Splunk® SOAR (On-premises)

REST API Reference for Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

REST Automation Broker

The Splunk Automation Broker provides a path for your instance to securely communicate with and run actions using on-premises assets or applications. Use these APIs to manage your Splunk Automation Broker.

For more information on the Splunk Automation Broker, see About Splunk Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

/rest/automation_proxy

Syntax

https://<username>:<password>@<instance_name>.splunkcloud.com/rest/automation_proxy

Usage details
The account used must have the following permissions depending on the type of request:

  • GET - View System Settings permissions
  • POST - Edit System Settings permissions


GET

Get information about an Automation Broker.

Request parameters
A GET request to the /rest/automation_proxy endpoint requires no arguments and returns a list. See Query for Data for additional arguments that can be used with most Splunk SOAR queries to filter and sort query results.

Example request
Get information about the installed and launched Automation Brokers.

curl -X GET -u 'https://<username>:<password>@<instance_name>.splunkcloud.com/rest/automation_proxy/rest/automation_proxy'

Example response
A successful GET will return a 200 response, and a JSON formatted list of the installed and launched automation brokers and their settings.

{
  "count": 1,
  "num_pages": 1,
  "data": [
    {
      "id": 5,
      "name": "foo",
      "owner": 1,
      "service_account": 9,
      "create_time": "2021-06-30T15:12:40.857733Z",
      "update_time": "2021-06-30T15:12:58.567980Z",
      "keys_rotated_time": "2021-06-30T15:12:58.567086Z",
      "type": "ACTION_BROKER",
      "version": "4.12.2.58336",
      "status": "complete",
      "last_seen_status": "active"
    }
  ]
}

POST

Add an installed Automation Broker to Splunk SOAR.

Request parameters
These are the parameters to pass in your POST to the /rest/automation_proxy endpoint.

Field Required Type Description
auth_code required string This is the Splunk SOAR authorization code generated when the Splunk Automation Broker is installed. The authorization code expires after 15 minutes. See Install Splunk Automation Broker in Set Up Automation in Splunk SOAR.
broker_encrypt_public_key required string This is the Splunk SOAR Automation Broker encryption key generated when the Splunk Automation Broker is installed. See Install Splunk Automation Broker in Set Up Automation in Splunk SOAR.
name required string This is the name you give your Automation Broker. Names must be unique.

Example request
Add an installed, launched, and currently unpaired Automation Broker to Splunk SOAR.

curl -X POST -u <username>:<password> -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' --data '{"auth_code": <authorization code>, "broker_encrypt_public_key": <automation broker encryption key>, "name": "name to assign to the automation broker" }'

Example response
A successful POST will return a success message with a status code of 200.

{
  "success": true,
  "id": 5,
  "message": "Proxy Pairing and Identity creation completed successfully"
}

/rest/automation_proxy/<id>

Syntax

https://<username>:<password>@<host>/rest/automation_proxy/<id>

Usage details
The account used must have the following permissions depending on the type of request:

  • GET - View System Settings permissions
  • POST - Edit System Settings permissions
  • DELETE - Edit System Settings permissions

GET

Get information about an Automation Broker.

Example request
Get information about the named Automation Broker.

curl -X GET -u <username>:<password> 'http://<host>:<port>/rest/automation_proxy/<id>'

Example response
A successful GET will return a 200 response, and a JSON formatted list of the specified automation broker's settings.

{
  "id": 6,
  "name": "foo",
  "owner": 1,
  "service_account": 10,
  "create_time": "2021-06-30T16:40:07.740125Z",
  "update_time": "2021-06-30T16:40:26.068649Z",
  "keys_rotated_time": "2021-06-30T16:40:26.067635Z",
  "type": "ACTION_BROKER",
  "version": "4.12.2.58336",
  "status": "complete",
  "last_seen_status": "inactive"
}


POST

Examples for changing the name of an Automation Broker, and rotating the encryption keys of an Automation Broker.

Request parameters

Field Required Type Description
name optional string The name of the Automation Borker. Names must be unique.
rotate optional boolean Set this to "true" to rotate the Automation Broker's encryption keys and authentication token.

Example request
Change the Automation Broker's name.

curl -X POST -u <username>:<password> -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' --data '{"name": "foobar"}'

Example response
A successful POST will return a success message with a status code of 200.

{
  "success": true,
  "id": 5,
  "message": "Updated name"
}

Example request
Rotate the Automation Broker's encryption keys.

curl -X POST -u <username>:<password> -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' --data '{"rotate": true}'

Example response
A successful POST will return a success message with a status code of 200.

{
  "success": true,
  "id": 5,
  "message": "Rotated encryption keys, rotated on prem token"
}

DELETE

An example of deleting an Automation Broker from Splunk SOAR.

Request parameters
A DELETE call to the /rest/automation_proxy/<id> API endpoint only takes the <id> parameter, which is the numeric id of the Automation Broker.

Example request
Delete the specified Automation Broker from Splunk SOAR.

curl -X DELETE -u soar_local_admin:password -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' 

Example response
A successful DELETE will return a return a success message.

{
  "success": true,
  "id": 5,
  "message": "Operation successful"
}
Last modified on 17 February, 2023
REST Audit   REST CEF

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters