Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.


Install Splunk Phantom apps and see which Python version the apps are.




Usage details
The account used must have permissions to edit Apps.


Install a Splunk Phantom app.

Example request
You can submit an HTTP POST to the following endpoint with a base64 encoded tarball or installer package.

curl -k -u admin:pwd https://localhost/rest/app \
-d '{

Success example response
A successful response includes the import success message and the success true status.

    "message": "App successfully imported.",
    "success": true

Failure example response
A failed response includes the import failure message and the failed true status.

    "failed": true,
    "message": "App install failed."

Example Python request
Python example of how the API can be called.

import json
import base64
import requests
file_contents = open('/path/to/myapp.tgz', 'rb').read()
encoded_contents = base64.b64encode(file_contents)
payload = {'app': encoded_contents}
                auth=('admin', PASSWORD),

The app file can be a supported installer package such as a tarball or .rpm file. The app can be updated by simply POSTing the new app in the exact same manner as the original install.


Delete a Splunk Phantom app.

Example request
Delete the app with Id 151.

curl -k -u admin:changeme https://localhost/rest/app/151 -X DELETE


Get the details of the specified app, including the Python version number.



Usage details
The account used must have permissions to view Apps.


See the Python version number of the specified App.

Example request
Get the details of app id 112.

curl -k -u admin:changeme https://localhost/rest/app/112?pretty -G -X GET

Example response
A successful GET will return back a JSON formatted list of key names and their values.

  "app_config_render": null,
  "product_version_regex": ".*",
  "python_version": "3.6",
  "uber_view": null,
  "disabled": false,
  "logo": "logo_abuseipdb.svg",
  "install_time": "2019-07-15T01:31:42.560831Z",
  "id": 112,
  "logo_dark": "logo_abuseipdb_dark.svg",
  "rest_handler": null,
  "appname": "-",
  "_pretty_invalid_assets": [],
  "version": 1,
  "_pretty_actions": [
      "description": "Report an IP for abusive behavior",
      "name": "post ip"
      "description": "Queries IP info",
      "name": "lookup ip"
      "description": "Validate the asset configuration for connectivity using supplied configuration",
      "name": "test connectivity"
  "app_version": "1.0.9",
  "type": "reputation",
  "product_name": "AbuseIPDB",
  "description": "This app integrates with AbuseIPDB to perform investigative actions",
  "tags": [],
  "_pretty_asset_count": 1,
  "app_config": {},
  "_pretty_install_time": "Jul 15 at 01:31 AM",
  "configuration": {
    "api_key": {
      "required": true,
      "description": "API Key",
      "data_type": "password"
  "product_vendor": "AbuseIPDB",
  "publisher": "Splunk",
  "name": "AbuseIPDB",
  "release_tag": null,
  "consolidate_widgets": true,
  "appid": "52876771-17a7-45ad-8cc5-513bbd2172c5",
  "directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5",
  "_pretty_dark_logo": "logo_abuseipdb_dark.svg",
  "require_auth_token": false,
  "main_module": "abuseipdb_connector.pyc",
  "known_versions": [

The return values of note follow:

Field Type Description
app_version string The version of the app.
configuration JSON object Key value pairs for configuration. Required and optional values are defined by the Apps. See individual App documentation for more info. For example:
	"configuration": {
		"api_key": {
			"required": true,
			"order": 0,
			"data_type": "password",
			"description": "API Key"
description string A brief description of the app.
id string The Id of the app.
install_time string The time that the app was installed, in epoch UTC format.
logo string The product logo in .svg or .png format.
logo_dark string The dark mode product logo in .svg or .png format.
name string Short name for the asset. Used when invoking an action on this asset.
product_name string Official name of the product. Used when invoking an action on this asset.
product_vendor string The name of the app vendor. Used when invoking an action on this asset.
publisher string The publisher of the app, such as Phantom or Splunk or SentinelOne.
python_version string Python version number.
tags array of strings 0 or more tags associated with the asset. A simple string can also be used for a single tag. Optional, for use with Playbooks.
type string A brief categorization of this asset.
Last modified on 26 February, 2020
REST Aggregation Rules   REST Approval

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters