Splunk® Phantom

REST API Reference for Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Phantom. Click here for the latest version.
Acrobat logo Download topic as PDF

REST Evidence

Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.

/rest/evidence

Manage evidence.

Syntax

https://<username>:<password>@<host>/rest/evidence

POST

Add evidence to a container.

The body of the request is a JSON object with the following fields.

Field Required Description
container_id required Id of the container to which you are adding evidence.
object_id required Id of object to be added -- artifact id, note id, etc.
content_type required The content type of the object to add as evidence. One of the types:
  • containerattachment
  • artifact
  • actionrun
  • container
  • note

Example request
Add an artifact of Id 17 to container Id 9.

curl -k -u admin:changeme https://localhost/rest/evidence \
-d '{
    "container_id": 9,
    "object_id": 17,
    "content_type": "artifact",
}'

Example response
A successful POST will return a success indicator and the Id of the newly created evidence.

{
    "id": 4,
    "success": true
}

/rest/evidence optional query parameters and filters

Query all evidence with the addition of query parameters and filters. See REST Query Data for further information about query parameters.

/rest/evidence?&_special_content_type=True&_filter_container=<container id>

Example query parameters and filters follow:

  • &_special_content_type=True - adds a string to the JSON returned that gives the type of evidence. In the following example, the type is "artifact".
  • _filter_container=<container id> - filters the query to a single container.

For cases or containers that have large collections of evidence, consider adding paging parameters.

Syntax

https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>

GET

Get a list of evidence.

Example request
Get a list of evidence for container Id 5 with a page size of 5 and special content type true.

curl -k -u admin:changeme https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5 -G -X GET

Example response
A successful GET will return back a JSON formatted list of key names and data.

{
    "count": 1,
    "data": [
        {
            "container": 5,
            "modified_time": "2019-05-23T17:18:39.595829Z",
            "_special_content_type": "artifact",
            "create_time": "2019-05-23T17:18:39.595528Z",
            "object_id": 20,
            "content_type": 52,
            "id": 1
        }
    ],
    "num_pages": 1
}

/rest/evidence?special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true

Return information about a note's attachments when it is marked as evidence.

GET

Return information about the note's attachments.

Example request
Return information about the note's attachments.

/rest/evidence?special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true

Example response
A successful GET provides information about the size, name, and container attachment ID of the note.

{
'id': 605, 
'create_time': '2020-04-14T02:26:41.993230Z', 
'modified_time': '2020-04-14T02:26:41.993413Z', 
'container': 9738, 
'object_id': 5203, 
'content_type': 96, 
'_special_content_object': 
{
'id': 5203,
 'title': '',
 'content': 'note_content_fosecdYXmfSG',
 'create_time': '2020-04-14T02:26:41.297248Z',
 'modified_time': '2020-04-14T02:26:41.938770Z',
 'note_type': 'g',
 'author': 1640,
 'phase': None,
 'container': 9739,
 'task': None,
 'artifact': None,
 'container_attachments': 
[{'name': 'container_attachment_ciYQzbVNGnjr', 'size': 0, 'container_attachment_id': 1514}, 
{'name': 'container_attachment_YaLEONTFIpSj', 'size': 0, 'container_attachment_id': 1515}, 
{'name': 'container_attachment_BwdoyghERKcn', 'size': 0, 'container_attachment_id': 1516}]
}
} 

/rest/evidence/<evidence id>

Manage one item by evidence Id.

DELETE

Delete an item from evidence.

Example request
Delete the evidence with Id 5.

curl -k -u admin:changeme https://localhost/rest/evidence/5 -X DELETE

Example response
A successful response includes a success message.

{
    "id": 5,
    "success": true
}
Last modified on 16 April, 2020
PREVIOUS
REST custom function
  NEXT
REST HUD

This documentation applies to the following versions of Splunk® Phantom: 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters