src/app.py

This document will dive deeper into the initial structure of the app.py file when starting working with Apps.

The file consists of a few main parts:

  1. Logger initialization

  2. Asset definition

  3. App initialization

  4. Actions definitions

  5. App CLI invocation

Here’s an example app.py file which uses a wide variety of the features available in the SDK:

  1from collections.abc import Generator, Iterator
  2from datetime import UTC, datetime
  3from zoneinfo import ZoneInfo
  4
  5from soar_sdk.abstract import SOARClient
  6from soar_sdk.action_results import ActionOutput, MakeRequestOutput, OutputField
  7from soar_sdk.app import App
  8from soar_sdk.asset import AssetField, BaseAsset, FieldCategory
  9from soar_sdk.logging import getLogger
 10from soar_sdk.models.artifact import Artifact
 11from soar_sdk.models.container import Container
 12from soar_sdk.models.finding import Finding, FindingAttachment, FindingEmail
 13from soar_sdk.params import (
 14    MakeRequestParams,
 15    OnESPollParams,
 16    OnPollParams,
 17    Param,
 18    Params,
 19)
 20
 21logger = getLogger()
 22
 23SAMPLE_EMAILS = [
 24    {
 25        "from": "phishing@malicious-domain.example.com",
 26        "to": "employee1@company.example.com",
 27        "subject": "Urgent: Verify your account",
 28        "date": None,
 29        "body": (
 30            "Dear user,\n\n"
 31            "Your account has been compromised. Please click the link below "
 32            "to verify your identity immediately.\n\n"
 33            "https://malicious-login.example.com/verify?token=abc123\n\n"
 34            "Regards,\nIT Support"
 35        ),
 36        "urls": [
 37            "https://malicious-login.example.com/verify?token=abc123",
 38        ],
 39        "attachment_name": "invoice.pdf",
 40        "attachment_data": b"fake pdf attachment content",
 41    },
 42    {
 43        "from": "spam@spoofed-bank.example.com",
 44        "to": "employee2@company.example.com",
 45        "subject": "Your payment is overdue",
 46        "date": None,
 47        "body": (
 48            "Hello,\n\n"
 49            "We noticed an outstanding balance on your account. "
 50            "Please review the attached statement and submit payment.\n\n"
 51            "https://fake-payment.example.com/pay\n\n"
 52            "Thank you,\nBilling Department"
 53        ),
 54        "urls": [
 55            "https://fake-payment.example.com/pay",
 56        ],
 57        "attachment_name": "statement.xlsx",
 58        "attachment_data": b"fake spreadsheet content",
 59    },
 60]
 61
 62
 63class Asset(BaseAsset):
 64    base_url: str = AssetField(default="https://example")
 65    api_key: str = AssetField(sensitive=True, description="API key for authentication")
 66    key_header: str = AssetField(
 67        default="Authorization",
 68        value_list=["Authorization", "X-API-Key"],
 69        description="Header for API key authentication",
 70    )
 71    timezone: ZoneInfo
 72    timezone_with_default: ZoneInfo = AssetField(
 73        default=ZoneInfo("America/Denver"), category=FieldCategory.ACTION
 74    )
 75
 76
 77app = App(
 78    asset_cls=Asset,
 79    name="example_app",
 80    appid="9b388c08-67de-4ca4-817f-26f8fb7cbf55",
 81    app_type="sandbox",
 82    product_vendor="Splunk Inc.",
 83    logo="logo.svg",
 84    logo_dark="logo_dark.svg",
 85    product_name="Example App",
 86    publisher="Splunk Inc.",
 87    min_phantom_version="6.2.2.134",
 88)
 89
 90
 91@app.test_connectivity()
 92def test_connectivity(soar: SOARClient, asset: Asset) -> None:
 93    soar.get("rest/version")
 94    container_id = soar.get_executing_container_id()
 95    logger.info(f"current executing container's container_id is: {container_id}")
 96    asset_id = soar.get_asset_id()
 97    logger.info(f"current executing container's asset_id is: {asset_id}")
 98    logger.info(f"testing connectivity against {asset.base_url}")
 99    logger.debug("hello")
100    logger.warning("this is a warning")
101    logger.progress("this is a progress message")
102
103
104class ActionOutputSummary(ActionOutput):
105    is_success: bool
106
107
108@app.action()
109def test_summary_with_list_output(
110    params: Params, asset: Asset, soar: SOARClient
111) -> list[ActionOutput]:
112    soar.set_summary(ActionOutputSummary(is_success=True))
113    return [ActionOutput(), ActionOutput()]
114
115
116@app.action()
117def test_empty_list_output(
118    params: Params, asset: Asset, soar: SOARClient
119) -> list[ActionOutput]:
120    return []
121
122
123class JsonOutput(ActionOutput):
124    name: str = OutputField(example_values=["John", "Jane", "Jim"], column_name="Name")
125    age: int = OutputField(example_values=[25, 30, 35], column_name="Age")
126
127
128class TableParams(Params):
129    company_name: str = Param(column_name="Company Name", default="Splunk")
130
131
132@app.action(render_as="json")
133def test_json_output(params: Params, asset: Asset, soar: SOARClient) -> JsonOutput:
134    return JsonOutput(name="John", age=25)
135
136
137@app.action(render_as="table")
138def test_table_output(
139    params: TableParams, asset: Asset, soar: SOARClient
140) -> JsonOutput:
141    return JsonOutput(name="John", age=25)
142
143
144from .actions.reverse_string import render_reverse_string_view
145
146app.register_action(
147    "actions.reverse_string:reverse_string",
148    action_type="investigate",
149    verbose="Reverses a string.",
150    view_template="reverse_string.html",
151    view_handler=render_reverse_string_view,
152)
153
154
155app.register_action(
156    "actions.permissive_action:permissive_reverse_string",
