topic Get container timeline history via REST in Splunk SOAR https://community.splunk.com/t5/Splunk-SOAR/Get-container-timeline-history-via-REST/m-p/561131#M678 <P>Hi.</P><P>I need to extract container timeline events via the REST API in order to generate analyst, playbook and action timeline reports.</P><P>The closest endpoint I can find is <A href="https://docs.splunk.com/Documentation/Phantom/4.10.4/PlatformAPI/RESTQueryData#Requesting_Object_Detail" target="_self">briefly mentioned in the REST API documentation</A>:</P><P><EM>/rest/container/&lt;container id&gt;/actions</EM></P><P>I can't find any other mention of this endpoint in the documentation. This endpoint is useful however it only provides action history, not analyst or playbook activity history.</P><P>The Phantom web portal calls an undocumented API which returns exactly what I need:</P><P><EM>/rest/container/&lt;container ID&gt;/timeline?&lt;many required query parameters&gt;</EM></P><P>...however it requires many query parameters. If you don't get the query parameters&nbsp;correct it returns empty results.</P><P>My questions:</P><P>1. Can someone refer me to documentation for the container timeline API endpoint mentioned above?</P><P>2. If not, is there an alternative "documented" endpoint that will return all container timeline information?</P><P>Thanks</P> Wed, 28 Jul 2021 01:57:37 GMT bongo 2021-07-28T01:57:37Z Get container timeline history via REST https://community.splunk.com/t5/Splunk-SOAR/Get-container-timeline-history-via-REST/m-p/561131#M678 <P>Hi.</P><P>I need to extract container timeline events via the REST API in order to generate analyst, playbook and action timeline reports.</P><P>The closest endpoint I can find is <A href="https://docs.splunk.com/Documentation/Phantom/4.10.4/PlatformAPI/RESTQueryData#Requesting_Object_Detail" target="_self">briefly mentioned in the REST API documentation</A>:</P><P><EM>/rest/container/&lt;container id&gt;/actions</EM></P><P>I can't find any other mention of this endpoint in the documentation. This endpoint is useful however it only provides action history, not analyst or playbook activity history.</P><P>The Phantom web portal calls an undocumented API which returns exactly what I need:</P><P><EM>/rest/container/&lt;container ID&gt;/timeline?&lt;many required query parameters&gt;</EM></P><P>...however it requires many query parameters. If you don't get the query parameters&nbsp;correct it returns empty results.</P><P>My questions:</P><P>1. Can someone refer me to documentation for the container timeline API endpoint mentioned above?</P><P>2. If not, is there an alternative "documented" endpoint that will return all container timeline information?</P><P>Thanks</P> Wed, 28 Jul 2021 01:57:37 GMT https://community.splunk.com/t5/Splunk-SOAR/Get-container-timeline-history-via-REST/m-p/561131#M678 bongo 2021-07-28T01:57:37Z Re: Get container timeline history via REST https://community.splunk.com/t5/Splunk-SOAR/Get-container-timeline-history-via-REST/m-p/562026#M689 <P>After some experimentation I found that the endpoint will return all data if passed the following general JSON object after it's converted to a query string:</P><P>{<BR />"page_number": 1,<BR />"min_time": "2018-01-01T00:00:00.000000Z",<BR />"max_time": "2038-01-01T00:00:00.000000Z",<BR />"count": 10000,<BR />"artifact": {<BR />"count": 10000,<BR />"min_time": "2018-01-01T00:00:00.000000Z",<BR />"max_time": "2038-01-01T00:00:00.000000Z",<BR />},<BR />"event": {<BR />"count": 10000,<BR />"min_time": "2018-01-01T00:00:00.000000Z",<BR />"max_time": "2038-01-01T00:00:00.000000Z",<BR />},<BR />"playbook": {<BR />"count": 10000,<BR />"min_time": "2018-01-01T00:00:00.000000Z",<BR />"max_time": "2038-01-01T00:00:00.000000Z",<BR />},<BR />"action": {<BR />"count": 10000,<BR />"min_time": "2018-01-01T00:00:00.000000Z",<BR />"max_time": "2038-01-01T00:00:00.000000Z",<BR />}<BR />}</P><P>&nbsp;</P><P>For example:</P><P>/rest/container/<EM>&lt;container ID&gt;</EM>/timeline?query_params={"page_number":1,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z","count":10000,"artifact":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"},"event":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"},"playbook":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"},"action":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"}}</P> Wed, 04 Aug 2021 21:35:17 GMT https://community.splunk.com/t5/Splunk-SOAR/Get-container-timeline-history-via-REST/m-p/562026#M689 bongo 2021-08-04T21:35:17Z