topic Re: API Filtering in Splunk SOAR - Access child elements in JSON in Splunk SOAR

API Filtering in Splunk SOAR - Access child elements in JSON

JustntherSplker — Mon, 24 Feb 2025 13:08:33 GMT

Working on a use case which entails finding All containers/artifacts that match certain field conditions.

The idea is to run an API query against SOAR artifact end point to get all the artifacts and use the returned artifact fields in further fulfilling automation.

A few questions in this respect

1)Does SOAR support API filtering like described in this article - https://medium.com/@lovely_peel_hamster_92/splunk-phantom-rest-api-filters-956a58854bfc

Specifically the ability to access child objects in JSON. Documentation does not seem to mention anything about accessing child objects.

https://docs.splunk.com/Documentation/Phantom/4.10.7/PlatformAPI/RESTQueryData

3)Also when filters are applied, we seem to lose the ability to restrict the output to a list of fields. It returns the entire JSON while the requirement is for specific fields.

What we are actually trying to achieve -

Check for closed SNow INCs and close corresponding Splunk ES notables, and SOAR containers.

We have broken down the approach into modules and have the component parts working but the aforementioned filtering is tripping us up - Solving the problem will help us complete the playbook.

I also found this and we are attempting something very similar - https://community.splunk.com/t5/Splunk-SOAR/Playbook-run-on-bulk-events/m-p/667251. Again, the filtering is key to completing this.

Also, open to suggestions on approach to achieve the above. Thanks! in advance.

Re: API Filtering in Splunk SOAR - Access child elements in JSON

SOARt_of_Lost — Wed, 05 Mar 2025 21:05:14 GMT

Thanks for linking that article, I haven't seen it and it's got some handy tips.

1) Yes. In my limited testing, this works.

3) Unfortunately, that seems to be the tradeoff based on what you're trying to do. When you filter (rest/artifact) you're look for any artifacts which match your search results. When you request object detail, (rest/artifact/5/name) you're restricting your results to artifact 5 specifically.

If you want to give an example of your specific flow, we can probably come up with a more detailed answer. I'm guessing you're going to want something roughly along these lines:

/rest/artifact?_filter_cef__destinationAddress={SNOW INC CI}&_filter_status="new"&page_size=0

Unfortunately, I don't think you'll be able to avoid looping through the results one way or another.

Re: API Filtering in Splunk SOAR - Access child elements in JSON

SOARt_of_Lost — Wed, 05 Mar 2025 21:58:10 GMT

Thanks for linking that article, I haven't seen it and it's got some handy tips.

1) Yes, this works.

Based on your question, I'm guessing you're going to want something along these lines:

/rest/artifact?_filter_cef__destinationAddress={SNow CI}&page_size=0

I don't think you'll be able to get of looping through your results one way or another.

Re: API Filtering in Splunk SOAR - Access child elements in JSON

JustntherSplker — Sun, 09 Mar 2025 12:23:22 GMT

@SOARt_of_Lost Appreciate the response. I have since figured out exactly what we want to achieve. The key to achieving it was figuring out how the value is passed to the filter.

The DJANGO 'in' filter expects a comma even if just one value is found for the custom field

So the python script in the custom function looks at

/rest/artifacts?_filter_cef__<our_custom_field>__in="a","b","c","d"&page_size=0 for multiple values &

/rest/artifacts?_filter_cef__<our_custom_field>__in="a",&page_size=0 when a single value is found.

As for the filter outputs to restrict fields, we eventually achieved that in the function output. The plan was to restrict values/volume of data return but oh well, wasn't working any which way! so function output was the way to go.

Re: API Filtering in Splunk SOAR - Access child elements in JSON

JustntherSplker — Sun, 09 Mar 2025 12:58:05 GMT

@SOARt_of_Lost Going by your profile name, would appreciate your thoughts on this question as well! TIA

https://community.splunk.com/t5/Splunk-SOAR/Splunk-SOAR-access-environment-variables/td-p/741231