Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

REST Status

You can manage status using REST. Supported methods are GET, POST, and DELETE.

Statuses are grouped into three categories or types: New, Open, and Resolved. Your business processes may require additional statuses, so Splunk Phantom lets you create additional statuses in each category, up to a maximum of 10 total statuses.

Rules for status labels:

  • There must be at least one active status label for each status type, New, Open, and Resolved.
  • You can have a maximum of 10 status labels.
  • The labels New, Open, and Closed can be deleted, removing them from the active list. These labels cannot be renamed because they are required for backward compatibility with apps and playbooks.
  • The name of a status label can consist only of the ASCII characters A-Z, a-z, numerals 0-9, dash ( - ), or underscore ( _ ).
  • A status label cannot be more than 20 characters long.

A status label's JSON object includes an "id" field populated with an integer. The integer can be used in many REST API queries in place of the status label's name, such as in filtering. See Query for Data.

To maintain backwards compatibility with apps and existing playbooks, if the status labels New, Open, or Closed have been deleted, ingestion apps and the REST API can still assign the statuses New, Open, and Closed to containers.

/rest/container_status

List all status labels.

Syntax

https://<username>:<password>@<host>/rest/container_status

GET

Get a list of all status labels.

Example request
Get a list of all status labels.

curl -k -u admin:changeme https://localhost/rest/container_status -G -X GET

Example response
A successful GET will return a 200 response, and a JSON formatted list of statuses.

{
    "count": 4,
    "data": [
        {
            "disabled": false,
            "name": "closed",
            "is_mutable": false,
            "modified_time": "2019-05-29T20:22:09.466124Z",
            "id": 3,
            "is_default": true,
            "create_time": "2019-05-29T20:22:09.465988Z",
            "order": 0,
            "status_type": "resolved"
        },
        {
            "disabled": false,
            "name": "new",
            "is_mutable": false,
            "modified_time": "2019-05-29T20:22:09.464784Z",
            "id": 1,
            "is_default": true,
            "create_time": "2019-05-29T20:22:09.464504Z",
            "order": 0,
            "status_type": "new"
        },
        {
            "disabled": false,
            "name": "ripe",
            "is_mutable": true,
            "modified_time": "2019-05-30T00:06:49.758771Z",
            "id": 6,
            "is_default": false,
            "create_time": "2019-05-30T00:06:49.756331Z",
            "order": 1,
            "status_type": "new"
        },
        {
            "disabled": false,
            "name": "open",
            "is_mutable": false,
            "modified_time": "2019-05-29T20:22:09.465676Z",
            "id": 2,
            "is_default": true,
            "create_time": "2019-05-29T20:22:09.465519Z",
            "order": 0,
            "status_type": "open"
        }
    ],
    "num_pages": 1
}

POST

Create a new status label.

Request parameters
The "System Settings Edit" permission is required to add statuses. The JSON body must include the following parameters:

Field        Required   Type     Description
name         required   string   The name of the new status.
status_type  required   string   One of "New", "Open", or "Resolved".
is_default   required   bool     A status with "is_default" set to true becomes the default status for its status type.

Example request
You can create a new status label by supplying a JSON formatted body.

curl -k -u admin:changeme https://localhost/rest/container_status \
-H 'Content-Type: application/json' \
-d '{
    "name": "fresh",
    "status_type": "new",
    "is_default": false
}'

Example response
A successful request will result in a 200 response returning the new status id and success as JSON.

{
    "id": 4,
    "success": true
}
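The following Python script is an added example, not code from the Splunk Phantom documentation or the product itself. It applies the status label rules from the top of this page (ASCII letters, digits, dash and underscore only; at most 20 characters; at most 10 labels; at least one active label per status type) to a listing in the shape of the GET response above, resolves a label name to the integer id that can stand in for it in filters, and builds the JSON body for the POST request. The listing embedded in the script is a constructed sample trimmed from the response shown above, so the checks run offline; the HTTP helpers at the end use only the standard library, send the credentials as a Basic auth header rather than in the URL, and keep TLS verification on unless explicitly disabled (the equivalent of curl -k). The base URL, user name and password are placeholders.

```python
import base64
import json
import re
import ssl
import urllib.request

# Status label rules as stated on this page.
LABEL_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_LABEL_LENGTH = 20
MAX_LABELS = 10
STATUS_TYPES = ("new", "open", "resolved")

# Constructed sample: the GET /rest/container_status response from this page,
# trimmed to the fields the functions below read.
SAMPLE_LISTING = {
    "count": 4,
    "data": [
        {"id": 3, "name": "closed", "status_type": "resolved", "disabled": False, "is_default": True},
        {"id": 1, "name": "new", "status_type": "new", "disabled": False, "is_default": True},
        {"id": 6, "name": "ripe", "status_type": "new", "disabled": False, "is_default": False},
        {"id": 2, "name": "open", "status_type": "open", "disabled": False, "is_default": True},
    ],
    "num_pages": 1,
}


def validate_label_name(name):
    """Return the rule violations for a proposed label name (empty list means valid)."""
    problems = []
    if not name:
        problems.append("name must not be empty")
    elif not LABEL_NAME_RE.match(name):
        problems.append("name may contain only A-Z, a-z, 0-9, '-' and '_'")
    if len(name) > MAX_LABEL_LENGTH:
        problems.append("name exceeds %d characters" % MAX_LABEL_LENGTH)
    return problems


def check_listing_invariants(listing):
    """Check a container_status listing: at most 10 labels, one active label per type."""
    problems = []
    labels = listing["data"]
    if len(labels) > MAX_LABELS:
        problems.append("%d labels exceeds the maximum of %d" % (len(labels), MAX_LABELS))
    for status_type in STATUS_TYPES:
        if not any(l["status_type"] == status_type and not l["disabled"] for l in labels):
            problems.append("no active label for status type %r" % status_type)
    return problems


def status_id_by_name(listing, name):
    """Resolve a label name (case-insensitive) to its integer id, or None if absent."""
    for label in listing["data"]:
        if label["name"].lower() == name.lower():
            return label["id"]
    return None


def plan_create_request(listing, name, status_type, is_default=False):
    """Validate a new label against the current listing and return the POST body.

    Raises ValueError for a bad name, an unknown type, a duplicate name,
    or a listing that already holds the maximum number of labels.
    """
    problems = validate_label_name(name)
    if status_type.lower() not in STATUS_TYPES:
        problems.append("status_type must be one of New, Open, Resolved")
    if status_id_by_name(listing, name) is not None:
        problems.append("a label named %r already exists" % name)
    if len(listing["data"]) >= MAX_LABELS:
        problems.append("creating this label would exceed %d labels" % MAX_LABELS)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "status_type": status_type, "is_default": is_default}


def phantom_request(base_url, username, password, path, method="GET", body=None, verify_tls=True):
    """Send an authenticated JSON request to Phantom and return the parsed response (assumed helper)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "Basic " + token)  # credentials in a header, not the URL
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab host with a self-signed certificate, like curl -k
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def create_status_label(base_url, username, password, name, status_type, is_default=False):
    """GET the current labels, validate the new one locally, then POST it."""
    listing = phantom_request(base_url, username, password, "/rest/container_status")
    body = plan_create_request(listing, name, status_type, is_default)
    return phantom_request(base_url, username, password, "/rest/container_status", "POST", body)


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; no Phantom instance is contacted.
    print(check_listing_invariants(SAMPLE_LISTING))
    print(status_id_by_name(SAMPLE_LISTING, "ripe"))
    print(plan_create_request(SAMPLE_LISTING, "fresh", "new"))
    # create_status_label("https://phantom.example", "admin", "<password>", "fresh", "new")
```

The local checks are worth running before the POST because the server's 200/"success" reply tells you only that the label was created, not why an earlier attempt failed; keeping the id returned by `status_id_by_name` lets a playbook filter containers by status without depending on a label name that an administrator may later delete.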

DELETE

Delete a status label.

Example request
The "System Settings Edit" permission is required to delete statuses. Delete the status label with ID 4.

curl -k -u admin:changeme https://localhost/rest/container_status/4 -X DELETE

Example response
A successful request will result in a 200 response returning the id of the deleted status and success as JSON.

{
    "id": 4,
    "success": true
}
Last modified on 24 January, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

