Splunk® SOAR (Cloud)

REST API Reference for Splunk SOAR (Cloud)

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF


Install apps and see which Python version the apps are.




Usage details
The account used must have permissions to edit Apps.


Install a app.

Example request
You can submit an HTTP POST to the following endpoint with a base64 encoded tarball or installer package.

curl -k -u username:password https://localhost/rest/app \
-d '{

Success example response
A successful response includes the import success message and the success true status.

    "message": "App successfully imported.",
    "success": true

Failure example response
A failed response includes the import failure message and the failed true status.

    "failed": true,
    "message": "App install failed."

Example Python request
Python example of how the API can be called.

import json
import base64
import requests
file_contents = open('/path/to/myapp.tgz', 'rb').read()
encoded_contents = base64.b64encode(file_contents)
payload = {'app': encoded_contents}
                auth=('soar_local_admin', PASSWORD),

The app file can be a supported installer package such as a tarball or .rpm file. The app can be updated by simply POSTing the new app in the exact same manner as the original install.


Delete a app.

Example request
Delete the app with Id 151.

curl -k -u username:password https://localhost/rest/app/151 -X DELETE


Get the details of the specified app, including the Python version number.



Usage details
The account used must have permissions to view Apps.


See the Python version number of the specified App.

Example request
Get the details of app id 112.

curl -k -u username:password https://localhost/rest/app/112?pretty -G -X GET

Example response
A successful GET will return back a JSON formatted list of key names and their values.

  "app_config_render": null,
  "product_version_regex": ".*",
  "python_version": "3.6",
  "uber_view": null,
  "disabled": false,
  "logo": "logo_abuseipdb.svg",
  "install_time": "2019-07-15T01:31:42.560831Z",
  "id": 112,
  "logo_dark": "logo_abuseipdb_dark.svg",
  "rest_handler": null,
  "appname": "-",
  "_pretty_invalid_assets": [],
  "version": 1,
  "_pretty_actions": [
      "description": "Report an IP for abusive behavior",
      "name": "post ip"
      "description": "Queries IP info",
      "name": "lookup ip"
      "description": "Validate the asset configuration for connectivity using supplied configuration",
      "name": "test connectivity"
  "app_version": "1.0.9",
  "type": "reputation",
  "product_name": "AbuseIPDB",
  "description": "This app integrates with AbuseIPDB to perform investigative actions",
  "tags": [],
  "_pretty_asset_count": 1,
  "app_config": {},
  "_pretty_install_time": "Jul 15 at 01:31 AM",
  "configuration": {
    "api_key": {
      "required": true,
      "description": "API Key",
      "data_type": "password"
  "product_vendor": "AbuseIPDB",
  "publisher": "Splunk",
  "name": "AbuseIPDB",
  "release_tag": null,
  "consolidate_widgets": true,
  "appid": "52876771-17a7-45ad-8cc5-513bbd2172c5",
  "directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5",
  "_pretty_dark_logo": "logo_abuseipdb_dark.svg",
  "require_auth_token": false,
  "main_module": "abuseipdb_connector.pyc",
  "known_versions": [

The return values of note follow:

Field Type Description
app_version string The version of the app.
configuration JSON object Key value pairs for configuration. Required and optional values are defined by the Apps. See individual App documentation for more info. For example:
	"configuration": {
		"api_key": {
			"required": true,
			"order": 0,
			"data_type": "password",
			"description": "API Key"
description string A brief description of the app.
id string The Id of the app.
install_time string The time that the app was installed, in epoch UTC format.
logo string The product logo in .svg or .png format.
logo_dark string The dark mode product logo in .svg or .png format.
name string Short name for the asset. Used when invoking an action on this asset.
product_name string Official name of the product. Used when invoking an action on this asset.
product_vendor string The name of the app vendor. Used when invoking an action on this asset.
publisher string The publisher of the app, such as or Splunk or SentinelOne.
python_version string Python version number.
tags array of strings 0 or more tags associated with the asset. A simple string can also be used for a single tag. Optional, for use with Playbooks.
type string A brief categorization of this asset.

For information on the app status API, see Status endpoints.

Last modified on 06 September, 2023
REST Aggregation Rules
REST Approval

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters