REST Evidence
Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.
/rest/evidence
Manage evidence.
Syntax
https://<username>:<password>@<host>/rest/evidence
POST
Add evidence to a container.
The body of the request is a JSON object with the following fields.

Field | Required | Description
---|---|---
container_id | required | Id of the container to which you are adding evidence.
object_id | required | Id of the object to be added: an artifact Id, a note Id, and so on.
content_type | required | The content type of the object to add as evidence. One of the types:
Example request
Add the artifact with Id 17 to the container with Id 9. The body must be valid JSON, so it carries no trailing comma after the last field.

```shell
curl -k -u username:password https://localhost/rest/evidence \
  -d '{ "container_id": 9, "object_id": 17, "content_type": "artifact" }'
```
Example response
A successful POST returns a success indicator and the Id of the newly created evidence.

```json
{
  "id": 4,
  "success": true
}
```
/rest/evidence optional query parameters and filters
Query all evidence by using query parameters and filters. You can search for container attachments, artifacts, action runs, containers, and notes.
See REST Query Data for further information about query parameters.
Syntax
https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>
Parameters
_special_content_object
- Specifies that the query is for a special content object. Use in conjunction with the _filter_content_type__model filter.
_special_content_type=True
- Specifies that the object is in the special content objects.
Filters
_filter_content_type__model
- Adds a string to the returned JSON that gives the type of evidence. Valid models are:
  - container attachments
  - artifacts
  - action runs
  - containers
  - notes
_filter_container=<container id>
- Filters the query to a single container.
For cases or containers that have large collections of evidence, consider adding paging parameters.
Examples
Examples of query parameters used with /rest/evidence.
GET
Find items marked as evidence which have specific text in an attached note.
Example request
```shell
# The URL is quoted so the shell does not treat "&" as a background operator.
curl -k -u username:password 'https://localhost/rest/evidence?_special_content_object&_filter_content_type__model="note"&search="Find Me"'
```
Example response
A successful GET returns a list of notes that include the searched-for text.

```json
{
  "count": 1,
  "num_pages": 1,
  "data": [
    {
      "id": 1,
      "create_time": "2023-02-16T19:40:23.450331Z",
      "modified_time": "2023-02-16T19:40:23.450905Z",
      "container": 1,
      "object_id": 2,
      "content_type": 90
    }
  ]
}
```
GET
Find items marked as evidence for a specific container.
Example request
```shell
curl -k -u username:password 'https://localhost/rest/evidence?_special_content_type=True&_filter_container=<container id>' -G -X GET
```
Example response
A successful GET returns a JSON block for the specified container.

```json
{
  "count": 1,
  "num_pages": 1,
  "data": [
    {
      "id": 1,
      "create_time": "2023-02-16T19:40:23.450331Z",
      "modified_time": "2023-02-16T19:40:23.450905Z",
      "container": 1,
      "object_id": 2,
      "content_type": 90
    }
  ]
}
```
GET
Return information about a note's attachments when it is marked as evidence.
Example request
```shell
# Parameter names follow the Parameters and Filters sections above.
curl -k -u username:password 'https://localhost/rest/evidence?_special_content_object&_filter_content_type__model="note"&search=[]&_annotation_container_attachments=true' -G -X GET
```
Example response
A successful GET returns information about containers which have a note marked as evidence.

```json
{
  "count": 1,
  "num_pages": 1,
  "data": [
    {
      "id": 1,
      "create_time": "2023-02-16T19:40:23.450331Z",
      "modified_time": "2023-02-16T19:40:23.450905Z",
      "container": 1,
      "object_id": 2,
      "content_type": 90
    }
  ]
}
```
GET
Get a list of evidence for container Id 5 with a page size of 5 and special content type true.
Example request
```shell
curl -k -u username:password 'https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5' -G -X GET
```
Example response
A successful GET returns a JSON-formatted list of key names and data.

```json
{
  "count": 1,
  "data": [
    {
      "container": 5,
      "modified_time": "2019-05-23T17:18:39.595829Z",
      "_special_content_type": "artifact",
      "create_time": "2019-05-23T17:18:39.595528Z",
      "object_id": 20,
      "content_type": 52,
      "id": 1
    }
  ],
  "num_pages": 1
}
```
GET
Return information about a note's attachments when the note is marked as evidence.
Example request

```shell
curl -k -u username:password 'https://localhost/rest/evidence?_special_content_object&_filter_content_type__model="note"&search=[]&_annotation_container_attachments=true'
```

Example response
A successful GET provides the size, name, and container attachment Id of each of the note's attachments.

```json
{
  "id": 605,
  "create_time": "2020-04-14T02:26:41.993230Z",
  "modified_time": "2020-04-14T02:26:41.993413Z",
  "container": 9738,
  "object_id": 5203,
  "content_type": 96,
  "_special_content_object": {
    "id": 5203,
    "title": "",
    "content": "note_content_fosecdYXmfSG",
    "create_time": "2020-04-14T02:26:41.297248Z",
    "modified_time": "2020-04-14T02:26:41.938770Z",
    "note_type": "g",
    "author": 1640,
    "phase": null,
    "container": 9739,
    "task": null,
    "artifact": null,
    "container_attachments": [
      { "name": "container_attachment_ciYQzbVNGnjr", "size": 0, "container_attachment_id": 1514 },
      { "name": "container_attachment_YaLEONTFIpSj", "size": 0, "container_attachment_id": 1515 },
      { "name": "container_attachment_BwdoyghERKcn", "size": 0, "container_attachment_id": 1516 }
    ]
  }
}
```
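The following is an added example, not Splunk SOAR's own code: it builds the POST body and the query URLs described above and follows num_pages so that a container with a large evidence collection is read completely (the paging caveat above). The host, the injected fetch function and the 0-based page parameter are assumptions; the two response pages are constructed, not captured from a server.

```python
import json
from urllib.parse import quote

BASE = "https://localhost/rest/evidence"  # assumed host


def add_evidence_body(container_id: int, object_id: int, content_type: str) -> str:
    """JSON body for POST /rest/evidence; all three fields are required."""
    return json.dumps({"container_id": container_id,
                       "object_id": object_id,
                       "content_type": content_type})


def evidence_query_url(container_id=None, model=None, page_size=None,
                       page=None, special_object=False) -> str:
    """GET URL built from the parameters and filters documented above."""
    parts = []
    if special_object:
        parts.append("_special_content_object")  # bare flag, no value
    else:
        parts.append("_special_content_type=True")
    if model is not None:
        parts.append("_filter_content_type__model=" + quote(f'"{model}"'))
    if container_id is not None:
        parts.append(f"_filter_container={container_id}")
    if page_size is not None:
        parts.append(f"page_size={page_size}")
    if page is not None:
        parts.append(f"page={page}")  # 0-based page index (assumption)
    return BASE + "?" + "&".join(parts)


def collect_evidence(fetch, container_id: int, page_size: int = 5) -> list:
    """Walk every page for one container; fetch(url) returns decoded JSON."""
    items, page = [], 0
    while True:
        body = fetch(evidence_query_url(container_id=container_id,
                                        page_size=page_size, page=page))
        items.extend((e["id"], e["object_id"], e["content_type"]) for e in body["data"])
        page += 1
        if page >= body.get("num_pages", 1):
            return items


# Constructed two-page response for container 5 (stand-in for a live server).
_PAGES = [
    {"count": 3, "num_pages": 2, "data": [
        {"id": 1, "object_id": 20, "content_type": 52, "container": 5},
        {"id": 2, "object_id": 21, "content_type": 52, "container": 5}]},
    {"count": 3, "num_pages": 2, "data": [
        {"id": 3, "object_id": 7, "content_type": 90, "container": 5}]},
]


def fake_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated GET; picks the page from the URL."""
    return _PAGES[int(url.rsplit("page=", 1)[1]) if "page=" in url else 0]
```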
/rest/evidence/<evidence id>
Manage one item by evidence Id.
DELETE
Delete an item from evidence.
Example request
Delete the evidence with Id 5.

```shell
curl -k -u username:password https://localhost/rest/evidence/5 -X DELETE
```
Example response
A successful response includes a success message.

```json
{
  "id": 5,
  "success": true
}
```
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0