Use the contains parameter to configure contextual actions
Splunk Phantom apps have a parameter for action inputs and outputs called "contains". The contains types, in conjunction with the primary parameter property, are used to enable contextual actions in the Splunk Phantom user interface. A common example is the contains type "ip", which represents an IP address. You might run an action that produces an IP address as one of its output items, or you may have ingested an artifact of type ip. If you view the ip in Investigation, you get a context menu that lets you run other actions that take ip as an input. When an author is creating an app, they specify that a given data field "contains" an ip, so that Splunk Phantom knows how to treat this piece of data.
Once a data type has been defined as "ip", the platform parses the actions of all installed apps and shortlists every action that has specified "ip" as one of the contains for a parameter marked as primary. These actions are made available from the context menu for that item.
This is a powerful feature of the platform, as it allows the user to chain the output of one action as input to another. As an app author, check that your data type isn't already covered by an existing contains type that other apps use before creating a new one for your app. The contains property is a list, and a given field may have more than one contains type at the same time. A common example is a SHA256, which is often listed both as "sha256" and as "hash". Some common concepts are product specific, however, such as an "id". While the concept of an ID is generic, an ID from one product generally doesn't work in a different product, so it should not share a contains type with it.
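The shortlisting described above can be modelled to check how an app's contains and primary choices affect the context menu. The following is an added example, not code from Splunk Phantom or its documentation; the app definitions are constructed and follow the general shape of Phantom app JSON as an assumption, with only the "contains" and "primary" properties taken from this page.

```python
import json

# Constructed app definitions modelled on Splunk Phantom app JSON (shape assumed):
# each action lists its parameters, and a parameter may carry a "contains" list
# and a "primary" flag, the two properties this page describes.
APP_JSON = json.loads(r"""
[
  {"name": "GeoIP (constructed)",
   "actions": [
     {"action": "geolocate ip",
      "parameters": {"ip": {"data_type": "string", "contains": ["ip"], "primary": true}}}]},
  {"name": "File Reputation (constructed)",
   "actions": [
     {"action": "file reputation",
      "parameters": {"hash": {"data_type": "string", "contains": ["hash", "sha256", "md5"], "primary": true}}},
     {"action": "detonate file",
      "parameters": {"vault_id": {"data_type": "string", "contains": ["vault id"], "primary": true},
                     "file_name": {"data_type": "string", "contains": ["file name"]}}}]},
  {"name": "Ticketing (constructed)",
   "actions": [
     {"action": "update ticket",
      "parameters": {"id": {"data_type": "string", "contains": ["jira ticket key"], "primary": true}}}]}
]
""")


def contextual_actions(item_contains, apps):
    """Return sorted (app, action) pairs the context menu would offer for a data
    item tagged with `item_contains`. An action qualifies only if one of its
    *primary* parameters lists at least one of the item's contains types."""
    wanted = set(item_contains)
    matches = []
    for app in apps:
        for action in app["actions"]:
            for param in action["parameters"].values():
                if not param.get("primary"):
                    continue  # non-primary parameters never trigger the menu
                if wanted & set(param.get("contains", [])):
                    matches.append((app["name"], action["action"]))
                    break  # one matching primary parameter is enough
    return sorted(matches)


if __name__ == "__main__":
    # A SHA256 is commonly tagged both "sha256" and "hash", so one match suffices.
    print(contextual_actions(["sha256", "hash"], APP_JSON))
    # "file name" is not primary on detonate file, so nothing is offered.
    print(contextual_actions(["file name"], APP_JSON))
    # A product-specific id does not light up actions that expect another product's id.
    print(contextual_actions(["servicenow ticket id"], APP_JSON))
```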
Besides apps, Playbooks can also add artifacts to their container through the phantom.add_artifact call. Artifacts have a contains type, either by virtue of their CEF type, or by directly specifying a contains type.
Contains types also apply to files in the container, such as apk, doc, jar, os memory dump, pdf, pe file, ppt, and xls. Apps and Playbooks can specify a contains on a file. Splunk Phantom will also attempt to determine the file type of manually uploaded files, because some apps, most notably those that implement a detonate file action, only handle certain file types.
Since new apps can provide new contains types, this list may differ from what is available on your Splunk Phantom instance. To see the current contains list on a given Splunk Phantom instance, use the REST endpoint https://phantom.example.com/rest/cef_metadata. This displays both the current contains types and the CEF types, with the contains types they map to.
anubis task id, apk, carbon black query, carbon black query type, carbon black sensor id, carbon black watchlist, cuckoo task id, cyphort event id, doc, domain, email, file name, file path, file size, firewall rule name, flash, hash, host name, ip, isightpartners report id, jar, javascript, jira project key, jira ticket key, jira ticket status, lastline task id, mac address, malwr task id, md5, mobileiron device uuid, network application, os memory dump, pdf, pe file, pid, port, ppt, process name, qradar offense id, rt queue, rt ticket id, servicenow ticket id, sha1, sha256, srp guid, tanium question, threatgrid task id, url, urlquery queue id, urlquery report id, user name, vault id, vm, volatility profile, wepawet task id, wildfire task id, xls
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7