Splunk SOAR (f.k.a. Phantom)

Delete containers with a playbook

drew19
Path Finder

Is there a way to automatically delete some containers within a playbook?

1 Solution

phanTom
SplunkTrust

@drew19 it's not written anywhere how to use this as it's from my exp of delivering 100's of playbooks over the last couple of years as a SOAR Solutions Architect. There is no specific walkthrough on how to use this as HTTP DELETE is a standard capability which is made available to you on Phantom by using either the HTTP app or using the phantom.requests.delete() capability (similar to standard python requests lib).

Not everything can be documented to the degree of a walkthrough with Phantom as there are 1000 ways to do the same thing on the platform, it's mostly personal choice/knowledge that drives how you implement something in Phantom. 

I would highly recommend leaving feedback on the documentation if you feel it is missing. 


phanTom
SplunkTrust

@drew19 I meant a HTTP DELETE request to the endpoint (e.g. /rest/container/100).

This action can be done either by using the HTTP app to interact with Phantom REST or the new phantom.build_phantom_rest_url() & phantom.requests() APIs (Docs here)

0 Karma

drew19
Path Finder

Dear Phantom,

as written before, I understand what you meant. Please navigate to the first URL provided by you (https://docs.splunk.com/Documentation/Phantom/4.10/PlatformAPI/RESTContainers) then press CTRL + F (find something in the page) then look for "DELETE": there are no results.
My question is: where is this information (i.e. use an HTTP DELETE to achieve Container deletion) written? Is it so obvious that it is left as implicit information?

0 Karma

phanTom
SplunkTrust

@drew19 yes, but you have to use REST and a HTTP DELETE request to the container endpoint (Docs link). If you can get a list of container ids, you can use the HTTP app with a format block before it to build a list and pass it to the HTTP app to iterate through and delete the containers.
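
The approach described in this thread (an HTTP DELETE to /rest/container/<id> for each id in a list), as an added example that is not part of any post above and is not Splunk's code. It uses only the Python standard library so it runs outside a playbook; inside one, the phantom.requests.delete() and phantom.build_phantom_rest_url() calls named in the thread would take the place of the transport. The `ph-auth-token` header name, the `label` field read from the container, the label allow-list and the dry-run default are assumptions added here to keep a bulk delete from removing the wrong containers.

```python
import json
import urllib.error
import urllib.request


def container_url(base_url, container_id):
    """Return <base>/rest/container/<id>, accepting only positive integer ids."""
    cid = int(str(container_id).strip())  # ValueError on "12/../x", "abc", ""
    if cid <= 0:
        raise ValueError(f"not a container id: {container_id!r}")
    return f"{base_url.rstrip('/')}/rest/container/{cid}"


def http_send(method, url, token):
    """Default transport. The ph-auth-token header name is an assumption."""
    req = urllib.request.Request(url, method=method,
                                 headers={"ph-auth-token": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def delete_containers(base_url, token, ids, allowed_labels,
                      send=http_send, dry_run=True):
    """Delete each container whose label is allow-listed; report per id."""
    results = {}
    for raw in ids:
        try:
            url = container_url(base_url, raw)
        except ValueError:
            results[raw] = "skipped: invalid id"
            continue
        status, body = send("GET", url, token)  # look before deleting
        if status != 200:
            results[raw] = f"skipped: lookup returned {status}"
        elif body.get("label") not in allowed_labels:
            results[raw] = f"skipped: label {body.get('label')!r} not allowed"
        elif dry_run:
            results[raw] = "would delete"
        else:
            status, _ = send("DELETE", url, token)
            results[raw] = "deleted" if status == 200 else f"failed: {status}"
    return results
```

Run it once with the default `dry_run=True` and review the returned report before repeating the call with `dry_run=False`.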

drew19
Path Finder

Dear Tom,

thank you. I understand what you are writing and I would accept it as a solution but I cannot find any reference to DELETE requests in the link provided by you. Where is it written?

Thank you again

0 Karma