Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

REST Aggregation Rules

Create or update an aggregation rule.

/rest/aggregation_rule

Create an aggregation rule.

Syntax

https://<username>:<password>@<host>/rest/aggregation_rule

POST

Create an aggregation rule.

Request string
The request body is a JSON object with the following fields.

rule (required, JSON object): The main body of the aggregation rule, with 'name' and 'group' as its top-level keys. Each key in 'group' is a CEF field that will be checked for matches; its value is an object containing a 'method' and, when the method needs it, a 'regex'. If method is "Exact", no regex value is required and aggregation is done on an exact match of the field value. If method is "Regex", the 'regex' value is required and holds the pattern to match on; see https://pypi.org/project/regex/ for the supported pattern syntax.
label (required, string): Only artifacts arriving with this label are checked against the rule. This field must differ from destination_label.
destination_label (required, string): Once a match is found, the artifact is added to a container with this label. This field must differ from label.
tenants (optional, JSON array of integers): If applicable, the IDs of the tenants whose incoming data this rule should aggregate.

Example request
You can create a rule that uses the Exact method by supplying a JSON-formatted body.

curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
-d '{
	"rule": {
		"name": "test rule exact",
		"group": {
			"destinationAddress": {
				"method": "Exact"
			}
		}
	},
	"label": "phishing",
	"destination_label": "spear_phishing"
}'

Example request
You can create a rule that uses the Regex method by supplying a JSON-formatted body. Because the body is JSON, each backslash in the pattern must be written as \\ inside the string; a bare \. is not a valid JSON escape and the body will be rejected.

curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
-d '{
	"rule": {
		"name": "test rule regex",
		"group": {
			"sourceAddress": {
				"method": "Exact"
			},
			"destinationAddress": {
				"method": "Regex",
				"regex": "10\\.10\\.6.*"
			}
		}
	},
	"label": "phishing",
	"destination_label": "spear_phishing",
	"tenants": [12, 43]
}'
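The following Python script is an added example, not Phantom's own code. It builds the two request bodies above programmatically, enforces the constraints the reference states before anything is sent (a non-empty group, label different from destination_label, a pattern present and compilable for every Regex field), serializes with json.dumps so regex backslashes come out correctly escaped, and dry-runs a rule against a few artifacts. The matcher is an approximation of the documented semantics, and an assumption of this example: it uses the standard-library re module rather than the PyPI regex package, groups artifacts on the field value for an Exact field, and groups every artifact whose value fully matches the pattern together for a Regex field. The artifact records and addresses are constructed for illustration.

```python
"""Build, validate and dry-run Phantom aggregation rules.

Added example for the aggregation_rule reference; not Phantom code.
The grouping semantics below are an approximation (assumption), using
the stdlib `re` module instead of the PyPI `regex` package.
"""
import json
import re

EXACT, REGEX = "Exact", "Regex"


def build_rule(name, group, label, destination_label, tenants=None):
    """Return the JSON-serialisable body for POST /rest/aggregation_rule.

    `group` maps a CEF field name to {"method": "Exact"} or
    {"method": "Regex", "regex": "<pattern>"}. Constraints the reference
    states are checked here so a bad rule never reaches the server.
    """
    if not group:
        raise ValueError("group must name at least one CEF field")
    if label == destination_label:
        raise ValueError("label and destination_label must differ")
    for field, spec in group.items():
        method = spec.get("method")
        if method == EXACT:
            continue
        if method == REGEX:
            pattern = spec.get("regex")
            if not pattern:
                raise ValueError(f"{field}: Regex method requires a 'regex' value")
            try:
                re.compile(pattern)  # surface a broken pattern locally
            except re.error as exc:
                raise ValueError(f"{field}: invalid regex: {exc}") from exc
            continue
        raise ValueError(f"{field}: method must be Exact or Regex, got {method!r}")
    body = {"rule": {"name": name, "group": dict(group)},
            "label": label, "destination_label": destination_label}
    if tenants is not None:
        body["tenants"] = [int(t) for t in tenants]
    return body


def to_json(body):
    """json.dumps escapes backslashes, so the pattern 10\\.10\\.6.* is emitted
    as "10\\\\.10\\\\.6.*" in the body, which is what the server expects."""
    return json.dumps(body, indent=2)


def grouping_key(rule_body, artifact):
    """Dry-run of one artifact: None if the rule ignores it, else the key
    under which it would be aggregated (assumed semantics, see module doc)."""
    if artifact.get("label") != rule_body["label"]:
        return None  # only artifacts with the rule's label are considered
    cef = artifact.get("cef", {})
    key = []
    for field, spec in rule_body["rule"]["group"].items():
        value = cef.get(field)
        if value is None:
            return None  # a field the rule needs is absent
        if spec["method"] == EXACT:
            key.append(value)  # exact: artifacts with equal values group together
        else:
            if re.fullmatch(spec["regex"], str(value)) is None:
                return None
            key.append(spec["regex"])  # regex: all matching artifacts group together
    return tuple(key)


def group_artifacts(rule_body, artifacts):
    """Map each grouping key to the IDs of the artifacts that share it."""
    groups = {}
    for artifact in artifacts:
        key = grouping_key(rule_body, artifact)
        if key is not None:
            groups.setdefault(key, []).append(artifact["id"])
    return groups


SAMPLE_ARTIFACTS = [  # constructed for this example
    {"id": 1, "label": "phishing",
     "cef": {"sourceAddress": "198.51.100.7", "destinationAddress": "10.10.6.20"}},
    {"id": 2, "label": "phishing",
     "cef": {"sourceAddress": "198.51.100.7", "destinationAddress": "10.10.6.21"}},
    {"id": 3, "label": "phishing",
     "cef": {"sourceAddress": "198.51.100.7", "destinationAddress": "10.10.7.5"}},
    {"id": 4, "label": "spear_phishing",
     "cef": {"sourceAddress": "198.51.100.7", "destinationAddress": "10.10.6.20"}},
    {"id": 5, "label": "phishing",
     "cef": {"sourceAddress": "203.0.113.9", "destinationAddress": "10.10.6.3"}},
]

EXACT_RULE = build_rule("test rule exact", {"destinationAddress": {"method": EXACT}},
                        "phishing", "spear_phishing")
REGEX_RULE = build_rule("test rule regex",
                        {"sourceAddress": {"method": EXACT},
                         "destinationAddress": {"method": REGEX, "regex": r"10\.10\.6.*"}},
                        "phishing", "spear_phishing", tenants=[12, 43])

if __name__ == "__main__":
    print(to_json(REGEX_RULE))
    for key, ids in group_artifacts(REGEX_RULE, SAMPLE_ARTIFACTS).items():
        print(key, "->", ids)
```

Artifact 3 is dropped because 10.10.7.5 does not match the pattern, artifact 4 because it carries the destination label rather than the source label, and artifacts 1 and 2 land in one group while artifact 5 gets its own because the Exact sourceAddress differs.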

/rest/aggregation_rule/<aggregation_rule_id>

Update an existing aggregation rule.

Syntax

https://<username>:<password>@<host>/rest/aggregation_rule/<aggregation_rule_id>

Usage details
Optionally, you can omit <aggregation_rule_id> from the path, in which case the ID must be included in the request body as 'id'. This also allows bulk updates: POST a JSON array of objects, each containing its own 'id'. The fields specific to updates are listed below; 'tenants' may also be sent to replace the rule's tenant list outright.

POST

Update an existing aggregation rule.

Request string
The request body is a JSON object containing 'id' (when the ID is not in the path) and any of the following fields.

add_tenants (optional, JSON array of integers): Used like the 'tenants' field, except that tenants already on the rule but absent from this list are kept.
remove_tenants (optional, JSON array of integers): The opposite of 'add_tenants': instead of replacing the tenant list, this removes only the tenants in the list.

Example request
Add tenant IDs 6 and 34 to rule 100.

curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
-d '{
  "id": 100,
  "add_tenants": [6, 34]
}'

Example request
Remove tenant IDs 6 and 201 from rule 100.

curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
-d '{
  "id": 100,
  "remove_tenants": [6, 201]
}'
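The following Python script is an added example, not Phantom's own code, covering the update forms above: it builds single and bulk update bodies, rejects contradictory tenant changes locally (a tenant both added and removed, 'tenants' combined with add/remove, an update that changes nothing, duplicate IDs in a bulk list), sends the request with the credentials in an Authorization header instead of the URL, and checks the response shape the reference documents. Assumptions: the server accepts the body with a Content-Type of application/json (the page's curl examples send the same body without that header); verify_tls=False reproduces curl -k and is only for a lab instance; the rule and tenant IDs are constructed.

```python
"""Build and send aggregation-rule updates. Added example, not Phantom code."""
import base64
import json
import ssl
import urllib.request


def build_update(rule_id, add_tenants=None, remove_tenants=None, **fields):
    """One update object for /rest/aggregation_rule. `fields` may carry any
    create-time field (rule, label, destination_label, tenants) to overwrite it."""
    if not isinstance(rule_id, int) or rule_id <= 0:
        raise ValueError("rule_id must be a positive integer")
    if add_tenants and remove_tenants and set(add_tenants) & set(remove_tenants):
        raise ValueError("a tenant cannot be both added and removed in one update")
    if "tenants" in fields and (add_tenants or remove_tenants):
        raise ValueError("use either tenants (replace) or add/remove_tenants, not both")
    body = {"id": rule_id, **fields}
    if add_tenants:
        body["add_tenants"] = sorted({int(t) for t in add_tenants})
    if remove_tenants:
        body["remove_tenants"] = sorted({int(t) for t in remove_tenants})
    if len(body) == 1:
        raise ValueError("update carries no changes")
    return body


def bulk_body(updates):
    """Bulk form: a JSON array of update objects, each with its own id,
    POSTed to /rest/aggregation_rule with no id in the path."""
    ids = [u["id"] for u in updates]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate rule ids in bulk update")
    return list(updates)


def post_json(base_url, path, body, username, password, verify_tls=True):
    """POST a JSON body using HTTP basic auth in a header rather than in the
    URL (curl -u does the same; URL-embedded credentials end up in shell
    history and proxy logs). Returns the decoded JSON response."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"},  # assumed accepted by Phantom
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; lab instances only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


def check_response(resp, expected_id=None):
    """The reference documents {"id": <n>, "success": true}; anything else fails."""
    if not isinstance(resp, dict) or not resp.get("success"):
        raise RuntimeError(f"server reported failure: {resp}")
    if expected_id is not None and resp.get("id") != expected_id:
        raise RuntimeError(f"expected rule {expected_id}, server reported {resp.get('id')}")
    return resp["id"]


if __name__ == "__main__":
    updates = bulk_body([
        build_update(100, add_tenants=[6, 34]),
        build_update(101, remove_tenants=[6, 201]),
    ])
    print(json.dumps(updates, indent=2))
    # Against a real instance (constructed credentials, lab TLS settings):
    # check_response(post_json("https://localhost", "/rest/aggregation_rule",
    #                          build_update(100, add_tenants=[6, 34]),
    #                          "admin", "changeme", verify_tls=False), expected_id=100)
```

The reference only shows the single-object response, so check_response validates that shape; if you rely on the bulk form, inspect what your instance returns for an array before asserting on it.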

Example response
A successful POST returns a success indicator and the ID of the rule that was created or updated.

{
    "id": 100,
    "success": true
}
Last modified on 26 February, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

