Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST Evidence

Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.


Manage evidence.




Add evidence to a container.

The body of the request is a JSON object with the following fields.

| Field | Required | Description |
|---|---|---|
| container_id | required | Id of the container to which you are adding evidence. |
| object_id | required | Id of object to be added -- artifact id, note id, etc. |
| content_type | required | The content type of the object to add as evidence. One of the types: containerattachment, artifact, actionrun, container, note. |

Example request
Add an artifact of Id 17 to container Id 9.

curl -k -u admin:changeme https://localhost/rest/evidence \
-d '{
    "container_id": 9,
    "object_id": 17,
    "content_type": "artifact"
}'

Example response
A successful POST will return a success indicator and the Id of the newly created evidence.

{
    "id": 4,
    "success": true
}

/rest/evidence optional query parameters and filters

Query all evidence with the addition of query parameters and filters. See REST Query Data for further information about query parameters.

/rest/evidence?&_special_content_type=True&_filter_container=<container id>

Example query parameters and filters follow:

  • _special_content_type=True - adds a string to the JSON returned that gives the type of evidence. Allowable values are actionrun, artifact, container, containerattachment, and note. In the following example, the type is "artifact".
  • _filter_container=<container id> - filters the query to a single container.

For cases or containers that have large collections of evidence, consider adding paging parameters.


https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>


Get a list of evidence.

Example request
Get a list of evidence for container Id 5 with a page size of 5 and special content type true.

curl -k -u admin:changeme "https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5" -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and data.

{
    "count": 1,
    "data": [
        {
            "container": 5,
            "modified_time": "2019-05-23T17:18:39.595829Z",
            "_special_content_type": "artifact",
            "create_time": "2019-05-23T17:18:39.595528Z",
            "object_id": 20,
            "content_type": 52,
            "id": 1
        }
    ],
    "num_pages": 1
}
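
The listing call above, as an added Python example (not Splunk's code): it validates `content_type` against the documented values, URL-encodes the query, keeps TLS certificate verification on instead of using `-k`, and follows `num_pages` to collect every record. The zero-based `page` parameter, the function names, and the sample records are assumptions constructed here.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Content types the page lists for POST /rest/evidence.
EVIDENCE_TYPES = {"actionrun", "artifact", "container", "containerattachment", "note"}

def evidence_payload(container_id, object_id, content_type):
    """Build the POST body; reject types the endpoint does not list."""
    if content_type not in EVIDENCE_TYPES:
        raise ValueError(f"unsupported content_type: {content_type!r}")
    return {"container_id": int(container_id), "object_id": int(object_id), "content_type": content_type}

def evidence_query(container_id, page, page_size=5):
    """URL-encode the list query so '&' is never left for a shell to interpret."""
    params = {"page": page, "page_size": page_size, "_special_content_type": "True",
              "_filter_container": int(container_id)}  # 'page' is an assumption
    return "/rest/evidence?" + urllib.parse.urlencode(params)

def https_fetcher(base_url, auth_header, ca_file=None):
    """Return fetch(path) that keeps certificate verification on (no curl -k)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    def fetch(path):
        req = urllib.request.Request(base_url + path, headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_evidence(fetch, container_id, page_size=5):
    """Yield every evidence record for one container, following num_pages."""
    page = 0
    while True:
        body = fetch(evidence_query(container_id, page, page_size))
        yield from body.get("data", [])
        page += 1
        if page >= body.get("num_pages", 0):
            break

# Constructed sample: two pages of evidence for container 5, served offline.
SAMPLE_PAGES = [
    {"count": 3, "num_pages": 2, "data": [{"id": 1, "object_id": 20}, {"id": 2, "object_id": 7}]},
    {"count": 3, "num_pages": 2, "data": [{"id": 3, "object_id": 21}]},
]

def sample_fetch(path):
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    return SAMPLE_PAGES[int(query["page"][0])]
```

Against a real instance, pass `https_fetcher(...)` in place of `sample_fetch`, with `ca_file` pointing at the CA that signed the server certificate.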


Return information about a note's attachments when it is marked as evidence. If this parameter is present, the response will include a _special_content_object field which will contain a list of objects or None if there are no attachments for the note.


Return information about the note's attachments.

Example request
Return information about the note's attachments.


Example response
A successful GET provides information about the size, name, and container attachment ID of the note.

'id': 605, 
'create_time': '2020-04-14T02:26:41.993230Z', 
'modified_time': '2020-04-14T02:26:41.993413Z', 
'container': 9738, 
'object_id': 5203, 
'content_type': 96, 
'id': 5203,
 'title': '',
 'content': 'note_content_fosecdYXmfSG',
 'create_time': '2020-04-14T02:26:41.297248Z',
 'modified_time': '2020-04-14T02:26:41.938770Z',
 'note_type': 'g',
 'author': 1640,
 'phase': None,
 'container': 9739,
 'task': None,
 'artifact': None,
[{'name': 'container_attachment_ciYQzbVNGnjr', 'size': 0, 'container_attachment_id': 1514}, 
{'name': 'container_attachment_YaLEONTFIpSj', 'size': 0, 'container_attachment_id': 1515}, 
{'name': 'container_attachment_BwdoyghERKcn', 'size': 0, 'container_attachment_id': 1516}]

/rest/evidence/<evidence id>

Manage one item by evidence Id.


Delete an item from evidence.

Example request
Delete the evidence with Id 5.

curl -k -u admin:changeme https://localhost/rest/evidence/5 -X DELETE

Example response
A successful response includes a success message.

{
    "id": 5,
    "success": true
}

Last modified on 01 April, 2022

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