157    action_type="investigate",
158    verbose="Reverses a string but doesn't care if it gets all its output fields.",
159    view_template="reverse_string.html",
160    view_handler=render_reverse_string_view,
161)
162
163from .actions.generate_category import render_statistics_chart
164
165app.register_action(
166    "actions.generate_category:generate_statistics",
167    action_type="investigate",
168    verbose="Generate statistics with pie chart reusable component.",
169    view_handler=render_statistics_chart,
170)
171
172
173class MakeRequestParamsCustom(MakeRequestParams):
174    endpoint: str = Param(
175        description="The endpoint to send the request to. Base url is already included in the endpoint.",
176        required=True,
177    )
178
179
180@app.make_request()
181def http_action(params: MakeRequestParamsCustom, asset: Asset) -> MakeRequestOutput:
182    logger.info(f"HTTP action triggered with params: {params}")
183    return MakeRequestOutput(
184        status_code=200,
185        response_body=f"Base url is {asset.base_url}",
186    )
187
188
189@app.on_poll()
190def on_poll(
191    params: OnPollParams, soar: SOARClient, asset: Asset
192) -> Iterator[Container | Artifact]:
193    if params.is_manual_poll():
194        logger.info("Manual poll (poll now) detected")
195    else:
196        logger.info("Scheduled poll detected")
197
198    # Create container first for artifacts
199    yield Container(
200        name="Network Alerts",
201        description="Some network-related alerts",
202        severity="medium",
203    )
204
205    # Simulate collecting 2 network artifacts that will be put in the network alerts container
206    for i in range(1, 3):
207        logger.info(f"Processing network artifact {i}")
208
209        alert_id = f"testalert-{datetime.now(UTC).strftime('%Y%m%d')}-{i}"
210        artifact = Artifact(
211            name=f"Network Alert {i}",
212            label="alert",
213            severity="medium",
214            source_data_identifier=alert_id,
215            type="network",
216            description=f"Example network alert {i} from polling operation",
217            data={
218                "alert_id": alert_id,
219                "source_ip": f"10.0.0.{i}",
220                "destination_ip": "192.168.0.1",
221                "protocol": "TCP",
222            },
223        )
224
225        yield artifact
226
227
228@app.on_es_poll()
229def on_es_poll(
230    params: OnESPollParams, soar: SOARClient, asset: Asset
231) -> Generator[Finding, int | None]:
232    for i, email_data in enumerate(SAMPLE_EMAILS, start=1):
233        logger.info(f"Processing test finding {i}")
234
235        date_str = datetime.now(UTC).strftime("%a, %d %b %Y %H:%M:%S +0000")
236        raw_eml = (
237            f"From: {email_data['from']}\r\n"
238            f"To: {email_data['to']}\r\n"
239            f"Subject: {email_data['subject']}\r\n"
240            f"Date: {date_str}\r\n"
241            f"MIME-Version: 1.0\r\n"
242            f"Content-Type: text/plain; charset=utf-8\r\n"
243            f"\r\n"
244            f"{email_data['body']}"
245        )
246
247        yield Finding(
248            rule_title=f"Test Finding {i}: {email_data['subject']}",
249            email=FindingEmail(
250                headers={
251                    "From": email_data["from"],
252                    "To": email_data["to"],
253                    "Subject": email_data["subject"],
254                    "Date": date_str,
255                    "Content-Type": "text/plain; charset=utf-8",
256                },
257                body=email_data["body"],
258                urls=email_data["urls"],
259            ),
260            attachments=[
261                FindingAttachment(
262                    file_name=f"email_{i}.eml",
263                    data=raw_eml.encode("utf-8"),
264                    is_raw_email=True,
265                ),
266                FindingAttachment(
267                    file_name=email_data["attachment_name"],
268                    data=email_data["attachment_data"],
269                    is_raw_email=False,
270                ),
271            ],
272        )
273
274
275app.register_action(
276    "actions.async_action:async_process",
277    action_type="investigate",
278    verbose="Processes a message asynchronously with concurrent HTTP requests.",
279)
280
281app.register_action(
282    "actions.async_action:sync_process",
283    action_type="investigate",
284    verbose="Processes a message synchronously with sequential HTTP requests.",
285)
286
287
288class GeneratorActionOutput(ActionOutput):
289    iteration: int
290
291
292class GeneratorActionSummary(ActionOutput):
293    total_iterations: int
294
295
296@app.action(summary_type=GeneratorActionSummary)
297def generator_action(
298    params: Params, soar: SOARClient[GeneratorActionSummary], asset: Asset
299) -> Iterator[GeneratorActionOutput]:
300    """Generates a sequence of numbers."""
301    logger.info(f"Generator action triggered with params: {params}")
302    for i in range(5):
303        yield GeneratorActionOutput(iteration=i)
304    soar.set_summary(GeneratorActionSummary(total_iterations=5))
305
306
307@app.action()
308def write_state(params: Params, soar: SOARClient, asset: Asset) -> ActionOutput:
309    asset.cache_state.clear()
310    assert asset.cache_state == {}
311    asset.cache_state["value"] = "banana"
312    return ActionOutput()
313
314
315@app.action()
316def read_state(params: Params, soar: SOARClient, asset: Asset) -> ActionOutput:
317    assert asset.cache_state == {"value": "banana"}
318    return ActionOutput()
319
320
321if __name__ == "__main__":
322    app.cli()

