REST Severity
You can manage the severities using REST. Supported methods are GET, POST, and DELETE.
Splunk Phantom ships with three predefined severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. Additional severity names can be defined by a Splunk Phantom administrator.
Rules for severity names:
- You can have up to 10 active severity names.
- A severity name can consist only of the ASCII characters A-Z, a-z, numerals 0-9, dash ( - ), or underscore ( _ ).
- Severity names can be up to 20 characters long.
- Severity names cannot be edited. To change a severity name, delete it and recreate the severity name.
- The default severity names High, Medium, and Low can be deleted. However, even if they are deleted, your ingestion apps will still be able to use the severity names High, Medium, and Low.
- A severity name which has been deleted can be reactivated by creating a new severity with the same name.
Severity names are stored in Splunk Phantom's internal database. Deleting a severity name from the active severity list does not remove that severity name from the database.
Deleting a severity name does not change the severity of a case, event, or artifact. Changing a severity name does not update closed events, cases, or artifacts.
Deleted severity names show in search results, the Analyst Queue, Investigation, and dashboard widgets where appropriate. Severity names which have been deleted are shown in all these areas using strikethrough text.
Deleted severities have a few other impacts, such as:
- You cannot filter by disabled severities in Analyst Queue.
- Using the graphical user interface, you cannot create a container with a deleted severity or change a container's severity to a deleted severity.
- Events and artifacts with deleted severities will appear lower than those with active severities in sorted lists in the Analyst Queue and Investigation.
To maintain backwards compatibility with apps and existing playbooks, if the severity names High, Medium, or Low have been deleted, ingestion apps and the REST API can still assign the severity High, Medium, and Low to events, containers, or artifacts.
/rest/severity
Get a list of all severities.
Syntax
https://<username>:<password>@<host>/rest/severity
Usage details
You must have the "View System Settings" permission to list severities. You need "System Settings Edit" permissions to create or modify a severity.
GET
Get a list of all severities.
Example request
Get a list of available severities.
curl -k -u admin:changeme https://localhost/rest/severity -G -X GET
Example response
A successful request will result in a 200 response and a JSON formatted list of severities.
{
  "count": 3,
  "data": [
    {
      "disabled": false,
      "name": "high",
      "color": "red",
      "modified_time": "2019-05-29T20:22:05.809886Z",
      "id": 1,
      "is_default": false,
      "create_time": "2019-05-29T20:22:05.809371Z",
      "order": 0
    },
    {
      "disabled": false,
      "name": "medium",
      "color": "yellow",
      "modified_time": "2019-05-29T20:22:05.811406Z",
      "id": 2,
      "is_default": true,
      "create_time": "2019-05-29T20:22:05.811153Z",
      "order": 1
    },
    {
      "disabled": false,
      "name": "low",
      "color": "green",
      "modified_time": "2019-05-29T20:22:05.812411Z",
      "id": 3,
      "is_default": false,
      "create_time": "2019-05-29T20:22:05.812242Z",
      "order": 2
    }
  ],
  "num_pages": 1
}
POST
Create a severity.
Request string
An argument string must include the following parameters:
Field | Required | Type | Description
---|---|---|---
color | optional | string | One of the color choices accepted by Splunk Phantom (the examples on this page use red, yellow, green, and orange).
name | required | string | Name of the severity.
is_default | required | bool | A severity with "is_default" set to true becomes the default severity.
Example request
You can add a severity by supplying a JSON formatted body.
curl -k -u admin:changeme https://localhost/rest/severity \
  -d '{ "color" : "red", "name" : "urgent" }'
Example response
A successful request will result in a 200 response, returning the severity's ID and success as JSON.
{ "id": 6, "success": true }
/rest/severity/<severity id>
Modify an existing severity.
Syntax
https://<username>:<password>@<host>/rest/severity/<severity id>
Usage details
You need "System Settings Edit" permissions to create or modify a severity.
POST
Modify an existing severity, such as changing the urgent severity color from "red" to "orange".
Request string
An argument string must include the following parameters:
Field | Required | Type | Description
---|---|---|---
color | optional | string | One of the color choices accepted by Splunk Phantom (the examples on this page use red, yellow, green, and orange).
name | required | string | Name of the severity.
is_default | required | bool | A severity with "is_default" set to true becomes the default severity.
Example request
You can modify a severity by supplying a JSON formatted body to the severity's own endpoint, here the severity with ID 6 created in the previous example.
curl -k -u admin:changeme https://localhost/rest/severity/6 \
  -d '{ "color" : "orange", "name" : "urgent" }'
Example response
A successful request will result in a 200 response, returning the severity's ID and success as JSON.
{ "id": 6, "success": true }
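The following is an added example, not code from the Splunk Phantom product or its documentation: it applies the severity naming rules and the 10-active-severities limit from the top of this page to a GET /rest/severity listing before issuing the create or modify POSTs shown above. The host, credentials and helper names are assumptions; the sample listing is trimmed from the example response on this page.

```python
import base64
import json
import re
import ssl
import urllib.request

# Naming rules from this page: ASCII letters, digits, dash or underscore; 1 to 20 characters.
SEVERITY_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")
MAX_ACTIVE_SEVERITIES = 10  # page: "You can have up to 10 active severity names."

# Constructed sample, trimmed from the GET /rest/severity response shown on this page.
SAMPLE_LISTING = {
    "count": 3,
    "data": [
        {"disabled": False, "name": "high", "color": "red", "id": 1, "is_default": False, "order": 0},
        {"disabled": False, "name": "medium", "color": "yellow", "id": 2, "is_default": True, "order": 1},
        {"disabled": False, "name": "low", "color": "green", "id": 3, "is_default": False, "order": 2},
    ],
    "num_pages": 1,
}

def validate_severity_name(name):
    """True if the name satisfies the character-set and length rules on this page."""
    return SEVERITY_NAME_RE.fullmatch(name) is not None

def active_severity_names(listing):
    """Names whose 'disabled' flag is false in a GET /rest/severity response."""
    return [s["name"] for s in listing.get("data", []) if not s.get("disabled", False)]

def check_create(listing, name):
    """Pre-flight a POST /rest/severity: returns (ok, reason) using the page's rules."""
    if not validate_severity_name(name):
        return False, "name must be 1-20 ASCII letters, digits, '-' or '_'"
    active = active_severity_names(listing)
    if name in active:  # exact match; the page does not say whether names are compared case-insensitively
        return False, "a severity with this name is already active"
    if len(active) >= MAX_ACTIVE_SEVERITIES:
        return False, "limit of %d active severities reached" % MAX_ACTIVE_SEVERITIES
    return True, "ok"

def severity_request(base_url, user, password, method="GET", severity_id=None, body=None, verify_tls=True):
    """Call /rest/severity or /rest/severity/<id> with HTTP basic auth; verify_tls=False mirrors curl -k."""
    url = base_url.rstrip("/") + "/rest/severity" + ("" if severity_id is None else "/%s" % severity_id)
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode())
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())
```

Against a live instance, fetch the listing with severity_request("https://localhost", "admin", "changeme"), run check_create on it, and only then POST the body from the create example (or POST to severity_id=6 to modify it).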
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7