REST CEF
Splunk SOAR uses the Common Event Format (CEF). CEF is a system of key:value pairs that carry the key pieces of information about an artifact. The value is often referred to as the "contains", as shorthand.
/rest/cef
Get a list of available CEF.
Syntax
https://<username>:<password>@<host>/rest/cef
Usage details
Use query parameters to request additional pages or to sort the results. All default CEFs have the type "default" and custom CEFs have the type "custom". Only custom CEFs are mutable; CEFs with the type "default" cannot be modified.
GET
Get a list of available CEF.
Example request
Get a list of available CEF.
curl -k -u username:password https://localhost/rest/cef -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
  "count": 151,
  "data": [
    { "type": "default", "id": 1, "data_type": [ "mac address" ], "name": "dmac" },
    …
    { "type": "custom", "id": 566, "data_type": [ "myIp" ], "name": "myDestination" }
  ],
  "num_pages": 16
}
POST
Add a custom CEF.
Example request
You can add a custom CEF by supplying a JSON formatted body.
curl -k -u username:password https://localhost/rest/cef \
  -d '{ "name":"docs-test-cef", "data_type":["test"] }'
Example response
A successful response includes the numeric ID assigned to the new CEF.
{ "id": 151, "success": true }
/rest/cef filters
You can use the following query parameters to sort or filter the results.
Parameter | Required | Type | Description |
_filter_type | optional | string | Either "custom" or "default". Custom returns only custom CEFs, while default returns a list of all default CEFs. |
_filter_name | optional | string | A quoted name for the CEF you want information about. |
/rest/cef?_filter_type="custom"
Look up information about CEFs of a given type.
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_type="custom"
GET
Get a list of all custom CEFs defined on the system.
Example request
Get a list of all custom CEFs. The filter value is a quoted string, so the whole URL is single-quoted to keep the shell from stripping the double quotes.
curl -k -u username:password 'https://localhost/rest/cef?_filter_type="custom"' -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
  "count": 1,
  "data": [
    { "type": "custom", "id": 151, "data_type": [ "test" ], "name": "docs-test-cef" }
  ],
  "num_pages": 1
}
/rest/cef?custom=true&page_size=3&page=0
Get a paginated list of all custom CEFs
Syntax
https://<username>:<password>@<host>/rest/cef?custom=true&page_size=3&page=0
Usage
You can set the page size to any positive integer.
GET
Get a list of all custom CEFs defined on the system, organized into pages.
Example request
Get a paginated list of custom CEFs. The URL is single-quoted so that the shell does not treat the & characters as command separators.
curl -k -u username:password 'https://localhost/rest/cef?custom=true&page_size=3&page=0' -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
  "count": 151,
  "data": [
    { "type": "default", "id": 1, "data_type": [ "mac address" ], "name": "dmac" },
    { "type": "default", "id": 2, "data_type": [], "name": "act" },
    { "type": "default", "id": 3, "data_type": [ "host name" ], "name": "dhost" },
    { "type": "default", "id": 4, "data_type": [], "name": "app" },
    { "type": "default", "id": 5, "data_type": [], "name": "deviceCustomDate2Label" },
    { "type": "default", "id": 6, "data_type": [], "name": "applicationProtocol" },
    { "type": "default", "id": 7, "data_type": [], "name": "deviceDirection" },
    { "type": "default", "id": 8, "data_type": [], "name": "baseEventCount" },
    { "type": "default", "id": 9, "data_type": [ "domain" ], "name": "dntdom" },
    { "type": "default", "id": 10, "data_type": [], "name": "bytesIn" }
  ],
  "num_pages": 16
}
/rest/cef?_filter_name="<name>"
Get information about a single CEF, by name.
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_name="<name>"
GET
Get information about a single CEF, by name.
Example request
Get the CEF called docs-test-cef. The URL is single-quoted so that the double quotes around the name reach the server.
curl -k -u username:password 'https://localhost/rest/cef?_filter_name="docs-test-cef"' -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
  "count": 1,
  "data": [
    { "type": "custom", "id": 151, "data_type": [ "test" ], "name": "docs-test-cef" }
  ],
  "num_pages": 1
}
/rest/cef/<id>
Update a custom CEF.
Syntax
https://<username>:<password>@<host>/rest/cef/<id>
POST
Update a custom CEF by supplying the CEF ID in the URL and a JSON formatted body containing the fields to change.
Example request
Update the custom CEF with ID <id>, renaming it to docs-example-cef and setting its data type to example.
curl -k -u username:password https://localhost/rest/cef/<id> \
  -d '{ "name":"docs-example-cef", "data_type":["example"] }'
Example response
A successful response includes the numeric ID of the updated CEF.
{ "id": 151, "success": true }
DELETE
Delete a custom CEF by supplying the CEF ID in the URL.
Example request
Delete the custom CEF with ID 151.
curl -k -u username:password https://localhost/rest/cef/151 -X DELETE
Example response
A successful response includes a success message.
{ "success": true }
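The calls documented above, as an added example that is not Splunk's own code: a small Python client for /rest/cef. It builds the filter parameters with the surrounding double quotes URL-encoded (the same point the single-quoted curl URLs make), walks num_pages so a listing is complete rather than one page long, refuses to update a CEF whose type is "default" before any request is sent, and sends credentials in an Authorization header instead of the URL. The host, the credentials, the five-entry CEF table and the injectable `send` transport are assumptions for illustration; the example runs offline against a constructed in-memory stand-in for the endpoint.

```python
# Added example, not Splunk's code.  The host, credentials and in-memory CEF table
# are constructed; the paths, parameter names and response shape follow the page.
import base64
import json
import urllib.parse


def build_cef_url(base_url, filter_type=None, filter_name=None, page=None, page_size=None):
    """SOAR filter values are quoted strings (_filter_type="custom"): the quotes are part
    of the value, so they are URL-encoded here rather than left for a shell to strip."""
    params = {}
    if filter_type is not None:
        if filter_type not in ("custom", "default"):
            raise ValueError("filter_type must be 'custom' or 'default'")
        params["_filter_type"] = json.dumps(filter_type)
    if filter_name is not None:
        params["_filter_name"] = json.dumps(filter_name)      # also escapes embedded quotes
    for key, value in (("page", page), ("page_size", page_size)):
        if value is not None:
            params[key] = str(int(value))
    return base_url.rstrip("/") + "/rest/cef" + ("?" + urllib.parse.urlencode(params) if params else "")


class SoarCef:
    def __init__(self, base_url, username, password, send):
        # send(url, method, body_bytes, headers) -> response text; credentials go in a header.
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.base_url, self.send = base_url, send
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    def _call(self, url, method="GET", body=None):
        data = json.dumps(body).encode() if body is not None else None
        return json.loads(self.send(url, method, data, self.headers))

    def list_cefs(self, filter_type=None, page_size=10):
        """Follow num_pages so the caller sees every CEF, not only the first page."""
        page = 0
        while True:
            resp = self._call(build_cef_url(self.base_url, filter_type, page=page, page_size=page_size))
            yield from resp["data"]
            page += 1
            if page >= resp["num_pages"]:
                return

    def get_by_name(self, name):
        rows = self._call(build_cef_url(self.base_url, filter_name=name))["data"]
        return rows[0] if rows else None

    def create(self, name, data_types):
        return self._call(build_cef_url(self.base_url), "POST", {"name": name, "data_type": data_types})["id"]

    def update(self, cef, **changes):
        if cef["type"] != "custom":          # default CEFs are immutable: fail before the round trip
            raise ValueError(f"{cef['name']!r} is a default CEF and cannot be modified")
        return self._call(f"{self.base_url}/rest/cef/{cef['id']}", "POST", changes)["success"]

    def delete(self, cef_id):
        return self._call(f"{self.base_url}/rest/cef/{cef_id}", "DELETE")["success"]


def make_fake_sender(store):
    """Constructed in-memory stand-in for the endpoint so the example runs offline."""
    def send(url, method, data, headers):
        parts = urllib.parse.urlsplit(url)
        qs = urllib.parse.parse_qs(parts.query)
        segs = parts.path.strip("/").split("/")               # ["rest", "cef"] or ["rest", "cef", "<id>"]
        if len(segs) == 3:
            cef_id = int(segs[2])
            if method == "DELETE":
                store.pop(cef_id)
                return json.dumps({"success": True})
            store[cef_id].update(json.loads(data))
            return json.dumps({"id": cef_id, "success": True})
        if method == "POST":
            new_id = max(store) + 1
            store[new_id] = {"type": "custom", "id": new_id, **json.loads(data)}
            return json.dumps({"id": new_id, "success": True})
        rows = list(store.values())
        for key, field in (("_filter_type", "type"), ("_filter_name", "name")):
            if key in qs:                                     # filter values arrive as JSON strings
                rows = [r for r in rows if r[field] == json.loads(qs[key][0])]
        size, page = int(qs.get("page_size", ["10"])[0]), int(qs.get("page", ["0"])[0])
        return json.dumps({"count": len(rows), "data": rows[page * size:(page + 1) * size],
                           "num_pages": max(1, -(-len(rows) // size))})
    return send


def demo():
    # Create, list, update and delete a custom CEF against a constructed five-entry host.
    defaults = [("dmac", ["mac address"]), ("act", []), ("dhost", ["host name"]), ("app", []), ("dntdom", ["domain"])]
    store = {i: {"type": "default", "id": i, "name": n, "data_type": t} for i, (n, t) in enumerate(defaults, 1)}
    client = SoarCef("https://soar.example.invalid", "user", "pass", make_fake_sender(store))
    cef_id = client.create("docs-test-cef", ["test"])
    all_names = [c["name"] for c in client.list_cefs(page_size=2)]            # six CEFs over three pages
    custom_names = [c["name"] for c in client.list_cefs(filter_type="custom")]
    client.update(client.get_by_name("docs-test-cef"), name="docs-example-cef", data_type=["example"])
    updated = client.get_by_name("docs-example-cef")
    return {"all": all_names, "custom": custom_names, "updated": updated,
            "deleted": client.delete(cef_id), "gone": client.get_by_name("docs-example-cef") is None}
```

The `send` argument is the transport; against a live host, a four-line function that builds `urllib.request.Request(url, data=data, method=method, headers=headers)`, opens it and returns the decoded body has the right signature. Validating `filter_type` client-side and refusing to update a default CEF keep malformed or disallowed requests from reaching the server at all, which also keeps the audit trail free of avoidable 4xx noise.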
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1