Splunk® Phantom (Legacy)

Develop Apps for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Use the contains parameter to configure contextual actions

Splunk Phantom apps have a parameter for action inputs and outputs called "contains". The contains types, in conjunction with the primary parameter property, are used to enable contextual actions in the Splunk Phantom user interface. A common example is the contains type "ip", which represents an IP address. An action you run might produce an IP address as one of its output items, or you might have ingested an artifact of type ip. When you view that IP address in Investigation, you get a context menu that lets you run other actions that take ip as an input. When creating an app, the author specifies that a given data field "contains" an ip, so that Splunk Phantom knows how to treat that piece of data.

Once a data type has been defined as "ip", the platform parses the actions of all installed apps and shortlists every action that specifies "ip" as one of the contains types for a parameter marked as primary. These actions are made available from the context menu for that item.

This is a powerful feature that the platform provides, as it allows the user to chain the output of one action as input to another. As an app author, before creating a new contains type for your app, check that your data type isn't already covered by an existing contains type that other apps use. Contains is a list, and a given field may have more than one contains type at the same time. A common example is a SHA256, which will often be listed both as "sha256" and as "hash". But some common concepts can be product specific, such as an "id": while the concept of an ID is generic, an ID from one product generally doesn't work well in a different product.

Besides apps, playbooks can also add artifacts to their container through the phantom.add_artifact call. Artifacts have a contains type, either by virtue of their CEF field type or by directly specifying a contains type.

Contains types also apply to files in the container, such as apk, doc, jar, os memory dump, pdf, pe file, ppt, and xls. Apps and playbooks can specify a contains type on a file. Splunk Phantom also attempts to determine the file type of manually uploaded files, because some apps, most notably those that implement a detonate file action, only handle certain file types.
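The mechanism described above, as an added example that is not part of this documentation or of any Splunk app: two constructed app definitions shaped like the "actions" section of an app JSON, a function that shortlists contextual actions the way the platform does (only a parameter marked primary counts), a lookup of which output data paths carry a contains type, and a constructed artifact whose CEF fields resolve to contains types either explicitly or through a CEF default table. The app names, action names, the CEF default table (a stand-in for what /rest/cef_metadata reports) and the "cef_types" key name on the artifact are assumptions made for this example.

```python
# Added example, not Splunk's or any app's code. It models how the "contains" and
# "primary" properties in an app's action JSON decide which actions the UI offers
# as contextual actions, and how an artifact's CEF fields acquire contains types.
# The app and action names, the sample artifact and the CEF default table are all
# constructed for this example.
import json

# Constructed stand-ins for the "actions" section of two installed apps' JSON.
APP_DEFINITIONS = json.loads(r'''
[
 {"name": "Example Reputation App", "actions": [
   {"action": "ip reputation",
    "parameters": {"ip": {"data_type": "string", "required": true, "primary": true, "contains": ["ip"]}},
    "output": [{"data_path": "action_result.data.*.ip", "data_type": "string", "contains": ["ip"]},
               {"data_path": "action_result.data.*.domain", "data_type": "string", "contains": ["domain"]}]},
   {"action": "file reputation",
    "parameters": {"hash": {"data_type": "string", "required": true, "primary": true,
                            "contains": ["hash", "md5", "sha1", "sha256"]}},
    "output": []},
   {"action": "detonate file",
    "parameters": {"vault_id": {"data_type": "string", "required": true, "primary": true,
                                "contains": ["vault id", "pe file", "pdf"]}},
    "output": []}]},
 {"name": "Example Ticketing App", "actions": [
   {"action": "create ticket",
    "parameters": {"summary": {"data_type": "string", "required": true, "primary": true},
                   "ip": {"data_type": "string", "contains": ["ip"]}},
    "output": [{"data_path": "action_result.data.*.key", "data_type": "string", "contains": ["jira ticket key"]}]}]}
]
''')


def contextual_actions(apps, contains_types):
    """Actions to offer in the context menu for a value carrying `contains_types`.

    An action qualifies only if one of its *primary* parameters lists at least
    one of the value's contains types; a non-primary parameter does not count.
    """
    wanted = set(contains_types)
    found = []
    for app in apps:
        for act in app["actions"]:
            for pname, spec in act["parameters"].items():
                if spec.get("primary") and wanted & set(spec.get("contains", [])):
                    found.append((app["name"], act["action"], pname))
    return sorted(found)


def output_contains(apps, action_name):
    """Map each output data path of `action_name` to its contains list.

    These are the output items the UI can in turn offer contextual actions on.
    """
    paths = {}
    for app in apps:
        for act in app["actions"]:
            if act["action"] == action_name:
                for out in act.get("output", []):
                    if out.get("contains"):
                        paths[out["data_path"]] = list(out["contains"])
    return paths


# Constructed subset of a CEF-field -> contains mapping, standing in for what
# /rest/cef_metadata reports on a real instance (the real table is larger).
CEF_DEFAULTS = {
    "sourceAddress": ["ip"],
    "destinationAddress": ["ip"],
    "fileHash": ["hash"],
    "requestURL": ["url"],
}

# Constructed artifact record of the kind a playbook adds with phantom.add_artifact.
# "cef_types" is assumed here to be the key under which an artifact states contains
# types explicitly; fields without one fall back to the CEF default mapping.
SAMPLE_ARTIFACT = {
    "name": "constructed alert",
    "cef": {
        "sourceAddress": "198.51.100.23",
        "fileHash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "customField": "a field the CEF table has no entry for",
    },
    "cef_types": {"fileHash": ["sha256", "hash"]},
}


def artifact_contains(artifact, cef_defaults):
    """Resolve the contains list for every CEF field of an artifact.

    An explicit cef_types entry wins; otherwise the CEF field name's default
    applies; a field the table does not know gets no contains type at all.
    """
    explicit = artifact.get("cef_types", {})
    result = {}
    for field in artifact.get("cef", {}):
        types = explicit.get(field) or cef_defaults.get(field)
        if types:
            result[field] = list(types)
    return result


if __name__ == "__main__":
    print(contextual_actions(APP_DEFINITIONS, ["ip"]))
    print(contextual_actions(APP_DEFINITIONS, ["sha256", "hash"]))
    print(output_contains(APP_DEFINITIONS, "ip reputation"))
    print(artifact_contains(SAMPLE_ARTIFACT, CEF_DEFAULTS))
```

Two details the run makes visible: "create ticket" accepts an ip, but because that parameter is not marked primary it never appears in the context menu for an IP address, and a SHA256 that is listed as both "sha256" and "hash" reaches "file reputation" through either entry, which is why listing both is the usual choice.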

Since new apps can provide new contains types, this list may differ from what is available on your Splunk Phantom instance. To see the current contains list on a given Splunk Phantom instance, use the REST endpoint https://phantom.example.com/rest/cef_metadata. This displays both the current contains types and the CEF types, together with the contains types each CEF type maps to.

anubis task id
apk
carbon black query
carbon black query type
carbon black sensor id
carbon black watchlist
cuckoo task id
cyphort event id
doc
domain
email
file name
file path
file size
firewall rule name
flash
hash
host name
ip
isightpartners report id
jar
javascript
jira project key
jira ticket key
jira ticket status
lastline task id
mac address
malwr task id
md5
mobileiron device uuid
network application
os memory dump
pdf
pe file
pid
port
ppt
process name
qradar offense id
rt queue
rt ticket id
servicenow ticket id
sha1
sha256
srp guid
tanium question
threatgrid task id
url
urlquery queue id
urlquery report id
user name
vault id
vm
volatility profile
wepawet task id
wildfire task id
xls
Last modified on 11 August, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
