Splunk® SOAR (On-premises)

REST API Reference for Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

REST Evidence

Evidence endpoint for managing evidence in indicators, events, or cases. This endpoint supports creating or deleting evidence objects.

/rest/evidence

Manage evidence.

Syntax 

https://<username>:<password>@<host>/rest/evidence

POST

Add evidence to a container.

The body of the request is a JSON object with the following fields.

Field Required Description
container_id required Id of the container to which you are adding evidence.
object_id required Id of object to be added -- artifact id, note id, etc.
content_type required The content type of the object to add as evidence. One of the types:
  • containerattachment
  • artifact
  • actionrun
  • container
  • note

Example request
Add an artifact of Id 17 to container Id 9. 

curl -k -u username:password https://localhost/rest/evidence \
-d '{
    "container_id": 9,
    "object_id": 17,
    "content_type": "artifact",
}'

Example response
A successful POST will return a success indicator and the Id of the newly created evidence. 

{
    "id": 4,
    "success": true
}

/rest/evidence optional query parameters and filters

Query all evidence by using query parameters and filters. You can search for container attachments, artifacts, action runs, containers, and notes.

See REST Query Data for further information about query parameters.

Syntax 

https://<username>:<password>@<host>/rest/evidence?<parameter>&_<filter>=<container id>

Parameters

  • _special_content_object - Specify that the query is for a special content object. Use in conjunction with the _filter_content_type__model filter.
  • _special_content_type=True - Specify that the object will be in the special content objects.

Filters

  • _filter_content_type__model - adds a string to the JSON returned that gives the type of evidence. Valid models are:
    • container attachments
    • artifacts
    • action runs
    • containers
    • notes
  • _filter_container=<container id> - filters the query to a single container.

For cases or containers that have large collections of evidence, consider adding paging parameters.

Examples

Examples of query parameters used with /rest/evidence.

GET

Find items marked as evidence which have specific text in an attached note.

Example request

curl -k -u username:password https://localhost/rest/evidence?_special_content_object&_filter_content_type__model="note"&search="Find Me"

Example response
A successful GET returns a list of notes that include the searched for text. 

{
    "count": 1,
    "num_pages": 1,
    "data": [
        {
            "id": 1,
            "create_time": "2023-02-16T19:40:23.450331Z",
            "modified_time": "2023-02-16T19:40:23.450905Z",
            "container": 1,
            "object_id": 2,
            "content_type": 90
        }
    ]
}

GET

Find items marked as evidence for a specific container.

Example request

curl -k -u username:password https://localhost/rest/evidence?&_special_content_type=True&_filter_container=<container id> -G -X GET

Example response
A successful GET returns a JSON block for the specified container. 

{
    "count": 1,
    "num_pages": 1,
    "data": [
        {
            "id": 1,
            "create_time": "2023-02-16T19:40:23.450331Z",
            "modified_time": "2023-02-16T19:40:23.450905Z",
            "container": 1,
            "object_id": 2,
            "content_type": 90
        }
    ]
}

GET

Return information about a note's attachments when it is marked as evidence.

Example request

curl -k -u username:password https://localhost/rest/evidence?special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true -G -X GET

Example response
A successful GET returns information about containers which have a note marked as evidence. 

{
    "count": 1,
    "num_pages": 1,
    "data": [
        {
            "id": 1,
            "create_time": "2023-02-16T19:40:23.450331Z",
            "modified_time": "2023-02-16T19:40:23.450905Z",
            "container": 1,
            "object_id": 2,
            "content_type": 90
        }
    ]
}


GET

Get a list of evidence for container Id 5 with a page size of 5 and special content type true.

Example request

curl -k -u username:password https://localhost/rest/evidence?page_size=5&_special_content_type=True&_filter_container=5 -G -X GET

Example response
A successful GET will return a JSON formatted list of key names and data. 

{
    "count": 1,
    "data": [
        {
            "container": 5,
            "modified_time": "2019-05-23T17:18:39.595829Z",
            "_special_content_type": "artifact",
            "create_time": "2019-05-23T17:18:39.595528Z",
            "object_id": 20,
            "content_type": 52,
            "id": 1
        }
    ],
    "num_pages": 1
}

GET

Return information about a note's attachments when it is marked as evidence.

Example request

curl -k -u username:password https://localhost/rest/evidence?special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true

Example response
A successful GET will return a JSON formatted list of key names and data. 

{
    "count": 1,
    "num_pages": 1,
    "data": [
        {
            "id": 1,
            "create_time": "2023-02-16T19:40:23.450331Z",
            "modified_time": "2023-02-16T19:40:23.450905Z",
            "container": 1,
            "object_id": 2,
            "content_type": 90
        }
    ]
}

GET

Return information about the note's attachments.

Example request
Return information about the note's attachments. 

/rest/evidence?special_content_object&_filter_content_type_model="note"&search=[]&_annotation_container_attachments=true

Example response
A successful GET provides information about the size, name, and container attachment ID of the note. 

{
'id': 605, 
'create_time': '2020-04-14T02:26:41.993230Z', 
'modified_time': '2020-04-14T02:26:41.993413Z', 
'container': 9738, 
'object_id': 5203, 
'content_type': 96, 
'_special_content_object': 
{
'id': 5203,
 'title': '',
 'content': 'note_content_fosecdYXmfSG',
 'create_time': '2020-04-14T02:26:41.297248Z',
 'modified_time': '2020-04-14T02:26:41.938770Z',
 'note_type': 'g',
 'author': 1640,
 'phase': None,
 'container': 9739,
 'task': None,
 'artifact': None,
 'container_attachments': 
[{'name': 'container_attachment_ciYQzbVNGnjr', 'size': 0, 'container_attachment_id': 1514}, 
{'name': 'container_attachment_YaLEONTFIpSj', 'size': 0, 'container_attachment_id': 1515}, 
{'name': 'container_attachment_BwdoyghERKcn', 'size': 0, 'container_attachment_id': 1516}]
}
}

/rest/evidence/<evidence id>

Manage one item by evidence Id.

DELETE

Delete an item from evidence.

Example request
Delete the evidence with Id 5. 

curl -k -u username:password https://localhost/rest/evidence/5 -X DELETE

Example response
A successful response includes a success message. 

{
    "id": 5,
    "success": true
}
Last modified on 17 February, 2023
REST Custom Function   REST Feature Flag

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters