Activity Feed
- Karma Re: API Filtering in Splunk SOAR - Access child elements in JSON for SOARt_of_Lost. a month ago
- Posted Re: Splunk SOAR access environment variables on Splunk SOAR. a month ago
- Posted Re: API Filtering in Splunk SOAR - Access child elements in JSON on Splunk SOAR. 03-09-2025 05:58 AM
- Posted Splunk SOAR access environment variables on Splunk SOAR. 03-09-2025 05:54 AM
- Posted Re: API Filtering in Splunk SOAR - Access child elements in JSON on Splunk SOAR. 03-09-2025 05:21 AM
- Got Karma for API Filtering in Splunk SOAR - Access child elements in JSON. 03-05-2025 12:11 PM
- Posted API Filtering in Splunk SOAR - Access child elements in JSON on Splunk SOAR. 02-24-2025 05:08 AM
a month ago
We worked with Splunk support to solve this. Recording the response since others might find it useful.

1) phantom.get_base_url() helps access the URL set in the above screenshot (Base URL for Splunk SOAR). Previous attempts did not work, which is bizarre.

2) Accessing environment variables:

```python
import os
import django
import phantom.rules as phantom  # standard SOAR playbook / custom function import

# Bootstrap the Django settings of the SOAR UI app so its models can be queried
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "phantom_ui.settings")
django.setup()

from phantom_ui.ui.models import SystemSettings

s = SystemSettings.get_settings()
envVars = s.environment_variables
phantom.debug(envVars)
```

If your variable is called abc, you can now access its value in a variable by:

```python
abcvalue = envVars['abc']['value']
```

3) If your environment variable is stored as a secret, step 2 returns a salted variable which is no good for the authentication. Use the below to decrypt it before usage.

```python
import encryption_helper

clear_text_password = encryption_helper.decrypt(abcvalue, 'Splunk>Phantom')
```

By using 2 and 3, you can programmatically access environment variables including secret tokens and avoid specifying plaintext auth creds in your code block / custom functions!
03-09-2025
05:58 AM
@SOARt_of_Lost Going by your profile name, would appreciate your thoughts on this question as well! TIA https://community.splunk.com/t5/Splunk-SOAR/Splunk-SOAR-access-environment-variables/td-p/741231
03-09-2025
05:54 AM
We have a playbook which is making calls to the SOAR REST API artifacts endpoint. We are having to pass the auth token for the REST API call in the script as plain text, which isn't ideal. Given we haven't configured a vault / vault-like solution (CA, Vault etc.):

1) We set a SOAR global environment variable and stored the value as a secret, but how do we call this in our script? Have tried looking at all possible attributes in the phantom library (documentation is next to none for this). I also tried os.environ.get, but custom variables are not going to be present in it. I am able to access the value of variables like NO_PROXY and it returns the respective value. Any ideas around this will help.

2) I am also trying to get the base URL for constructing the REST call. Using build_phantom_rest_url or get_base_url is returning the URL as the local address 127.0.0.1 and not our specific URL.

In short, trying to access the values in the image within our custom function and haven't found a solution. Making a REST API call requires auth, and that option is ruled out for getting the API token. Any inputs will help. Thanks in advance.

Labels: using SOAR / Phantom
03-09-2025
05:21 AM
@SOARt_of_Lost Appreciate the response. I have since figured out exactly what we want to achieve. The key to achieving it was figuring out how the value is passed to the filter. The Django 'in' filter expects a comma even if just one value is found for the custom field. So the Python script in the custom function looks at

`/rest/artifacts?_filter_cef__<our_custom_field>__in="a","b","c","d"&page_size=0`

for multiple values, and

`/rest/artifacts?_filter_cef__<our_custom_field>__in="a",&page_size=0`

when a single value is found.

As for the filter outputs to restrict fields, we eventually achieved that in the function output. The plan was to restrict values/volume of data returned, but oh well, it wasn't working any which way! So function output was the way to go.
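An added helper, not from the original thread, that encodes the trailing-comma rule this reply describes for the `_filter_cef__<field>__in` lookup the original question asked about. The base URL and the custom field name in the demo are assumptions; the percent-encoding assumes a standard query-string decode on the SOAR side.

```python
from urllib.parse import quote

ARTIFACTS_ENDPOINT = "/rest/artifacts"


def in_filter_literal(values):
    """Render custom-field values the way the reply above found the
    Django-style __in lookup expects them: each value double-quoted,
    comma-separated, with a trailing comma when there is only one value
    (so a single value is still parsed as a list)."""
    if not values:
        raise ValueError("__in filter needs at least one value")
    for v in values:
        # Assumption: values never contain double quotes; refuse rather than
        # emit a literal that the server would parse differently than intended.
        if '"' in v:
            raise ValueError(f"unsupported character in filter value: {v!r}")
    literal = ",".join(f'"{v}"' for v in values)
    if len(values) == 1:
        literal += ","
    return literal


def artifact_filter_query(field, values, page_size=0):
    """Raw query string exactly as written in the reply, e.g.
    /rest/artifacts?_filter_cef__f__in="a","b"&page_size=0
    (page_size=0 as used in the reply)."""
    return (f"{ARTIFACTS_ENDPOINT}?_filter_cef__{field}__in="
            f"{in_filter_literal(values)}&page_size={page_size}")


def artifact_filter_url(base_url, field, values, page_size=0):
    """Same query, percent-encoded (quotes become %22, commas are kept) and
    joined to the base URL, e.g. the one phantom.get_base_url() returns,
    so an HTTP client sends it unchanged."""
    encoded = quote(in_filter_literal(values), safe=",")
    return (f"{base_url.rstrip('/')}{ARTIFACTS_ENDPOINT}"
            f"?_filter_cef__{field}__in={encoded}&page_size={page_size}")


if __name__ == "__main__":
    # Constructed sample: ServiceNow incident numbers kept in a custom CEF
    # field named snow_inc (the field name and host are assumptions).
    print(artifact_filter_query("snow_inc", ["INC001", "INC002"]))
    print(artifact_filter_url("https://soar.example.internal", "snow_inc", ["INC001"]))
```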
02-24-2025
05:08 AM
1 Karma
Working on a use case which entails finding all containers/artifacts that match certain field conditions. The idea is to run an API query against the SOAR artifact endpoint to get all the artifacts and use the returned artifact fields in further fulfilling automation. A few questions in this respect:

1) Does SOAR support API filtering like described in this article: https://medium.com/@lovely_peel_hamster_92/splunk-phantom-rest-api-filters-956a58854bfc Specifically, the ability to access child objects in JSON. The documentation does not seem to mention anything about accessing child objects: https://docs.splunk.com/Documentation/Phantom/4.10.7/PlatformAPI/RESTQueryData

3) Also, when filters are applied, we seem to lose the ability to restrict the output to a list of fields. It returns the entire JSON, while the requirement is for specific fields.

What we are actually trying to achieve: check for closed SNow INCs and close corresponding Splunk ES notables and SOAR containers. We have broken down the approach into modules and have the component parts working, but the aforementioned filtering is tripping us up. Solving the problem will help us complete the playbook.

I also found this and we are attempting something very similar: https://community.splunk.com/t5/Splunk-SOAR/Playbook-run-on-bulk-events/m-p/667251. Again, the filtering is key to completing this. Also open to suggestions on the approach to achieve the above. Thanks in advance!

Labels: using SOAR / Phantom