Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

REST administration

/rest/indicator_cef_filter

/rest/indicator_cef_filter

List all indicator_cef_filter records.

GET

List all indicator_cef_filter records.

Response values

Field Required Type Description
cef_type string Whether or not the CEF record is created by Splunk Phantom or the customer. The possible CEF types are default or custom.
cef number The ID of the associated CEF record.
cef_name string The name of the associated CEF record.
apply_filter Boolean Returns true if the associated CEF record will be filtered out during indicator creation.

JSON response

<div>
{
    "count": 155,
    "data": [
        {
            "cef_name": "dmac",
            "cef": 1,
            "cef_type": "default",
            "id": 1,
            "apply_filter": false
        },
        {
            "cef_name": "act",
            "cef": 2,
            "cef_type": "default",
            "id": 2,
            "apply_filter": false
        }
],
    "num_pages": 16
}

/rest/indicator_cef_filter/[ID]

/rest/indicator_cef_filter/[ID]

Get a particular indicator_cef_filter record by ID.

GET

Get a particular indicator_cef_filter record by ID.

Response values

Field Required Type Description
cef_type string Whether or not the CEF record is created by Splunk Phantom or the customer. The possible CEF types are default or custom.
cef number The ID of the associated CEF record.
cef_name string The name of the associated CEF record.
apply_filter boolean Returns true if the associated CEF record will be filtered out during indicator creation.

JSON response

<div>
{
    "cef_name": "dmac",
    "cef": 1,
    "cef_type": "default",
    "id": 1,
    "apply_filter": false
}

POST

Get a particular indicator_cef_filter record by ID.

Request parameters

Field Required Type Description
apply_filter boolean Returns true if the associated CEF record will be filtered out during indicator creation.


JSON request

<div>
{
    "apply_filter": true
}

/rest/license

/rest/license

Automate loading your Splunk Phantom license.

POST

Automate loading your Splunk Phantom license.

JSON request

   "license":"<license>"

}


License formatting

The license must be a single line with the \n character encoded for new lines, as in the following example: 

"license":"-----------------------BEGIN LICENSE------------------------\nUVpONWpVREV1RXl5WWlvRlMrZDF4T2JYcW1mRkttSGRKZmRPZUNvYWo5bm5Q\nb3hsYWcwRkNNYTJOYUwzdm5WaVhodGZNenFzOVZaSUlWdWtJdFl2THlQU2xm\nVGlYRlRCRy95V2NlUDh1d25XUFJNK2lhNWtmNWNnNlVRR3YzU01FYU8rSWt1\nN3plcDBBSlZwNlpZcTMzMHlwSzA2OWZDUFZm ... "
Last modified on 07 April, 2020
Use a Custom Script   REST Aggregation Rules

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters