Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom



Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST CEF

Splunk Phantom uses the Common Event Format (CEF). CEF is a system of key:value pairs that hold key pieces of information about an artifact. The data type of a value (the data_type field in the responses below) is often referred to as the "contains" for short.

/rest/cef

Get a list of available CEFs.

Syntax

https://<username>:<password>@<host>/rest/cef

Usage details
Use query parameters to request additional pages or sorting. All default CEFs have the type "default"; custom CEFs have the type "custom". Only custom CEFs are mutable: CEFs with the type "default" cannot be modified.

GET

Get a list of available CEFs.

Example request
Get a list of available CEFs.

curl -k -u admin:changeme https://localhost/rest/cef -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 151,
    "data": [
        {
            "type": "default",
            "id": 1,
            "data_type": [
                "mac address"
            ],
            "name": "dmac"
        },
        …
        {
            "type": "custom",
            "id": 566,
            "data_type": ["myIp"],
            "name": "myDestination"
        }
    ],
    "num_pages": 16
}

POST

Add a custom CEF.

Example request
You can add a custom CEF by supplying a JSON-formatted body.

curl -k -u admin:changeme https://localhost/rest/cef \
    -d '{
        "name": "docs-test-cef",
        "data_type": ["test"]
    }'

Example response
A successful response includes the numeric Id given to the CEF.

{
    "id": 151,
    "success": true
}

/rest/cef filters

You can use operators to sort or filter the results.

Parameter      Required   Type     Description
_filter_type   optional   string   Either "custom" or "default". Custom returns only custom CEFs, while default returns a list of all default CEFs.
_filter_name   optional   string   A quoted name for the CEF you want information about.

/rest/cef?_filter_type="custom"

Look up information about a CEF

Syntax

https://<username>:<password>@<host>/rest/cef?_filter_type="custom"

GET

Get a list of all custom CEFs defined on the system.

Example request
Get a list of custom CEFs.

curl -k -u admin:changeme 'https://localhost/rest/cef?_filter_type="custom"' -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 1,
    "data": [
        {
            "type": "custom",
            "id": 151,
            "data_type": [
                "test"
            ],
            "name": "docs-test-cef"
        }
    ],
    "num_pages": 1
}

/rest/cef?custom=true&page_size=3&page=0

Get a paginated list of all custom CEFs

Syntax

https://<username>:<password>@<host>/rest/cef?custom=true&page_size=<size>&page=<page>

Usage
You can set the page size to any valid integer.

GET

Get a list of all custom CEFs defined on the system, organized into pages.

Example request
Get a page of available CEFs.

curl -k -u admin:changeme 'https://localhost/rest/cef?custom=true&page_size=3&page=0' -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 151,
    "data": [
        {
            "type": "default",
            "id": 1,
            "data_type": [
                "mac address"
            ],
            "name": "dmac"
        },
        {
            "type": "default",
            "id": 2,
            "data_type": [],
            "name": "act"
        },
        {
            "type": "default",
            "id": 3,
            "data_type": [
                "host name"
            ],
            "name": "dhost"
        },
        {
            "type": "default",
            "id": 4,
            "data_type": [],
            "name": "app"
        },
        {
            "type": "default",
            "id": 5,
            "data_type": [],
            "name": "deviceCustomDate2Label"
        },
        {
            "type": "default",
            "id": 6,
            "data_type": [],
            "name": "applicationProtocol"
        },
        {
            "type": "default",
            "id": 7,
            "data_type": [],
            "name": "deviceDirection"
        },
        {
            "type": "default",
            "id": 8,
            "data_type": [],
            "name": "baseEventCount"
        },
        {
            "type": "default",
            "id": 9,
            "data_type": [
                "domain"
            ],
            "name": "dntdom"
        },
        {
            "type": "default",
            "id": 10,
            "data_type": [],
            "name": "bytesIn"
        }
    ],
    "num_pages": 16
}

/rest/cef?_filter_name="<name>"

Get information about a single CEF, by name.

Syntax

https://<username>:<password>@<host>/rest/cef?_filter_name="<name>"

GET

Get information about a single CEF, by name.

Example request
Get the CEF called docs-test-cef.

curl -k -u admin:changeme 'https://localhost/rest/cef?_filter_name="docs-test-cef"' -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 1,
    "data": [
        {
            "type": "custom",
            "id": 151,
            "data_type": [
                "test"
            ],
            "name": "docs-test-cef"
        }
    ],
    "num_pages": 1
}

/rest/cef/<id>

Update a custom CEF.

Syntax

https://<username>:<password>@<host>/rest/cef/<id>

POST

Update a custom CEF by supplying the CEF Id and a JSON-formatted body of the updates.

Example request
Update the custom CEF called docs-example-cef.

curl -k -u admin:changeme https://localhost/rest/cef/<id> \
    -d '{
        "name": "docs-example-cef",
        "data_type": ["example"]
    }'

Example response
A successful response includes the numeric Id given to the CEF.

{
    "id": 151,
    "success": true
}

DELETE

Delete a custom CEF by supplying the CEF Id.

Example request
Delete the custom CEF with Id 151.

curl -k -u admin:changeme https://localhost/rest/cef/151 -X DELETE

Example response
A successful response includes a success message.

{
    "success": true
}
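The following Python client is an added example, not part of Splunk's documentation or of Phantom's own code. It exercises the endpoints above end to end: listing with _filter_type and _filter_name (sent as the quoted literals the URLs on this page use), walking pages with num_pages, creating a custom CEF with POST /rest/cef, and deleting one with DELETE /rest/cef/<id>. The delete helper resolves the name first and refuses to touch anything whose type is not "custom", mirroring the rule that default CEFs are immutable. The base URL https://phantom.example, the transport function shape, and the in-memory fake_transport (seeded from the sample entries on this page) are assumptions made for this example; certificate verification stays on by default, and verify=False reproduces curl -k for lab hosts only.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request


def urllib_transport(method, url, auth, body=None, verify=True):
    """Default transport: one HTTPS request with HTTP Basic auth, standard library only."""
    req = urllib.request.Request(url, method=method)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify:  # same effect as curl -k; only for lab hosts with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, data=data, context=ctx) as resp:
        return json.loads(resp.read().decode())


class CefClient:
    def __init__(self, base_url, username, password, verify=True, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.auth = (username, password)
        self.verify = verify
        self.transport = transport  # injectable so the client can be exercised offline

    def _call(self, method, path, params=None, body=None):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        return self.transport(method, url, self.auth, body, self.verify)

    def list_cef(self, filter_type=None, filter_name=None, page=None, page_size=None):
        """GET /rest/cef; _filter_* values go out as quoted string literals, as in the docs' URLs."""
        raw = {"_filter_type": filter_type, "_filter_name": filter_name, "page": page, "page_size": page_size}
        params = {k: (json.dumps(v) if k.startswith("_filter") else v) for k, v in raw.items() if v is not None}
        return self._call("GET", "/rest/cef", params)

    def iter_cef(self, page_size=100, **filters):
        """Walk every page, taking num_pages from each response to decide when to stop."""
        page, pages = 0, 1
        while page < pages:
            resp = self.list_cef(page=page, page_size=page_size, **filters)
            yield from resp["data"]
            pages, page = resp.get("num_pages", 1), page + 1

    def create_cef(self, name, data_type):
        return self._call("POST", "/rest/cef", body={"name": name, "data_type": list(data_type)})

    def delete_custom_cef(self, name):
        """Resolve the name first and refuse anything that is not type 'custom' (defaults are immutable)."""
        hits = self.list_cef(filter_name=name)["data"]
        if not hits or hits[0]["type"] != "custom":
            raise PermissionError(f"{name!r} is not an existing custom CEF; default CEFs cannot be modified")
        return self._call("DELETE", f"/rest/cef/{hits[0]['id']}")


def fake_transport(store):
    """Constructed in-memory stand-in for a Phantom host; 'store' maps id -> CEF record."""
    def call(method, url, auth, body=None, verify=True):
        parsed = urllib.parse.urlparse(url)
        q = {k: v[0] for k, v in urllib.parse.parse_qs(parsed.query).items()}
        parts = parsed.path.strip("/").split("/")  # ['rest', 'cef'] or ['rest', 'cef', '<id>']
        if method == "GET":
            rows = list(store.values())
            if "_filter_type" in q:
                rows = [r for r in rows if r["type"] == json.loads(q["_filter_type"])]
            if "_filter_name" in q:
                rows = [r for r in rows if r["name"] == json.loads(q["_filter_name"])]
            size, page = int(q.get("page_size", 10)), int(q.get("page", 0))
            pages = max(1, -(-len(rows) // size))
            return {"count": len(rows), "data": rows[page * size:(page + 1) * size], "num_pages": pages}
        if method == "POST" and len(parts) == 2:  # POST /rest/cef creates a custom CEF
            new_id = max(store) + 1
            store[new_id] = {"type": "custom", "id": new_id, **body}
            return {"id": new_id, "success": True}
        if method == "DELETE":
            del store[int(parts[2])]
            return {"success": True}
        raise ValueError(f"unsupported call: {method} {parsed.path}")
    return call


def demo():
    store = {1: {"type": "default", "id": 1, "data_type": ["mac address"], "name": "dmac"},
             2: {"type": "default", "id": 2, "data_type": [], "name": "act"}}
    c = CefClient("https://phantom.example", "admin", "changeme", transport=fake_transport(store))
    created = c.create_cef("docs-test-cef", ["test"])
    names = [r["name"] for r in c.iter_cef(page_size=2)]
    try:
        c.delete_custom_cef("dmac")  # default CEF: the client-side guard must refuse this
        blocked = False
    except PermissionError:
        blocked = True
    c.delete_custom_cef("docs-test-cef")
    return created, names, blocked, sorted(r["name"] for r in store.values())
```

Against a real host, construct CefClient with the default transport and leave verify=True; the shell-quoting pitfall in the curl examples (an unquoted URL lets the shell strip the double quotes around the filter value and treat & as a job separator) does not arise here because urlencode builds the query string.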
Last modified on 03 September, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

