Network automation API
The Splunk Phantom Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating small investigative tasks that speed up analysis to coordinating a large-scale response to a security breach. The following APIs support network-oriented automation from within playbooks.
address_in_network
The address_in_network API checks whether an IPv4 address falls within a user-specified address range expressed in CIDR format.
The address_in_network API is supported from within a custom function.
phantom.address_in_network(ip, net)
Parameter | Description |
---|---|
ip | This parameter is the IPv4 address that has to be checked. |
net | This parameter is the IPv4 CIDR notation expressing the IP address range that needs to be tested. |
This sample uses the phantom.address_in_network() API.
phantom.address_in_network('192.168.100.11', '192.168.100.0/24')
The address must be within the address range to return true. For example, phantom.address_in_network('192.168.100.11', '10.0.0.0/8') returns false.
attacker_ips, victim_ips
Review collect before using either of these APIs, as these convenience APIs have limited use cases.
These APIs return an attacker or victim value depending on the CEF deviceDirection, sourceAddress, and destinationAddress fields.
The attacker_ips and victim_ips APIs are supported from within a custom function.
phantom.attacker_ips(container, scope='new')
phantom.victim_ips(container, scope='new')
Parameter | Description |
---|---|
container | This is the container object passed in to the on_start() API or any action callbacks. |
scope | For more details about this parameter see collect. The parameter defaults to 'new' or you can pass 'all' to collect the field values from all artifacts. |
- If the deviceDirection field is inbound or not present, the sourceAddress field is returned as the attacker IP address and destinationAddress is returned as the victim IP address.
- If the deviceDirection field is outbound, then the destinationAddress field is returned as the attacker IP address and sourceAddress is returned as the victim IP address.
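Phantom playbooks are written in Python, so the following added example (not Phantom's own code and not the phantom module) reimplements the documented behaviour with the standard ipaddress module so it can be run and checked outside the platform: the attacker/victim split driven by deviceDirection described in the list above, together with address_in_network, valid_ip and valid_net. The artifact dictionaries are constructed sample data, and dropping entries that fail valid_ip is an assumption of this example rather than documented platform behaviour.

```python
import ipaddress

# Constructed sample artifacts shaped like the CEF fields the page describes.
# The third entry has no deviceDirection, so the inbound rule applies;
# the fourth carries a malformed sourceAddress to exercise the validation filter.
SAMPLE_ARTIFACTS = [
    {"cef": {"deviceDirection": "inbound", "sourceAddress": "203.0.113.7", "destinationAddress": "10.1.2.3"}},
    {"cef": {"deviceDirection": "outbound", "sourceAddress": "10.1.2.4", "destinationAddress": "198.51.100.9"}},
    {"cef": {"sourceAddress": "10.7.7.7", "destinationAddress": "10.1.2.5"}},
    {"cef": {"deviceDirection": "outbound", "sourceAddress": "not-an-ip", "destinationAddress": "198.51.100.10"}},
]


def valid_ip(address):
    """True only for a dotted-quad IPv4 address; host names and URLs return False."""
    try:
        ipaddress.IPv4Address(address)
        return True
    except (ipaddress.AddressValueError, ValueError):
        return False


def valid_net(net):
    """True for IPv4 CIDR notation from /0 to /32 (host bits are tolerated)."""
    try:
        ipaddress.IPv4Network(net, strict=False)
        return True
    except ValueError:
        return False


def address_in_network(ip, net):
    """True when ip lies inside net; malformed input is reported as False, not an exception."""
    if not (valid_ip(ip) and valid_net(net)):
        return False
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(net, strict=False)


def split_attacker_victim(artifacts):
    """Apply the deviceDirection rule to each artifact; returns (attacker_ips, victim_ips)."""
    attackers, victims = [], []
    for artifact in artifacts:
        cef = artifact.get("cef", {})
        direction = (cef.get("deviceDirection") or "inbound").lower()  # absent -> inbound
        src, dst = cef.get("sourceAddress"), cef.get("destinationAddress")
        attacker, victim = (dst, src) if direction == "outbound" else (src, dst)
        if valid_ip(attacker):  # assumption: skip values that are not IPv4 addresses
            attackers.append(attacker)
        if valid_ip(victim):
            victims.append(victim)
    return attackers, victims


def external_attackers(attackers, internal_net="10.0.0.0/8"):
    """Keep only attacker addresses outside the (assumed) internal range."""
    return [ip for ip in attackers if not address_in_network(ip, internal_net)]
```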
valid_ip
The valid_ip API validates an IPv4 address.
phantom.valid_ip(address)
Parameter | Required? | Description |
---|---|---|
address | Required | The IPv4 address to validate. |
This sample uses the phantom.valid_ip() API.
phantom.valid_ip('192.168.100.11')
The value must be in IPv4 address format to return true. A host name, URL, or domain, such as phantom.valid_ip('https://my.phantom.us'), returns false.
valid_net
The valid_net API validates an IPv4 address range in CIDR notation.
phantom.valid_net(net)
Parameter | Required? | Description |
---|---|---|
net | Required | The IPv4 address range in CIDR notation to validate; prefix lengths from /0 to /32 are accepted. |
This sample uses the phantom.valid_net() API.
phantom.valid_net('192.168.100.11/32')
The value must be in CIDR notation to return true. A host name, URL, or domain, such as phantom.valid_net('https://my.phantom.us'), returns false.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7