Splunk® Phantom (Legacy)

Python Playbook API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Network automation API

The Splunk Phantom Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating small investigative tasks that speed up analysis to large-scale responses to a security breach. The following APIs are the network-address helpers available to playbooks.

address_in_network

The address_in_network API checks whether an IPv4 address falls within a user-specified address range expressed in CIDR notation.

The address_in_network API is supported from within a custom function.

phantom.address_in_network(ip, net)

Parameter  Description
ip         The IPv4 address to check.
net        The IPv4 address range to test against, in CIDR notation.

This sample uses the phantom.address_in_network() API.

phantom.address_in_network('192.168.100.11', '192.168.100.0/24')

The call returns true only when the address is within the range. For example, phantom.address_in_network('192.168.100.11', '10.0.0.0/8') returns false.

attacker_ips, victim_ips

Review collect before using either of these APIs, as these convenience APIs have limited use cases. These APIs return an attacker or victim value depending on the CEF deviceDirection, sourceAddress, and destinationAddress fields.

The attacker_ips and victim_ips APIs are supported from within a custom function.

phantom.attacker_ips(container, scope='new')
phantom.victim_ips(container, scope='new')
Parameter  Description
container  The container object passed in to the on_start() API or any action callback.
scope      See collect for details about this parameter. The default is 'new'; pass 'all' to collect the field values from all artifacts.
  • If the deviceDirection field is inbound or not present, the sourceAddress field is returned as the attacker IP address and destinationAddress is returned as the victim IP address.
  • If the deviceDirection field is outbound, then the destinationAddress field is returned as the attacker IP address and sourceAddress is returned as the victim IP address.

valid_ip

The valid_ip API validates an IPv4 address.

phantom.valid_ip(address)

Parameter  Required?  Description
address    Required   The IPv4 address to validate.

This sample uses the phantom.valid_ip() API.

phantom.valid_ip('192.168.100.11')

The address must be in IPv4 format to return true. A host name, URL, or domain, such as phantom.valid_ip('https://my.phantom.us'), returns false.

valid_net

The valid_net API validates an IPv4 address range written in CIDR notation.

phantom.valid_net(net)

Parameter  Required?  Description
net        Required   The IPv4 address range to validate, in CIDR notation with a prefix length from /0 to /32.

This sample uses the phantom.valid_net() API.

phantom.valid_net('192.168.100.11/32')

The range must be in CIDR notation to return true. A host name, URL, or domain, such as phantom.valid_net('https://my.phantom.us'), returns false.
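The four helpers on this page, applied together to a container's artifacts, as an added example that is not Phantom's own code: the phantom module only exists inside the platform, so stdlib ipaddress stand-ins with the behaviour described above replace phantom.valid_ip, phantom.valid_net and phantom.address_in_network, and the deviceDirection rule from attacker_ips/victim_ips is applied to constructed artifacts. INTERNAL_NETS, triage and the sample artifacts are assumptions introduced here.

```python
import ipaddress
# Stand-ins for phantom.valid_ip, phantom.valid_net and phantom.address_in_network, matching
# the behaviour this page describes (IPv4 only, CIDR required); not the platform's own code.
def valid_ip(address):
    try:
        ipaddress.IPv4Address(address)
        return True
    except ValueError:
        return False

def valid_net(net):
    # No '/' means no prefix length, so not CIDR; strict=False allows host bits set ('192.168.100.11/32')
    if not isinstance(net, str) or "/" not in net:
        return False
    try:
        ipaddress.IPv4Network(net, strict=False)
        return True
    except ValueError:
        return False

def address_in_network(ip, net):
    if not (valid_ip(ip) and valid_net(net)):
        return False
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(net, strict=False)

def attacker_victim(cef):
    """Page's deviceDirection rule: inbound/absent -> (sourceAddress, destinationAddress); outbound -> swapped."""
    if str(cef.get("deviceDirection", "")).lower() == "outbound":
        return cef.get("destinationAddress"), cef.get("sourceAddress")
    return cef.get("sourceAddress"), cef.get("destinationAddress")

INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed managed ranges
def triage(artifacts):
    """Flag artifacts whose attacker address lies in a managed range (one of our hosts, not an external source)."""
    out = []
    for art in artifacts:
        attacker, victim = attacker_victim(art.get("cef", {}))
        internal = None  # unknown when the CEF field is missing or malformed
        if valid_ip(attacker):
            internal = any(address_in_network(attacker, n) for n in INTERNAL_NETS)
        out.append({"id": art["id"], "attacker": attacker, "victim": victim, "attacker_internal": internal})
    return out

SAMPLE_ARTIFACTS = [  # constructed, shaped like container['artifacts'] entries a playbook sees
    {"id": 1, "cef": {"deviceDirection": "inbound", "sourceAddress": "203.0.113.5", "destinationAddress": "10.1.2.3"}},
    {"id": 2, "cef": {"deviceDirection": "outbound", "sourceAddress": "10.5.5.5", "destinationAddress": "198.51.100.7"}},
    {"id": 3, "cef": {"sourceAddress": "192.168.100.11", "destinationAddress": "10.9.9.9"}},
    {"id": 4, "cef": {"sourceAddress": "not-an-ip", "destinationAddress": "10.9.9.9"}},
]
```

Artifact 3 has no deviceDirection, so sourceAddress is taken as the attacker and, being inside an assumed managed range, is the one flagged for follow-up; artifact 4 shows why a valid_ip check belongs before address_in_network on CEF data.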

Last modified on 13 October, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7