Splunk® Phantom (Legacy)

Python Playbook API Reference for Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

System automation API

Splunk Phantom's Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale response to a security breach. The following APIs are supported to leverage the capabilities of the platform using Playbooks.

get_base_url

phantom.get_base_url()

This API lets the user retrieve the URL that points to the Phantom instance.

import phantom.rules as phantom
import json

def on_start(container):
    # Retrieve the base URL configured for this Phantom instance and log it
    url = phantom.get_base_url()
    phantom.debug(url)
    return

def on_finish(container, summary):
    return

The return value of this API is just the base URL of the platform as configured in Administration / System Settings / Company Settings.

2016-02-13T01:29:25.977000+00:00: calling on_start(): on incident 'test', id: 107.
2016-02-13T01:29:26.020179+00:00: phantom.get_base_url(): called for playbook run '219'
2016-02-13T01:29:26.022549+00:00: https://10.10.0.10
2016-02-13T01:29:26.025000+00:00: No actions were executed
2016-02-13T01:29:26.034220+00:00: calling on_finish()
2016-02-13T01:29:26.049943+00:00:
Playbook 'get_base_url (id: 175)' executed (playbook_run_id: 219) on incident 'test'(id: 107).
Playbook execution status is:'success'
	No actions were executed for this playbook and 'incident'
{"message":"No actions were executed","playbook_run_id":219,"result":[],"status":"success"}

 *** The Playbook has completed. Result: success ***

get_rest_base_url

phantom.get_rest_base_url()

This API returns the base URL of this Phantom instance's REST API. It is guaranteed to work on all Phantom instances, regardless of installation type or the base URL in Company Settings.

On a release OVA or privileged install:

Thu Jan 03 2019 16:37:23 GMT-0800 (Pacific Standard Time): https://127.0.0.1/rest/

On an unprivileged install, showing the custom HTTPS port:

Thu Jan 03 2019 16:36:31 GMT-0800 (Pacific Standard Time): https://127.0.0.1:9999/rest/

get_phantom_home

phantom.get_phantom_home()

This API returns the path to the Phantom home directory.

On a release OVA or privileged install:

Thu Jan 03 2019 16:37:23 GMT-0800 (Pacific Standard Time): /opt/phantom

On an unprivileged install:

Thu Jan 03 2019 16:36:31 GMT-0800 (Pacific Standard Time): /home/username/directory_name

set_action_limit

phantom.set_action_limit(limit)

This API lets the user specify the maximum number of action calls (phantom.act() calls) that a playbook can execute for a container. The default is 50 action calls per container per playbook. Keep in mind that each phantom.act() call may still result in multiple actions being performed, so the number of actions can exceed this setting. This limit helps protect the playbook from a logic bug or an infinite loop that would otherwise make the playbook execute forever.
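As an added example (not code from the Phantom documentation), the playbook below sets its own phantom.act() budget before the first action call and batches parameters so the number of act() calls is known up front and refused if it would exceed the budget. It assumes phantom.act(action, parameters, assets, name) takes a list of parameter dicts, and the action name, asset name and container shape are constructed; the stand-in class only exists so the logic runs outside Phantom.

```python
# Added example, not from the Splunk Phantom documentation: a playbook that sets
# its own phantom.act() budget and batches parameters so the number of act()
# calls is known before the first one is made. phantom.act(action, parameters,
# assets, name) is assumed to take a list of parameter dicts (one action per dict).
try:
    import phantom.rules as phantom               # real module inside a Phantom playbook
except ImportError:
    class phantom:                                # offline stand-in (assumption, not Phantom code)
        limit, calls = 50, []                     # page: default is 50 act() calls per container
        @staticmethod
        def set_action_limit(limit): phantom.limit = limit
        @staticmethod
        def act(action, parameters=None, assets=None, name=None):
            if len(phantom.calls) >= phantom.limit:
                raise RuntimeError("action limit exceeded")   # platform would stop the run here
            phantom.calls.append((action, list(parameters or []), assets, name))
        @staticmethod
        def debug(msg): print(msg)

ACTION_LIMIT = 20   # budget chosen for this playbook (assumption), below the default 50
BATCH = 25          # parameter dicts per act() call (assumption)

def batch_parameters(values, batch_size):
    """Group artifact values into one parameter list per act() call."""
    params = [{"ip": v} for v in values]
    return [params[i:i + batch_size] for i in range(0, len(params), batch_size)]

def planned_calls(n_values, batch_size):
    """Number of act() calls the batches above will make (ceiling division)."""
    return -(-n_values // batch_size)

def dispatch(values):
    """Run the (constructed) 'geolocate ip' action in batches; return act() calls made."""
    phantom.set_action_limit(ACTION_LIMIT)         # set before the first act() call
    needed = planned_calls(len(values), BATCH)
    if needed > ACTION_LIMIT:                      # refuse up front instead of dying mid-run
        phantom.debug(f"{needed} act() calls needed, budget is {ACTION_LIMIT}; aborting")
        return 0
    for i, params in enumerate(batch_parameters(values, BATCH)):
        phantom.act("geolocate ip", parameters=params, assets=["geo_asset"], name=f"geo_{i}")
    return needed

def on_start(container):
    # Constructed container shape for the offline run; inside Phantom, pull the
    # values with the data access API instead.
    ips = [a["cef"]["sourceAddress"] for a in container.get("artifacts", [])]
    phantom.debug(f"dispatched {dispatch(ips)} act() calls")

def on_finish(container, summary):
    return
```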

Last modified on 30 April, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8
