Use the contains parameter to configure contextual actions

Splunk SOAR apps have a parameter for action inputs and outputs called "contains". The contains types, in conjunction with the primary parameter property, are used to enable contextual actions in the Splunk SOAR user interface. A common example is the contains type "ip". This represents an ip address. You might run an action that produces an ip address as one of its output items. Or, you may have ingested an artifact of type ip. If you view the ip in Investigation, you will get a context menu that lets you then run other actions that take ip as an input. When an author is creating an app, they specify that a given data field "contains" an ip, so that Splunk SOAR knows how to treat this piece of data.

Once a data type has been defined as "ip", the platform parses all the actions for all the apps that are installed and it shortlists all the actions that have specified "ip" as one of the contains for a parameter that was marked as primary. These actions will be made available from the context menu for that item.

This is a powerful feature that the platform provides, as it allows the user to chain the output of one action as input to another. As an app author, check that your data type isn't already covered by an existing contains that other apps use before creating a new one for their app. Contains is a list, and a given field may have more than one simultaneous contains type. A common example is a SHA256 which will often be listed both as "sha256" as well as "hash". But, some common concepts can be product specific, such as an "id". While the concept of an ID is generic, in terms of making use of it, an ID from one product generally doesn't work well in a different product.

Besides apps, Playbooks can also add artifacts to their container through the phantom.add_artifact call. Artifacts have a contains type, either by virtue of their CEF type, or by directly specifying a contains type.

The contains types applies to files in the container, such as apk, doc, jar, os memory dump, pdf, pe file, ppt, and xls. Apps and Playbooks can specify a contains on a file. Splunk SOAR will also attempt to determine the file type for manually uploaded files as some Apps, most notable those that implement a detonate file, only handle certain file types.

Since new apps can provide new contains types, this list may differ from what is available on your Splunk SOAR instance. To see the current contains list on a given Splunk SOAR instance, use the REST endpoint /rest/cef_metadata . This displays both the current contains types as well as CEF types and what contains types they map to.

anubis task id 
apk 
carbon black query 
carbon black query type 
carbon black sensor id 
carbon black watchlist 
cuckoo task id 
cyphort event id 
doc 
domain 
email 
file name 
file path 
file size 
firewall rule name 
flash 
hash 
host name 
ip 
isightpartners report id 
jar 
javascript 
jira project key 
jira ticket key 
jira ticket status 
lastline task id 
mac address 
malwr task id 
md5 
mobileiron device uuid 
network application 
os memory dump 
pdf 
pe file 
pid 
port 
ppt 
process name 
qradar offense id
rt queue 
rt ticket id 
servicenow ticket id 
sha1 
sha256 
srp guid 
tanium question 
threatgrid task id 
url 
urlquery queue id 
urlquery report id 
user name 
vault id 
vm 
volatility profile 
wepawet task id 
wildfire task id 
xls