Use Python scripts and the REST API to manage your Splunk Phantom (Legacy) deployment
Administrators can use scripts and the Splunk Phantom (Legacy) REST API to manage their Splunk Phantom (Legacy) deployment.
For example, this script uses the Phantom REST API to send an email alert when the closed containers that carry both a specified label and a specified tag make up at least a predefined fraction of all closed containers with that label.
import json
import sys
import urllib.parse

import requests

# The script connects with verify=False, so silence the InsecureRequestWarning
# that requests/urllib3 would otherwise print on every call.
try:
    requests.packages.urllib3.disable_warnings()
except Exception:
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

config = {
    'url': 'https://127.0.0.1',
    'token': '',  # unnecessary for localhost
    'label': '',
    'tag': '',
    'threshold': .1,
    'email': '',
    'email_asset': 'smtp'
}

# A remote instance needs the API token in the ph-auth-token header.
headers = {}
token = config['token']
if token:
    headers = {'ph-auth-token': token}

# Number of closed containers with the label.
total_url = '{0}/rest/container?_filter_status="closed"&_filter_label="{1}"'.format(
    config['url'], config['label'])
response = requests.get(total_url, headers=headers, verify=False)
resp_json = response.json()
total = resp_json['count']

# Number of those containers that also carry the tag.
url = ('{0}/rest/container?_filter_status="closed"&_filter_label="{1}"'
       '&_filter_tags__contains="{2}"').format(config['url'], config['label'], config['tag'])
response = requests.get(url, headers=headers, verify=False)
resp_json = response.json()
count = resp_json['count']

# No containers at all counts as "threshold not hit" rather than a division by zero.
if total == 0 or float(count) / total < config['threshold']:
    print("Threshold not hit. Taking no action.")
    sys.exit(0)

print("Hit threshold. Notifying {0}".format(config['email']))

# Resolve the app id behind the SMTP asset unless it was supplied in the config.
if config.get('app_id'):
    appid = config['app_id']
else:
    appid = None
    build_action_url = '{0}/rest/build_action'.format(config['url'])
    response = requests.get(build_action_url, headers=headers, verify=False)
    build_json = response.json()
    for asset in build_json['assets']:
        if asset['name'] == config['email_asset']:
            appid = asset['apps'][0]
            break
    if appid is None:
        print("No asset named {0} found. Taking no action.".format(config['email_asset']))
        sys.exit(1)

action_body = {
    'action': 'send email',
    'container_id': resp_json['data'][0]['id'],
    'name': 'notification email',
    'targets': [
        {
            'assets': [config['email_asset']],
            'parameters': [
                {
                    'to': config['email'],
                    'from': 'Phantom notifications',
                    'subject': 'You are opening a lot of alerts',
                    'body': 'Please consider opening fewer alerts. See {0}/browse/{1}'.format(
                        config['url'], urllib.parse.quote(config['label']))
                }
            ],
            'app_id': appid
        }
    ],
    'type': 'generic'
}

action_url = '{0}/rest/action_run'.format(config['url'])
response = requests.post(action_url, data=json.dumps(action_body), headers=headers, verify=False)
print(response.json())
Set the desired values in the config dictionary. This table defines the expected values.
Dictionary entry | Values |
---|---|
url | URL of the Splunk Phantom (Legacy) instance. Use the loopback address (127.0.0.1) if the script is run on the localhost. |
token | Splunk Phantom (Legacy) API token for a remote connection. If the script is run on the localhost, you don't need to supply the API token. |
label | The label name to check. |
tag | The tag name to check for items with the required label. |
threshold | The fraction, expressed as a decimal between 0 and 1, of closed containers with the given label that must also carry the given tag before the alert is sent. |
email | The email address that receives the alert. |
email_asset | The SMTP asset name from which the email server configuration is obtained. |
Sample "config"
config = {
    'url': 'https://127.0.0.1',
    'token': '',  # unnecessary for localhost
    'label': 'soc_alert',
    'tag': 'red_alert',
    'threshold': .1,
    'email': 'soc@contoso.com',
    'email_asset': 'smtp'
}
This script is provided as an example of ways Splunk Phantom (Legacy) administrators can use Python and the REST API to manage their on-premises deployment of Phantom. Note that it passes verify=False to every request, which disables TLS certificate verification. That is tolerable for the loopback address, but when the script talks to a remote instance, pass the path to the instance's CA bundle as the verify argument instead so the API token is not sent to an unverified server.
On Splunk Phantom 4.9 or later, use Python 3 to write your scripts.
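The following is an added example, not code from the Splunk Phantom documentation, that restructures the same threshold-and-notify workflow so the parts that do not need a Phantom instance can be checked offline. It assumes the same /rest/container, /rest/build_action and /rest/action_run endpoints and _filter_* query syntax the script above uses; the PHANTOM_TOKEN environment variable, the ca_bundle config key and the name check on label and tag are this example's own choices. TLS verification is left on, the token is read from the environment rather than a literal in the config, a zero container total is handled, and only the standard library is used.

```python
import json
import os
import re
import ssl
import urllib.parse
import urllib.request

# Labels and tags end up inside a quoted _filter_* value. Rather than invent an
# escaping rule for Phantom's filter syntax (assumption), only accept names
# drawn from a conservative character set.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9_.\- ]+$')


def check_name(value, what):
    """Return value if it is safe to embed in a filter, else raise ValueError."""
    if not _SAFE_NAME.match(value):
        raise ValueError('unsafe %s %r' % (what, value))
    return value


def container_url(base_url, label, tag=None):
    """Closed-container count query, built with urlencode so every value is
    percent-encoded instead of pasted into the URL by string formatting."""
    filters = [('_filter_status', '"closed"'),
               ('_filter_label', '"%s"' % check_name(label, 'label'))]
    if tag is not None:
        filters.append(('_filter_tags__contains', '"%s"' % check_name(tag, 'tag')))
    return base_url.rstrip('/') + '/rest/container?' + urllib.parse.urlencode(filters)


def threshold_hit(total, count, threshold):
    """True when count/total reaches threshold; a zero total never triggers."""
    if total <= 0:
        return False
    return count / total >= threshold


def find_app_id(build_action_json, asset_name):
    """App id of the named asset in a /rest/build_action response, or None."""
    for asset in build_action_json.get('assets', []):
        if asset.get('name') == asset_name and asset.get('apps'):
            return asset['apps'][0]
    return None


def email_action_body(container_id, asset_name, app_id, to_addr, base_url, label):
    """The /rest/action_run body for the 'send email' action."""
    browse = '%s/browse/%s' % (base_url.rstrip('/'), urllib.parse.quote(label))
    return {
        'action': 'send email',
        'container_id': container_id,
        'name': 'notification email',
        'targets': [{
            'assets': [asset_name],
            'parameters': [{
                'to': to_addr,
                'from': 'Phantom notifications',
                'subject': 'You are opening a lot of alerts',
                'body': 'Please consider opening fewer alerts. See ' + browse,
            }],
            'app_id': app_id,
        }],
        'type': 'generic',
    }


class PhantomClient:
    """Minimal REST client: token header, verified TLS, JSON in and out."""

    def __init__(self, base_url, token=None, ca_bundle=None):
        self.base_url = base_url.rstrip('/')
        self.headers = {'ph-auth-token': token} if token else {}
        # System trust store by default, or the instance's CA bundle for a
        # private CA. Never verify=False, since the token rides on this channel.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def call(self, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)


def run(config):
    """Same decision as the page's script, using the helpers above."""
    client = PhantomClient(config['url'], os.environ.get('PHANTOM_TOKEN'),
                           config.get('ca_bundle'))
    total = client.call(container_url(config['url'], config['label']))['count']
    tagged = client.call(container_url(config['url'], config['label'], config['tag']))
    if not threshold_hit(total, tagged['count'], config['threshold']):
        return 'Threshold not hit. Taking no action.'
    app_id = config.get('app_id') or find_app_id(
        client.call(client.base_url + '/rest/build_action'), config['email_asset'])
    if app_id is None:
        raise RuntimeError('no asset named %r' % config['email_asset'])
    body = email_action_body(tagged['data'][0]['id'], config['email_asset'], app_id,
                             config['email'], config['url'], config['label'])
    return client.call(client.base_url + '/rest/action_run', body)


if __name__ == '__main__':
    print(run({'url': 'https://127.0.0.1', 'label': 'soc_alert', 'tag': 'red_alert',
               'threshold': 0.1, 'email': 'soc@contoso.com', 'email_asset': 'smtp'}))
```

Run it with PHANTOM_TOKEN exported for a remote instance (leave it unset on the loopback address, as the page says no token is needed there) and, if the instance presents a certificate from a private CA, add 'ca_bundle': '/path/to/ca.pem' to the config. Because the URL builder, threshold check, asset lookup and action body are plain functions, each can be exercised against constructed JSON before the script is pointed at production.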
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7