Network automation API
The Splunk Phantom Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale responses to a security breach. The following APIs are supported to leverage the capabilities of network automation using playbooks.
The address_in_network API checks whether an IP address falls within a user-specified IP address range expressed in CIDR notation.
The address_in_network API is supported from within a custom function.
| Parameter | Description |
|---|---|
| ip | The IPv4 address to be checked. |
| net | The IPv4 address range to test against, in CIDR notation. |
This sample uses the phantom.address_in_network() API.
The address must lie within the address range for the API to return true. For example, phantom.address_in_network('192.168.100.11', '10.0.0.0/8') returns false, because 192.168.100.11 is not within 10.0.0.0/8.
Review collect before using either of these APIs, as these convenience APIs have limited use cases.
These APIs return an attacker or victim value depending on the CEF
The attacker_ips and victim_ips APIs are supported from within a custom function.
phantom.attacker_ips(container, scope='new')
phantom.victim_ips(container, scope='new')
| Parameter | Description |
|---|---|
| container | The container object passed in to the on_start() API or any action callback. |
| scope | See collect for details. Defaults to 'new'; pass 'all' to collect the field values from all artifacts. |
- If the deviceDirection field is inbound or not present, the sourceAddress field is returned as the attacker IP address and destinationAddress is returned as the victim IP address.
- If the deviceDirection field is outbound, the destinationAddress field is returned as the attacker IP address and sourceAddress is returned as the victim IP address.
The valid_ip API validates an IPv4 address.
| Parameter | Required | Description |
|---|---|---|
| address | Required | The IPv4 address to validate. |
This sample uses the phantom.valid_ip() API.
The value must be in IPv4 address format to return true. A host name, URL, or domain, such as phantom.valid_ip('https://my.phantom.us'), returns false.
The valid_net API validates an IPv4 address range in CIDR notation.
| Parameter | Required | Description |
|---|---|---|
| net | Required | The IPv4 address range in CIDR notation to validate, with a prefix length from /0 to /32. |
This sample uses the phantom.valid_net() API.
The value must be in CIDR notation to return true. A host name, URL, or domain, such as phantom.valid_net('https://my.phantom.us'), returns false.
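To make the semantics of address_in_network, attacker_ips/victim_ips, valid_ip and valid_net concrete, here is an added, stand-alone re-implementation using Python's ipaddress module. It is not Splunk Phantom's own code: the container is assumed to be a dict holding an "artifacts" list of dicts with a "cef" field, the sample values are constructed, and the scope parameter is omitted.

```python
import ipaddress

# Constructed sample container shaped like the artifact dicts a playbook sees
# (an assumption for this example, not Phantom's real object model).
SAMPLE_CONTAINER = {
    "artifacts": [
        {"cef": {"sourceAddress": "203.0.113.7", "destinationAddress": "10.1.2.3",
                 "deviceDirection": "inbound"}},
        {"cef": {"sourceAddress": "10.1.2.4", "destinationAddress": "198.51.100.9",
                 "deviceDirection": "outbound"}},
        {"cef": {"sourceAddress": "203.0.113.8", "destinationAddress": "10.1.2.5"}},
        {"cef": {"sourceAddress": "not-an-ip", "destinationAddress": "10.1.2.6"}},
    ]
}

def valid_ip(address):
    """True only for a dotted-quad IPv4 string; host names and URLs return False."""
    try:
        ipaddress.IPv4Address(address)
        return True
    except ValueError:  # AddressValueError is a ValueError subclass
        return False

def valid_net(net):
    """True only for an IPv4 range written with a CIDR prefix, /0 through /32."""
    try:
        ipaddress.IPv4Network(net, strict=False)
    except ValueError:
        return False
    return "/" in net  # a bare address is not CIDR notation

def address_in_network(ip, net):
    """True when ip lies inside net; malformed input yields False rather than an error."""
    if not (valid_ip(ip) and valid_net(net)):
        return False
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(net, strict=False)

def _split_roles(cef):
    """Apply the deviceDirection rule: inbound or missing -> source is the attacker."""
    src, dst = cef.get("sourceAddress"), cef.get("destinationAddress")
    if str(cef.get("deviceDirection", "inbound")).lower() == "outbound":
        return dst, src
    return src, dst

def _roles(container):
    return [_split_roles(a.get("cef", {})) for a in container["artifacts"]]

def attacker_ips(container):
    """Attacker addresses from every artifact, dropping values that are not IPv4."""
    return [atk for atk, _ in _roles(container) if valid_ip(atk)]

def victim_ips(container):
    """Victim addresses from every artifact, dropping values that are not IPv4."""
    return [vic for _, vic in _roles(container) if valid_ip(vic)]
```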
This documentation applies to the following versions of Splunk® Phantom: 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7