Splunk® Intelligence Management (Legacy)

User Guide

Use the REST API or Python SDK to access scored emails

The extensibility of Splunk Intelligence Management provides different ways to respond to a user-reported suspicious email, allowing you to customize workflows according to your organization's automation maturity level.

As part of the phishing triage intel workflow, Splunk Intelligence Management offers the ability to access scored emails through the REST API or Python SDK.

Use the Splunk Intelligence Management API

Use the following Splunk Intelligence Management API endpoints to view email submissions, retrieve Indicators, and set triage status:

Get phishing submissions: POST /1.3/triage/submissions

Get phishing indicators: POST /1.3/triage/indicators

Set triage status: POST /1.3/triage/submissions/{submissionId}/status

Use the Python SDK

Use the Python SDK to view email submissions, retrieve Indicators, and set triage status:

Get phishing submissions

Fetches all phishing submissions that match the given criteria.

TruStar.get_phishing_submissions(from_time=None, to_time=None, priority_event_score=None, enclave_ids=None, status=None, cursor=None)

Parameters

Parameter Description
from_time (int) Start of time window in milliseconds since epoch (defaults to 7 days ago)
to_time (int) End of time window in milliseconds since epoch (defaults to current time)
normalized_triage_score (list(int)) List of desired scores of phishing submission on a scale of 0-3 (default: [3]).
enclave_ids (list(string)) List of enclave ids to pull submissions from. (defaults to all of a user's enclaves).
status (list(string)) List of statuses to filter submissions by. Options include:
  • UNRESOLVED (default)
  • CONFIRMED
  • IGNORED
cursor (string) A Base64-encoded string that contains information on how to retrieve the next page. If a cursor isn't passed, it will default to pageSize: 25, pageNumber: 0

Get phishing indicators

Get a page of phishing indicators that match the given criteria.

TruStar.get_phishing_indicators(from_time=None, to_time=None, normalized_indicator_score=None, priority_event_score=None, status=None, enclave_ids=None, cursor=None)
Parameters

Parameter Description
from_time (int) Start of time window in milliseconds since epoch (defaults to 7 days ago).
to_time (int) End of time window in milliseconds since epoch (defaults to current time).
normalized_source_score (list(int)) List of desired scores of intel sources on a scale of 0-3 (default: [3]).
normalized_triage_score (list(int)) List of desired scores of phishing indicators on a scale of 0-3 (default: [3]).
enclave_ids (list(string)) A list of enclave IDs to filter by. (defaults to all of a user's enclaves)
status (list(string)) List of statuses to filter indicators by. Options include:
  • UNRESOLVED (default)
  • CONFIRMED
  • IGNORED
cursor (string) A Base64-encoded string that contains information on how to retrieve the next page. If a cursor isn't passed, it will default to pageSize: 25, pageNumber: 0

Set triage status

Marks a phishing email submission with one of the phishing namespace tags.

TruStar.mark_triage_status(submission_id=None, status=None)

Parameters

Parameter Description
submission_id (string) ID of the email submission.
status (string) Triage status to set on the submission: UNRESOLVED, CONFIRMED, or IGNORED.
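The following is an added example, not code from Splunk or the SDK, showing how the three documented SDK calls fit together in a triage job: page through top-scored submissions by following the cursor, then set a status on each. The SDK client itself is replaced by a constructed stand-in (FakeTruStar) so the example runs offline; the assumed details are the page-object shape (`.items`, `.next_cursor`), the Base64(JSON) cursor layout inferred from the "pageSize: 25, pageNumber: 0" wording, the `indicator_count` field on each submission, and the use of the parameter table's `normalized_triage_score` name for the score filter (check it against the signature shipped with your SDK version). One point the example makes that the tables do not: marking statuses while still paging changes the status-filtered result set between pages and can silently skip submissions, so the job snapshots the full result set before it marks anything.

```python
"""Added example (not Splunk's or the SDK's code): page through scored phishing
submissions and set a triage status on each, with an offline stand-in client.
Assumed, not stated on the page: page objects expose .items and .next_cursor,
the cursor is Base64 of {"pageSize": ..., "pageNumber": ...}, and submissions
carry an "indicator_count" field; the score filter uses the parameter table's
name normalized_triage_score (verify against your SDK version's signature).
"""
import base64
import copy
import json

# Status values listed on this page.
VALID_STATUSES = {"UNRESOLVED", "CONFIRMED", "IGNORED"}


def encode_cursor(page_size, page_number):
    """Build a cursor in the assumed Base64(JSON) form."""
    body = json.dumps({"pageSize": page_size, "pageNumber": page_number})
    return base64.b64encode(body.encode()).decode()


def decode_cursor(cursor):
    return json.loads(base64.b64decode(cursor))


def iter_submissions(client, **filters):
    """Yield every matching submission, following next_cursor to the last page."""
    cursor, seen = None, set()
    while True:
        page = client.get_phishing_submissions(cursor=cursor, **filters)
        yield from page.items
        cursor = page.next_cursor
        if not cursor or cursor in seen:  # last page, or a cursor the server repeated
            return
        seen.add(cursor)


def triage(client, decide, **filters):
    """Snapshot the result set first, then mark statuses.

    Marking while paging would shrink the status-filtered result set between
    pages and skip submissions, so the two steps are kept separate.
    decide(submission) returns a status, or None to leave it for an analyst.
    Returns {submission_id: status} for every submission that was marked.
    """
    pending = list(iter_submissions(client, **filters))
    marked = {}
    for sub in pending:
        status = decide(sub)
        if status is None:
            continue
        if status not in VALID_STATUSES:  # reject bad values before any SDK call
            raise ValueError(f"unknown triage status: {status!r}")
        client.mark_triage_status(submission_id=sub["id"], status=status)
        marked[sub["id"]] = status
    return marked


# --- constructed offline stand-in for the SDK client (assumed response shape) ---
class _Page:
    def __init__(self, items, next_cursor):
        self.items, self.next_cursor = items, next_cursor


class FakeTruStar:
    """Serves constructed sample submissions two per page and records status calls."""
    PAGE_SIZE = 2

    def __init__(self, submissions):
        self.submissions = copy.deepcopy(submissions)
        self.status_calls = []

    def get_phishing_submissions(self, from_time=None, to_time=None,
                                 normalized_triage_score=None, enclave_ids=None,
                                 status=None, cursor=None):
        page_number = decode_cursor(cursor)["pageNumber"] if cursor else 0
        scores = set(normalized_triage_score or [3])   # page default: [3]
        statuses = set(status or ["UNRESOLVED"])       # page default: UNRESOLVED
        matching = [s for s in self.submissions
                    if s["normalized_triage_score"] in scores and s["status"] in statuses]
        start = page_number * self.PAGE_SIZE
        more = start + self.PAGE_SIZE < len(matching)
        nxt = encode_cursor(self.PAGE_SIZE, page_number + 1) if more else None
        return _Page(matching[start:start + self.PAGE_SIZE], nxt)

    def mark_triage_status(self, submission_id=None, status=None):
        self.status_calls.append((submission_id, status))
        for s in self.submissions:
            if s["id"] == submission_id:
                s["status"] = status


# Constructed sample data: ids, subjects and indicator counts are made up.
SAMPLE_SUBMISSIONS = [
    {"id": "sub-001", "subject": "Invoice overdue", "normalized_triage_score": 3, "status": "UNRESOLVED", "indicator_count": 4},
    {"id": "sub-002", "subject": "Lunch menu", "normalized_triage_score": 0, "status": "UNRESOLVED", "indicator_count": 0},
    {"id": "sub-003", "subject": "Password reset required", "normalized_triage_score": 3, "status": "UNRESOLVED", "indicator_count": 2},
    {"id": "sub-004", "subject": "Shared document", "normalized_triage_score": 3, "status": "UNRESOLVED", "indicator_count": 0},
    {"id": "sub-005", "subject": "Old ticket", "normalized_triage_score": 3, "status": "IGNORED", "indicator_count": 1},
]


def confirm_if_indicators(sub):
    """Example rule: a top-scored email with extracted indicators is CONFIRMED;
    one with no indicators stays UNRESOLVED for an analyst to look at."""
    return "CONFIRMED" if sub["indicator_count"] > 0 else None


def run_demo():
    client = FakeTruStar(SAMPLE_SUBMISSIONS)
    marked = triage(client, confirm_if_indicators,
                    normalized_triage_score=[3], status=["UNRESOLVED"])
    return marked, client


if __name__ == "__main__":
    for sid, st in run_demo()[0].items():
        print(f"{sid}: {st}")
```

To run this against the real service, replace FakeTruStar with the SDK client and keep `triage` as it is; the `decide` callback is where an organization's own rule (score threshold, indicator count, sender allow-list) belongs, and returning None from it is the safe default when the rule cannot decide.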
Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current