Components of the app.py File

Let’s dive deeper into each part of the app.py file above:

Logger Initialization

Logger initialization
 9from soar_sdk.logging import getLogger
10from soar_sdk.models.artifact import Artifact
11from soar_sdk.models.container import Container
12from soar_sdk.models.finding import Finding, FindingAttachment, FindingEmail
13from soar_sdk.params import (
14    MakeRequestParams,
15    OnESPollParams,
16    OnPollParams,
17    Param,
18    Params,
19)
20
21logger = getLogger()

The SDK provides a logging interface via the getLogger() function. This is a standard Python logger which is pre-configured to work with either the local CLI or the Splunk SOAR platform. Within the platform,

  • logger.debug() and logger.warning() messages are written to the spawn.log file at DEBUG level.

  • logger.error() and logger.critical() messages are written to the spawn.log file at ERROR level.

  • logger.info() messages are sent to the Splunk SOAR platform as persistent action progress messages, visible in the UI.

  • logger.progress() messages are sent to the Splunk SOAR platform as transient action progress messages, visible in the UI, but overwritten by subsequent progress messages.

When running locally via the CLI, all log messages are printed to the console, in colors corresponding to their log level.

Asset Definition

Asset definition
63class Asset(BaseAsset):
64    base_url: str = AssetField(default="https://example")
65    api_key: str = AssetField(sensitive=True, description="API key for authentication")
66    key_header: str = AssetField(
67        default="Authorization",
68        value_list=["Authorization", "X-API-Key"],
69        description="Header for API key authentication",
70    )
71    timezone: ZoneInfo
72    timezone_with_default: ZoneInfo = AssetField(
73        default=ZoneInfo("America/Denver"), category=FieldCategory.ACTION
74    )

Apps should define an asset class to hold configuration information for the app. The asset class should be a pydantic model that inherits from BaseAsset and defines the app’s configuration fields. Fields requiring metadata should be defined using an instance of AssetField(). The SDK uses this information to generate the asset configuration form in the Splunk SOAR platform UI.

