After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
REST App
Install apps and see which Python version the apps are.
/rest/app
Syntax
https://<username>:<password>@<host>/rest/app
Usage details
The account used must have permissions to edit Apps.
POST
Install a app.
Example request
You can submit an HTTP POST to the following endpoint with a base64 encoded tarball or installer package.
curl -k -u username:password https://localhost/rest/app \ -d '{ "app": "<BASE64 ENCODED TARBALL OR INSTALLER PACKAGE>" }'
Success example response
A successful response includes the import success message and the success true status.
{ "success": true, "message": "App successfully imported.", "id": 190 }
Failure example response
A failed response includes the import failure message and the failed true status.
{ "failed": true, "message": "App install failed." }
Example Python request
Python example of how the API can be called.
import json import base64 import requests file_contents = open('/path/to/myapp.tgz', 'rb').read() encoded_contents = base64.b64encode(file_contents) payload = {'app': encoded_contents} requests.post('https://phantom.mycompany.com/rest/app', auth=('soar_local_admin', PASSWORD), data=json.dumps(payload))
The app file can be a supported installer package such as a tarball or .rpm file. The app can be updated by simply POSTing the new app in the exact same manner as the original install.
DELETE
Delete a app.
Example request
Delete the app with Id 151.
curl -k -u username:password https://localhost/rest/app/151 -X DELETE
/rest/app/<app-id>
Get the details of the specified app, including the Python version number.
Syntax
https://<username>:<password>@<host>/rest/app/<app-id>
Usage details
The account used must have permissions to view Apps.
GET
See the Python version number of the specified App.
Example request
Get the details of app id 112.
curl -k -u username:password https://localhost/rest/app/112?pretty -G -X GET
Example response
A successful GET will return back a JSON formatted list of key names and their values.
{ "app_config_render": null, "product_version_regex": ".*", "python_version": "3.6", "uber_view": null, "disabled": false, "logo": "logo_abuseipdb.svg", "install_time": "2019-07-15T01:31:42.560831Z", "id": 112, "logo_dark": "logo_abuseipdb_dark.svg", "rest_handler": null, "appname": "-", "_pretty_invalid_assets": [], "version": 1, "_pretty_actions": [ { "description": "Report an IP for abusive behavior", "name": "post ip" }, { "description": "Queries IP info", "name": "lookup ip" }, { "description": "Validate the asset configuration for connectivity using supplied configuration", "name": "test connectivity" } ], "app_version": "1.0.9", "type": "reputation", "product_name": "AbuseIPDB", "description": "This app integrates with AbuseIPDB to perform investigative actions", "tags": [], "_pretty_asset_count": 1, "app_config": {}, "_pretty_install_time": "Jul 15 at 01:31 AM", "configuration": { "api_key": { "required": true, "description": "API Key", "data_type": "password" } }, "product_vendor": "AbuseIPDB", "publisher": "Splunk", "name": "AbuseIPDB", "release_tag": null, "consolidate_widgets": true, "appid": "52876771-17a7-45ad-8cc5-513bbd2172c5", "directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5", "_pretty_dark_logo": "logo_abuseipdb_dark.svg", "require_auth_token": false, "main_module": "abuseipdb_connector.pyc", "known_versions": [ "1.0.9" ] }
The return values of note follow:
Field | Type | Description |
---|---|---|
app_version | string | The version of the app. |
configuration | JSON object | Key value pairs for configuration. Required and optional values are defined by the Apps. See individual App documentation for more info. For example: {... "configuration": { "api_key": { "required": true, "order": 0, "data_type": "password", "description": "API Key" } }, ... } |
description | string | A brief description of the app. |
id | string | The Id of the app. |
install_time | string | The time that the app was installed, in epoch UTC format. |
logo | string | The product logo in .svg or .png format. |
logo_dark | string | The dark mode product logo in .svg or .png format. |
name | string | Short name for the asset. Used when invoking an action on this asset. |
product_name | string | Official name of the product. Used when invoking an action on this asset. |
product_vendor | string | The name of the app vendor. Used when invoking an action on this asset. |
publisher | string | The publisher of the app, such as or Splunk or SentinelOne. |
python_version | string | Python version number. |
tags | array of strings | 0 or more tags associated with the asset. A simple string can also be used for a single tag. Optional, for use with Playbooks. |
type | string | A brief categorization of this asset. |
For information on the app status API, see Status endpoints.
REST Aggregation Rules | REST Approval |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!