Splunk® SOAR (Cloud)

REST API Reference for Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

REST App

Install apps and see which Python version the apps are.

/rest/app

Syntax

https://<username>:<password>@<host>/rest/app

Usage details
The account used must have permissions to edit Apps.

POST

Install a app.

Example request
You can submit an HTTP POST to the following endpoint with a base64 encoded tarball or installer package.

curl -k -u username:password https://localhost/rest/app \
-d '{
    "app": "<BASE64 ENCODED TARBALL OR INSTALLER PACKAGE>"
}'

Success example response
A successful response includes the import success message and the success true status.

{
    "success": true,
    "message": "App successfully imported.",
    "id": 190
}

Failure example response
A failed response includes the import failure message and the failed true status.

{
    "failed": true,
    "message": "App install failed."
}


Example Python request
Python example of how the API can be called.

import json
import base64
import requests
file_contents = open('/path/to/myapp.tgz', 'rb').read()
encoded_contents = base64.b64encode(file_contents)
payload = {'app': encoded_contents}
requests.post('https://phantom.mycompany.com/rest/app',
                auth=('soar_local_admin', PASSWORD),
                data=json.dumps(payload))

The app file can be a supported installer package such as a tarball or .rpm file. The app can be updated by simply POSTing the new app in the exact same manner as the original install.

DELETE

Delete a app.

Example request
Delete the app with Id 151.

curl -k -u username:password https://localhost/rest/app/151 -X DELETE

/rest/app/<app-id>

Get the details of the specified app, including the Python version number.

Syntax

https://<username>:<password>@<host>/rest/app/<app-id>

Usage details
The account used must have permissions to view Apps.

GET

See the Python version number of the specified App.

Example request
Get the details of app id 112.

curl -k -u username:password https://localhost/rest/app/112?pretty -G -X GET

Example response
A successful GET will return back a JSON formatted list of key names and their values.

{
  "app_config_render": null,
  "product_version_regex": ".*",
  "python_version": "3.6",
  "uber_view": null,
  "disabled": false,
  "logo": "logo_abuseipdb.svg",
  "install_time": "2019-07-15T01:31:42.560831Z",
  "id": 112,
  "logo_dark": "logo_abuseipdb_dark.svg",
  "rest_handler": null,
  "appname": "-",
  "_pretty_invalid_assets": [],
  "version": 1,
  "_pretty_actions": [
    {
      "description": "Report an IP for abusive behavior",
      "name": "post ip"
    },
    {
      "description": "Queries IP info",
      "name": "lookup ip"
    },
    {
      "description": "Validate the asset configuration for connectivity using supplied configuration",
      "name": "test connectivity"
    }
  ],
  "app_version": "1.0.9",
  "type": "reputation",
  "product_name": "AbuseIPDB",
  "description": "This app integrates with AbuseIPDB to perform investigative actions",
  "tags": [],
  "_pretty_asset_count": 1,
  "app_config": {},
  "_pretty_install_time": "Jul 15 at 01:31 AM",
  "configuration": {
    "api_key": {
      "required": true,
      "description": "API Key",
      "data_type": "password"
    }
  },
  "product_vendor": "AbuseIPDB",
  "publisher": "Splunk",
  "name": "AbuseIPDB",
  "release_tag": null,
  "consolidate_widgets": true,
  "appid": "52876771-17a7-45ad-8cc5-513bbd2172c5",
  "directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5",
  "_pretty_dark_logo": "logo_abuseipdb_dark.svg",
  "require_auth_token": false,
  "main_module": "abuseipdb_connector.pyc",
  "known_versions": [
    "1.0.9"
  ]
}

The return values of note follow:

Field Type Description
app_version string The version of the app.
configuration JSON object Key value pairs for configuration. Required and optional values are defined by the Apps. See individual App documentation for more info. For example:
{...
	"configuration": {
		"api_key": {
			"required": true,
			"order": 0,
			"data_type": "password",
			"description": "API Key"
		}
	},
...
}
description string A brief description of the app.
id string The Id of the app.
install_time string The time that the app was installed, in epoch UTC format.
logo string The product logo in .svg or .png format.
logo_dark string The dark mode product logo in .svg or .png format.
name string Short name for the asset. Used when invoking an action on this asset.
product_name string Official name of the product. Used when invoking an action on this asset.
product_vendor string The name of the app vendor. Used when invoking an action on this asset.
publisher string The publisher of the app, such as or Splunk or SentinelOne.
python_version string Python version number.
tags array of strings 0 or more tags associated with the asset. A simple string can also be used for a single tag. Optional, for use with Playbooks.
type string A brief categorization of this asset.


For information on the app status API, see Status endpoints.

Last modified on 06 November, 2024
REST Aggregation Rules   REST Approval

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters