Splunk® Phantom (Legacy)

Build Playbooks with the Visual Editor

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Set container parameters in Splunk Phantom using the API block

Use the API block to set parameters of the container it's running in. For example, you can use an API call to set the severity of a container.

Perform the following tasks to configure an API block:

  1. Drop a new block onto the playbook editor.
  2. Click on the block, and then select API from the block types.
  3. Select the API property you want to set. The following list summarizes the properties that you can set:
     label: The label of the container. The drop-down list shows all of the container labels currently available on your Splunk Phantom instance.
     sensitivity: The sensitivity of the container.
     severity: The severity of the container.
     status: The status of the container, such as Resolved.
     owner: The owner of the container.
     add list: One of two API calls that do not operate directly on the container. The add list property takes two parameters: the list that you want to add to, and the data you are adding. If the list doesn't exist, Splunk Phantom creates it. You can point the data field to a variable by selecting from the properties, results, and artifacts, or you can type in a fixed string.
     remove list: One of two API calls that do not operate directly on the container. The remove list property takes a list name as its single parameter and deletes that list when it runs.
     pin: Pin data to the heads-up display (HUD) in the container. This property takes the following parameters: Data, Message, Pin Type, and Pin Style.
     add tag: The API call used to add a tag to the container.
     remove tag: The API call used to remove a tag from the container.
     add comment: The API call used to add a comment to a container. You can supply either a variable or a static string in the input.
     promote to case: The API call used to promote the container to a case. It takes a single parameter, the case template, which you pick from a drop-down list.
     add note: The API call used to add a note. It takes the parameters title, content, and note format. With the note format parameter, you can choose either HTML or Markdown.
     You can configure multiple API calls in any API block. For example, you can set the label, severity, and status of a container using one API block.
  4. Click Save to save the settings. A check mark appears next to the API calls that you configured.
Last modified on 07 May, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

