Splunk SOAR

API Filtering in Splunk SOAR - Access child elements in JSON

JustntherSplker
Explorer

Working on a use case which entails finding All containers/artifacts that match certain field conditions.

The idea is to run an API query against SOAR artifact end point to get all the artifacts and use the returned artifact fields in further fulfilling automation.

A few questions in this respect

1) Does SOAR support API filtering like described in this article - https://medium.com/@lovely_peel_hamster_92/splunk-phantom-rest-api-filters-956a58854bfc

Specifically the ability to access child objects in JSON. Documentation does not seem to mention anything about accessing child objects.

https://docs.splunk.com/Documentation/Phantom/4.10.7/PlatformAPI/RESTQueryData

3) Also, when filters are applied, we seem to lose the ability to restrict the output to a list of fields. It returns the entire JSON while the requirement is for specific fields.


What we are actually trying to achieve - 

Check for closed SNow INCs and close corresponding Splunk ES notables, and SOAR containers.

We have broken down the approach into modules and have the component parts working but the aforementioned filtering is tripping us up - Solving the problem will help us complete the playbook.

I also found this and we are attempting something very similar - https://community.splunk.com/t5/Splunk-SOAR/Playbook-run-on-bulk-events/m-p/667251. Again, the filtering is key to completing this.

Also, open to suggestions on approach to achieve the above. Thanks in advance!


JustntherSplker
Explorer

@SOARt_of_Lost Going by your profile name, would appreciate your thoughts on this question as well! TIA

https://community.splunk.com/t5/Splunk-SOAR/Splunk-SOAR-access-environment-variables/td-p/741231


JustntherSplker
Explorer

@SOARt_of_Lost Appreciate the response. I have since figured out exactly what we want to achieve. The key to achieving it was figuring out how the value is passed to the filter.

The Django 'in' filter expects a comma even if just one value is found for the custom field.

So the Python script in the custom function looks at

/rest/artifacts?_filter_cef__<our_custom_field>__in="a","b","c","d"&page_size=0 for multiple values, and

/rest/artifacts?_filter_cef__<our_custom_field>__in="a",&page_size=0 when a single value is found.

As for the filter outputs to restrict fields, we eventually achieved that in the function output. The plan was to restrict the values/volume of data returned, but oh well, it wasn't working any which way, so function output was the way to go.



SOARt_of_Lost
Path Finder

Thanks for linking that article, I haven't seen it and it's got some handy tips. 

1) Yes, this works.

3) Unfortunately, that seems to be the tradeoff based on what you're trying to do. When you filter (rest/artifact) you're looking for any artifacts which match your search results. When you request object detail (rest/artifact/5/name) you're restricting your results to artifact 5 specifically.

Based on your question, I'm guessing you're going to want something along these lines:

/rest/artifact?_filter_cef__destinationAddress={SNow CI}&page_size=0

I don't think you'll be able to get out of looping through your results one way or another.

SOARt_of_Lost
Path Finder

Thanks for linking that article, I haven't seen it and it's got some handy tips. 

1) Yes. In my limited testing, this works.

3) Unfortunately, that seems to be the tradeoff based on what you're trying to do. When you filter (rest/artifact) you're looking for any artifacts which match your search results. When you request object detail (rest/artifact/5/name) you're restricting your results to artifact 5 specifically.

If you want to give an example of your specific flow, we can probably come up with a more detailed answer. I'm guessing you're going to want something roughly along these lines:

/rest/artifact?_filter_cef__destinationAddress={SNOW INC CI}&_filter_status="new"&page_size=0


Unfortunately, I don't think you'll be able to avoid looping through the results one way or another.

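Pulling the accepted answer and this reply together, here is an added example (not code from the thread or from Splunk): a small Python helper that renders the `__in` filter with the trailing-comma rule for a single value, appends an exact-match `_filter_status="new"` style filter on top of it, and trims the full-artifact response to the fields the playbook needs on the client side, since the filtered endpoint returns whole objects. The host name, the custom CEF field `snow_inc`, and `SAMPLE_RESPONSE` are assumptions/constructed; the `/rest/artifact` path follows the reply.

```python
"""Build Splunk SOAR artifact filter URLs and trim the results client side.

Added example, not code from the thread. Assumed/constructed: the SOAR host,
the custom CEF field name 'snow_inc', and SAMPLE_RESPONSE below.
"""
import json

SOAR_BASE = "https://soar.example.invalid"  # placeholder host, not a real instance

def in_filter_literal(values):
    """Render values for the Django '__in' lookup as the accepted answer found
    SOAR expects them: double-quoted, comma-separated, with a trailing comma
    when there is only one value so the server still parses a tuple."""
    vals = list(values)
    if not vals:
        raise ValueError("'__in' filter needs at least one value")
    body = ",".join(json.dumps(str(v)) for v in vals)  # json escaping handles quotes
    return body + "," if len(vals) == 1 else body

def artifact_filter_url(cef_field, values, extra_filters=None, page_size=0):
    """Compose /rest/artifact?_filter_cef__<field>__in=...&page_size=0 and add
    exact-match filters on top-level artifact fields in the _filter_status="new"
    form shown in the reply. page_size=0 asks for all rows, as in the thread.
    The HTTP client percent-encodes quotes/commas; the server decodes them."""
    params = ["_filter_cef__%s__in=%s" % (cef_field, in_filter_literal(values))]
    for field, value in (extra_filters or {}).items():
        params.append("_filter_%s=%s" % (field, json.dumps(str(value))))
    params.append("page_size=%d" % page_size)
    return "%s/rest/artifact?%s" % (SOAR_BASE, "&".join(params))

def project_fields(response_json, fields):
    """Filtered queries return whole artifacts, so keep only the fields the
    playbook needs here; 'cef.<key>' reaches into the nested cef dict."""
    rows = []
    for art in response_json.get("data", []):
        row = {}
        for name in fields:
            if name.startswith("cef."):
                row[name] = art.get("cef", {}).get(name[4:])
            else:
                row[name] = art.get(name)
        rows.append(row)
    return rows

# Constructed sample in the shape of a /rest/artifact response (not real data).
SAMPLE_RESPONSE = {"count": 2, "data": [
    {"id": 11, "container": 4, "cef": {"snow_inc": "INC0010001", "destinationAddress": "10.0.0.5"}},
    {"id": 12, "container": 7, "cef": {"snow_inc": "INC0010002"}},
]}
```

The projected rows carry the container id, so the playbook can loop over them to close the matching containers and notables without the server having to return only those fields.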