×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
JustntherSplker
Explorer
Member since: ‎06-15-2021
‎05-15-2025
Community Statistics
Posts 5
Solutions 2
Karma Given 1
Karma Received 1
Member Since ‎06-15-2021
View All

Re: Splunk SOAR access environment variables

by in Splunk SOAR
‎03-19-2025 12:01 AM
‎03-19-2025 12:01 AM
We worked with Splunk support to solve this. Recording the response since others might find it useful 1)phantom.get_base_url() helps access the URL set in the above screenshot (Base URL for Splunk SOAR) - Previous attempts did not work which is bizarre 2)Accessing environment variables     import os     import django      import sys           os.environ.setdefault("DJANGO_SETTINGS_MODULE", "phantom_ui.settings")     django.setup()          from phantom_ui.ui.models import SystemSettings     s = SystemSettings.get_settings()     envVars = s.environment_variables     phantom.debug(envVars) If your variable is called abc, you can now access its value in a variable by abcvalue = envVars['abc']['value'] 3) If your environment variable is stored as a secret , step 2 returns a salted variable which is no good for the authentication. Use the below to decrypt it before usage.  import encryption_helper clear_text_password = encryption_helper.decrypt(abcvalue, 'Splunk>Phantom') By using 2 and 3, you can programmatically access environment variables including secret tokens and avoid specifying plaintext auth creds in your code block / custom functions! ... View more

Re: API Filtering in Splunk SOAR - Access child el...

by in Splunk SOAR
‎03-09-2025 05:58 AM
‎03-09-2025 05:58 AM
@SOARt_of_Lost Going by your profile name, would appreciate your thoughts on this question as well! TIA https://community.splunk.com/t5/Splunk-SOAR/Splunk-SOAR-access-environment-variables/td-p/741231 ... View more

Splunk SOAR access environment variables

by in Splunk SOAR
‎03-09-2025 05:54 AM
‎03-09-2025 05:54 AM
We have a playbook which is making calls to SOAR REST API artifacts endpoint. We are having to pass the auth token for the REST API call in the script as plain text which isn't ideal. Given we haven't configured a vault/vault like solution (CA,Vault etc.) ,  1)We set a SOAR global environment variable and stored the value as a secret but how do we call this in our script? Have tried looking at all possible attributes in the phantom library - Documentation is next to none for this - I also tried os.environ.get but custom variables are not going to be present in it. I am able to access value of variables like NO_PROXY and it returns the respective value. Any ideas around this will help. 2)I am also trying to get the base URL for constructing the REST call  Using build_phantom_rest_url or get_base_url is  returning the URL as local address 127.0.0.1 and not our specific URL. In short, trying to access the values in the image within our custom function and haven't found a solution Making a REST API call requires auth and that option is ruled out for getting the API token. Any inputs will help. Thanks in advance. ... View more
Labels

Re: API Filtering in Splunk SOAR - Access child el...

by in Splunk SOAR
‎03-09-2025 05:21 AM
‎03-09-2025 05:21 AM
@SOARt_of_Lost Appreciate the response. I have since figured out exactly what we want to achieve. The key to achieving it was figuring out how the value is passed to the filter. The DJANGO 'in' filter expects a comma even if just one value is found for the custom field So the python script in the custom function looks at /rest/artifacts?_filter_cef__<our_custom_field>__in="a","b","c","d"&page_size=0 for multiple values & /rest/artifacts?_filter_cef__<our_custom_field>__in="a",&page_size=0 when a single value is found. As for the filter outputs to restrict fields, we eventually achieved that in the function output. The plan was to restrict values/volume of data return but oh well, wasn't working any which way! so function output was the way to go. ... View more

API Filtering in Splunk SOAR - Access child elemen...

by in Splunk SOAR
‎02-24-2025 05:08 AM
1 Karma
‎02-24-2025 05:08 AM
1 Karma
Working on a use case which entails finding All containers/artifacts that match certain field conditions. The idea is to run an API query against SOAR artifact end point to get all the artifacts and use the returned artifact fields in further fulfilling automation. A few questions in this respect 1)Does SOAR support API filtering like described in this article - https://medium.com/@lovely_peel_hamster_92/splunk-phantom-rest-api-filters-956a58854bfc Specifically the ability to access child objects in JSON. Documentation does not seem to mention anything about accessing child objects. https://docs.splunk.com/Documentation/Phantom/4.10.7/PlatformAPI/RESTQueryData 3)Also when filters are applied, we seem to lose the ability to restrict the output to a list of fields. It returns the entire JSON while the requirement is for specific fields. What we are actually trying to achieve -  Check for closed SNow INCs and close corresponding Splunk ES notables, and SOAR containers. We have broken down the approach into modules and have the component parts working but the aforementioned filtering is tripping us up - Solving the problem will help us complete the playbook. I also found this and we are attempting something very similar - https://community.splunk.com/t5/Splunk-SOAR/Playbook-run-on-bulk-events/m-p/667251. Again, the filtering is key to completing this. Also, open to suggestions on approach to achieve the above. Thanks! in advance.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-15-2025 01:06 AM
Karma from
View All
Karma given to
View All