Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Use Python scripts and the REST API to manage your deployment

Administrators can use scripts and the REST API to manage their deployment.

For example, this script uses the REST API to send an email alert when containers with the specified label and tag combination reach a predefined percentage of the total containers.

import requests
import urllib
import time
import json

    from requests.packages.urllib3.exceptions import InsecureRequestWarning

config = {
        'url': '',
        'token': '',  # unnecessary for localhost
        'label': '',
        'tag': '',
        'threshold': .1,
        'email': '',
        'email_asset': 'smtp'

headers = {}
token = config['token']
if token:
    headers = {'ph-auth-token': token}

total_url = '{0}/rest/container?_filter_status="closed"&_filter_label="{1}"'.format(config['url'], config['label'])
response = requests.get(total_url, headers=headers, verify=False)
resp_json = response.json()
total = resp_json['count']

url = '{0}/rest/container?_filter_status="closed"&_filter_label="{1}"&_filter_tags__contains="{2}"'.format(config['url'], config['label'], config['tag'])
response = requests.get(url, headers=headers, verify=False)
resp_json = response.json()
count = resp_json['count']

if float(count) / total < config['threshold']:
    print "Threshold not hit. Taking no action."

print "Hit threshold. Notifying {0}".format(config['email'])

if config.get('app_id'):
    appid = config['app_id']

    build_action_url = '{0}/rest/build_action'.format(config['url'])
    response = requests.get(build_action_url, headers=headers, verify=False)
    build_json = response.json()
    assets = build_json['assets']
    for asset in assets:
        if asset['name'] == config['email_asset']:
            appid = asset['apps'][0]

action_body = {
        'action': 'send email',
        'container_id': resp_json['data'][0]['id'],
        'name': 'notification email',
        'targets': [
                'assets': [config['email_asset']],
                'parameters': [
                        'to': config['email'],
                        'from': 'Phantom notifications',
                        'subject': 'You are opening a lot of alerts',
                        'body': 'Please consider opening fewer alerts. See {0}/browse/{1}'.format(config['url'], urllib.quote(config['label']))
                'app_id': appid
        'type': 'generic'

action_url = '{0}/rest/action_run'.format(config['url'])
response = requests.post(action_url, data=json.dumps(action_body), headers=headers, verify=False)
print response.json()

Set the desired values in the config dictionary. This table defines the expected values.

Dictionary entry Values
url URL of the instance. Use the loopback address ( if the script is run on the localhost.
token API token for a remote connection. If the script is run on the localhost, you don't need to supply the API token.
label The label name to check.
tag The tag name to check for items with the required label.
threshold A percentage, expressed as a decimal, of containers with the given label and tag that will trigger the alert.
email The email address that recieves the alert.
email_asset The SMTP asset name from which the email server configuration is obtained.

Sample "config"

config = {
        'url': '',
        'token': '',  # unnecessary for localhost
        'label': 'soc_alert',
        'tag': 'red_alert',
        'threshold': .1,
        'email': 'soc@contoso.com',
        'email_asset': 'smtp'

This script is provided as an example of ways administrators can use Python and the REST API to manage their on-premises deployment of Phantom.

On Splunk SOAR (On-premises) 5.0.1 or later releases you must use Python 3 to write your management scripts.

Last modified on 31 January, 2023
Use ITSI to monitor the health of your deployment
An overview of the Splunk SOAR (On-premises) clustering feature

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters