name": "investigation_lead", "parent_class": "investigation", "parent_id": "65c59138c0ae17b4850df833", "parent_version": 1, "version": 1, "title": "", "comments": [], "origin_method": "manual", "origin_src_type": "", "origin_src": "", "schema": {"artifact": {"type": "asset", "is_list": false, "label": "asset"}, "expanded_artifact": {"type": "asset", "is_list": true, "label": "Auto-Expand"}}, "attributeModel": {"artifact": "127.0.0.2", "expanded_artifact": []}, "create_time": 1707447449, "creator": "admin", "id": "65c59499c0ae17b4850df835"}
/services/storage/investigation/{object}/{id}
Used to get information about specific investigations, update specific investigations, or delete specific investigations. This REST API reference supports the following types of objects:
| Type | Object |
|---|---|
| Investigation | investigation |
| Investigation Event | ar_event, search_event, action_event, notable_event, spl_event, note_event |
| Investigation Attachment | investigation_attachment |
| Investigation Artifacts | investigation_lead |
Usage details
Authentication and authorization
Following capabilities are required to access all the investigation information.
edit_timelinemanage_all_investigations
Otherwise, the default capabilities associated with the ess_analyst role can create and edit investigations.
GET
Gets information about a specific object with the given ID.
Request string
| GET Request | Type | Description | Required |
|---|---|---|---|
| object | string | Following are the possible objects for the GET request:
|
required |
| id | string | The ID of the investigation object for which to get information. | required |
| output_mode | string | A string that defines the output format. The default value is xml. Available format options are xml and json. | optional |
Investigation Object Type (investigation object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation/65c59138c0ae17b4850df833?output_mode=json'
Example response
{"id": "65c59138c0ae17b4850df833", "class_name": "investigation", "version": 1, "title": "Create Investigation", "status": [{"name": "New", "time": 1562603519, "id": "investigation:1"}], "description": "API usage", "comments": [], "tags": [], "collaborators": [{"name": "admin", "write": true}], "mod_time": 1707447450, "create_time": 1707446584, "creator": "admin"}
Investigation Event Object Type (note_event object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/note_event/65c5a5bfc0ae17b4850df836?output_mode=json'
Example response
{"id": "65c5a5bfc0ae17b4850df836", "title": "API Demo", "start_time": 1562611260, "description": "demo data", "draft": false, "class_name": "note_event", "parent_class": "investigation", "parent_id": "65c59138c0ae17b4850df833", "parent_version": 1, "version": 1, "end_time": 0, "comments": [], "tags": [], "create_time": 1707451839, "creator": "admin"}
Investigation Attachment Object Type (investigation_attachment object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_attachment/5d238e6a7732fa17fc53522d?output_mode=json'
Example response
{"content_type": "image/png", "name": "avatar.png", "create_time": 1562614674, "creator": "admin", "parent_id": "5d238e6a7732fa17fc53522d", "parent_class": "note_event", "class_name": "investigation_attachment", "content_encoding": "base64", "version": 1, "id": "5d239b927732fa17fc535233", "parent_version": 1, "content_size": 2961}
Investigation Artifacts Object Type (investigation_lead object)
Example request
curl -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_lead/65c59499c0ae17b4850df835?output_mode=json'
Example response
{"id": "65c59499c0ae17b4850df835", "description": "", "tags": [], "class_name": "investigation_lead", "parent_class": "investigation", "parent_id": "65c59138c0ae17b4850df833", "parent_version": 1, "version": 1, "title": "", "comments": [], "origin_method": "manual", "origin_src_type": "", "origin_src": "", "schema": {"artifact": {"type": "asset", "is_list": false, "label": "asset"}, "expanded_artifact": {"type": "asset", "is_list": true, "label": "Auto-Expand"}}, "attributeModel": {"artifact": "127.0.0.2", "expanded_artifact": []}, "create_time": 1707447449, "creator": "admin"}
PUT
Updates a specific object with the given ID.
