REST CEF
Splunk SOAR (On-premises) uses the Common Event Format (CEF). CEF is a system of key:value pairs for the key pieces of information about an artifact. The value is often referred to as the "contains" for short.
/rest/cef
Get a list of available CEF.
Syntax
https://<username>:<password>@<host>/rest/cef
Usage details
Use query parameters to request additional pages or to sort the results. All default CEFs have the type "default." Custom CEFs have the type "custom." Only custom CEFs are mutable; CEFs with the type "default" cannot be modified.
GET
Get a list of available CEF.
Example request
Get a list of available CEF.
curl -k -u username:password https://localhost/rest/cef -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
"count": 151,
"data": [
{
"type": "default",
"id": 1,
"data_type": [
"mac address"
],
"name": "dmac"
},
…
{
"type": "custom",
"id": 566,
"data_type": ["myIp"],
"name": "myDestination"
}
],
"num_pages": 16
}
POST
Add a custom CEF.
Example request
You can add a custom CEF by supplying a JSON formatted body.
curl -k -u username:password https://localhost/rest/cef \
-d '{
"name":"docs-test-cef",
"data_type":["test"]
}'
Example response
A successful response includes the numeric Id given to the CEF.
{
"id": 151,
"success": true
}
/rest/cef filters
You can use operators to sort or filter the results.
Parameter | Required | Type | Description |
_filter_type | optional | string | Either "custom" or "default". Custom returns only custom CEFs, while default returns a list of all default CEFs. |
_filter_name | optional | string | A quoted name for the CEF you want information about. |
/rest/cef?_filter_type="custom"
Look up information about a CEF
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_type="custom"
GET
Get a list of all custom CEFs defined on the system.
Example request
Get a list of all custom CEFs.
curl -k -u username:password https://localhost/rest/cef?_filter_type="custom" -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
"count": 1,
"data": [
{
"type": "custom",
"id": 151,
"data_type": [
"test"
],
"name": "docs-test-cef"
}
],
"num_pages": 1
}
/rest/cef?custom=true&page_size=3&page=0
Get a paginated list of all custom CEFs
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_type="custom"
Usage
You can set the page size to any valid integer.
GET
Get a list of all custom CEFs defined on the system, organized into pages.
Example request
Get a paginated list of available CEF.
curl -k -u username:password https://localhost/rest/cef?custom=true&page_size=3&page=0 -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
"count": 151,
"data": [
{
"type": "default",
"id": 1,
"data_type": [
"mac address"
],
"name": "dmac"
},
{
"type": "default",
"id": 2,
"data_type": [],
"name": "act"
},
{
"type": "default",
"id": 3,
"data_type": [
"host name"
],
"name": "dhost"
},
{
"type": "default",
"id": 4,
"data_type": [],
"name": "app"
},
{
"type": "default",
"id": 5,
"data_type": [],
"name": "deviceCustomDate2Label"
},
{
"type": "default",
"id": 6,
"data_type": [],
"name": "applicationProtocol"
},
{
"type": "default",
"id": 7,
"data_type": [],
"name": "deviceDirection"
},
{
"type": "default",
"id": 8,
"data_type": [],
"name": "baseEventCount"
},
{
"type": "default",
"id": 9,
"data_type": [
"domain"
],
"name": "dntdom"
},
{
"type": "default",
"id": 10,
"data_type": [],
"name": "bytesIn"
}
],
"num_pages": 16
}
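To make the filter and pagination rules above concrete, here is an added Python example (not part of the Splunk SOAR documentation or product code) that builds /rest/cef URLs with the quoted filter values the docs use, walks every page using the response's num_pages field, and collects only the mutable (custom) CEFs. It assumes the response shape shown on this page; the server is replaced by a constructed in-memory stand-in (fake_fetch) so it runs offline, and fetch_json shows the same GET against a real host with TLS verification against a CA file instead of curl -k.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List, Optional

def cef_list_url(base: str, page: int = 0, page_size: int = 100,
                 filter_type: Optional[str] = None, filter_name: Optional[str] = None) -> str:
    """Build a /rest/cef URL. The docs pass filter values as quoted strings
    (_filter_type="custom"), so the quotes are part of the value and get URL-encoded."""
    params = {"page": str(page), "page_size": str(page_size)}
    if filter_type is not None:
        params["_filter_type"] = f'"{filter_type}"'
    if filter_name is not None:
        params["_filter_name"] = f'"{filter_name}"'
    return f"{base}/rest/cef?" + urllib.parse.urlencode(params)

def fetch_json(url: str, username: str, password: str, cafile: str) -> dict:
    """GET with HTTP basic auth, verifying the server certificate against cafile
    rather than disabling verification the way curl -k does."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.load(resp)
def iter_cefs(fetch: Callable[[str], dict], base: str, page_size: int = 100,
              **filters: str) -> Iterator[dict]:
    """Yield every CEF across all pages, stopping when num_pages is reached."""
    page = 0
    while True:
        body = fetch(cef_list_url(base, page=page, page_size=page_size, **filters))
        yield from body["data"]
        page += 1
        if page >= body.get("num_pages", 1):
            return
def mutable_cef_names(fetch: Callable[[str], dict], base: str) -> List[str]:
    """Names of the CEFs that POST /rest/cef/<id> and DELETE may touch: only type "custom"."""
    return [c["name"] for c in iter_cefs(fetch, base, filter_type="custom")
            if c["type"] == "custom"]
# Constructed offline stand-in for a SOAR server: two pages, filters ignored (hypothetical data).
_FAKE_PAGES = [
    {"count": 3, "num_pages": 2, "data": [
        {"type": "default", "id": 1, "data_type": ["mac address"], "name": "dmac"},
        {"type": "custom", "id": 151, "data_type": ["test"], "name": "docs-test-cef"}]},
    {"count": 3, "num_pages": 2, "data": [
        {"type": "custom", "id": 566, "data_type": ["myIp"], "name": "myDestination"}]}]
def fake_fetch(url: str) -> dict:
    page = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["page"][0])
    return _FAKE_PAGES[page]
```

Against a real appliance, pass `lambda u: fetch_json(u, user, pw, "/path/to/ca.pem")` as the fetch argument in place of fake_fetch.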
/rest/cef?_filter_name="<name>"
Get information about a single CEF, by name.
Syntax
https://<username>:<password>@<host>/rest/cef?_filter_name="<name>"
GET
Get information about a single CEF, by name.
Example request
Get the CEF named docs-test-cef.
curl -k -u username:password https://localhost/rest/cef?_filter_name="docs-test-cef" -G -X GET
Example response
A successful GET returns a JSON formatted list of key names and their contains data.
{
"count": 1,
"data": [
{
"type": "custom",
"id": 151,
"data_type": [
"test"
],
"name": "docs-test-cef"
}
],
"num_pages": 1
}
/rest/cef/<id>
Update a custom CEF.
Syntax
https://<username>:<password>@<host>/rest/cef/<id>
POST
Update a custom CEF by supplying the CEF Id and a JSON formatted body of the updates.
Example request
Update the custom CEF called docs-example-cef.
curl -k -u username:password https://localhost/rest/cef/<id> \
-d '{
"name":"docs-example-cef",
"data_type":["example"]
}'
Example response
A successful response includes the numeric Id given to the CEF.
{
"id": 151,
"success": true
}
DELETE
Delete a custom CEF by supplying the CEF Id.
Example request
Delete the custom CEF with Id 151.
curl -k -u username:password https://localhost/rest/cef/151 -X DELETE
Example response
A successful response includes a success message.
{
"success": true
}