Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST Severity

You can manage the severities using REST. Supported methods are GET, POST, and DELETE.

Splunk Phantom ships with three predefined severity names: High, Medium, and Low. Your organization might need additional levels of severity to match your business processes. Additional severity names can be defined by a Splunk Phantom administrator.

Rules for severity names:

  • You can have up to 10 active severity names.
  • A severity name can consist only of the ASCII characters A-Z, a-z, numerals 0-9, dash ( - ), or underscore ( _ ).
  • Severity names can be up to 20 characters long.
  • Severity names cannot be edited. To change a severity name, delete it and recreate the severity name.
  • The default severity names High, Medium, and Low can be deleted. However, even if they are deleted, your ingestion apps will still be able to use the severity names High, Medium, and Low.
  • A severity name which has been deleted can be reactivated by creating a new severity with the same name.

Severity names are stored in Splunk Phantom's internal database. Deleting a severity name from the active severity list does not remove that severity name from the database.

Deleting a severity name does not change the severity of a case, event, or artifact. Changing a severity name does not update closed events, cases, or artifacts.

Deleted severity names show in search results, the Analyst Queue, Investigation, and dashboard widgets where appropriate. Severity names which have been deleted are shown in all these areas using strikethrough text.

Deleted severities have a few other impacts, such as:

  • You cannot filter by disabled severities in Analyst Queue.
  • Using the graphical user interface, you cannot create a container with a deleted severity or change a container's severity to a deleted severity.
  • Events and artifacts with deleted severities will appear lower than those with active severities in sorted lists in the Analyst Queue and Investigation.

To maintain backwards compatibility with apps and existing playbooks, if the severity names High, Medium, or Low have been deleted, ingestion apps and the REST API can still assign the severity High, Medium, and Low to events, containers, or artifacts.

/rest/severity

Get a list of all severities.

Syntax

https://<username>:<password>@<host>/rest/severity

Usage details
You must have the "View System Settings" permission to list severities. You need the "System Settings Edit" permission to create or modify a severity.

GET

Get a list of all severities.

Example request
Get a list of available severities.

curl -k -u admin:changeme https://localhost/rest/severity -G -X GET

Example response
A successful request will result in a 200 response and a JSON formatted list of severities.

{
    "count": 3,
    "data": [
        {
            "disabled": false,
            "name": "high",
            "color": "red",
            "modified_time": "2019-05-29T20:22:05.809886Z",
            "id": 1,
            "is_default": false,
            "create_time": "2019-05-29T20:22:05.809371Z",
            "order": 0
        },
        {
            "disabled": false,
            "name": "medium",
            "color": "yellow",
            "modified_time": "2019-05-29T20:22:05.811406Z",
            "id": 2,
            "is_default": true,
            "create_time": "2019-05-29T20:22:05.811153Z",
            "order": 1
        },
        {
            "disabled": false,
            "name": "low",
            "color": "green",
            "modified_time": "2019-05-29T20:22:05.812411Z",
            "id": 3,
            "is_default": false,
            "create_time": "2019-05-29T20:22:05.812242Z",
            "order": 2
        }
    ],
    "num_pages": 1
}

POST

Create a severity.

Request string
The JSON body accepts the following fields:

Field        Required   Type     Description
color        optional   string   One of the following color choices:
                                   • red
                                   • orange
                                   • yellow
                                   • green
                                   • light_blue
                                   • blue
                                   • purple
                                   • light_grey
                                   • dark_grey
                                   • pink
name         required   string   Name of the severity.
is_default   required   bool     A severity with "is_default" set to true becomes the default severity.

Example request
You can add a severity by supplying a JSON-formatted body.

curl -k -u admin:changeme https://localhost/rest/severity \
-d '{
    "color" : "red", 
    "name" : "urgent"
}'

Example response
A successful request will result in a 200 response, returning the severity's ID and a success flag as JSON.

{
    "id": 6,
    "success": true
}
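As an added example (not part of the Splunk documentation or product), the following Python helpers apply this page's naming rules and the GET and POST request shapes: they validate a proposed severity name client-side, count active severities from a listing, and send basic-auth requests with TLS verification instead of curl's `-k`. The host, credentials, the `cafile` parameter and the sample listing are assumptions constructed for the example.

```python
import json
import re
import ssl
import urllib.request
from base64 import b64encode

# Name rules from this page: ASCII letters, digits, dash or underscore; 1 to 20 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,20}$")
MAX_ACTIVE = 10  # at most 10 active severity names
COLORS = {"red", "orange", "yellow", "green", "light_blue", "blue",
          "purple", "light_grey", "dark_grey", "pink"}

def validate_severity_name(name):
    """True if the name satisfies the character-set and length rules."""
    return bool(NAME_RE.match(name))

def active_severities(listing):
    """Names of non-disabled severities from a GET /rest/severity body, in display order."""
    rows = sorted(listing.get("data", []), key=lambda s: s["order"])
    return [s["name"] for s in rows if not s["disabled"]]

def build_severity_payload(listing, name, color="red", is_default=False):
    """Validate client-side before POSTing; raises ValueError on a rule violation."""
    if not validate_severity_name(name):
        raise ValueError("severity name must match %s" % NAME_RE.pattern)
    if color not in COLORS:
        raise ValueError("unsupported color %r" % color)
    if len(active_severities(listing)) >= MAX_ACTIVE:
        raise ValueError("already %d active severities" % MAX_ACTIVE)
    return {"name": name, "color": color, "is_default": is_default}

def phantom_request(host, user, password, path, body=None, cafile=None):
    """GET (body None) or POST (body dict) with basic auth; TLS is verified, pass cafile for a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)  # assumption: the Phantom cert chains to cafile
    token = b64encode(("%s:%s" % (user, password)).encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request("https://%s%s" % (host, path), data=data,
                                 headers={"Authorization": "Basic " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

# Constructed sample, mirroring the GET /rest/severity example response on this page.
SAMPLE_LISTING = {"count": 3, "num_pages": 1, "data": [
    {"id": 1, "name": "high", "color": "red", "order": 0, "disabled": False, "is_default": False},
    {"id": 2, "name": "medium", "color": "yellow", "order": 1, "disabled": False, "is_default": True},
    {"id": 3, "name": "low", "color": "green", "order": 2, "disabled": False, "is_default": False},
]}
```

Calling `build_severity_payload(phantom_request(host, user, pw, "/rest/severity"), "urgent", "red")` and passing the result as the body of a second `phantom_request` to `/rest/severity` reproduces the create example above.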

/rest/severity/<severity id>

Modify an existing severity.

Syntax

https://<username>:<password>@<host>/rest/severity/<severity id>

Usage details
You need the "System Settings Edit" permission to create or modify a severity.

POST

Modify an existing severity, such as changing the urgent severity's color from "red" to "orange".

Request string
The JSON body accepts the following fields:

Field        Required   Type     Description
color        optional   string   One of the following color choices:
                                   • red
                                   • orange
                                   • yellow
                                   • green
                                   • light_blue
                                   • blue
                                   • purple
                                   • light_grey
                                   • dark_grey
                                   • pink
name         required   string   Name of the severity.
is_default   required   bool     A severity with "is_default" set to true becomes the default severity.

Example request
You can modify a severity by supplying a JSON-formatted body to the severity's ID endpoint (here ID 6, the severity created in the previous example).

curl -k -u admin:changeme https://localhost/rest/severity/6 \
-d '{
    "color" : "orange",
    "name" : "urgent"
}'

Example response
A successful request will result in a 200 response, returning the severity's ID and a success flag as JSON.

{
    "id": 6,
    "success": true
}
Last modified on 18 November, 2019

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
