Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

REST Evidence

Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.

/rest/evidence

Manage evidence.

Syntax

https://<username>:<password>@<host>/rest/evidence

POST

Add evidence to a container.

The body of the request is a JSON object with the following fields.

Field          Required   Description
container_id   required   Id of the container to which you are adding evidence.
object_id      required   Id of the object to add as evidence, such as an artifact Id or a note Id.
content_type   required   The content type of the object to add as evidence. One of the following types:
  • containerattachment
  • artifact
  • actionrun
  • container
  • note

Example request
Add an artifact of Id 17 to container Id 9.

curl -k -u admin:changeme https://localhost/rest/evidence \
-d '{
    "container_id": 9,
    "object_id": 17,
    "content_type": "artifact"
}'

Example response
A successful POST will return a success indicator and the Id of the newly created evidence.

{
    "id": 4,
    "success": true
}

/rest/evidence optional query parameters and filters

Query all evidence with the addition of query parameters and filters. See REST Query Data for further information about query parameters.

/rest/evidence?_special_content_type=True&_filter_container=<container id>

Example query parameters and filters follow:

  • _special_content_type=True - adds a string to the returned JSON that gives the type of each evidence item. In the following example, the type is "artifact".
  • _filter_container=<container id> - restricts the query to a single container.

For cases or containers that have large collections of evidence, consider adding paging parameters.

Syntax

https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>

GET

Get a list of evidence.

Example request
Get a list of evidence for container Id 5 with a page size of 5 and special content type true.

curl -k -u admin:changeme 'https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5' -G -X GET

Example response
A successful GET returns a JSON object containing the matching evidence records.

{
    "count": 1,
    "data": [
        {
            "container": 5,
            "modified_time": "2019-05-23T17:18:39.595829Z",
            "_special_content_type": "artifact",
            "create_time": "2019-05-23T17:18:39.595528Z",
            "object_id": 20,
            "content_type": 52,
            "id": 1
        }
    ],
    "num_pages": 1
}

/rest/evidence/<evidence id>

Manage one item by evidence Id.

DELETE

Delete an item from evidence.

Example request
Delete the evidence with Id 5.

curl -k -u admin:changeme https://localhost/rest/evidence/5 -X DELETE

Example response
A successful response includes a success message.

{
    "id": 5,
    "success": true
}
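The three operations on this page (POST to add evidence, GET with paging and the `_special_content_type` and `_filter_container` parameters, and DELETE by evidence Id) can be driven from a small script. The client below is an added example, not code from Splunk or the Phantom product. It uses only the Python standard library, keeps TLS certificate verification on (unlike `curl -k`), validates the `content_type` against the list above before sending, and walks every page of a GET result using `num_pages`. It assumes the `page` query parameter is 0-indexed, as in Phantom's REST Query Data documentation; `fake_send` is a constructed offline stand-in that replays the example responses from this page, so the script runs without a Phantom instance.

```python
"""Added example: minimal client for the Splunk Phantom /rest/evidence endpoint."""
import base64
import json
import urllib.parse
import urllib.request

# Content types the page lists as valid for the POST body.
EVIDENCE_CONTENT_TYPES = ("containerattachment", "artifact", "actionrun", "container", "note")


def build_evidence_body(container_id, object_id, content_type):
    """Validate the inputs and build the JSON body for POST /rest/evidence."""
    if content_type not in EVIDENCE_CONTENT_TYPES:
        raise ValueError(f"unsupported content_type {content_type!r}")
    if not (isinstance(container_id, int) and isinstance(object_id, int)):
        raise TypeError("container_id and object_id must be integers")
    return {"container_id": container_id, "object_id": object_id, "content_type": content_type}


class PhantomEvidenceClient:
    """Thin wrapper over /rest/evidence; `send(method, url, body)` performs the HTTP call."""

    def __init__(self, base_url, username, password, send=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self._send = send or self._urllib_send

    def _urllib_send(self, method, url, body):
        # Real transport: urlopen verifies the server certificate by default (no curl -k equivalent).
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self._headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def add_evidence(self, container_id, object_id, content_type):
        """POST /rest/evidence; returns the Id of the new evidence record."""
        body = build_evidence_body(container_id, object_id, content_type)
        resp = self._send("POST", f"{self.base_url}/rest/evidence", body)
        if not resp.get("success"):
            raise RuntimeError(f"add evidence failed: {resp}")
        return resp["id"]

    def list_evidence(self, container_id, page_size=5):
        """GET /rest/evidence for one container, yielding records across all pages."""
        page = 0
        while True:
            query = urllib.parse.urlencode({
                "page_size": page_size,
                "page": page,  # assumption: 0-indexed page number, per REST Query Data
                "_special_content_type": "True",
                "_filter_container": container_id,
            })
            resp = self._send("GET", f"{self.base_url}/rest/evidence?{query}", None)
            yield from resp.get("data", [])
            page += 1
            if page >= resp.get("num_pages", 1):
                return

    def delete_evidence(self, evidence_id):
        """DELETE /rest/evidence/<evidence id>; returns True on success."""
        resp = self._send("DELETE", f"{self.base_url}/rest/evidence/{int(evidence_id)}", None)
        return bool(resp.get("success"))


# Constructed offline transport replaying the page's example responses (page 1 is constructed).
_FAKE_PAGES = {
    "0": {"count": 2, "num_pages": 2, "data": [{"container": 5, "modified_time": "2019-05-23T17:18:39.595829Z",
                                                "_special_content_type": "artifact", "create_time": "2019-05-23T17:18:39.595528Z",
                                                "object_id": 20, "content_type": 52, "id": 1}]},
    "1": {"count": 2, "num_pages": 2, "data": [{"container": 5, "modified_time": "2019-05-23T17:20:00.000000Z",
                                                "_special_content_type": "note", "create_time": "2019-05-23T17:20:00.000000Z",
                                                "object_id": 21, "content_type": 60, "id": 2}]},
}


def fake_send(method, url, body):
    parsed = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parsed.query))
    if method == "POST" and parsed.path == "/rest/evidence":
        return {"id": 4, "success": True}
    if method == "GET" and parsed.path == "/rest/evidence":
        return _FAKE_PAGES[params.get("page", "0")]
    if method == "DELETE" and parsed.path.startswith("/rest/evidence/"):
        return {"id": int(parsed.path.rsplit("/", 1)[1]), "success": True}
    raise AssertionError(f"unexpected call {method} {url}")


def demo():
    """Run add, paged list, and delete against the fake transport and summarise the results."""
    client = PhantomEvidenceClient("https://localhost", "admin", "changeme", send=fake_send)
    new_id = client.add_evidence(9, 17, "artifact")
    records = list(client.list_evidence(5, page_size=1))
    deleted = client.delete_evidence(5)
    return {"new_id": new_id, "listed_ids": [r["id"] for r in records],
            "types": [r["_special_content_type"] for r in records], "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

To run against a real instance, drop the `send=fake_send` argument; the default transport sends the same requests with HTTP basic authentication over verified TLS.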
Last modified on 16 April, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8