| PUT Request | Type | Description | Required |
|---|---|---|---|
| object | string | Following are the possible objects for the GET request:
|
required |
| id | string | The ID of the investigation object to get info on. | required |
| output_mode | string | A string that defines the output format. The default value is xml. Available format options are xml and json. | optional |
Investigation Object Type (investigation object)
Example request
curl -X PUT -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation/65c59138c0ae17b4850df833?output_mode=json' --data '{"class_name":"investigation","version":1,"title":"Modified Investigation","status":[{"name":"New","time":1562603519,"id":"investigation:1"}],"description":"API usage","comments":[],"tags":[],"collaborators":[{"name": "admin", "write": true}],"mod_time":0}'
Example response
{"class_name": "investigation", "version": 1, "title": "Modified Investigation", "status": [{"name": "New", "time": 1562603519, "id": "investigation:1"}], "description": "API usage", "comments": [], "tags": [], "collaborators": [{"name": "admin", "write": true}], "mod_time": 1707453692, "create_time": 1707446584, "creator": "admin", "id": "65c59138c0ae17b4850df833"}
Investigation Event Object Type (note_event object)
Example request
curl -X PUT -ku admin:changeme 'https://localhost:8089/services/storage/investigation/note_event/65c5a5bfc0ae17b4850df836?output_mode=json' --data '{"title":"API Demo","start_time":1562611260,"description":"demo data.","draft":false,"class_name":"note_event","parent_class":"investigation","parent_id":"5d14c4717732fa17fc535227","parent_version":1,"version":1,"end_time":0,"comments":[],"tags":[],"id":"5d238e6a7732fa17fc53522d","create_time":1562611306,"creator":"admin"}'
Example response
{"parent_id": "5d14c4717732fa17fc535227", "description": "demo data.", "parent_version": 1, "class_name": "note_event", "parent_class": "investigation", "comments": [], "tags": [], "draft": false, "start_time": 1562611260, "id": "5d238e6a7732fa17fc53522d", "title": "API Demo", "version": 1, "create_time": 1562611373, "creator": "admin", "end_time": 0}
Investigation Artifacts Object Type (investigation_lead object):
Example request
curl -X PUT -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_lead/65c59499c0ae17b4850df835?output_mode=json' --data '{"description":"","id":"5d249d797732fa17fc535235","comments":[],"origin_src":"","title":"","tags":[],"create_time":1562680673,"parent_class":"investigation","parent_version":1,"version":1,"origin_src_type":"","parent_id":"5cdeb45b7732fa172e53ce41","class_name":"investigation_lead","creator":"admin","origin_method":"manual","schema":{"artifact":{"is_list":false,"type":"asset","label":"asset"},"expanded_artifact":{"is_list":true,"type":"asset","label":"Auto-Expand"}},"attributeModel":{"artifact":"127.0.0.3","expanded_artifact":[]}}'
Example response
{"class_name": "investigation_lead", "id": "65c59499c0ae17b4850df835", "create_time": 1562680673, "parent_id": "5cdeb45b7732fa172e53ce41", "description": "", "creator": "admin", "origin_src_type": "", "parent_version": 1, "origin_src": "", "parent_class": "investigation", "comments": [], "tags": [], "origin_method": "manual", "version": 1, "schema": {"expanded_artifact": {"is_list": true, "label": "Auto-Expand", "type": "asset"}, "artifact": {"is_list": false, "label": "asset", "type": "asset"}}, "attributeModel": {"expanded_artifact": [], "artifact": "127.0.0.3"}, "title": ""}
DELETE
Deletes a specific object with the given ID.
| DELETE Request | Type | Description | Required |
|---|---|---|---|
| object | string | Following are the possible objects for the GET request:
|
required |
| id | string | The ID of the investigation object to get information on. | required |
| output_mode | string | A string that defines the output format. The default value is xml. Available format options are xml and json. | optional |
Investigation Object Type (investigation object)
Example request
curl -X DELETE -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation/65c59138c0ae17b4850df833?output_mode=json'
Example response
{"class_name": "investigation", "version": 1, "title": "Modified Investigation", "status": [{"name": "New", "time": 1562603519, "id": "investigation:1"}], "description": "API usage", "comments": [], "tags": [], "collaborators": [{"name": "admin", "write": true}], "mod_time": 1707456496, "create_time": 1707446584, "creator": "admin", "id": "65c59138c0ae17b4850df833"}
Investigation Event Object Type (note_event object)
Example request
curl -X DELETE -ku admin:changeme 'https://localhost:8089/services/storage/investigation/note_event/5d238ead7732fa17fc53522e?output_mode=json'
Example response
{"parent_id": "5d14c4717732fa17fc535227", "description": "demo data.", "parent_version": 1, "class_name": "note_event", "parent_class": "investigation", "comments": [], "tags": [], "draft": false, "start_time": 1562611260, "id": "5d238ead7732fa17fc53522e", "title": "API Demo", "version": 1, "create_time": 1562611373, "creator": "admin", "end_time": 0}
Investigation Attachment Object Type (investigation_attachment object)
Example request
curl -X DELETE -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_attachment/5d238e6a7732fa17fc53522d?output_mode=json'
Example response
{"content_type": "image/png", "name": "avatar.png", "create_time": 1562614674, "creator": "admin", "parent_id": "5d238e6a7732fa17fc53522d", "parent_class": "note_event", "class_name": "investigation_attachment", "content_encoding": "base64", "version": 1, "id": "5d239b927732fa17fc535233", "parent_version": 1, "content_size": 2961}
Investigation Artifacts Object Type (investigation_lead object)
Example request
curl -X DELETE -ku admin:changeme 'https://localhost:8089/services/storage/investigation/investigation_lead/5d249d797732fa17fc535235?output_mode=json'
Example response
{"version": 1, "origin_src": "", "origin_method": "manual", "parent_id": "5cdeb45b7732fa172e53ce41", "class_name": "investigation_lead", "title": "", "attributeModel": {"expanded_artifact": [], "artifact": "127.0.0.2"}, "id": "5d249d797732fa17fc535235", "origin_src_type": "", "schema": {"expanded_artifact": {"type": "asset", "label": "Auto-Expand", "is_list": true}, "artifact": {"type": "asset", "label": "asset", "is_list": false}}, "create_time": 1562680697, "comments": [], "parent_version": 1, "parent_class": "investigation", "description": "", "creator": "admin", "tags": []}
Last modified on 15 February, 2024
| Analytic Story API reference |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Download manual
Feedback submitted, thanks!