Splunk® SOAR (Cloud)

REST API Reference for Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

REST Status

You can manage status using REST. Supported methods are GET, POST, and DELETE.

Statuses are grouped into three categories or types: New, Open, and Resolved. Your business processes may require additional statuses, so lets you create additional statuses in each category, up to a maximum of 30 total statuses. Additional app statuses cannot be created.

Rules for status labels:

  • There must be at least one active status label for each status type: New, Open, and Resolved.
  • You can have a maximum of 30 status labels.
  • You can delete the labels New, Open, and Closed, removing them from the active list. You cannot rename these labels, because they are required for backward compatibility with apps and playbooks.
  • Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
  • A status label cannot exceed 128 characters.

A status label's JSON object includes an "id" field populated with an integer. The integer can be used in many REST API queries in place of the status label's name, such as in filtering. See Query for Data.

To maintain backwards compatibility with apps and existing playbooks, if the status labels New, Open, or Closed have been deleted, ingestion apps and the REST API can still assign the statuses New, Open, and Closed to containers.

/rest/container_status

List all status labels.

Syntax

https://<username>:<password>@<host>/rest/container_status

GET

Get a list of all status labels.

Example request
Get a list of all status labels.

curl -k -u username:password https://localhost/rest/container_status -G -X GET

Example response
A successful GET will return a 200 response, and a JSON formatted list of statuses.

{
    "count": 4,
    "data": [
        {
            "disabled": false,
            "name": "closed",
            "is_mutable": false,
            "modified_time": "2019-05-29T20:22:09.466124Z",
            "id": 3,
            "is_default": true,
            "create_time": "2019-05-29T20:22:09.465988Z",
            "order": 0,
            "status_type": "resolved"
        },
        {
            "disabled": false,
            "name": "new",
            "is_mutable": false,
            "modified_time": "2019-05-29T20:22:09.464784Z",
            "id": 1,
            "is_default": true,
            "create_time": "2019-05-29T20:22:09.464504Z",
            "order": 0,
            "status_type": "new"
        },
        {
            "disabled": false,
            "name": "ripe",
            "is_mutable": true,
            "modified_time": "2019-05-30T00:06:49.758771Z",
            "id": 6,
            "is_default": false,
            "create_time": "2019-05-30T00:06:49.756331Z",
            "order": 1,
            "status_type": "new"
        },
        {
            "disabled": false,
            "name": "open",
            "is_mutable": false,
            "modified_time": "2019-05-29T20:22:09.465676Z",
            "id": 2,
            "is_default": true,
            "create_time": "2019-05-29T20:22:09.465519Z",
            "order": 0,
            "status_type": "open"
        }
    ],
    "num_pages": 1
}

POST

Create a new status label.

Request parameters The "System Settings Edit" permission is required to add statuses. An argument string must include the following parameters:

Field Required Type Description
name required string The name of the new status.
status_type required string One of "New", "Open", or "Resolved".
is_default required bool A status with "is_default'" set to True becomes the default status.

Example request
You can create a new status label by supplying a JSON formatted body.

curl -k -u username:password https://localhost/rest/container_status \
-d '{
    name: "fresh", 
    status_type: "new" 
}'

Example response
A successful request will result in a 200 response returning the new status id and success as JSON.

{
    "id": 4,
    "success": true
}

DELETE

Delete a status label.

Example request
The "System Settings Edit" permission is required to delete statuses. Delete a status label with Id 4.

curl -k -u soar_local_admin:changeme https://localhost/rest/container_status/4 -X DELETE

Example response
A successful request will result in a 200 response returning the new status id and success as JSON.

{
    "id": 4,
    "success": true
}


For more information on APIs for containers, see Container endpoints.

/rest/app_status

List the status of apps or connectors based on the results of the "test connectivity" action.

Syntax

https://<username>:<password>@<host>/rest/app_status

GET

Get a list of all apps or connectors and their status by checking "test connectivity."

