Set container parameters in Splunk Phantom using the API block
Use the API block to set parameters of the container it's running in. For example, you can use an API call to set the severity of a container.
Perform the following tasks to configure an API block:
- Drop a new block onto the playbook editor.
- Click on the block, and then select API from the block types.
- Select the API property you want to set. The following table summarizes the properties that you can set:

| Property | Description |
| --- | --- |
| label | The label of the container. The drop-down list shows all of the container labels currently available on your Splunk Phantom instance. |
| sensitivity | The sensitivity of the container. |
| severity | The severity of the container. |
| status | The status of the container, such as Resolved. |
| owner | The owner of the container. |
| add list | One of two API calls that doesn't operate directly on the container. The add list property takes two parameters: the list that you want to add to, and the data you are adding. If the list doesn't exist, it is created by Splunk Phantom. You can point the data field to a variable by selecting from the properties, results, and artifacts, or you can type in a fixed string. |
| remove list | One of two API calls that doesn't operate directly on the container. The remove list property takes a list name as the single parameter, and deletes that list when it has run. |
| pin | Pin data to the heads-up display (HUD) in the container. This property takes the following parameters: Data, Message, Pin Type, Pin Style. |
| add tag | The API call used to add a tag to the container. |
| remove tag | The API call to remove a tag from the container. |
| add comment | The API call used to add a comment to a container. You can either supply a variable or a static string in the input. |
| promote to case | The API call used to promote the container to a case. It takes a single parameter, the case template you can pick from a drop-down list. |
| add note | The API call used to add a note. It takes the parameters title, content, and note format. With the note format parameter, you can choose either HTML or Markdown. |

- Click Save to save the settings. A check mark appears next to the API calls that you configured.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7