Splunk® Phantom (Legacy)

Python Playbook API Reference for Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Network automation API

Splunk Phantom's Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale response to a security breach. The following APIs are supported to leverage the capabilities of the platform using Playbooks.

valid_ip

phantom.valid_ip(address)

This API validates an IPv4 address.

valid_net

phantom.valid_net(net)

This API validates an IPv4 address range expressed in CIDR notation.

address_in_network

phantom.address_in_network(ip, net)

This API checks whether the IP address is in the user-specified IP address range expressed in CIDR format.

Parameter Description
ip This is the IPv4 address that has to be checked.
net This is the IPv4 CIDR notation expressing the IP address range that needs to be tested.

attacker_ips, victim_ips

phantom.attacker_ips(container, scope='new')
phantom.victim_ips(container, scope='new')

Parameter Description
container This is the container object passed in to on_start() or any action callbacks. Just pass it as is to the API.
scope For more details about this parameter please read phantom.collect(). The parameter defaults to 'new' or you can pass 'all' to collect the field values from all artifacts.

Review the phantom.collect() API before using, as these convenience APIs have very limited use scenarios. These APIs return an attacker or victim value depending on the CEF deviceDirection, sourceAddress, and destinationAddress fields.

  • If deviceDirection is 'inbound' or not present: sourceAddress is returned as the 'attacker' IP address and destinationAddress is returned as the 'victim' IP address.
  • If deviceDirection is 'outbound' then the destinationAddress is returned as the 'attacker' IP address and sourceAddress is returned as the 'victim' IP address.
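
The direction rule above, reproduced in plain Python as an added example; this is not Splunk Phantom's implementation and does not call the phantom module. The function names, the INTERNAL_NET range and the sample artifacts are assumptions made for illustration. It also shows why the rule has limited use: an outbound event with no deviceDirection labels the internal host as the attacker.

```python
import ipaddress

INTERNAL_NET = "10.0.0.0/8"  # assumed internal range for this example

def in_network(ip, net):
    """IPv4-in-CIDR check built on the standard library; False on malformed input."""
    try:
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(net, strict=False)
    except ValueError:
        return False

def classify(artifacts):
    """Return (attackers, victims) by applying the deviceDirection rule above."""
    attackers, victims = [], []
    for artifact in artifacts:
        cef = artifact.get("cef", {})
        src = cef.get("sourceAddress")
        dst = cef.get("destinationAddress")
        # A missing deviceDirection is handled as inbound, as the rule states;
        # treating an empty value the same way is an assumption of this example.
        direction = str(cef.get("deviceDirection") or "inbound").lower()
        if direction == "outbound":
            src, dst = dst, src  # destination is the attacker, source the victim
        elif direction != "inbound":
            continue  # value the rule does not cover; skipped in this example
        if src and src not in attackers:
            attackers.append(src)
        if dst and dst not in victims:
            victims.append(dst)
    return attackers, victims

def suspicious_attackers(attackers, internal_net=INTERNAL_NET):
    """Attacker IPs inside the internal range: the direction was likely mislabelled."""
    return [ip for ip in attackers if in_network(ip, internal_net)]

# Constructed sample artifacts (documentation address ranges, not real data).
SAMPLE = [
    {"cef": {"sourceAddress": "203.0.113.7", "destinationAddress": "10.1.2.3"}},
    {"cef": {"deviceDirection": "outbound",
             "sourceAddress": "10.1.2.4", "destinationAddress": "198.51.100.9"}},
    # Outbound flow whose deviceDirection field is missing.
    {"cef": {"sourceAddress": "10.1.2.5", "destinationAddress": "192.0.2.44"}},
]

if __name__ == "__main__":
    found_attackers, found_victims = classify(SAMPLE)
    print(found_attackers, found_victims, suspicious_attackers(found_attackers))
```
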
Last modified on 30 April, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8
