Splunk® SOAR (On-premises)

REST API Reference for Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

REST Feature Flag

Manage a subset of features.

/rest/feature_flag

Get and manage information about features.

Syntax

https://<username>:<password>@<host>/rest/feature_flag

GET

Returns a JSON formatted list of all features and their database representations. These features support all the optional query parameters listed in Query for Data.

Example request
Get a JSON formatted list of all features and their database representations.

curl -k -u username:password https://localhost/rest/feature_flag -G -X GET

Example response
A successful GET will return the feature's data as JSON in the response body.

{
    "count": 10,
    "num_pages": 1,
    "data": [
        {
            "name": "mobile",
            "id": 3,
            "enabled": false,
            "immutable": false,
            "config": {
                "app_names": [
                    "com.splunk.mobile.Stargate",
                    "com.splunk.mobile.Alerts",
                    "com.splunk.mobile.ARDemo",
                    "com.splunk.mobile.SplunkAR"
                ]
            }
        },
        {
            "name": "fullstory",
            "id": 4,
            "enabled": false,
            "immutable": false,
            "config": {}
        },
        ...
    ]
}

/rest/feature_flag/<feature_flag_name>

GET

Returns the data for a single feature as JSON in the response body.

Example request
Get the data for the cloud feature.

curl -k -u username:password https://localhost/rest/feature_flag/{cloud} -G -X GET

Example response
A successful GET will return the feature's data as JSON in the response body.

{
    "name": "cloud",
    "id": 2,
    "enabled": true,
    "immutable": false,
    "config": {
        "key": true
    }
}

POST

Turn a feature on or off, or modify its configuration.

Request parameters

Field (required, type): description

  • id (optional, integer): The numeric id of the feature flag.
  • name (optional, string): The name of the feature flag.
  • enabled (optional, boolean): Whether the feature flag is on or off. Valid values are "true" for on or "false" for off.
  • immutable (optional, boolean): Whether or not the feature flag can be changed using this API. Valid values are either "true" when the value can be changed, or "false" when the value cannot be changed by this API.
  • config (optional, JSON object): A set of key and value pairs that define the configuration of the feature. Valid values depend on the feature. Use the /rest/feature_flag/{feature_name} REST API endpoint to get the current values for a feature.

Available feature flags

Id Feature flag Description

1 mobile: Whether SOAR can be paired to the Splunk SOAR mobile app.
  • This feature is only available for Splunk SOAR (On-premises).
  • This is set to "false" for SOAR (Cloud) deployments.
  • This feature flag is immutable for SOAR (Cloud) deployments.
  See About the Splunk Mobile App for Splunk SOAR (On-premises) in Get Started with the Splunk Mobile App for Splunk SOAR (On-premises).

2 telemetry: Toggles sending telemetry data on or off.
  • This is set to "true" for SOAR (Cloud) deployments.
  • This feature flag is immutable for SOAR (Cloud) deployments.
  See Share data from in Administer for more information on telemetry.

3 cloud: Sets whether this is a SOAR (Cloud) or SOAR (On-premises) deployment.
  • This is set to "true" for SOAR (Cloud) deployments.
  • This is set to "false" for SOAR (On-premises) deployments.
  • This feature flag is immutable in all SOAR deployments.

4 automation_broker: Controls whether SOAR is allowed to use an Automation Broker to run actions.
  See About Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

5 resource_scoring: Gain insight into how playbooks consume resources on SOAR.

6 indicators: Toggles whether SOAR generates indicators for new artifacts.

7 rum: Toggles RUM, a UI telemetry feature, on or off.
  • This is set to "false" for SOAR (Cloud) deployments.
  • This feature flag is immutable for SOAR (Cloud) deployments.
  See Share data from in Administer for more information on telemetry.

8 fullstory: Toggles Fullstory, a UI telemetry feature, on or off.
  • This is set to "false" for SOAR (Cloud) deployments.
  • This feature flag is immutable for SOAR (Cloud) deployments.
  See Share data from in Administer for more information on telemetry.

9 multi_tenant: Allow multiple tenants per instance.
  • This feature is only available for Splunk SOAR (On-premises).
  • This is set to "false" for SOAR (Cloud) deployments.
  • This feature flag is immutable for SOAR (Cloud) deployments.

10 clickable_urls: Enable users to click URLs in the SOAR UI.

11 whitelist: If enabled, allow setting authorized user lists on containers.

12 check_min_phantom_version: Check the minimum phantom version when installing SOAR connectors.

13 prompt_responses: If enabled, prompts display the most commonly chosen answers to each question.

14 generate_playbook_run_report: Whether or not to generate playbook run reports.

15 clustering: Controls whether SOAR (On-premises) is deployed as a cluster of multiple nodes.
  • This feature is only available for Splunk SOAR (On-premises).
  • This is set to "false" for SOAR (Cloud) deployments.
  • This feature flag is immutable for SOAR (Cloud) deployments.
  It is better to control clustering from the user interface.
  See also:

16 multi_condition: If enabled, allow multiple downstream edges to the same block in the VPE.

17 cyberark_rest: If enabled, allow the use of CyberArk's credential management REST API.

18 classic_playbook_deprecation_banner: If enabled, show users a banner at the top of most UI pages announcing the deprecation of classic playbooks.

19 severity_inheritance: If enabled, automatically increase the severity of a container when an artifact with a higher severity is added to it.

20 restrict_global_search: When enabled, restrict which database tables are queried in global searches. Defaults to on or "true" for each table, except for the playbook_run table, which is set to "false".

Additional parameter

  • max_age_days - Integer for the maximum age in days of data to search. The default value is 30 days.
    Setting this value to 0 makes searches cover all specified database table entries regardless of age.

Database table names

  • app
  • note
  • asset
  • app_run
  • artifact
  • playbook
  • container
  • action_run
  • decided_list
  • playbook_run
  • custom_function
  • container_comment
  • container_attachment

Example request
Modify a feature's configuration, or turn a feature on or off.

curl -u username:password -X POST https://localhost/rest/feature_flag/{cloud_feature_id} -k -d '{"enabled": false}'

Example response
A successful POST will return the feature's data as JSON in the response body.

{
    "name": "cloud",
    "data": {
      "id": 2,
      "enabled": false,
      "immutable": false,
      "config": {
          "key": true
      }
    }
}

Example request
Change global search settings.

curl -u username:password -X POST -d '{"playbook_run": true}' https://localhost/rest/feature_flag/restrict_global_search

Example response
A successful POST will return the new global search settings in JSON in the response body.

{
  "success": true,
  "data": {
    "id": 20,
    "name": "restrict_global_search",
    "enabled": true,
    "immutable": false,
    "config": {
      "app": true,
      "note": true,
      "asset": true,
      "app_run": false,
      "artifact": false,
      "playbook": true,
      "container": true,
      "action_run": false,
      "decided_list": true,
      "max_age_days": 30,
      "playbook_run": true,
      "custom_function": true,
      "container_comment": true,
      "container_attachment": true
    }
  }
}
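The POST workflow above, as an added helper that is not part of Splunk's documentation or SDK: it reads a flag, refuses to POST to one the API reports as immutable, and validates restrict_global_search settings against the table list on this page before sending them. Standard library only; the host, credentials and the injectable transport are assumptions, and the restrict_global_search body follows the shape of the curl example above.

```python
import base64
import json
import urllib.request
GLOBAL_SEARCH_TABLES = frozenset({  # tables restrict_global_search accepts, per this page
    "app", "note", "asset", "app_run", "artifact", "playbook", "container",
    "action_run", "decided_list", "playbook_run", "custom_function",
    "container_comment", "container_attachment",
})

def validate_search_settings(settings):
    """Per-table flags must be booleans for known tables; max_age_days must be a
    non-negative integer (0 removes the age limit)."""
    for key, value in settings.items():
        if key == "max_age_days":
            ok = isinstance(value, int) and not isinstance(value, bool) and value >= 0
        else:
            ok = key in GLOBAL_SEARCH_TABLES and isinstance(value, bool)
        if not ok:
            raise ValueError(f"invalid restrict_global_search setting: {key}={value!r}")
    return dict(settings)

class FeatureFlagClient:
    def __init__(self, username, password, base="https://localhost", transport=None):
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        # transport(method, url, headers, body) -> parsed JSON; a fake is injected in tests
        self.base, self.transport = base.rstrip("/"), transport or self._https

    @staticmethod
    def _https(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:  # default context verifies TLS, unlike curl -k
            return json.load(resp)

    def get_flag(self, name):
        return self.transport("GET", f"{self.base}/rest/feature_flag/{name}", self.headers, None)

    def set_enabled(self, name, enabled):
        """Toggle a flag on or off, refusing flags the API reports as immutable."""
        flag = self.get_flag(name)
        if flag.get("immutable"):
            raise PermissionError(f"feature flag {name!r} is immutable")
        url = f"{self.base}/rest/feature_flag/{name}"
        return self.transport("POST", url, self.headers, {"enabled": bool(enabled)})

    def set_global_search(self, **settings):
        """POST table toggles / max_age_days in the page's example body shape."""
        url = f"{self.base}/rest/feature_flag/restrict_global_search"
        return self.transport("POST", url, self.headers, validate_search_settings(settings))
```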

/rest/feature_flag/<feature_flag_name>/<detail>

Returns a single field of the feature flag: enabled, config, immutable, name, or id.

Example request
Return the enabled field of the telemetry feature flag.

curl -k -u username:password https://localhost/rest/feature_flag/{telemetry}/{enabled} -G -X GET

Example response
A successful GET will return the specified feature's data as JSON in the response body.

{
    "enabled": true
}
Last modified on 02 April, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1, 6.2.2, 6.3.0
