Splunk SOAR (f.k.a. Phantom)

Delete containers with a playbook

drew19
Path Finder

Is there a way to automatically delete some containers within a playbook?

0 Karma
1 Solution

phanTom
SplunkTrust

@drew19 it's not written anywhere how to use this as it's from my experience of delivering 100s of playbooks over the last couple of years as a SOAR Solutions Architect. There is no specific walkthrough on how to use this as HTTP DELETE is a standard capability which is made available to you on Phantom by using either the HTTP app or using the phantom.requests.delete() capability (similar to the standard Python requests lib).

Not everything can be documented to the degree of a walkthrough with Phantom as there are 1000 ways to do the same thing on the platform, it's mostly personal choice/knowledge that drives how you implement something in Phantom. 

I would highly recommend leaving feedback on the documentation if you feel it is missing. 


phanTom
SplunkTrust

@drew19 I meant an HTTP DELETE request to the endpoint (e.g. /rest/container/100).

This action can be done either by using the HTTP app to interact with Phantom REST or the new phantom.build_phantom_rest_url() & phantom.requests() APIs (Docs here)

0 Karma

drew19
Path Finder

Dear Phantom,

as written before, I understand what you meant. Please navigate to the first URL provided by you (https://docs.splunk.com/Documentation/Phantom/4.10/PlatformAPI/RESTContainers) then press CTRL + F (find something in the page) then look for "DELETE": there are no results.
My question is: where is this information (i.e. use an HTTP DELETE to achieve Container deletion) written? Is it so obvious that it is left as implicit information?

0 Karma

phanTom
SplunkTrust

@drew19 yes, but you have to use REST and an HTTP DELETE request to the container endpoint (Docs link). If you can get a list of container ids, you can use the HTTP app with a format block before it to build a list and pass it to the HTTP app to iterate through and delete the containers.
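Editor's added example (not part of the original post and not Splunk's own code): the "iterate through a list of container ids and DELETE /rest/container/<id>" approach described above, written with the Python standard library so it runs outside SOAR, with id validation, a dry-run default and a per-id audit result. The function names and the host `soar.example.invalid` are assumptions; inside a playbook the thread's `phantom.requests.delete()` would take the place of `send`.

```python
import urllib.error
import urllib.request


def container_url(base_url, container_id):
    """Build <base>/rest/container/<id>; accept only positive integer ids."""
    if isinstance(container_id, bool) or not isinstance(container_id, int) or container_id <= 0:
        raise ValueError(f"invalid container id: {container_id!r}")
    return f"{base_url.rstrip('/')}/rest/container/{container_id}"


def make_sender(token, timeout=30):
    """Return send(method, url) -> HTTP status, using the ph-auth-token REST header."""
    def send(method, url):
        req = urllib.request.Request(url, method=method, headers={"ph-auth-token": token})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


def delete_containers(base_url, container_ids, send, dry_run=True):
    """Issue one DELETE per unique id; return {id: outcome} for the audit trail."""
    results = {}
    for cid in dict.fromkeys(container_ids):  # de-duplicate, keep input order
        try:
            url = container_url(base_url, cid)
        except ValueError:
            results[cid] = "rejected"  # never sent to the server
            continue
        if dry_run:
            results[cid] = "would delete"
            continue
        status = send("DELETE", url)
        results[cid] = "deleted" if 200 <= status < 300 else f"failed ({status})"
    return results


if __name__ == "__main__":
    # Constructed stand-in for the server: only container 100 exists.
    def fake_send(method, url):
        return 200 if url.endswith("/100") else 404

    base = "https://soar.example.invalid"  # placeholder host (assumption)
    print(delete_containers(base, [100, 100, 7, "abc"], fake_send))
    print(delete_containers(base, [100, 7, "abc"], fake_send, dry_run=False))
```

Against a real instance, pass `make_sender(token)` as `send` with an automation user's token, and review the dry-run output before setting `dry_run=False`.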

drew19
Path Finder

Dear Tom,

thank you. I understand what you are writing and I would accept it as a solution but I cannot find any reference to DELETE requests in the link provided by you. Where is it written?

Thank you again

0 Karma