Splunk® SOAR (On-premises)

REST API Reference for Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

REST CEF

Splunk SOAR (On-premises) uses the Common Event Format (CEF). CEF is a system of key:value pairs for key pieces of information about an artifact. The data type of a value is often referred to as its "contains" as shorthand.

/rest/cef

Get a list of available CEF.

Syntax

https://<username>:<password>@<host>/rest/cef

Usage details
Use query parameters to request additional pages or to sort the results. All default CEFs have a type of "default." Custom CEFs have the type "custom." Only custom CEFs are mutable. CEFs with the type "default" cannot be modified.

GET

Get a list of available CEF.

Example request
Get a list of available CEF.

curl -k -u username:password https://localhost/rest/cef -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
        "count": 151,
        "data": [
            {
                "type": "default",
                "id": 1,
                "data_type": [
                    "mac address"
                ],
                "name": "dmac"
            },
            …
            {
                "type": "custom",
                "id": 566,
                "data_type": ["myIp"],
                "name": "myDestination"
            }
        ],
        "num_pages": 16
    }

POST

Add a custom CEF.

Example request
You can add a custom CEF by supplying a JSON-formatted body.

curl -k -u username:password https://localhost/rest/cef \
-d '{
        "name":"docs-test-cef",
        "data_type":["test"]
    }'

Example response
A successful response includes the numeric Id given to the CEF.

{
        "id": 151,
        "success": true
}

/rest/cef filters

You can use operators to sort or filter the results.

Parameter       Required   Type     Description
_filter_type    optional   string   Either "custom" or "default". Custom returns only custom CEFs, while default returns a list of all default CEFs.
_filter_name    optional   string   A quoted name for the CEF you want information about.

/rest/cef?_filter_type="custom"

Look up information about a CEF

Syntax

https://<username>:<password>@<host>/rest/cef?_filter_type="custom"

GET

Get a list of all custom CEFs defined on the system.

Example request
Get a list of custom CEFs.

curl -k -u username:password 'https://localhost/rest/cef?_filter_type="custom"' -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 1,
    "data": [
        {
            "type": "custom",
            "id": 151,
            "data_type": [
                "test"
            ],
            "name": "docs-test-cef"
        }
    ],
    "num_pages": 1
}

/rest/cef?custom=true&page_size=3&page=0

Get a paginated list of all custom CEFs

Syntax

https://<username>:<password>@<host>/rest/cef?custom=true&page_size=3&page=0

Usage
You can set the page size to any valid integer.

GET

Get a list of all custom CEFs defined on the system, organized into pages.

Example request
Get the first page of available CEFs.

curl -k -u username:password 'https://localhost/rest/cef?custom=true&page_size=3&page=0' -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 151,
    "data": [
        {
            "type": "default",
            "id": 1,
            "data_type": [
                "mac address"
            ],
            "name": "dmac"
        },
        {
            "type": "default",
            "id": 2,
            "data_type": [],
            "name": "act"
        },
        {
            "type": "default",
            "id": 3,
            "data_type": [
                "host name"
            ],
            "name": "dhost"
        },
        {
            "type": "default",
            "id": 4,
            "data_type": [],
            "name": "app"
        },
        {
            "type": "default",
            "id": 5,
            "data_type": [],
            "name": "deviceCustomDate2Label"
        },
        {
            "type": "default",
            "id": 6,
            "data_type": [],
            "name": "applicationProtocol"
        },
        {
            "type": "default",
            "id": 7,
            "data_type": [],
            "name": "deviceDirection"
        },
        {
            "type": "default",
            "id": 8,
            "data_type": [],
            "name": "baseEventCount"
        },
        {
            "type": "default",
            "id": 9,
            "data_type": [
                "domain"
            ],
            "name": "dntdom"
        },
        {
            "type": "default",
            "id": 10,
            "data_type": [],
            "name": "bytesIn"
        }
    ],
    "num_pages": 16
}

/rest/cef?_filter_name="<name>"

Get information about a single CEF, by name.

Syntax

https://<username>:<password>@<host>/rest/cef?_filter_name="<name>"

GET

Get information about a single CEF, by name.

Example request
Get the CEF called docs-test-cef.

curl -k -u username:password 'https://localhost/rest/cef?_filter_name="docs-test-cef"' -G -X GET

Example response
A successful GET returns a JSON-formatted list of key names and their contains data.

{
    "count": 1,
    "data": [
        {
            "type": "custom",
            "id": 151,
            "data_type": [
                "test"
            ],
            "name": "docs-test-cef"
        }
    ],
    "num_pages": 1
}

/rest/cef/<id>

Update a custom CEF.

Syntax

https://<username>:<password>@<host>/rest/cef/<id>

POST

Update a custom CEF by supplying the CEF Id and a JSON-formatted body of the updates.

Example request
Update the custom CEF, setting its name to docs-example-cef.

curl -k -u username:password https://localhost/rest/cef/<id> \
-d '{
        "name":"docs-example-cef",
        "data_type":["example"]
    }'

Example response
A successful response includes the numeric Id given to the CEF.

{
        "id": 151,
        "success": true
}

DELETE

Delete a custom CEF by supplying the CEF Id.

Example request
Delete the custom CEF with Id 151.

curl -k -u username:password https://localhost/rest/cef/151 -X DELETE

Example response
A successful response includes a success message.

{
        "success": true
}
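
As an added example (not Splunk's own code), a small Python client that builds the quoted _filter_* queries, walks every page of /rest/cef using num_pages, and selects only the mutable custom CEFs before an update or delete. make_fetch, fake_fetch and the two-page response set are assumptions constructed for this example.

```python
import base64
import json
import urllib.parse
import urllib.request

def cef_query(filters=None, page=None, page_size=None):
    """/rest/cef query string; _filter_* values are JSON-quoted ("custom"), as SOAR expects."""
    params = {"_filter_" + k: json.dumps(v) for k, v in (filters or {}).items()}
    if page is not None:
        params["page"] = page
    if page_size is not None:
        params["page_size"] = page_size
    return urllib.parse.urlencode(params)

def make_fetch(base_url, username, password):
    """Hypothetical live-host helper: creds in a header (not the URL), TLS verified."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    def fetch(query):
        req = urllib.request.Request(f"{base_url}/rest/cef?{query}",
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def iter_all_cefs(fetch, page_size=100, **filters):
    """Yield every CEF across all pages, stopping once page reaches num_pages."""
    page = 0
    while True:
        body = fetch(cef_query(filters, page=page, page_size=page_size))
        yield from body["data"]
        page += 1
        if page >= body["num_pages"]:
            return

def mutable_cef_ids(fetch, **filters):
    """name -> id for CEFs that POST /rest/cef/<id> or DELETE may change (custom only)."""
    return {c["name"]: c["id"] for c in iter_all_cefs(fetch, **filters)
            if c["type"] == "custom"}
# Constructed two-page response set echoing the page's examples (not live data).
_PAGES = [
    {"num_pages": 2, "data": [{"type": "default", "id": 1, "name": "dmac"},
                              {"type": "custom", "id": 151, "name": "docs-test-cef"}]},
    {"num_pages": 2, "data": [{"type": "default", "id": 3, "name": "dhost"},
                              {"type": "custom", "id": 566, "name": "myDestination"}]},
]
def fake_fetch(query):
    """Offline stand-in for make_fetch(): serves _PAGES by the page parameter."""
    page = int(urllib.parse.parse_qs(query).get("page", ["0"])[0])
    return _PAGES[page]
```

Against a live host, replace fake_fetch with make_fetch("https://<host>", "<username>", "<password>"); the default CEFs are skipped because the API rejects updates to them.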
Last modified on 17 February, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0