App Initialization

App initialization
77app = App(
78    asset_cls=Asset,
79    name="example_app",
80    appid="9b388c08-67de-4ca4-817f-26f8fb7cbf55",
81    app_type="sandbox",
82    product_vendor="Splunk Inc.",
83    logo="logo.svg",
84    logo_dark="logo_dark.svg",
85    product_name="Example App",
86    publisher="Splunk Inc.",
87    min_phantom_version="6.2.2.134",
88)

This is how you initialize the basic App instance. The app object will be used to register actions, views, and/or webhooks. Keep in mind this object variable and its path are referenced by pyproject.toml so the Splunk SOAR platform knows where the app instance is provided.

Action Definitions

Actions are defined as standalone functions, with a few important rules and recommendations.

Action Metadata

Action definition carry with them important metadata which is used by the Splunk SOAR platform to present the action in the UI, and to generate the app’s manifest. Often, this metadata can be derived automatically from the action function’s signature:

  • The action’s “identifier” is, by default, the name of the action function (e.g. my_action).

  • The action’s “name” is, by default, the action function’s name with spaces instead of underscores (e.g. my action).

  • The action’s “description” is, by default, the action function’s docstring.

  • The action’s “type” is, by default, generic unless the action is one of the reserved names like test connectivity or on poll.

Note

By convention, action names should be lowercase, with 2-3 words. Keep action names short but descriptive, and avoid using the name of the app or external service in action names. Where feasible, it’s recommended to consider reusing action names across different apps (e.g. get email) to provide a more consistent user experience.

Action Arguments

There is a magic element, similar to pytest fixtures, in the action arguments. The type hints for the argument definitions of an action function are critical to this mechanism. The rules are as follows:

  • The first positional argument of an action function must be the params argument, and its type hint must be a Pydantic model inheriting from Params. The position and type of this argument are required. The name params is a convention, but not strictly required.

  • If an action function has any argument named soar, at runtime the SDK will provide an instance of a SOARClient implementation as that argument, which is already authenticated with Splunk SOAR. The type hint for this argument should be SOARClient.

  • If an action function has any argument named asset, at runtime the SDK will provide an instance of the app’s asset class, populated with the asset configuration for the current action run. The type hint for this argument should be the app’s asset class.

Note

The special actions which define their own decorators have stricter rules about the type of the params argument. For example, the on poll action must take an OnPollParams instance as its params argument, and test connectivity must take no params argument at all.

Action Returns

An action’s return type annotation is critical for the Splunk SOAR platform to understand, via datapaths, what an action’s output looks like. In practice, this means that you must define a class inheriting from ActionOutput to represent the action’s output, and then return an instance of that class from your action function:

from soar_sdk.action_results import ActionOutput

class MyActionOutput(ActionOutput):
    field1: str
    field2: int

@app.action()
def my_action(params: MyActionParams) -> MyActionOutput:
    # action logic here
    return MyActionOutput(field1="value", field2=42)
Advanced Return Types

For more advanced use cases, an action’s return type can be a list, Iterator, or AsyncGenerator that yields multiple ActionOutput objects:

@app.action()
def my_action_list(params: MyActionParams) -> list[MyActionOutput]:
    # action logic here
    return [
        MyActionOutput(field1="value1", field2=1),
        MyActionOutput(field1="value2", field2=2)
    ]

from typing import Iterator

@app.action()
def my_action_iterator(params: MyActionParams) -> Iterator[MyActionOutput]:
    # action logic here
    yield MyActionOutput(field1="value1", field2=1)
    yield MyActionOutput(field1="value2", field2=2)

from typing import AsyncGenerator

@app.action()
async def my_action_async_generator(
    params: MyActionParams,
    asset: Asset,
) -> AsyncGenerator[MyActionOutput]:
    async with client = httpx.AsyncClient() as client:
        async for i in range(10):
            response = await client.get(
                f"{asset.base_url}/data",
                params={"page": i}
            )
            yield MyActionOutput(**response.json())

test connectivity Action

Test connectivity action definition
 91@app.test_connectivity()
 92def test_connectivity(soar: SOARClient, asset: Asset) -> None:
 93    soar.get("rest/version")
 94    container_id = soar.get_executing_container_id()
 95    logger.info(f"current executing container's container_id is: {container_id}")
 96    asset_id = soar.get_asset_id()
 97    logger.info(f"current executing container's asset_id is: {asset_id}")
 98    logger.info(f"testing connectivity against {asset.base_url}")
 99    logger.debug("hello")
100    logger.warning("this is a warning")
101    logger.progress("this is a progress message")

