Splunk SOAR (f.k.a. Phantom)

Defining object detail in REST queries?



I'm running REST queries to retrieve containers that need to be reprocessed based on the values of some of their artifacts. My approach is querying the artifacts REST endpoint in this way:

/rest/artifact/?page_size=3000&_filter_name="my artifact of interest"&_filter_update_time__gt="2023-01-01T00:00:00"&_filter_[othercriteria]

The thing is these artifacts are quite heavy, and in this particular case I only need their container ID field, so there is no point in retrieving all the other irrelevant field data.

If I were querying a single known artifact I could use the object detail specification documented at https://docs.splunk.com/Documentation/SOARonprem/5.5.0/PlatformAPI/RESTQueryData#Requesting_Object_D... I haven't seen any similar way to specify which fields shall be retrieved while querying for an object list. Is there any way to do this?


Also, is there any way one can query artifacts whose associated container has some properties?

Right now I'm doing a massive artifact query, a massive container query and matching the results in a playbook. That's something that would be trivial and much lighter to do by SQL-querying the underlying PostgreSQL database.


Hints about this would be much appreciated.



@Iñigo you can query for artifact values a few ways, as you have probably seen. The artifact table is always going to be much heavier to query than the container one, for example, due to numbers. 

You can access artifact values through the container rest endpoint such as below:


Note the double _, which basically jumps to the artifact table but via the container REST endpoint. With this you should be able to have filters at both container and artifact level and pull back the data possibly in 1 go?

The double _ can be used a lot in this way but requires the field before it to have a context in another table. 

I wish they would put more examples like this in the docs so when you get this working it might be worth adding something to the feedback section of the docs page for REST so they can add something relevant?

-- If this helped solve your issue please mark as a solution! Happy SOARing! --
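The container-side query the answer describes, as an added example that is not from the original thread and not Splunk's own code. It assumes the double-underscore relation hop takes the form `_filter_artifact__<field>` on `/rest/container` (and, symmetrically, `_filter_container__<field>` on `/rest/artifact`), that list responses carry `count`, `num_pages` and `data`, and that string filter values are sent JSON-quoted as in the question's own URL. The host, token and artifact name are placeholders, and the server is replaced by a constructed in-memory stand-in so the script runs offline; the `soar_getter` function shows the real transport with the documented `ph-auth-token` header and TLS verification left on.

```python
"""Pull container ids filtered on artifact fields without transferring artifact rows.

Added example for the thread above; the _filter_artifact__<field> relation hop
and the {count, num_pages, data} page shape are assumptions, not quoted docs.
"""
import json
import urllib.parse
from typing import Callable, Dict, Iterable, List

# Hypothetical values for illustration only.
BASE_URL = "https://soar.example.internal"
CONTAINER_ENDPOINT = "/rest/container"
ARTIFACT_ENDPOINT = "/rest/artifact"


def build_query(endpoint: str, filters: Dict[str, object],
                page: int = 0, page_size: int = 1000) -> str:
    """Return path + query string with one _filter_<lookup> parameter per entry.

    Lookups use the Django-style syntax SOAR accepts (__gt, __contains, and the
    double-underscore hop into a related table, e.g. artifact__name on the
    container endpoint). Values are JSON-encoded so strings arrive quoted.
    """
    params = {"page": page, "page_size": page_size}
    for lookup, value in filters.items():
        params[f"_filter_{lookup}"] = json.dumps(value)
    return endpoint + "?" + urllib.parse.urlencode(params)


def iter_pages(get_json: Callable[[str], dict], endpoint: str,
               filters: Dict[str, object], page_size: int = 1000) -> Iterable[dict]:
    """Walk every page of a list response shaped {"count", "num_pages", "data"}."""
    page = 0
    while True:
        body = get_json(build_query(endpoint, filters, page, page_size))
        yield from body.get("data", [])
        page += 1
        if page >= int(body.get("num_pages", 0)):
            break


def container_ids_for_artifact(get_json: Callable[[str], dict],
                               artifact_name: str, updated_after: str) -> List[int]:
    """Ids of containers owning a matching artifact, asked via the container endpoint.

    Filtering across the join can return the same container once per matching
    artifact, so the ids are de-duplicated before being returned.
    """
    filters = {
        "artifact__name": artifact_name,            # assumed relation hop (the answer's double _)
        "artifact__update_time__gt": updated_after,
    }
    return sorted({c["id"] for c in iter_pages(get_json, CONTAINER_ENDPOINT, filters)})


def soar_getter(base_url: str, token: str) -> Callable[[str], dict]:
    """Real transport: documented ph-auth-token header; certificate checks stay enabled."""
    import urllib.request

    def get_json(path: str) -> dict:
        req = urllib.request.Request(base_url + path, headers={"ph-auth-token": token})
        with urllib.request.urlopen(req, timeout=60) as resp:  # no unverified SSL context
            return json.load(resp)
    return get_json


def _fake_soar(path: str) -> dict:
    """Constructed stand-in for the server: two canned pages, with one duplicate join row."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    page = int(qs["page"][0])
    pages = [
        {"count": 4, "num_pages": 2, "data": [{"id": 101, "name": "Phish A"},
                                              {"id": 205, "name": "Phish B"}]},
        {"count": 4, "num_pages": 2, "data": [{"id": 330, "name": "Phish C"},
                                              {"id": 101, "name": "Phish A"}]},
    ]
    return pages[page]


if __name__ == "__main__":
    # Offline run against the constructed pages; swap in soar_getter(BASE_URL, token) for real use.
    print(container_ids_for_artifact(_fake_soar, "my artifact of interest", "2023-01-01T00:00:00"))
```

The same `build_query` helper serves the second question in the thread: passing `{"container__label": "events"}` with `ARTIFACT_ENDPOINT` hops the other way, from artifacts to properties of their container, under the same assumption about the relation syntax.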
