Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST Search

To do a search, an HTTP GET is made to /rest/search.

Syntax

https://<username>:<password>@<host>/rest/search

Method: GET

Description: Search query

Request parameters
The endpoint accepts the following parameters.

Parameter   Required   Description
query       required   The query to be searched.
categories  optional   Comma-separated list of categories to search. Valid categories follow:
  • container
  • artifact
  • asset
  • app
  • action
  • playbook
  • docs

If categories are not provided, the query is searched across all of them.

tenant      optional   ID of the tenant whose search results you want to filter on.
page        optional   Positive integer. Returned results are paginated; this parameter requests a specific page.
page_size   optional   Positive integer. Returned results are paginated; this parameter sets how many results are returned per page. Use "0" for all results.

Example request
Search query for 'maxmind' in the 'app' and 'docs' categories.

curl -k -u admin:changeme -G -X GET 'https://localhost/rest/search?query=maxmind&categories=app,docs'

Example response
A successful GET returns a JSON-formatted object containing the result count, the number of pages, and a list of matching results.

{
    "count": 10,
    "num_pages": 1,
    "results": [
        {
            "url": "https://10.1.16.99/docs/app_reference/maxmind_c566e153-3118-4033-abda-14dd9748c91a",
            "category": "app",
            "verbose": "App",
            "match": {
                "message": ""
            }
        },
        {
            "url": "https://10.1.16.99/docs/rest/search",
            "category": "docs",
            "verbose": "Documentation",
            "match": {
                "message": ""
            }
        },
        {
            "url": "https://10.1.16.99/docs/automation/playbooks",
            "category": "docs",
            "verbose": "Documentation",
            "match": {
                "message": ""
            }
        },
        ...
    ]
}

The return values of note follow:

Field      Description
url        The URL at which the matching search result is located.
category   The category that the search result belongs to. The category is one of the following:
  • container
  • artifact
  • asset
  • app
  • action
  • playbook
  • docs
match      The content that actually matched in the search result. This is a dictionary whose key is the field in which the match was found. In Splunk Phantom versions before 4.0, the 'match' field returned the search term used. In 4.0, it is empty.
verbose    Verbose description of the category in which the match was found.
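The following Python helper is an added example, not Splunk's own code: it validates the request parameters documented above, URL-encodes them (an unquoted `&` in the curl example above would otherwise be handled by the shell), walks every page of results using num_pages, and performs the GET over HTTPS with certificate verification kept on. The base URL, credentials and CA file are assumptions.

```python
"""Helpers for Splunk Phantom GET /rest/search (added example, not Splunk's own code)."""
import base64
import json
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen

VALID_CATEGORIES = {"container", "artifact", "asset", "app", "action", "playbook", "docs"}

def build_search_query(query, categories=None, tenant=None, page=None, page_size=None):
    """Validate the documented parameters and return the URL-encoded query string."""
    if not query:
        raise ValueError("query is required")
    params = {"query": query}
    if categories:
        unknown = set(categories) - VALID_CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        params["categories"] = ",".join(categories)  # urlencode escapes the commas
    if tenant is not None:
        params["tenant"] = int(tenant)
    if page is not None and int(page) < 1:
        raise ValueError("page must be a positive integer")
    if page_size is not None and int(page_size) < 0:
        raise ValueError("page_size must be a positive integer, or 0 for all results")
    for name, value in (("page", page), ("page_size", page_size)):
        if value is not None:
            params[name] = int(value)
    return urlencode(params)

def search_all(fetch, query, categories=None, page_size=50):
    """Walk every page via num_pages; fetch(query_string) does the GET and returns the JSON."""
    page, results = 1, []
    while True:
        payload = fetch(build_search_query(query, categories, page=page, page_size=page_size))
        results.extend(payload.get("results", []))
        if page >= int(payload.get("num_pages", 1)):
            return results
        page += 1

def https_fetcher(base_url, username, password, cafile=None):
    """Real fetcher: basic auth over HTTPS; cafile (assumed CA bundle) keeps TLS verification on, unlike curl -k."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    def fetch(query_string):
        req = Request(f"{base_url}/rest/search?{query_string}",
                      headers={"Authorization": f"Basic {token}"})
        with urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
            return json.load(resp)
    return fetch
```

Usage: `search_all(https_fetcher("https://phantom.example", "admin", "changeme", cafile="phantom-ca.pem"), "maxmind", ["app", "docs"])` (hostname, credentials and CA file are placeholders).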
Last modified on 18 November, 2019

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
