11/10/2023

Splunk Phantom REST API

Admins always have access to all containers, so they don't need to be added to the authorized list. Some teams only want to allow certain people to work on particular types of cases, so just because people are assigned to the label, it doesn't mean they all need access to a particular case. Authorized access can only be granted to the subset of users who are already assigned to a label that has edit permissions on the container. The authorized user list is always updated to include only the list passed by this command. The user IDs as per the /rest/ph_user API, for example.

The workbook ID can be found using the /rest/workbook_template API. If provided, the phases and tasks from the specified workbook will be added to this container. The ID of the workbook to apply to this container.

Containers with the 'default' type are events in the user interface.

While this field is optional, it is required if multi-tenancy is enabled. The tenant ID as per the /rest/tenant API.

A simple string can also be used for a single tag.

Either one of New, Open, Closed, or a custom status created by an administrator.

0 or more tags associated with the asset.

the container was retrieved from a SIEM, this is the Id in the SIEM) Must be unique per container; if no identifier is provided, a unique value is generated.

Date and time (in UTC) when the behavior tracked by the container started.

Date and time (in UTC) when the container was opened or reopened.

Current status of the container.

Id which can be used to find this container in the source product.

Either one of Low, Medium, High, or a custom severity name created by an administrator. Helps to determine the SLA applied to Actions related to the container. One of:

Describes how severe material related to the container is.
Not a container data field: This parameter instructs to run automation upon creation or update of the container, and defaults to False.

Describes how sensitive material related to the container is.

You can use owner_id or role_id, but not both at the same time. Id of the role that is the current owner of the container, if you don't know the username of the owner. Role name or numeric Id as per the /rest/role API.

ID of the user who is the current owner of the container.

Some example labels:

Account username or numeric ID.

Specifying a label overrides the default. This field is required; however, if the label can be determined using the app or an automation user's default label, then it may be omitted.

Id of the app which produced the container.

See the Administrator's Guide for details.

A brief useful description of the behavior tracked by this container.

Date and time (in UTC) when the SLA for this container will expire.

Date and time (in UTC) when the behavior tracked by the container stopped.

There may be required fields defined in the administration settings. JSON object that contains key/value pairs for custom container fields.

Id of the asset which produced the container.

Date and time (in UTC) when the container was closed.

See the REST documentation on artifacts regarding artifact format and the note below on run_automation for additional information. Must be a list of JSON objects containing the artifact data.

Containers are modified with the following parameters.

Enables creation of artifacts in the same POST with the container.