REST Automation Broker
The Splunk Automation Broker provides a path for your Splunk SOAR (On-premises) instance to securely communicate with and run actions using on-premises assets or applications. Use these APIs to manage your Splunk Automation Broker.
For more information on the Splunk Automation Broker, see About Splunk Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.
/rest/automation_proxy
Syntax
https://<username>:<password>@<instance_name>.splunkcloud.com/rest/automation_proxy
Usage details
The account used must have the following permissions depending on the type of request:- GET - View System Settings permissions
- POST - Edit System Settings permissions
GET
Get information about an Automation Broker.
Request parameters
A GET request to the /rest/automation_proxy endpoint requires no arguments and returns a list. See Query for Data for additional arguments that can be used with most Splunk SOAR queries to filter and sort query results.Example request
Get information about the installed and launched Automation Brokers.curl -X GET -u 'https://<username>:<password>@<instance_name>.splunkcloud.com/rest/automation_proxy/rest/automation_proxy'
Example response
A successful GET will return a 200 response, and a JSON formatted list of the installed and launched automation brokers and their settings.{
"count": 1,
"num_pages": 1,
"data": [
{
"id": 5,
"name": "foo",
"owner": 1,
"service_account": 9,
"create_time": "2021-06-30T15:12:40.857733Z",
"update_time": "2021-06-30T15:12:58.567980Z",
"keys_rotated_time": "2021-06-30T15:12:58.567086Z",
"type": "ACTION_BROKER",
"version": "4.12.2.58336",
"status": "complete",
"last_seen_status": "active"
}
]
}
POST
Add an installed Automation Broker to Splunk SOAR.
Request parameters
These are the parameters to pass in your POST to the /rest/automation_proxy endpoint.| Field | Required | Type | Description |
|---|---|---|---|
| auth_code | required | string | This is the Splunk SOAR authorization code generated when the Splunk Automation Broker is installed. The authorization code expires after 15 minutes. See Install Splunk Automation Broker in Set Up Automation in Splunk SOAR. |
| broker_encrypt_public_key | required | string | This is the Splunk SOAR Automation Broker encryption key generated when the Splunk Automation Broker is installed. See Install Splunk Automation Broker in Set Up Automation in Splunk SOAR. |
| name | required | string | This is the name you give your Automation Broker. Names must be unique. |
Example request
Add an installed, launched, and currently unpaired Automation Broker to Splunk SOAR.curl -X POST -u <username>:<password> -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' --data '{"auth_code": <authorization code>, "broker_encrypt_public_key": <automation broker encryption key>, "name": "name to assign to the automation broker" }'
Example response
A successful POST will return a success message with a status code of 200.{
"success": true,
"id": 5,
"message": "Proxy Pairing and Identity creation completed successfully"
}
/rest/automation_proxy/<id>
Syntax
https://<username>:<password>@<host>/rest/automation_proxy/<id>
Usage details
The account used must have the following permissions depending on the type of request:- GET - View System Settings permissions
- POST - Edit System Settings permissions
- DELETE - Edit System Settings permissions
GET
Get information about an Automation Broker.
Example request
Get information about the named Automation Broker.curl -X GET -u <username>:<password> 'http://<host>:<port>/rest/automation_proxy/<id>'
Example response
A successful GET will return a 200 response, and a JSON formatted list of the specified automation broker's settings.{
"id": 6,
"name": "foo",
"owner": 1,
"service_account": 10,
"create_time": "2021-06-30T16:40:07.740125Z",
"update_time": "2021-06-30T16:40:26.068649Z",
"keys_rotated_time": "2021-06-30T16:40:26.067635Z",
"type": "ACTION_BROKER",
"version": "4.12.2.58336",
"status": "complete",
"last_seen_status": "inactive"
}
POST
Examples for changing the name of an Automation Broker, and rotating the encryption keys of an Automation Broker.
Request parameters
| Field | Required | Type | Description |
|---|---|---|---|
| name | optional | string | The name of the Automation Broker. Names must be unique. |
| rotate | optional | boolean | Set this to "true" to rotate the Automation Broker's encryption keys and authentication token. |
Example request
Change the Automation Broker's name.curl -X POST -u <username>:<password> -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' --data '{"name": "foobar"}'
Example response
A successful POST will return a success message with a status code of 200.{
"success": true,
"id": 5,
"message": "Updated name"
}
Example request
Rotate the Automation Broker's encryption keys.curl -X POST -u <username>:<password> -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>' --data '{"rotate": true}'
Example response
A successful POST will return a success message with a status code of 200.{
"success": true,
"id": 5,
"message": "Rotated encryption keys, rotated on prem token"
}
DELETE
An example of deleting an Automation Broker from Splunk SOAR.
Request parameters
A DELETE call to the /rest/automation_proxy/<id> API endpoint only takes the <id> parameter, which is the numeric id of the Automation Broker.Example request
Delete the specified Automation Broker from Splunk SOAR.curl -X DELETE -u soar_local_admin:password -H "Content-Type: application/json" 'http://<host>:<port>/rest/automation_proxy/<id>'
Example response
A successful DELETE will return a return a success message.{
"success": true,
"id": 5,
"message": "Operation successful"
}