REST Evidence
Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.
/rest/evidence
Manage evidence.
Syntax
https://<username>:<password>@<host>/rest/evidence
POST
Add evidence to a container.
The body of the request is a JSON object with the following fields.
Field | Required | Description |
---|---|---|
container_id | required | Id of the container to which you are adding evidence. |
object_id | required | Id of the object to be added (artifact Id, note Id, and so on). |
content_type | required | The content type of the object to add as evidence. One of the types listed under _special_content_type below: actionrun, artifact, container, containerattachment, or note. |
Example request
Add an artifact of Id 17 to container Id 9.
curl -k -u admin:changeme https://localhost/rest/evidence \
  -d '{ "container_id": 9, "object_id": 17, "content_type": "artifact" }'
Example response
A successful POST will return a success indicator and the Id of the newly created evidence.
{ "id": 4, "success": true }
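As an added example (not code from the Splunk Phantom documentation), the following Python client performs this POST: it validates the three required fields before anything is sent, passes the credentials in an Authorization header rather than embedding them in the URL (where they would land in shell history and proxy logs), leaves TLS verification on, and checks the response for success. FakeOpener is a constructed stand-in for urllib's urlopen so the example runs offline; the set of allowed content types is the one this page lists under _special_content_type.

```python
import base64
import json
import urllib.request

# Evidence content types, as listed on this page under _special_content_type.
ALLOWED_CONTENT_TYPES = frozenset({"actionrun", "artifact", "container", "containerattachment", "note"})


def build_evidence_body(container_id, object_id, content_type):
    """Validate the three required fields and return the JSON body for POST /rest/evidence."""
    if content_type not in ALLOWED_CONTENT_TYPES:
        raise ValueError(f"unsupported content_type {content_type!r}; expected one of {sorted(ALLOWED_CONTENT_TYPES)}")
    for name, value in (("container_id", container_id), ("object_id", object_id)):
        # bool is a subclass of int, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return {"container_id": container_id, "object_id": object_id, "content_type": content_type}


def basic_auth_header(username, password):
    """HTTP Basic header, so the credentials travel in a header instead of the URL."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_evidence_response(raw):
    """Return the new evidence Id from the POST response, or raise if success is not true."""
    data = json.loads(raw)
    if data.get("success") is not True or not isinstance(data.get("id"), int):
        raise RuntimeError(f"evidence creation failed: {data!r}")
    return data["id"]


def add_evidence(base_url, username, password, container_id, object_id, content_type,
                 opener=urllib.request.urlopen):
    """POST /rest/evidence. `opener` defaults to urllib (TLS verified); inject a fake for offline use."""
    body = build_evidence_body(container_id, object_id, content_type)
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/evidence",
        data=json.dumps(body).encode("utf-8"),
        headers={**basic_auth_header(username, password), "Content-Type": "application/json"},
        method="POST",
    )
    with opener(request) as response:
        return parse_evidence_response(response.read())


class FakeOpener:
    """Constructed stand-in for urlopen: records each request and replies like the page's example response."""

    def __init__(self, reply=b'{"id": 4, "success": true}'):
        self.reply = reply
        self.requests = []

    def __call__(self, request):
        self.requests.append(request)
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self.reply

    def last_body(self):
        """The JSON body of the most recent request, decoded."""
        return json.loads(self.requests[-1].data)


if __name__ == "__main__":
    fake = FakeOpener()
    new_id = add_evidence("https://localhost", "admin", "changeme", 9, 17, "artifact", opener=fake)
    sent = fake.requests[0]
    print(sent.get_method(), sent.full_url, fake.last_body())
    print("created evidence id", new_id)
```

To run against a real instance, drop the `opener` argument; urllib then verifies the server certificate, which is the one behaviour the curl example's `-k` switches off.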
/rest/evidence optional query parameters and filters
Query all evidence with the addition of query parameters and filters. See REST Query Data for further information about query parameters.
/rest/evidence?_special_content_type=True&_filter_container=<container id>
Example query parameters and filters follow:
_special_content_type=True
- Adds a string to the JSON returned that gives the type of evidence. Allowable values are actionrun, artifact, container, containerattachment, and note. In the following example, the type is "artifact".
_filter_container=<container id>
- Filters the query to a single container.
For cases or containers that have large collections of evidence, consider adding paging parameters.
Syntax
https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>
GET
Get a list of evidence.
Example request
Get a list of evidence for container Id 5 with a page size of 5 and special content type true.
curl -k -u admin:changeme "https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5" -G -X GET
Example response
A successful GET returns a JSON-formatted list of key names and data.
{
  "count": 1,
  "data": [
    {
      "container": 5,
      "modified_time": "2019-05-23T17:18:39.595829Z",
      "_special_content_type": "artifact",
      "create_time": "2019-05-23T17:18:39.595528Z",
      "object_id": 20,
      "content_type": 52,
      "id": 1
    }
  ],
  "num_pages": 1
}
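The following is an added example, not code from the Splunk Phantom documentation. It walks all pages of evidence for one container using the query parameters above, builds the query string with urlencode (so the `&` separators never reach a shell unquoted, the problem the curl example has if the URL is not quoted), and tallies the items by the type string that `_special_content_type=True` adds. The `page` parameter and its 0-based numbering are an assumption taken from Phantom's general paging conventions (REST Query Data), not from this page; FAKE_PAGES and fake_fetch_json are constructed stand-ins so the example runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request


def evidence_query_url(base_url, container_id, page, page_size=5):
    """Build the GET /rest/evidence URL with the page's filters; urlencode escapes every value."""
    params = {
        "page": page,                        # assumed 0-based (REST Query Data), not documented on this page
        "page_size": page_size,
        "_special_content_type": "True",     # ask the server to label each item with its evidence type
        "_filter_container": container_id,   # restrict the query to one container
    }
    return f"{base_url.rstrip('/')}/rest/evidence?{urllib.parse.urlencode(params)}"


def make_fetcher(username, password):
    """Return fetch_json(url): a GET with HTTP Basic auth over urllib, TLS verified by default."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")

    def fetch_json(url):
        request = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(request) as response:
            return json.loads(response.read())

    return fetch_json


def iter_container_evidence(base_url, container_id, fetch_json, page_size=5):
    """Yield every evidence item for a container, requesting pages until num_pages is exhausted."""
    page = 0
    while True:
        data = fetch_json(evidence_query_url(base_url, container_id, page, page_size))
        yield from data.get("data", [])
        page += 1
        if page >= int(data.get("num_pages", 0)):   # num_pages is 0 when the container has no evidence
            return


def summarize_by_type(items):
    """Count evidence items per _special_content_type, e.g. {'artifact': 2, 'note': 1}."""
    counts = {}
    for item in items:
        kind = item.get("_special_content_type", "unknown")
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed two-page result set shaped like the page's example response, keyed by page number.
FAKE_PAGES = {
    0: {"count": 3, "num_pages": 2, "data": [
        {"id": 1, "container": 5, "object_id": 20, "content_type": 52, "_special_content_type": "artifact"},
        {"id": 2, "container": 5, "object_id": 21, "content_type": 52, "_special_content_type": "artifact"},
    ]},
    1: {"count": 3, "num_pages": 2, "data": [
        {"id": 3, "container": 5, "object_id": 7, "content_type": 96, "_special_content_type": "note"},
    ]},
}


def fake_fetch_json(url):
    """Offline stand-in for make_fetcher(): reads the page number back out of the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    assert query["_filter_container"] == ["5"] and query["_special_content_type"] == ["True"]
    return FAKE_PAGES[int(query["page"][0])]


if __name__ == "__main__":
    items = list(iter_container_evidence("https://localhost", 5, fake_fetch_json, page_size=2))
    print(len(items), "evidence items:", summarize_by_type(items))
```

Against a live instance, pass `make_fetcher("admin", "changeme")` in place of fake_fetch_json; the generator yields items as each page arrives, so a container with a large evidence collection is never held in memory as a whole.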
/rest/evidence?_special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true
Return information about a note's attachments when it is marked as evidence. If this parameter is present, the response includes a _special_content_object field that contains a list of objects, or None if there are no attachments for the note.
GET
Return information about the note's attachments.
Example request
Return information about the note's attachments.
/rest/evidence?_special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true
Example response
A successful GET provides the size, name, and container attachment Id of each of the note's attachments.
{
  "id": 605,
  "create_time": "2020-04-14T02:26:41.993230Z",
  "modified_time": "2020-04-14T02:26:41.993413Z",
  "container": 9738,
  "object_id": 5203,
  "content_type": 96,
  "_special_content_object": {
    "id": 5203,
    "title": "",
    "content": "note_content_fosecdYXmfSG",
    "create_time": "2020-04-14T02:26:41.297248Z",
    "modified_time": "2020-04-14T02:26:41.938770Z",
    "note_type": "g",
    "author": 1640,
    "phase": null,
    "container": 9739,
    "task": null,
    "artifact": null,
    "container_attachments": [
      {"name": "container_attachment_ciYQzbVNGnjr", "size": 0, "container_attachment_id": 1514},
      {"name": "container_attachment_YaLEONTFIpSj", "size": 0, "container_attachment_id": 1515},
      {"name": "container_attachment_BwdoyghERKcn", "size": 0, "container_attachment_id": 1516}
    ]
  }
}
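As an added example (not code from the Splunk Phantom documentation), the following Python parses note evidence items returned by this query and handles the case the text calls out: _special_content_object is None when the note has no attachments, and absent when the query did not ask for it. SAMPLE_ITEMS is a constructed list of evidence items modelled on the response above; its Ids and attachment names are placeholders copied from that example, and one non-zero size has been constructed to show the filter.

```python
# Constructed note-evidence items shaped like the page's example response (values are placeholders).
SAMPLE_ITEMS = [
    {"id": 605, "container": 9738, "object_id": 5203, "content_type": 96,
     "_special_content_object": {
         "id": 5203, "title": "", "note_type": "g",
         "container_attachments": [
             {"name": "container_attachment_ciYQzbVNGnjr", "size": 0, "container_attachment_id": 1514},
             {"name": "container_attachment_YaLEONTFIpSj", "size": 2048, "container_attachment_id": 1515},
         ]}},
    {"id": 606, "container": 9738, "object_id": 5204, "content_type": 96,
     "_special_content_object": None},            # note marked as evidence but with no attachments
    {"id": 607, "container": 9738, "object_id": 5205, "content_type": 96},  # field absent entirely
]


def note_attachments(evidence_item):
    """Return the attachments of one note evidence item; [] when the object is None or absent."""
    note = evidence_item.get("_special_content_object")
    if not note:
        return []
    result = []
    for att in note.get("container_attachments") or []:
        # Keep only the documented keys and coerce their types, so a malformed entry fails loudly
        # instead of being passed on as if it were a valid attachment record.
        try:
            result.append({
                "container_attachment_id": int(att["container_attachment_id"]),
                "name": str(att["name"]),
                "size": int(att["size"]),
            })
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"malformed attachment in evidence {evidence_item.get('id')}: {att!r}") from exc
    return result


def attachments_by_evidence(items):
    """Map evidence Id -> attachment list for every note item in a GET /rest/evidence result."""
    return {item["id"]: note_attachments(item) for item in items}


def empty_attachment_ids(items):
    """Ids of zero-byte attachments: handy when auditing what was marked as evidence."""
    return sorted(att["container_attachment_id"]
                  for atts in attachments_by_evidence(items).values()
                  for att in atts if att["size"] == 0)


if __name__ == "__main__":
    for evidence_id, atts in attachments_by_evidence(SAMPLE_ITEMS).items():
        print(evidence_id, [(a["name"], a["size"]) for a in atts])
    print("empty attachments:", empty_attachment_ids(SAMPLE_ITEMS))
```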
/rest/evidence/<evidence id>
Manage one item by evidence Id.
DELETE
Delete an item from evidence.
Example request
Delete the evidence with Id 5.
curl -k -u admin:changeme https://localhost/rest/evidence/5 -X DELETE
Example response
A successful response includes a success message.
{ "id": 5, "success": true }
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7