REST App
Install Splunk SOAR (Cloud) apps and see which Python version each app uses.
/rest/app
Syntax
https://<username>:<password>@<host>/rest/app
Usage details
The account used must have permissions to edit Apps.
POST
Install a Splunk SOAR (Cloud) app.
Example request
You can submit an HTTP POST to the following endpoint with a base64 encoded tarball or installer package.
curl -k -u username:password https://localhost/rest/app \
-d '{
"app": "<BASE64 ENCODED TARBALL OR INSTALLER PACKAGE>"
}'
Success example response
A successful response includes the import success message and the "success": true status.
{
"success": true,
"message": "App successfully imported.",
"id": 190
}
Failure example response
A failed response includes the import failure message and the "failed": true status.
{
"failed": true,
"message": "App install failed."
}
Example Python request
Python example of how the API can be called.
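import base64
import json
import os
import requests

# Read the app package (tarball or installer package) as raw bytes.
with open('/path/to/myapp.tgz', 'rb') as f:
    file_contents = f.read()
# b64encode returns bytes; decode to str so the payload is JSON serializable.
encoded_contents = base64.b64encode(file_contents).decode('ascii')
payload = {'app': encoded_contents}
# Assumption: the password comes from an environment variable, not the source file.
PASSWORD = os.environ['SOAR_PASSWORD']
response = requests.post('https://phantom.mycompany.com/rest/app',
                         auth=('soar_local_admin', PASSWORD),
                         data=json.dumps(payload))
print(response.json())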
The app file can be a supported installer package such as a tarball or .rpm file. The app can be updated by simply POSTing the new app in the exact same manner as the original install.
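The install call and its two documented responses, as an added example that is not Splunk's code: it builds the same Basic-auth POST using only the standard library, keeps certificate verification on instead of mirroring `curl -k`, and records a SHA-256 of the uploaded package. The function names and the handling of a non-2xx failure status are assumptions.

```python
import base64
import hashlib
import json
import ssl
import urllib.error
import urllib.request


def build_install_request(host, username, password, package_bytes):
    """Build, without sending, the POST /rest/app request for an app package."""
    # b64encode returns bytes; decode so json.dumps can serialize the value.
    encoded = base64.b64encode(package_bytes).decode("ascii")
    # HTTP Basic credentials, the same scheme as curl -u username:password.
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return urllib.request.Request(
        f"https://{host}/rest/app",
        data=json.dumps({"app": encoded}).encode("utf-8"),
        headers={"Authorization": f"Basic {token}"},
        method="POST",
    )


def parse_install_response(body):
    """Map the documented response JSON to (installed, message, app_id)."""
    doc = json.loads(body)
    installed = doc.get("success") is True and not doc.get("failed")
    return installed, doc.get("message", ""), doc.get("id") if installed else None


def install_app(host, username, password, package_path):
    """Upload a package over verified TLS and report the outcome."""
    with open(package_path, "rb") as fh:
        package = fh.read()
    req = build_install_request(host, username, password, package)
    # Default context checks the certificate chain and hostname (unlike curl -k).
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        # Assumption: a failed install may arrive with a non-2xx status code.
        body = err.read()
    installed, message, app_id = parse_install_response(body)
    # The digest ties the installed app id to the exact package that was reviewed.
    digest = hashlib.sha256(package).hexdigest()
    return {"sha256": digest, "installed": installed, "message": message, "id": app_id}
```

Logging the returned `sha256` next to the app `id` gives a record of exactly which package was installed or used to update the app.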
DELETE
Delete a Splunk SOAR (Cloud) app.
Example request
Delete the app with Id 151.
curl -k -u username:password https://localhost/rest/app/151 -X DELETE
/rest/app/<app-id>
Get the details of the specified app, including the Python version number.
Syntax
https://<username>:<password>@<host>/rest/app/<app-id>
Usage details
The account used must have permissions to view Apps.
GET
See the Python version number of the specified App.
Example request
Get the details of app id 112.
curl -k -u username:password 'https://localhost/rest/app/112?pretty' -G -X GET
Example response
A successful GET returns a JSON-formatted list of key names and their values.
{
"app_config_render": null,
"product_version_regex": ".*",
"python_version": "3.6",
"uber_view": null,
"disabled": false,
"logo": "logo_abuseipdb.svg",
"install_time": "2019-07-15T01:31:42.560831Z",
"id": 112,
"logo_dark": "logo_abuseipdb_dark.svg",
"rest_handler": null,
"appname": "-",
"_pretty_invalid_assets": [],
"version": 1,
"_pretty_actions": [
{
"description": "Report an IP for abusive behavior",
"name": "post ip"
},
{
"description": "Queries IP info",
"name": "lookup ip"
},
{
"description": "Validate the asset configuration for connectivity using supplied configuration",
"name": "test connectivity"
}
],
"app_version": "1.0.9",
"type": "reputation",
"product_name": "AbuseIPDB",
"description": "This app integrates with AbuseIPDB to perform investigative actions",
"tags": [],
"_pretty_asset_count": 1,
"app_config": {},
"_pretty_install_time": "Jul 15 at 01:31 AM",
"configuration": {
"api_key": {
"required": true,
"description": "API Key",
"data_type": "password"
}
},
"product_vendor": "AbuseIPDB",
"publisher": "Splunk",
"name": "AbuseIPDB",
"release_tag": null,
"consolidate_widgets": true,
"appid": "52876771-17a7-45ad-8cc5-513bbd2172c5",
"directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5",
"_pretty_dark_logo": "logo_abuseipdb_dark.svg",
"require_auth_token": false,
"main_module": "abuseipdb_connector.pyc",
"known_versions": [
"1.0.9"
]
}
The return values of note follow:
Field | Type | Description |
---|---|---|
app_version | string | The version of the app. |
configuration | JSON object | Key value pairs for configuration. Required and optional values are defined by the Apps. See individual App documentation for more info. For example: |
description | string | A brief description of the app. |
id | string | The Id of the app. |
install_time | string | The time that the app was installed, in epoch UTC format. |
logo | string | The product logo in .svg or .png format. |
logo_dark | string | The dark mode product logo in .svg or .png format. |
name | string | Short name for the asset. Used when invoking an action on this asset. |
product_name | string | Official name of the product. Used when invoking an action on this asset. |
product_vendor | string | The name of the app vendor. Used when invoking an action on this asset. |
publisher | string | The publisher of the app, such as Splunk SOAR (Cloud) or Splunk or SentinelOne. |
python_version | string | Python version number. |
tags | array of strings | 0 or more tags associated with the asset. A simple string can also be used for a single tag. Optional, for use with Playbooks. |
type | string | A brief categorization of this asset. |