Other endpoints support migrating the Company whitelist to a Safelist library, retrieve a Safelist library by its GUID, parse terms from a chunk of text, and get the list of summaries for the Safelist libraries for your organization.

Endpoints to search for Indicators and update tags.

Endpoints to get observables in a submission, search for observables, and remove or add tags to an observable.

Endpoints for submissions (Intelligence Sources, Events, or Indicators) that you can use to get status, search, redact text, or alter tags.

Endpoints to create, update, upsert, find, or delete Events.

Endpoints to create, update, upsert, find, or delete Indicators.

Endpoints to create, update, upsert, find, or delete Intelligence.

Endpoints that support Intel Workflow functionality. Gets a list of Enclaves that the user has permissions to access.

Endpoints to create a new Safelist library, add or delete entries, and delete a Safelist library. The API provides endpoints for these functional areas of the Splunk Intelligence Management platform:

Endpoints for Authentication (API Key and API Secret). See Splunk Intelligence Management Python SDK to interact with the Splunk Intelligence Management REST API from within any Python program.

Some endpoints can be used for any Submission, while other endpoints are specific to one type of Submission, for example, Submission Event endpoints. Introduces the term Submission to cover Intelligence Sources, Events, and Indicators.

Version 2.0 introduces some changes from previous versions of the Splunk Intelligence Management REST API: All API access is over HTTPS, and all data is transmitted securely in JSON format. (defaults to "groups").

The Splunk Intelligence Management REST API enables you to easily synchronize report information available in Splunk Intelligence Management with the monitoring tools and analysis workflows you use in your infrastructure. Used to locate group data in the SAML assertion, treated as a mapping object, e.g. 
Not required only if the FQDN has been set in Company Settings.

Flag indicating if SSL is required (defaults to FALSE). Users will be redirected here for login when using SAML2.

Base URL for the Phantom instance. URL used to gain user consent/authorization from the identity provider. This is used for out-of-band configuration. The XML containing the SAML provider metadata. For more information, see Maintenance Services Interface in the IT Service Intelligence REST API Reference manual. Use this interface to perform CRUD operations on maintenance windows in your environment. This is the preferred method of obtaining provider metadata since it should always be up-to-date.

Manage maintenance windows through the REST API

The Maintenance Service Interface encapsulates operations on maintenance windows in ITSI. The issuer ID (URI) given by your provider. SAML2 providers are modified with the following keys. The "group" key should contain the name of the LDAP group that translates to the Phantom group. The "role" key should contain the numeric ID of the Phantom role. The "external_attr" key should contain the name of the LDAP attribute used to populate the django attribute.

Each entry of the array should contain two key-value pairs. The "django_attr" key should have one of the following values. Requires the test_username to be set.

Each entry of the array should contain two key-value pairs. Used to verify the test_username is in the expected group. Username for testing LDAP access and queries. Required if using Cyberark as a credential manager. Identifies the Safe that contains the credentials in Cyberark. Path for identifying the password in the credential manager. Key for identifying the password in the credential manager. Required if not using a credential manager to store your password.

Flag indicating if the service account password should be retrieved from the credential manager. The password for the service account used to query the provider. 
If set to true, will only connect using ldaps. For information on the Splunk platform REST API, see the Splunk REST API User Manual. You can use this API to interact programmatically and extend the functionality of ITSI. Username for the service account used to query the provider. This reference describes Splunk IT Service Intelligence (ITSI) REST API endpoints exposed via the splunkd management port 8089. ID of the provider, this should be a GUID-like entry.

Flag indicating if the provider is enabled. Type of provider, should match the section. The name of the provider configuration entry. LDAP providers are modified with the following keys. Type should match the name of the section. Partial updates are not supported.

Each section is modified with the following keys at the top level.

Flag indicating if this section is enabled (applies to all of each ldap/saml2/openid sections).

An array of the provider configurations. The entirety of "auth_settings" must be submitted in a single post. Possible keys are:

A complex data structure containing all authentication providers. Key-value pairs indicating which audit trail sections should be enabled. Audit trail settings and authentication providers are modified with the following parameters.