Splunk API documentation, 12/9/2023

phantom.act()

```python
phantom.act(action, parameters=[...], assets=None, tags=None,
            callback=None, reviewer=None, handle=None,
            start_time=None, name=None, asset_type=None,
            # the remaining parameters of the signature are not preserved on this page
```

| Parameter | Description |
|---|---|
| `action` | The name of the action that the user intends to run. Actions include block IP, list VM, or file reputation that are supported by the apps installed on the platform. |
| `parameters` | A list of dictionaries that contain the parameters expected by the action. The names of the keys are specific to the action being taken. |
| `assets` | A list of assets on which the action is run. If the user intends to take the action on a specific asset, it must be specified in this parameter. Assets are a list of asset IDs, as specified when an asset is configured. If the assets are configured with primary and secondary owners, the owners are required to approve an action before it can be run. If the asset is not specified, the action is run on all possible assets on which the action can be run. If multiple apps provide the same action for the same product, the system automatically uses the latest installed app. If new assets or apps are added to the Splunk Phantom platform, they might run actions that you hadn't intended to run. For example, if you begin your deployment with a simple network-based topology and configure a perimeter firewall that supports block IP, and then add an Active Directory (AD) server which has an associated app that also supports block IP, that action is run on both the firewall and the AD server. Setting appropriate approvals on assets can help to minimize this risk. |
| `tags` | A list of asset tags that help specify certain assets to be used for executing the action. You can assign assets a tag when they are configured. For example, if the asset is tagged critical and the action is block IP, the action is run only on assets that are tagged as critical. If tags and assets are both specified, then the action is run only on assets tagged with the matching tag. |
| `callback` | A specified callback function to be called upon completion of the action. Use the callback to evaluate the outcome of one action and then take more actions. Use the callback function either to serialize actions where you intend to run the actions one after the other, or where the subsequent action depends on the outcome or results of the first action. |
| `reviewer` | A username, email address, or group that receives an approval request to review the action before it is run. The user receives an approval request with all of the details of the action and its parameters. If Splunk Phantom is provided a comma-separated list or group, only one approval by any member of the list is required. SLA escalation settings affect how long the action is held for approval. |
| `handle` | A string object that, when specified, is passed on to the callback. Users can save any Python object that they need to access in the context of the callback from the action called. The handle is always saved with the action and passed to the callback. It is best to use handles to pass objects from actions to callbacks instead of global variables. The size of the handle object is limited to 4k. For objects bigger than 4k, use the save_data() and get_data() APIs instead. |
| `start_time` | The time when the action is scheduled for execution. |

Example

```python
phantom.act('geolocate ip', parameters=parameters,
            assets=[...], callback=geolocate_ip_cb,  # the asset list and any remaining arguments are not preserved on this page
```

This simple action can result in various execution strategies and outcomes, depending on how the system is configured. In this simple form, one app supports the geolocate IP action and there is one Maxmind asset configured, which results in one IP being queried once on one asset. In a more complex example, if there are two apps, both of which support file reputation, then this one simple action results in a file hash being queried on both of the assets. The single file reputation action results in the hash being queried twice, once on each asset. The two queries still constitute one action, so the callback file_reputation_cb is called once when both queries complete. The parameters in the example are a list of dictionaries containing one IP, but in one action call the user can specify many different IP addresses. The results JSON object provides full visibility into the execution of the action on all matching assets using all matching apps for all specified parameters.

Fragments of the example results: `"message": "'geolocate_ip_1' on asset 'maxmind': 1 ...` and `... Research, State: VIC, Country: Australia"`.

The `handle` passed to the callback is a string object that was specified in the action phantom.act() call for passing data between action and callbacks.
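The asset-selection rules described for `assets` and `tags` (including the firewall/AD case and the "latest installed app" rule), worked through as an added example. This is a constructed model of that selection logic, not Phantom's own code; the `App` and `Asset` types, `resolve_targets` and the sample configuration are assumptions.

```python
from dataclasses import dataclass

# Constructed model of how phantom.act() picks (asset, app) targets, as described in
# the documentation above. Not Splunk Phantom's code; names and data are assumptions.

@dataclass(frozen=True)
class App:
    name: str
    product: str
    version: tuple        # e.g. (2, 0); the highest version wins for one product
    actions: frozenset    # action names the app supports

@dataclass(frozen=True)
class Asset:
    id: str
    product: str
    tags: frozenset = frozenset()

def resolve_targets(action, assets_cfg, apps_cfg, assets=None, tags=None):
    """Return the (asset id, app name) pairs an action would run on.

    assets=None  -> every asset whose product has an app supporting the action
    assets given -> only those asset ids
    tags given   -> only assets carrying a matching tag (applied on top of assets)
    several apps for one product -> the latest installed (highest version) one
    """
    best = {}  # product -> latest app that supports this action
    for app in apps_cfg:
        if action in app.actions and (app.product not in best
                                      or app.version > best[app.product].version):
            best[app.product] = app
    targets = []
    for asset in assets_cfg:
        if assets is not None and asset.id not in assets:
            continue
        if tags is not None and not (asset.tags & set(tags)):
            continue
        app = best.get(asset.product)
        if app is not None:
            targets.append((asset.id, app.name))
    return targets

def demo():
    # Constructed deployment: a perimeter firewall, then an AD server whose app also supports block IP.
    fw_app = App("fw_app", "perimeter_fw", (1, 0), frozenset({"block ip"}))
    ad_app = App("ad_app", "active_directory", (1, 0), frozenset({"block ip", "list users"}))
    assets_cfg = [Asset("fw01", "perimeter_fw", frozenset({"critical"})),
                  Asset("ad01", "active_directory")]
    return {
        "before_ad": resolve_targets("block ip", assets_cfg, [fw_app]),
        "after_ad": resolve_targets("block ip", assets_cfg, [fw_app, ad_app]),   # unintended second target
        "explicit": resolve_targets("block ip", assets_cfg, [fw_app, ad_app], assets=["fw01"]),
        "tagged": resolve_targets("block ip", assets_cfg, [fw_app, ad_app], tags=["critical"]),
    }
```

Running `demo()` shows the blast radius growing from one target to two when the AD app is installed, and shrinking back to the firewall when `assets` or `tags` pin the action down.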