About bongo

bongo · ‎08-04-2021

After some experimentation I found that the endpoint will return all data if passed the following general JSON object after it's converted to a query string: { "page_number": 1, "min_time": "2018-01-01T00:00:00.000000Z", "max_time": "2038-01-01T00:00:00.000000Z", "count": 10000, "artifact": { "count": 10000, "min_time": "2018-01-01T00:00:00.000000Z", "max_time": "2038-01-01T00:00:00.000000Z", }, "event": { "count": 10000, "min_time": "2018-01-01T00:00:00.000000Z", "max_time": "2038-01-01T00:00:00.000000Z", }, "playbook": { "count": 10000, "min_time": "2018-01-01T00:00:00.000000Z", "max_time": "2038-01-01T00:00:00.000000Z", }, "action": { "count": 10000, "min_time": "2018-01-01T00:00:00.000000Z", "max_time": "2038-01-01T00:00:00.000000Z", } } For example: /rest/container/<container ID>/timeline?query_params={"page_number":1,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z","count":10000,"artifact":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"},"event":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"},"playbook":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"},"action":{"count":10000,"min_time":"2018-01-01T00:00:00.000000Z","max_time":"2038-01-01T00:00:00.000000Z"}}

bongo · ‎08-03-2021

This is indeed possible. You must start with the parent container ID to generate a list of all its related attachment IDs: /rest/container/{container id}/attachments For each of the attachment IDs returned, construct and call the following URL with the ID of one or more attachments you want to download: /rest/container/{container_id}/export?file_list[]={id of attached file 1}&file_list[]={id of attached file 2}&file_list[]={id of attached file 3} ... etc This is the same process used by "EXPORT" menu on the investigation page. I've requested documentation on many of these useful undocumented APIs from Splunk. They said these APIs are for internal use only, are not supported, and are subject to change.

bongo · ‎07-27-2021

Hi. I need to extract container timeline events via the REST API in order to generate analyst, playbook and action timeline reports. The closest endpoint I can find is briefly mentioned in the REST API documentation: /rest/container/<container id>/actions I can't find any other mention of this endpoint in the documentation. This endpoint is useful however it only provides action history, not analyst or playbook activity history. The Phantom web portal calls an undocumented API which returns exactly what I need: /rest/container/<container ID>/timeline?<many required query parameters> ...however it requires many query parameters. If you don't get the query parameters correct it returns empty results. My questions: 1. Can someone refer me to documentation for the container timeline API endpoint mentioned above? 2. If not, is there an alternative "documented" endpoint that will return all container timeline information? Thanks

bongo · ‎07-27-2021

@venkatasri Thanks for the reply, but I'm referring to reports in Phantom, not Splunk. The reporting area I'm referring to is located under Home --> Reporting.

bongo · ‎07-26-2021

How can you delete reports that have been created on the /reports page? I have administrator rights but can't see any option to delete, only create. Thanks

Posts	5
Solutions	2
Karma Given	0
Karma Received	4
Member Since	‎07-26-2021

Online Status	Offline
Date Last Visited	‎03-31-2022 01:02 AM

Get container timeline history via REST

Deleting reports

Re: Get container timeline history via REST

Re: Download files from Phantom case via REST API

Get container timeline history via REST

Re: Deleting reports

Deleting reports