Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST custom function

/rest/custom_function

https://<username>:<password>@<host>/rest/custom_function

Create or view a list of all custom functions.

POST

Create a custom function.

Request parameters

| Field | Required | Type | Description |
| --- | --- | --- | --- |
| name | required | string | A unique name per repository that identifies the custom function. |
| scm_id | required | string | The ID for an existing repository on the system. |

<Returned values>

None.

Fields for both creating and updating a custom function

| Field | Required | Type | Default | Description |
| --- | --- | --- | --- | --- |
| draft_mode | optional | Boolean | true | A flag to mark a custom function as a draft version. This flag allows you to save invalid Python code while draft_mode is set to true. |
| python | optional | string | true | Python code that executes for the custom function when it is included in a playbook. |
| description | optional | string | true | Descriptive text for the custom function. This field displays when selecting custom functions inside the playbook editor. |
| commit_message | Dependency of a Python field | string | true | This field is required if the Python field is passed. This message is used for the commit of the changed Python and metadata files to the connected repository. |
| inputs | optional | JSON object | {} | Inputs are used for configuring the custom function in the playbook editor. Example value: [{"description": "fgh", "contains_type": ["ip"], "name": "fgh"}] |
| outputs | optional | JSON object | {} | Outputs are used for configuring downstream blocks from the custom function in the playbook editor. Example value: [{"data_path": "ip", "description": "This is an ip", "contains_type": ["ip"]}] |

Example request and response
This example JSON request shows creating the draft version of a non-draft custom function, and giving that draft version a different description. This request doesn't disable the current custom function, so it doesn't affect any playbooks using this custom function.

JSON request

curl -k -u admin:changeme https://localhost/rest/custom_function/1 \
-d '{
    "description": "Example description. Can be any text.",
    "draft_mode": true
}'

JSON response

{
    "warnings": [],
    "errors": [],
    "id": 2,
    "success":  true,
    "commit_sha":  "1ded5f50ac2e2790b3e2869f6e1487ffc4236856"
}

The ID passed back in the response is the newly created custom function. commit_sha is the commit for the new files.

GET

View a list of custom functions.

<Returned values>

None.

Notable parameters

| Field | Required | Type | Description |
| --- | --- | --- | --- |
| commit_sha | optional | string | The most recent GIT commit identifier for the custom function. |
| disabled | optional | Boolean | Describes whether the custom function is active or inactive. |
| draft_mode | optional | Boolean | If you set the draft_mode field to true, you can see your draft mode versions of custom functions. If you set the draft_mode field to false, you can see your non-draft mode custom functions. |
| latest_editor | optional | integer | A foreign key to a PhUser model. This field reflects the last Splunk Phantom user that edited the custom function. |
| name | optional | string | The name of the custom function. This name is the same as the name on the custom function listing page. |
| scm | optional | integer | A foreign key to the SCM model. This field is the current repository where the custom function is saved. |

Example request and response
Request to view the list of custom functions.

curl -k -u admin:changeme https://localhost/rest/custom_function -G -X GET

JSON response

{
    "count": 1,
    "data": [
        {
            "scm": 1,
            "platform_version": "4.8",
            "description": "This is a description",
            "latest_editor": 1,
            "json_blob_sha": "c7299d2825c823d24d2570bed7f2321bee7113ef",
            "draft_mode": false,
            "forked_from": null,
            "commit_sha": "7e08d23bd11bc3043e0872a58e8ead0722edc3b3",
            "python_blob_sha": "37422d6dc6e7fee1b05b2a9fc58edceb0a0d069f",
            "scm_user_name": "",
            "last_updated_time": "2020-01-01T01:00:00Z",
            "version": 1,
            "passed_validation": true,
            "date_created": "2020-01-01T01:00:00Z",
            "disabled": false,
            "id": 1,
            "custom_function_id": "930b704e669274d0fb9293d1db5bdc5f0c457304",
            "name": "example_custom_function"
        }
    ],
    "num_pages": 1
}



/rest/custom_function/<id>

https://<username>:<password>@<host>/rest/custom_function/<id>

Update a custom function, or view a list of all custom functions.

POST

Update a custom function.

You can't update the name or scm_id fields of an existing custom function. Because you can't update the fields, when you make a POST request, make sure to either match the name and scm_id fields in the request body, or don't include the name and scm_id fields in the request body in order for it to pass. If you want to change the name and scm_id fields of the custom function, you need to create a copy.

<Returned values>

None.

Fields for both creating and updating a custom function

| Field | Required | Type | Default | Description |
| --- | --- | --- | --- | --- |
| draft_mode | optional | Boolean | true | A flag to mark a custom function as a draft version. This flag allows you to save invalid Python code while draft_mode is set to true. |
| python | optional | string | true | Python code that runs for the custom function when it is included in a playbook. |
| description | optional | string | true | Descriptive text for the custom function. This field is shown when selecting custom functions inside the playbook editor. |
| commit_message | Dependency of a Python field | string | true | This field is required if the Python field is passed. This message is used for the commit of the changed Python and metadata files to the connected repository. |
| inputs | optional | JSON object | {} | Inputs are used for configuring the custom function in the playbook editor. Example value: [{"description": "fgh", "contains_type": ["ip"], "name": "fgh"}] |
| outputs | optional | JSON object | {} | Outputs are used for configuring downstream blocks from the custom function in the playbook editor. Example value: [{"data_path": "ip", "description": "This is an ip", "contains_type": ["ip"]}] |

Example request and response
This example JSON request shows creating the draft version of a non-draft custom function, and giving that draft version a different description. This request doesn't disable the current custom function, so it doesn't affect any playbooks using this custom function.

JSON request

curl -k -u admin:changeme https://localhost/rest/custom_function/1 \
-d '{
    "description": "Example description. Can be any text.",
    "draft_mode": true
}'

JSON response

{
    "warnings": [],
    "errors": [],
    "id": 2,
    "success":  true,
    "commit_sha":  "1ded5f50ac2e2790b3e2869f6e1487ffc4236856"
}

The ID passed back in the response is the newly created custom function. commit_sha is the commit for the new files.
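
The field rules in the tables above (name and scm_id required on create and not changeable on update, commit_message required whenever python is passed) can be checked on the client before the POST is made. The following is an added example, not code from the Splunk documentation; the function names build_payload and build_request are hypothetical, and the request is only constructed, never sent.

```python
import base64
import json
import ssl
import urllib.request

# Field rules taken from the tables on this page.
CREATE_REQUIRED = ("name", "scm_id")
SHARED_FIELDS = ("draft_mode", "python", "description",
                 "commit_message", "inputs", "outputs")


def build_payload(fields, existing=None):
    """Validate fields and return the JSON body for a create (existing=None)
    or an update (existing = the record returned by GET .../<id>)."""
    unknown = set(fields) - set(CREATE_REQUIRED) - set(SHARED_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    if "python" in fields and not fields.get("commit_message"):
        raise ValueError("commit_message is required when python is passed")
    body = dict(fields)
    if existing is None:
        missing = [f for f in CREATE_REQUIRED if f not in fields]
        if missing:
            raise ValueError(f"create requires: {missing}")
    else:
        # name and scm_id cannot change on update: they must match or be omitted.
        for f in CREATE_REQUIRED:
            if f in body and body[f] != existing.get(f):
                raise ValueError(f"{f} cannot be updated; create a copy instead")
            body.pop(f, None)
    return json.dumps(body, sort_keys=True)


def build_request(host, user, password, payload, function_id=None):
    """Return (Request, SSLContext) for the POST; nothing is sent here."""
    path = "/rest/custom_function"
    if function_id is not None:
        path += f"/{int(function_id)}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{path}", data=payload.encode(), method="POST",
        headers={"Authorization": f"Basic {token}"})  # same scheme as curl -u
    # The default context verifies the server certificate, unlike curl -k.
    return req, ssl.create_default_context()
```

Pass the returned context to urllib.request.urlopen(req, context=ctx) to send the request with certificate verification enabled.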

GET

View a single custom function or a list of custom functions.

<Returned values>

None.

Notable parameters

| Field | Required | Type | Description |
| --- | --- | --- | --- |
| commit_sha | optional | string | The most recent GIT commit identifier for the custom function. |
| disabled | optional | Boolean | Describes whether the custom function is active or inactive. |
| draft_mode | optional | Boolean | If you set the draft_mode field to true, you can see your draft mode versions of custom functions. If you set the draft_mode field to false, you can see your non-draft mode custom functions. |
| latest_editor | optional | integer | A foreign key to a PhUser model. This foreign key reflects the last Splunk Phantom user that edited the custom function. |
| name | optional | string | The name of the custom function. This name is the same as the name in the custom function listing page. |
| scm | optional | integer | A foreign key to the SCM model. This foreign key is the current repository where the custom function is saved. |

Example request and response

JSON request

curl -k -u admin:changeme https://localhost/rest/custom_function/<id> -G -X GET

Request to view a single custom function.

JSON response

{
    "playbooks": [
        {
            "active": true,
            "draft_mode": false,
            "name": "toggle_playbook_active",
            "id": 1
        }
    ],
    "disabled": false,
    "scm_user_name": "",
    "create_time": "2020-01-01T01:00:00Z",
    "id": 1,
    "scm_id": 1,
    "latest_editor": 1,
    "warnings": [],
    "commit_sha": "7e08d23bd11bc3043e0872a58e8ead0722edc3b3",
    "platform_version": "4.8",
    "version": 10,
    "passed_validation": true,
    "inputs": [
        {
            "custom_function": 10,
            "description": "",
            "contains_type": [
                "*"
            ],
            "id": 10,
            "name": "input_1"
        }
    ],
    "description": "This is a description",
    "draft_mode": false,
    "python": "def example_custom_function(input_1=None, **kwargs): return {} ",
    "outputs": [],
    "errors": [],
    "custom_function_id": "930b704e669274d0fb9293d1db5bdc5f0c457304",
    "name": "example_custom_function",
    "json_blob_sha": "c7299d2825c823d24d2570bed7f2321bee7113ef",
    "forked_from": null,
    "python_blob_sha": "37422d6dc6e7fee1b05b2a9fc58edceb0a0d069f",
    "date_created": "2020-01-01T01:00:00Z"
}


Last modified on 29 April, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

