REST App
Install Splunk Phantom apps and see which Python version the apps are.
/rest/app
Syntax
https://<username>:<password>@<host>/rest/app
Usage details
The account used must have permissions to edit Apps.
POST
Install a Splunk Phantom app.
Example request
You can submit an HTTP POST to the following endpoint with a base64 encoded tarball or installer package.
curl -k -u admin:pwd https://localhost/rest/app \ -d '{ "app": "<BASE64 ENCODED TARBALL OR INSTALLER PACKAGE>" }
Success example response
A successful response includes the import success message and the success true status.
{ "message": "App successfully imported.", "success": true }
Failure example response
A failed response includes the import failure message and the failed true status.
{ "failed": true, "message": "App install failed." }
Example Python request
Python example of how the API can be called.
import json import base64 import requests file_contents = open('/path/to/myapp.tgz', 'rb').read() encoded_contents = base64.b64encode(file_contents) payload = {'app': encoded_contents} requests.post('https://phantom.mycompany.com/rest/app', auth=('admin', PASSWORD), data=json.dumps(payload))
The app file can be a supported installer package such as a tarball or .rpm file. The app can be updated by simply POSTing the new app in the exact same manner as the original install.
DELETE
Delete a Splunk Phantom app.
Example request
Delete the app with Id 151.
curl -k -u admin:changeme https://localhost/rest/app/151 -X DELETE
/rest/app/<app-id>
Get the details of the specified app, including the Python version number.
Syntax
https://<username>:<password>@<host>/rest/app/<app-id>
Usage details
The account used must have permissions to view Apps.
GET
See the Python version number of the specified App.
Example request
Get the details of app id 112.
curl -k -u admin:changeme https://localhost/rest/app/112?pretty -G -X GET
Example response
A successful GET will return back a JSON formatted list of key names and their values.
{ "app_config_render": null, "product_version_regex": ".*", "python_version": "3.6", "uber_view": null, "disabled": false, "logo": "logo_abuseipdb.svg", "install_time": "2019-07-15T01:31:42.560831Z", "id": 112, "logo_dark": "logo_abuseipdb_dark.svg", "rest_handler": null, "appname": "-", "_pretty_invalid_assets": [], "version": 1, "_pretty_actions": [ { "description": "Report an IP for abusive behavior", "name": "post ip" }, { "description": "Queries IP info", "name": "lookup ip" }, { "description": "Validate the asset configuration for connectivity using supplied configuration", "name": "test connectivity" } ], "app_version": "1.0.9", "type": "reputation", "product_name": "AbuseIPDB", "description": "This app integrates with AbuseIPDB to perform investigative actions", "tags": [], "_pretty_asset_count": 1, "app_config": {}, "_pretty_install_time": "Jul 15 at 01:31 AM", "configuration": { "api_key": { "required": true, "description": "API Key", "data_type": "password" } }, "product_vendor": "AbuseIPDB", "publisher": "Splunk", "name": "AbuseIPDB", "release_tag": null, "consolidate_widgets": true, "appid": "52876771-17a7-45ad-8cc5-513bbd2172c5", "directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5", "_pretty_dark_logo": "logo_abuseipdb_dark.svg", "require_auth_token": false, "main_module": "abuseipdb_connector.pyc", "known_versions": [ "1.0.9" ] }
The return values of note follow:
Field | Type | Description |
---|---|---|
app_version | string | The version of the app. |
configuration | JSON object | Key value pairs for configuration. Required and optional values are defined by the Apps. See individual App documentation for more info. For example: {... "configuration": { "api_key": { "required": true, "order": 0, "data_type": "password", "description": "API Key" } }, ... } |
description | string | A brief description of the app. |
id | string | The Id of the app. |
install_time | string | The time that the app was installed, in epoch UTC format. |
logo | string | The product logo in .svg or .png format. |
logo_dark | string | The dark mode product logo in .svg or .png format. |
name | string | Short name for the asset. Used when invoking an action on this asset. |
product_name | string | Official name of the product. Used when invoking an action on this asset. |
product_vendor | string | The name of the app vendor. Used when invoking an action on this asset. |
publisher | string | The publisher of the app, such as Phantom or Splunk or SentinelOne. |
python_version | string | Python version number. |
tags | array of strings | 0 or more tags associated with the asset. A simple string can also be used for a single tag. Optional, for use with Playbooks. |
type | string | A brief categorization of this asset. |
REST Aggregation Rules | REST Approval |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Feedback submitted, thanks!