Splunk SOAR (f.k.a. Phantom)

Delete containers with a playbook

drew19
Path Finder

Is there a way to automatically delete some containers within a playbook?

1 Solution

phanTom
SplunkTrust

@drew19 it's not written anywhere how to use this as it's from my exp of delivering 100's of playbooks over the last couple of years as a SOAR Solutions Architect. There is no specific walkthrough on how to use this as HTTP DELETE is a standard capability which is made available to you on Phantom by using either the HTTP app or using the phantom.requests.delete() capability (similar to standard Python requests lib).

Not everything can be documented to the degree of a walkthrough with Phantom as there are 1000 ways to do the same thing on the platform, it's mostly personal choice/knowledge that drives how you implement something in Phantom. 

I would highly recommend leaving feedback on the documentation if you feel it is missing. 

phanTom
SplunkTrust

@drew19 I meant an HTTP DELETE request to the endpoint (e.g. /rest/container/100).

This action can be done either by using the HTTP app to interact with Phantom REST or the new phantom.build_phantom_rest_url() & phantom.requests() APIs (Docs here)


drew19
Path Finder

Dear Phantom,

as written before, I understand what you meant. Please navigate to the first URL provided by you (https://docs.splunk.com/Documentation/Phantom/4.10/PlatformAPI/RESTContainers) then press CTRL + F (find something in the page) then look for "DELETE": there are no results.
My question is: where is this information (i.e. use an HTTP DELETE to achieve Container deletion) written? Is it so obvious that it is left as implicit information?


phanTom
SplunkTrust

@drew19 yes, but you have to use REST and an HTTP DELETE request to the container endpoint (Docs link). If you can get a list of container ids, you can use the HTTP app with a format block before it to build a list and pass it to the HTTP app to iterate through and delete the containers.
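
As an added illustration (not part of the original thread and not Splunk's own code), a small helper for the approach described in this thread: one HTTP DELETE per container ID against the container endpoint, with ID validation and a dry-run default. The helper names, the `soar.example` host and the stub responses are constructed so it runs offline; passing `phantom.build_phantom_rest_url` and `phantom.requests.delete` in a real playbook, with these arguments, is an assumption.

```python
from typing import Callable, Iterable

def delete_containers(container_ids: Iterable, build_url: Callable,
                      http_delete: Callable, dry_run: bool = True) -> dict:
    """One HTTP DELETE per container id; returns a report for the audit trail.

    Assumption: in a playbook, build_url=phantom.build_phantom_rest_url and
    http_delete=phantom.requests.delete (requests-like, per the thread).
    """
    report = {"deleted": [], "failed": [], "rejected": [], "planned": []}
    seen = set()
    for raw in container_ids:
        text = str(raw).strip()
        # Only plain positive integers: a value like "102/../1" must never
        # be able to change which REST path receives the DELETE.
        if not (text.isascii() and text.isdigit()) or int(text) == 0:
            report["rejected"].append(raw)
            continue
        cid = int(text)
        if cid in seen:          # skip duplicates
            continue
        seen.add(cid)
        url = build_url("container", cid)
        if dry_run:              # default: list targets, delete nothing
            report["planned"].append(url)
            continue
        try:
            ok = 200 <= http_delete(url, timeout=30).status_code < 300
        except Exception:        # network or platform error: record, keep going
            ok = False
        report["deleted" if ok else "failed"].append(cid)
    return report

# --- constructed stand-ins so the example runs outside SOAR ---
class StubResponse:
    def __init__(self, status_code):
        self.status_code = status_code

def stub_build_url(*parts):
    return "https://soar.example/rest/" + "/".join(str(p) for p in parts)

def stub_delete(url, **kwargs):
    # Constructed behaviour: container 404 is treated as missing.
    return StubResponse(404 if url.endswith("/404") else 200)

if __name__ == "__main__":
    ids = [100, "101", "100", "102/../1", 404, -5]
    print(delete_containers(ids, stub_build_url, stub_delete))                # dry run
    print(delete_containers(ids, stub_build_url, stub_delete, dry_run=False))
```

Running the dry run first and logging the returned report gives a record of exactly which containers a playbook removed, which matters because deletion cannot be undone from the playbook.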

drew19
Path Finder

Dear Tom,

thank you. I understand what you are writing and I would accept it as a solution but I cannot find any reference to DELETE requests in the link provided by you. Where is it written?

Thank you again
