Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST Evidence

Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.

/rest/evidence

Manage evidence.

Syntax 

https://<username>:<password>@<host>/rest/evidence

POST

Add evidence to a container.

The body of the request is a JSON object with the following fields.

Field Required Description
container_id required Id of the container to which you are adding evidence.
object_id required Id of object to be added -- artifact id, note id, etc.
content_type required The content type of the object to add as evidence. One of the types:
  • containerattachment
  • artifact
  • actionrun
  • container
  • note

Example request
Add an artifact of Id 17 to container Id 9. 

curl -k -u admin:changeme https://localhost/rest/evidence \
-d '{
    "container_id": 9,
    "object_id": 17,
    "content_type": "artifact",
}'

Example response
A successful POST will return a success indicator and the Id of the newly created evidence. 

{
    "id": 4,
    "success": true
}

/rest/evidence optional query parameters and filters

Query all evidence with the addition of query parameters and filters. See REST Query Data for further information about query parameters.

/rest/evidence?&_special_content_type=True&_filter_container=<container id>

Example query parameters and filters follow:

  • _special_content_type=True - adds a string to the JSON returned that gives the type of evidence. Allowable values are actionrun, artifact, container, containerattachment, and note. In the following example, the type is "artifact".
  • _filter_container=<container id> - filters the query to a single container.

For cases or containers that have large collections of evidence, consider adding paging parameters.

Syntax 

https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>

GET

Get a list of evidence.

Example request
Get a list of evidence for container Id 5 with a page size of 5 and special content type true. 

curl -k -u admin:changeme https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5 -G -X GET

Example response
A successful GET will return back a JSON formatted list of key names and data. 

{
    "count": 1,
    "data": [
        {
            "container": 5,
            "modified_time": "2019-05-23T17:18:39.595829Z",
            "_special_content_type": "artifact",
            "create_time": "2019-05-23T17:18:39.595528Z",
            "object_id": 20,
            "content_type": 52,
            "id": 1
        }
    ],
    "num_pages": 1
}

/rest/evidence?_special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true

Return information about a note's attachments when it is marked as evidence. If this parameter is present, the response will include a _special_content_object field which will contain a list of objects or None if there are no attachments for the note.

GET

Return information about the note's attachments.

Example request
Return information about the note's attachments. 

/rest/evidence?_special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true

Example response
A successful GET provides information about the size, name, and container attachment ID of the note. 

{
'id': 605, 
'create_time': '2020-04-14T02:26:41.993230Z', 
'modified_time': '2020-04-14T02:26:41.993413Z', 
'container': 9738, 
'object_id': 5203, 
'content_type': 96, 
'_special_content_object': 
{
'id': 5203,
 'title': '',
 'content': 'note_content_fosecdYXmfSG',
 'create_time': '2020-04-14T02:26:41.297248Z',
 'modified_time': '2020-04-14T02:26:41.938770Z',
 'note_type': 'g',
 'author': 1640,
 'phase': None,
 'container': 9739,
 'task': None,
 'artifact': None,
 'container_attachments': 
[{'name': 'container_attachment_ciYQzbVNGnjr', 'size': 0, 'container_attachment_id': 1514}, 
{'name': 'container_attachment_YaLEONTFIpSj', 'size': 0, 'container_attachment_id': 1515}, 
{'name': 'container_attachment_BwdoyghERKcn', 'size': 0, 'container_attachment_id': 1516}]
}
}

/rest/evidence/<evidence id>

Manage one item by evidence Id.

DELETE

Delete an item from evidence.

Example request
Delete the evidence with Id 5. 

curl -k -u admin:changeme https://localhost/rest/evidence/5 -X DELETE

Example response
A successful response includes a success message. 

{
    "id": 5,
    "success": true
}
Last modified on 01 April, 2022
REST custom function   REST HUD

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters