REST CEF
Splunk Phantom uses the Common Event Format (CEF). A CEF is a key:value pair that records one key piece of information about an artifact. The value's data type (the data_type field in this API) is usually referred to as the "contains" for short.
/rest/cef
Get a list of available CEF.
Syntax
https://<username>:<password>@<host>/rest/cef
Usage details
Use the page and page_size parameters to retrieve additional pages and the _filter_* parameters to narrow the results. All built-in CEFs have the type "default"; CEFs you add have the type "custom". Only custom CEFs are mutable: a CEF with the type "default" cannot be modified. The examples below use curl -k, which skips TLS certificate verification; that is acceptable only against a lab instance that still has its self-signed certificate.
GET
Get a list of available CEF.
Example request
Get a list of available CEF.
curl -k -u admin:changeme https://localhost/rest/cef -G -X GET
Example response
A successful GET returns a JSON-formatted list of key names and their contains data.
{
  "count": 151,
  "data": [
    { "type": "default", "id": 1, "data_type": [ "mac address" ], "name": "dmac" },
    …
    { "type": "custom", "id": 566, "data_type": [ "myIp" ], "name": "myDestination" }
  ],
  "num_pages": 16
}
POST
Add a custom CEF.
Example request
You can add a custom CEF by supplying a JSON-formatted body. Passing -d makes curl send a POST.
curl -k -u admin:changeme https://localhost/rest/cef \
  -d '{ "name":"docs-test-cef", "data_type":["test"] }'
Example response
A successful response includes the numeric ID assigned to the new CEF.
{ "id": 151, "success": true }
/rest/cef filters
You can use the following query parameters to filter the results. Filter values are double-quoted strings, so wrap the URL in single quotes on the command line (or URL-encode the quotes as %22); otherwise the shell strips the quotes before curl sends the request.
Parameter | Required | Type | Description
_filter_type | optional | string | Either "custom" or "default" (quoted). "custom" returns only custom CEFs; "default" returns only the built-in CEFs.
_filter_name | optional | string | The quoted name of the CEF you want information about.
/rest/cef?_filter_type="custom"
List the custom CEFs.
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_type="custom"
GET
Get a list of all custom CEFs defined on the system.
Example request
Get a list of all custom CEFs. The URL is single-quoted so the quotes around custom reach the server.
curl -k -u admin:changeme 'https://localhost/rest/cef?_filter_type="custom"'
Example response
A successful GET returns a JSON-formatted list of key names and their contains data.
{
  "count": 1,
  "data": [
    { "type": "custom", "id": 151, "data_type": [ "test" ], "name": "docs-test-cef" }
  ],
  "num_pages": 1
}
/rest/cef?page_size=<n>&page=<n>
Get a paginated list of CEFs.
Syntax
https://<username>:<password>@<host>/rest/cef?page_size=<n>&page=<n>
Usage
page_size sets the number of results per page (the default is 10) and page selects the page, counting from 0. Combine these with _filter_type="custom" to page through custom CEFs only.
GET
Get a list of the CEFs defined on the system, organized into pages.
Example request
Get the first page of 10 CEFs. The URL is single-quoted so the shell does not treat & as a background operator.
curl -k -u admin:changeme 'https://localhost/rest/cef?page_size=10&page=0'
Example response
A successful GET returns a JSON-formatted list of key names and their contains data. count is the total number of matching CEFs and num_pages the number of pages at the requested page size.
{
  "count": 151,
  "data": [
    { "type": "default", "id": 1, "data_type": [ "mac address" ], "name": "dmac" },
    { "type": "default", "id": 2, "data_type": [], "name": "act" },
    { "type": "default", "id": 3, "data_type": [ "host name" ], "name": "dhost" },
    { "type": "default", "id": 4, "data_type": [], "name": "app" },
    { "type": "default", "id": 5, "data_type": [], "name": "deviceCustomDate2Label" },
    { "type": "default", "id": 6, "data_type": [], "name": "applicationProtocol" },
    { "type": "default", "id": 7, "data_type": [], "name": "deviceDirection" },
    { "type": "default", "id": 8, "data_type": [], "name": "baseEventCount" },
    { "type": "default", "id": 9, "data_type": [ "domain" ], "name": "dntdom" },
    { "type": "default", "id": 10, "data_type": [], "name": "bytesIn" }
  ],
  "num_pages": 16
}
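The filter parameters and the pagination described above, as an added example that is not part of the Phantom documentation or product code. It builds /rest/cef URLs with the quoted _filter_type and _filter_name values URL-encoded (so no shell can strip them), walks every page by following num_pages instead of trusting a single page, and de-duplicates rows by id in case the server's ordering shifts between requests. The fetch function is injected: make_http_fetch returns a real basic-auth transport, while fake_fetch serves a constructed sample listing so the example runs offline. The response shape (count, data, num_pages) and the zero-based page parameter are taken from this page; the function and variable names are the example's own.

```python
"""Build correctly quoted /rest/cef URLs and walk a paginated listing.

Added example, not Phantom's own client code. Assumes the response shape shown
on the page (count, data, num_pages) and that _filter_* values are
double-quoted strings.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request


def build_cef_url(base_url, filter_type=None, filter_name=None, page=None, page_size=None):
    """Return <base_url>/rest/cef with every query parameter URL-encoded.

    Filter values are wrapped in double quotes before encoding; the quotes
    become %22, so neither a shell nor a proxy can strip them.
    """
    params = {}
    if filter_type is not None:
        if filter_type not in ("custom", "default"):
            raise ValueError("filter_type must be 'custom' or 'default'")
        params["_filter_type"] = '"%s"' % filter_type
    if filter_name is not None:
        params["_filter_name"] = json.dumps(filter_name)  # quotes and escapes the name
    if page is not None:
        params["page"] = str(int(page))
    if page_size is not None:
        params["page_size"] = str(int(page_size))
    url = base_url.rstrip("/") + "/rest/cef"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def make_http_fetch(username, password, verify_tls=True):
    """Return fetch(url) -> dict using HTTP basic auth, as the curl examples do.

    verify_tls=False mirrors curl -k and belongs in a lab only.
    """
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=context, timeout=30) as resp:
            return json.load(resp)

    return fetch


def iter_cefs(fetch, base_url, filter_type=None, page_size=10):
    """Yield every CEF entry, following num_pages so a small page_size never truncates the listing."""
    page = 0
    seen = set()
    while True:
        body = fetch(build_cef_url(base_url, filter_type=filter_type, page=page, page_size=page_size))
        for entry in body.get("data", []):
            if entry["id"] in seen:  # defensive: an unstable sort could repeat a row across pages
                continue
            seen.add(entry["id"])
            yield entry
        page += 1
        if page >= body.get("num_pages", 1):
            break


# Constructed sample listing (not captured from a real instance): seven entries
# mixing default and custom CEFs, served by fake_fetch below.
SAMPLE_CEFS = [
    {"type": "default", "id": 1, "data_type": ["mac address"], "name": "dmac"},
    {"type": "default", "id": 2, "data_type": [], "name": "act"},
    {"type": "default", "id": 3, "data_type": ["host name"], "name": "dhost"},
    {"type": "default", "id": 9, "data_type": ["domain"], "name": "dntdom"},
    {"type": "custom", "id": 151, "data_type": ["test"], "name": "docs-test-cef"},
    {"type": "custom", "id": 566, "data_type": ["myIp"], "name": "myDestination"},
    {"type": "default", "id": 10, "data_type": [], "name": "bytesIn"},
]


def fake_fetch(url):
    """Serve SAMPLE_CEFS the way /rest/cef does, honouring _filter_type, page and page_size."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    rows = SAMPLE_CEFS
    if "_filter_type" in query:
        wanted = json.loads(query["_filter_type"][0])  # strip the quotes the client added
        rows = [r for r in rows if r["type"] == wanted]
    size = int(query.get("page_size", ["10"])[0])
    page = int(query.get("page", ["0"])[0])
    num_pages = max(1, -(-len(rows) // size))  # ceiling division
    return {"count": len(rows), "data": rows[page * size:(page + 1) * size], "num_pages": num_pages}


if __name__ == "__main__":
    for cef in iter_cefs(fake_fetch, "https://localhost", filter_type="custom", page_size=3):
        print(cef["id"], cef["name"], cef["data_type"])
```

Swap fake_fetch for make_http_fetch("admin", "changeme") to run against a real instance; the URL builder and pager are unchanged.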
/rest/cef?_filter_name="<name>"
Get information about a single CEF, by name.
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_name="<name>"
GET
Get information about a single CEF, by name.
Example request
Get the CEF named docs-test-cef. The URL is single-quoted so the quotes around the name reach the server.
curl -k -u admin:changeme 'https://localhost/rest/cef?_filter_name="docs-test-cef"'
Example response
A successful GET returns a JSON-formatted list of key names and their contains data.
{
  "count": 1,
  "data": [
    { "type": "custom", "id": 151, "data_type": [ "test" ], "name": "docs-test-cef" }
  ],
  "num_pages": 1
}
/rest/cef/<id>
Update a custom CEF.
Syntax
https://<username>:<password>@<host>/rest/cef/<id>
POST
Update a custom CEF by supplying its ID in the path and a JSON-formatted body containing the new values. A CEF with the type "default" cannot be updated.
Example request
Rename the custom CEF with ID 151 (docs-test-cef) to docs-example-cef and change its data type to example.
curl -k -u admin:changeme https://localhost/rest/cef/151 \
  -d '{ "name":"docs-example-cef", "data_type":["example"] }'
Example response
A successful response includes the numeric ID of the updated CEF.
{ "id": 151, "success": true }
DELETE
Delete a custom CEF by supplying its ID in the path.
Example request
Delete the custom CEF with ID 151.
curl -k -u admin:changeme https://localhost/rest/cef/151 -X DELETE
Example response
A successful response includes a success message.
{ "success": true }
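Because only custom CEFs are mutable, a script that updates or deletes a CEF should look it up first and refuse to act on a default one rather than rely on the server's error. The following is an added example, not Phantom's own code: it resolves the CEF by name through _filter_name, checks that exactly one match exists and that its type is "custom", and only then POSTs the update or sends the DELETE to /rest/cef/<id>, using the request and response shapes shown on this page. The transport is a function send(method, url, payload) -> dict so the example runs offline against a constructed in-memory stand-in (FakeServer); make_http_send provides the real basic-auth transport. CefError, lookup_cef and the other names are the example's own.

```python
"""Update or delete a custom CEF only after confirming it is custom.

Added example, not Phantom's own code. Assumes the /rest/cef request and
response shapes shown on the page.
"""
import base64
import json
import urllib.parse
import urllib.request


class CefError(Exception):
    """Raised when a CEF cannot be resolved or must not be modified."""


def lookup_cef(send, base_url, name):
    """Return the single CEF entry named `name`; raise if it is absent or ambiguous."""
    url = base_url.rstrip("/") + "/rest/cef?" + urllib.parse.urlencode({"_filter_name": json.dumps(name)})
    body = send("GET", url, None)
    matches = [e for e in body.get("data", []) if e.get("name") == name]
    if len(matches) != 1:
        raise CefError("expected exactly one CEF named %r, found %d" % (name, len(matches)))
    return matches[0]


def _require_custom(entry):
    """Default CEFs are immutable; refuse before sending anything."""
    if entry.get("type") != "custom":
        raise CefError("CEF %r (id %s) has type %r; only custom CEFs are mutable"
                       % (entry.get("name"), entry.get("id"), entry.get("type")))


def update_cef(send, base_url, name, new_name=None, data_type=None):
    """Rename and/or retype a custom CEF; returns its numeric ID."""
    entry = lookup_cef(send, base_url, name)
    _require_custom(entry)
    payload = {"name": new_name or entry["name"],
               "data_type": data_type if data_type is not None else entry["data_type"]}
    body = send("POST", "%s/rest/cef/%d" % (base_url.rstrip("/"), entry["id"]), payload)
    if not body.get("success"):
        raise CefError("update failed: %r" % (body,))
    return body["id"]


def delete_cef(send, base_url, name):
    """Delete a custom CEF by name; returns the ID that was removed."""
    entry = lookup_cef(send, base_url, name)
    _require_custom(entry)
    body = send("DELETE", "%s/rest/cef/%d" % (base_url.rstrip("/"), entry["id"]), None)
    if not body.get("success"):
        raise CefError("delete failed: %r" % (body,))
    return entry["id"]


def make_http_send(username, password):
    """Real transport: HTTP basic auth, JSON body, TLS verified (the equivalent of curl without -k)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()

    def send(method, url, payload):
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Basic " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return send


class FakeServer:
    """Constructed in-memory stand-in for /rest/cef (not captured from Phantom)."""

    def __init__(self):
        self.cefs = {
            1: {"type": "default", "id": 1, "data_type": ["mac address"], "name": "dmac"},
            151: {"type": "custom", "id": 151, "data_type": ["test"], "name": "docs-test-cef"},
        }

    def send(self, method, url, payload):
        parts = urllib.parse.urlsplit(url)
        if method == "GET":
            name = json.loads(urllib.parse.parse_qs(parts.query)["_filter_name"][0])
            rows = [e for e in self.cefs.values() if e["name"] == name]
            return {"count": len(rows), "data": rows, "num_pages": 1}
        cef_id = int(parts.path.rsplit("/", 1)[1])
        if method == "POST":
            self.cefs[cef_id].update(payload)
            return {"id": cef_id, "success": True}
        if method == "DELETE":
            del self.cefs[cef_id]
            return {"success": True}
        raise ValueError(method)


if __name__ == "__main__":
    srv = FakeServer()
    print(update_cef(srv.send, "https://localhost", "docs-test-cef", new_name="docs-example-cef", data_type=["example"]))
    print(delete_cef(srv.send, "https://localhost", "docs-example-cef"))
```

Against a real instance, pass make_http_send("admin", "changeme") as send; the lookup-then-check sequence is the same, and the guard means a typo in the name can never turn into a write against a built-in CEF.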
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7