System automation API
Splunk Phantom's Automation API allows security operations teams to develop detailed and precise automation strategies. Playbooks can serve many purposes, ranging from automating minimal investigative tasks that can speed up analysis to large-scale response to a security breach. The following APIs are supported to leverage the capabilities of the platform using Playbooks.
get_base_url
phantom.get_base_url()
This is an API supported for the purposes of letting the user retrieve the URL that points to Phantom instance.
import phantom.rules as phantom import json def on_start(container): url = phantom.get_base_url() phantom.debug(url) return def on_finish(container, summary): return
The return value of this API is just the base URL of the platform as configured in Administration / System Settings / Company Settings.
2016-02-13T01:29:25.977000+00:00: calling on_start(): on incident 'test', id: 107. 2016-02-13T01:29:26.020179+00:00: phantom.get_base_url(): called for playbook run '219' 2016-02-13T01:29:26.022549+00:00: https://10.10.0.10 2016-02-13T01:29:26.025000+00:00: No actions were executed 2016-02-13T01:29:26.034220+00:00: calling on_finish() 2016-02-13T01:29:26.049943+00:00: Playbook 'get_base_url (id: 175)' executed (playbook_run_id: 219) on incident 'test'(id: 107). Playbook execution status is:'success' No actions were executed for this playbook and 'incident' {"message":"No actions were executed","playbook_run_id":219,"result":[],"status":"success"} *** The Playbook has completed. Result: success ***
get_rest_base_url
phantom.get_rest_base_url()
This API returns the base URL to this phantom instances REST API. This is guaranteed to work on all Phantom instances, regardless of installation type or the base URL in Company Settings.
On a release OVA or privileged install:
Thu Jan 03 2019 16:37:23 GMT-0800 (Pacific Standard Time): https://127.0.0.1/rest/
On an unprivileged install, showing the custom HTTPS port:
Thu Jan 03 2019 16:36:31 GMT-0800 (Pacific Standard Time): https://127.0.0.1:9999/rest/
get_phantom_home
phantom.get_phantom_home()
This API returns the path to the Phantom home directory.
On a release OVA or privileged install:
Thu Jan 03 2019 16:37:23 GMT-0800 (Pacific Standard Time): /opt/phantom
On an unprivileged install:
Thu Jan 03 2019 16:36:31 GMT-0800 (Pacific Standard Time): /home/username/directory_name
set_action_limit
phantom.set_action_limit(limit)
This is an API that allows the users to specify a max numbers of action calls (phantom.act() calls) that can be executed by an container by a Playbook. Default is 50 action calls per container per Playbook. Keep in mind each phantom.act() call may still result in multiple actions performed resulting in more actions than this setting. This implementation helps protect the playbook from a logic bug or an infinte loop resulting in the playbook executing forever.
Data access automation API | Vault automation API |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8
Feedback submitted, thanks!