All apps must register exactly one test connectivity action in order to be considered valid by Splunk SOAR. This action takes no parameters, and is used to verify that the app and its associated asset configuration are working correctly. Running test connectivity on the Splunk SOAR platform should answer the questions:

  • Can the app connect to the external service?

  • Can the app authenticate with the external service?

  • Does the app have the necessary permissions to perform its actions?

A successful test connectivity action should return None, and a failure should raise an ActionFailure with a descriptive error message.

on poll Action

on poll action definition
189@app.on_poll()
190def on_poll(
191    params: OnPollParams, soar: SOARClient, asset: Asset
192) -> Iterator[Container | Artifact]:
193    if params.is_manual_poll():
194        logger.info("Manual poll (poll now) detected")
195    else:
196        logger.info("Scheduled poll detected")
197
198    # Create container first for artifacts
199    yield Container(
200        name="Network Alerts",
201        description="Some network-related alerts",
202        severity="medium",
203    )
204
205    # Simulate collecting 2 network artifacts that will be put in the network alerts container
206    for i in range(1, 3):
207        logger.info(f"Processing network artifact {i}")
208
209        alert_id = f"testalert-{datetime.now(UTC).strftime('%Y%m%d')}-{i}"
210        artifact = Artifact(
211            name=f"Network Alert {i}",
212            label="alert",
213            severity="medium",
214            source_data_identifier=alert_id,
215            type="network",
216            description=f"Example network alert {i} from polling operation",
217            data={
218                "alert_id": alert_id,
219                "source_ip": f"10.0.0.{i}",
220                "destination_ip": "192.168.0.1",
221                "protocol": "TCP",
222            },
223        )
224
225        yield artifact

on poll is another special action that apps may choose to implement. This action always takes an OnPollParams instance as its parameter. If defined, this action will be called in order to ingest new data into the Splunk SOAR platform. The action should yield Container and/or Artifact instances representing the new data to be ingested. The SDK will handle actually creating the containers and artifacts in the platform.

Make Request Action

Make request action definition
180@app.make_request()
181def http_action(params: MakeRequestParamsCustom, asset: Asset) -> MakeRequestOutput:
182    logger.info(f"HTTP action triggered with params: {params}")
183    return MakeRequestOutput(
184        status_code=200,
185        response_body=f"Base url is {asset.base_url}",
186    )

Apps may define a special “make request” action, which can be used to interact with the underlying external service’s REST API directly. Having this action available can be useful when there are parts of the REST API that don’t have dedicated actions implemented in the app.

We create an action by decorating a function with the app.action decorator. The default action_type is generic, so usually you will not have to provide this argument for the decorator. This is not the case for the test action type though, so we provide this type here explicitly.

Custom Actions

Actions can be registered one of two ways:

Using the action() decorator to decorate a standalone function.

decorated action definition
296@app.action(summary_type=GeneratorActionSummary)
297def generator_action(
298    params: Params, soar: SOARClient[GeneratorActionSummary], asset: Asset
299) -> Iterator[GeneratorActionOutput]:
300    """Generates a sequence of numbers."""
301    logger.info(f"Generator action triggered with params: {params}")
302    for i in range(5):
303        yield GeneratorActionOutput(iteration=i)
304    soar.set_summary(GeneratorActionSummary(total_iterations=5))

Using the register_action() method to register a function which may be defined in another module.

The two methods are functionally equivalent. The decorator method is often more convenient for simple actions, while the registration method may be preferable for larger apps where actions are defined in separate modules. Apps may use either or both methods to register their actions.

App CLI Invocation

App CLI invocation
321if __name__ == "__main__":
322    app.cli()

A generic invocation to the app’s cli() method, which enables running the app actions directly from command line. The app template created by soarapps init includes this snippet by default, and it is recommended to keep it in order to facilitate local testing and debugging of your app actions.