Example request
Get a list of all apps or connectors statuses.

curl -k -u username:password https://localhost/rest/app_status -G -X GET

Example response
A successful GET returns a JSON formatted list of apps or connectors statuses.

{
    "count": 246,
    "num_pages": 25,
    "data": [
        {
            "id": 5,
            "create_time": "2023-01-10T17:56:40.436000Z",
            "asset": 146,
            "app": 91,
            "status": "success",
            "message": "Testing asset connectivity for 'mongodb' using app 'MongoDB' For Tenant(0) : 1 action succeeded. "
        },
        {
            "id": 36,
            "create_time": "2023-01-10T18:00:25.149000Z",
            "asset": 48,
            "app": 8,
            "status": "success",
            "message": "Testing asset connectivity for 'cloudpassagehalo' using app 'CloudPassage Halo' For Tenant(0) : "
        },
        {
            "id": 3,
            "create_time": "2023-01-10T17:56:50.884000Z",
            "asset": 3,
            "app": 130,
            "status": "success",
            "message": "Testing asset connectivity for 'phishtank' using app 'PhishTank' For Tenant(0) : "
        },
        {
            "id": 28,
            "create_time": "2023-01-10T18:00:26.249000Z",
            "asset": 33,
            "app": 20,
            "status": "success",
            "message": "Testing asset connectivity for 'bigquery' using app 'Big Query' For Tenant(0) : 1 action succeeded. "
        },
        {
            "id": 17,
            "create_time": "2023-01-10T17:59:34.690000Z",
            "asset": 21,
            "app": 45,
            "status": "",
            "message": "Testing asset connectivity for 'autofocus' using app 'AutoFocus' For Tenant(0) : "
        },
        {
            "id": 16,
            "create_time": "2023-01-10T17:59:54.297000Z",
            "asset": 20,
            "app": 44,
            "status": "failed",
            "message": "Testing asset connectivity for 'athena' using app 'AWS Athena' For Tenant(0) : 1 action failed. Test Connectivity Failed. boto3 call to Athena failed. Error string: 'An error occurred (UnrecognizedClientException) when calling the ListNamedQueries operation: The security token included in the request is invalid.'"
        },
        {
            "id": 20,
            "create_time": "2023-01-10T18:00:06.103000Z",
            "asset": 24,
            "app": 179,
            "status": "failed",
            "message": "Testing asset connectivity for 'awssts' using app 'AWS Security Token Service' For Tenant(0) : 1 action failed. Test Connectivity Failed.. boto3 call to STS failed. Error string: 'An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.'"
        },
        {
            "id": 157,
            "create_time": "2023-01-10T18:13:46.561000Z",
            "asset": 175,
            "app": 116,
            "status": "failed",
            "message": "Testing asset connectivity for 'postgres' using app 'PostgreSQL' For Tenant(0) : Failed to import the python connector module. For more details, ask an administrator to download the logs from Administration->System Health->Debugging. You may need to set the log level for the Action Daemon to DEBUG.. "
        },
        {
            "id": 21,
            "create_time": "2023-01-10T18:18:44.731000Z",
            "asset": 26,
            "app": 185,
            "status": "failed",
            "message": "Testing asset connectivity for 'ssm' using app 'AWS Systems Manager' For Tenant(0) : 1 action failed. Test Connectivity Failed.. boto3 call to SSM failed. Error string: 'An error occurred (UnrecognizedClientException) when calling the ListCommands operation: The security token included in the request is invalid.'"
        },
        {
            "id": 14,
            "create_time": "2023-01-10T18:00:12.394000Z",
            "asset": 16,
            "app": 32,
            "status": "success",
            "message": "Testing asset connectivity for 'archer' using app 'RSA Archer' For Tenant(0) : 1 action succeeded. Archer configuration test SUCCESS"
        }
    ]
}


For more information on APIs for apps, see App endpoints.

Last modified on 06 November, 2024
REST Source Control Repository   REST System Settings

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters