src/app.py

This document will dive deeper into the initial structure of the app.py file when starting working with Apps.

The file consists of a few main parts:

  1. Logger initialization

  2. Asset definition

  3. App initialization

  4. Actions definitions

  5. App CLI invocation

Here’s an example app.py file which uses a wide variety of the features available in the SDK:

  1from collections.abc import Generator, Iterator
  2from datetime import UTC, datetime
  3from zoneinfo import ZoneInfo
  4
  5from soar_sdk.abstract import SOARClient
  6from soar_sdk.action_results import ActionOutput, MakeRequestOutput, OutputField
  7from soar_sdk.app import App
  8from soar_sdk.asset import AssetField, BaseAsset, FieldCategory
  9from soar_sdk.logging import getLogger
 10from soar_sdk.models.artifact import Artifact
 11from soar_sdk.models.container import Container
 12from soar_sdk.models.finding import Finding, FindingAttachment
 13from soar_sdk.params import (
 14    MakeRequestParams,
 15    OnESPollParams,
 16    OnPollParams,
 17    Param,
 18    Params,
 19)
 20
 21logger = getLogger()
 22
 23SAMPLE_EMAIL_TEMPLATE = """From: suspicious@example.com
 24To: {user}
 25Subject: Suspicious Activity Detected
 26Date: {date}
 27
 28This is a suspicious email that triggered the risk threshold.
 29Event ID: {event_id}
 30"""
 31
 32
 33class Asset(BaseAsset):
 34    base_url: str = AssetField(default="https://example")
 35    api_key: str = AssetField(sensitive=True, description="API key for authentication")
 36    key_header: str = AssetField(
 37        default="Authorization",
 38        value_list=["Authorization", "X-API-Key"],
 39        description="Header for API key authentication",
 40    )
 41    timezone: ZoneInfo
 42    timezone_with_default: ZoneInfo = AssetField(
 43        default=ZoneInfo("America/Denver"), category=FieldCategory.ACTION
 44    )
 45
 46
 47app = App(
 48    asset_cls=Asset,
 49    name="example_app",
 50    appid="9b388c08-67de-4ca4-817f-26f8fb7cbf55",
 51    app_type="sandbox",
 52    product_vendor="Splunk Inc.",
 53    logo="logo.svg",
 54    logo_dark="logo_dark.svg",
 55    product_name="Example App",
 56    publisher="Splunk Inc.",
 57    min_phantom_version="6.2.2.134",
 58)
 59
 60
 61@app.test_connectivity()
 62def test_connectivity(soar: SOARClient, asset: Asset) -> None:
 63    soar.get("rest/version")
 64    container_id = soar.get_executing_container_id()
 65    logger.info(f"current executing container's container_id is: {container_id}")
 66    asset_id = soar.get_asset_id()
 67    logger.info(f"current executing container's asset_id is: {asset_id}")
 68    logger.info(f"testing connectivity against {asset.base_url}")
 69    logger.debug("hello")
 70    logger.warning("this is a warning")
 71    logger.progress("this is a progress message")
 72
 73
 74class ActionOutputSummary(ActionOutput):
 75    is_success: bool
 76
 77
 78@app.action()
 79def test_summary_with_list_output(
 80    params: Params, asset: Asset, soar: SOARClient
 81) -> list[ActionOutput]:
 82    soar.set_summary(ActionOutputSummary(is_success=True))
 83    return [ActionOutput(), ActionOutput()]
 84
 85
 86@app.action()
 87def test_empty_list_output(
 88    params: Params, asset: Asset, soar: SOARClient
 89) -> list[ActionOutput]:
 90    return []
 91
 92
 93class JsonOutput(ActionOutput):
 94    name: str = OutputField(example_values=["John", "Jane", "Jim"], column_name="Name")
 95    age: int = OutputField(example_values=[25, 30, 35], column_name="Age")
 96
 97
 98class TableParams(Params):
 99    company_name: str = Param(column_name="Company Name", default="Splunk")
100
101
102@app.action(render_as="json")
103def test_json_output(params: Params, asset: Asset, soar: SOARClient) -> JsonOutput:
104    return JsonOutput(name="John", age=25)
105
106
107@app.action(render_as="table")
108def test_table_output(
109    params: TableParams, asset: Asset, soar: SOARClient
110) -> JsonOutput:
111    return JsonOutput(name="John", age=25)
112
113
114from .actions.reverse_string import render_reverse_string_view
115
116app.register_action(
117    "actions.reverse_string:reverse_string",
118    action_type="investigate",
119    verbose="Reverses a string.",
120    view_template="reverse_string.html",
121    view_handler=render_reverse_string_view,
122)
123
124
125app.register_action(
126    "actions.permissive_action:permissive_reverse_string",
127    action_type="investigate",
128    verbose="Reverses a string but doesn't care if it gets all its output fields.",
129    view_template="reverse_string.html",
130    view_handler=render_reverse_string_view,
131)
132
133from .actions.generate_category import render_statistics_chart
134
135app.register_action(
136    "actions.generate_category:generate_statistics",
137    action_type="investigate",
138    verbose="Generate statistics with pie chart reusable component.",
139    view_handler=render_statistics_chart,
140)
141
142
143class MakeRequestParamsCustom(MakeRequestParams):
144    endpoint: str = Param(
145        description="The endpoint to send the request to. Base url is already included in the endpoint.",
146        required=True,
147    )
148
149
150@app.make_request()
151def http_action(params: MakeRequestParamsCustom, asset: Asset) -> MakeRequestOutput:
152    logger.info(f"HTTP action triggered with params: {params}")
153    return MakeRequestOutput(
154        status_code=200,
155        response_body=f"Base url is {asset.base_url}",
156    )
157
158
159@app.on_poll()
160def on_poll(
161    params: OnPollParams, soar: SOARClient, asset: Asset
162) -> Iterator[Container | Artifact]:
163    if params.is_manual_poll():
164        logger.info("Manual poll (poll now) detected")
165    else:
166        logger.info("Scheduled poll detected")
167
168    # Create container first for artifacts
169    yield Container(
170        name="Network Alerts",
171        description="Some network-related alerts",
172        severity="medium",
173    )
174
175    # Simulate collecting 2 network artifacts that will be put in the network alerts container
176    for i in range(1, 3):
177        logger.info(f"Processing network artifact {i}")
178
179        alert_id = f"testalert-{datetime.now(UTC).strftime('%Y%m%d')}-{i}"
180        artifact = Artifact(
181            name=f"Network Alert {i}",
182            label="alert",
183            severity="medium",
184            source_data_identifier=alert_id,
185            type="network",
186            description=f"Example network alert {i} from polling operation",
187            data={
188                "alert_id": alert_id,
189                "source_ip": f"10.0.0.{i}",
190                "destination_ip": "192.168.0.1",
191                "protocol": "TCP",
192            },
193        )
194
195        yield artifact
196
197
198@app.on_es_poll()
199def on_es_poll(
200    params: OnESPollParams, soar: SOARClient, asset: Asset
201) -> Generator[Finding, int | None]:
202    for i in range(1, 3):
203        logger.info(f"Processing ES finding {i}")
204
205        email_content = SAMPLE_EMAIL_TEMPLATE.format(
206            user=f"user{i}@example.com",
207            date=datetime.now(UTC).strftime("%a, %d %b %Y %H:%M:%S +0000"),
208            event_id=f"EVT-{i:04d}",
209        )
210
211        yield Finding(
212            rule_title=f"Risk threshold exceeded for user-{i}",
213            rule_description="Risk Threshold Exceeded for an object over a 24 hour period",
214            risk_object=f"user{i}@example.com",
215            risk_object_type="user",
216            risk_score=75.0 + (i * 10),
217            status="New",
218            attachments=[
219                FindingAttachment(
220                    file_name=f"suspicious_email_user{i}.eml",
221                    data=email_content.encode("utf-8"),
222                    is_raw_email=True,
223                )
224            ],
225        )
226
227
228app.register_action(
229    "actions.async_action:async_process",
230    action_type="investigate",
231    verbose="Processes a message asynchronously with concurrent HTTP requests.",
232)
233
234app.register_action(
235    "actions.async_action:sync_process",
236    action_type="investigate",
237    verbose="Processes a message synchronously with sequential HTTP requests.",
238)
239
240
241class GeneratorActionOutput(ActionOutput):
242    iteration: int
243
244
245class GeneratorActionSummary(ActionOutput):
246    total_iterations: int
247
248
249@app.action(summary_type=GeneratorActionSummary)
250def generator_action(
251    params: Params, soar: SOARClient[GeneratorActionSummary], asset: Asset
252) -> Iterator[GeneratorActionOutput]:
253    """Generates a sequence of numbers."""
254    logger.info(f"Generator action triggered with params: {params}")
255    for i in range(5):
256        yield GeneratorActionOutput(iteration=i)
257    soar.set_summary(GeneratorActionSummary(total_iterations=5))
258
259
260@app.action()
261def write_state(params: Params, soar: SOARClient, asset: Asset) -> ActionOutput:
262    asset.cache_state.clear()
263    assert asset.cache_state == {}
264    asset.cache_state["value"] = "banana"
265    return ActionOutput()
266
267
268@app.action()
269def read_state(params: Params, soar: SOARClient, asset: Asset) -> ActionOutput:
270    assert asset.cache_state == {"value": "banana"}
271    return ActionOutput()
272
273
274if __name__ == "__main__":
275    app.cli()

Components of the app.py File

Let’s dive deeper into each part of the app.py file above:

Logger Initialization

Logger initialization
 9from soar_sdk.logging import getLogger
10from soar_sdk.models.artifact import Artifact
11from soar_sdk.models.container import Container
12from soar_sdk.models.finding import Finding, FindingAttachment
13from soar_sdk.params import (
14    MakeRequestParams,
15    OnESPollParams,
16    OnPollParams,
17    Param,
18    Params,
19)
20
21logger = getLogger()

The SDK provides a logging interface via the getLogger() function. This is a standard Python logger which is pre-configured to work with either the local CLI or the Splunk SOAR platform. Within the platform,

  • logger.debug() and logger.warning() messages are written to the spawn.log file at DEBUG level.

  • logger.error() and logger.critical() messages are written to the spawn.log file at ERROR level.

  • logger.info() messages are sent to the Splunk SOAR platform as persistent action progress messages, visible in the UI.

  • logger.progress() messages are sent to the Splunk SOAR platform as transient action progress messages, visible in the UI, but overwritten by subsequent progress messages.

When running locally via the CLI, all log messages are printed to the console, in colors corresponding to their log level.

Asset Definition

Asset definition
33class Asset(BaseAsset):
34    base_url: str = AssetField(default="https://example")
35    api_key: str = AssetField(sensitive=True, description="API key for authentication")
36    key_header: str = AssetField(
37        default="Authorization",
38        value_list=["Authorization", "X-API-Key"],
39        description="Header for API key authentication",
40    )
41    timezone: ZoneInfo
42    timezone_with_default: ZoneInfo = AssetField(
43        default=ZoneInfo("America/Denver"), category=FieldCategory.ACTION
44    )

Apps should define an asset class to hold configuration information for the app. The asset class should be a pydantic model that inherits from BaseAsset and defines the app’s configuration fields. Fields requiring metadata should be defined using an instance of AssetField(). The SDK uses this information to generate the asset configuration form in the Splunk SOAR platform UI.

App Initialization

App initialization
47app = App(
48    asset_cls=Asset,
49    name="example_app",
50    appid="9b388c08-67de-4ca4-817f-26f8fb7cbf55",
51    app_type="sandbox",
52    product_vendor="Splunk Inc.",
53    logo="logo.svg",
54    logo_dark="logo_dark.svg",
55    product_name="Example App",
56    publisher="Splunk Inc.",
57    min_phantom_version="6.2.2.134",
58)

This is how you initialize the basic App instance. The app object will be used to register actions, views, and/or webhooks. Keep in mind this object variable and its path are referenced by pyproject.toml so the Splunk SOAR platform knows where the app instance is provided.

Action Definitions

Actions are defined as standalone functions, with a few important rules and recommendations.

Action Metadata

Action definition carry with them important metadata which is used by the Splunk SOAR platform to present the action in the UI, and to generate the app’s manifest. Often, this metadata can be derived automatically from the action function’s signature:

  • The action’s “identifier” is, by default, the name of the action function (e.g. my_action).

  • The action’s “name” is, by default, the action function’s name with spaces instead of underscores (e.g. my action).

  • The action’s “description” is, by default, the action function’s docstring.

  • The action’s “type” is, by default, generic unless the action is one of the reserved names like test connectivity or on poll.

Note

By convention, action names should be lowercase, with 2-3 words. Keep action names short but descriptive, and avoid using the name of the app or external service in action names. Where feasible, it’s recommended to consider reusing action names across different apps (e.g. get email) to provide a more consistent user experience.

Action Arguments

There is a magic element, similar to pytest fixtures, in the action arguments. The type hints for the argument definitions of an action function are critical to this mechanism. The rules are as follows:

  • The first positional argument of an action function must be the params argument, and its type hint must be a Pydantic model inheriting from Params. The position and type of this argument are required. The name params is a convention, but not strictly required.

  • If an action function has any argument named soar, at runtime the SDK will provide an instance of a SOARClient implementation as that argument, which is already authenticated with Splunk SOAR. The type hint for this argument should be SOARClient.

  • If an action function has any argument named asset, at runtime the SDK will provide an instance of the app’s asset class, populated with the asset configuration for the current action run. The type hint for this argument should be the app’s asset class.

Note

The special actions which define their own decorators have stricter rules about the type of the params argument. For example, the on poll action must take an OnPollParams instance as its params argument, and test connectivity must take no params argument at all.

Action Returns

An action’s return type annotation is critical for the Splunk SOAR platform to understand, via datapaths, what an action’s output looks like. In practice, this means that you must define a class inheriting from ActionOutput to represent the action’s output, and then return an instance of that class from your action function:

from soar_sdk.action_results import ActionOutput

class MyActionOutput(ActionOutput):
    field1: str
    field2: int

@app.action()
def my_action(params: MyActionParams) -> MyActionOutput:
    # action logic here
    return MyActionOutput(field1="value", field2=42)
Advanced Return Types

For more advanced use cases, an action’s return type can be a list, Iterator, or AsyncGenerator that yields multiple ActionOutput objects:

@app.action()
def my_action_list(params: MyActionParams) -> list[MyActionOutput]:
    # action logic here
    return [
        MyActionOutput(field1="value1", field2=1),
        MyActionOutput(field1="value2", field2=2)
    ]

from typing import Iterator

@app.action()
def my_action_iterator(params: MyActionParams) -> Iterator[MyActionOutput]:
    # action logic here
    yield MyActionOutput(field1="value1", field2=1)
    yield MyActionOutput(field1="value2", field2=2)

from typing import AsyncGenerator

@app.action()
async def my_action_async_generator(
    params: MyActionParams,
    asset: Asset,
) -> AsyncGenerator[MyActionOutput]:
    async with client = httpx.AsyncClient() as client:
        async for i in range(10):
            response = await client.get(
                f"{asset.base_url}/data",
                params={"page": i}
            )
            yield MyActionOutput(**response.json())

test connectivity Action

Test connectivity action definition
61@app.test_connectivity()
62def test_connectivity(soar: SOARClient, asset: Asset) -> None:
63    soar.get("rest/version")
64    container_id = soar.get_executing_container_id()
65    logger.info(f"current executing container's container_id is: {container_id}")
66    asset_id = soar.get_asset_id()
67    logger.info(f"current executing container's asset_id is: {asset_id}")
68    logger.info(f"testing connectivity against {asset.base_url}")
69    logger.debug("hello")
70    logger.warning("this is a warning")
71    logger.progress("this is a progress message")

All apps must register exactly one test connectivity action in order to be considered valid by Splunk SOAR. This action takes no parameters, and is used to verify that the app and its associated asset configuration are working correctly. Running test connectivity on the Splunk SOAR platform should answer the questions:

  • Can the app connect to the external service?

  • Can the app authenticate with the external service?

  • Does the app have the necessary permissions to perform its actions?

A successful test connectivity action should return None, and a failure should raise an ActionFailure with a descriptive error message.

on poll Action

on poll action definition
159@app.on_poll()
160def on_poll(
161    params: OnPollParams, soar: SOARClient, asset: Asset
162) -> Iterator[Container | Artifact]:
163    if params.is_manual_poll():
164        logger.info("Manual poll (poll now) detected")
165    else:
166        logger.info("Scheduled poll detected")
167
168    # Create container first for artifacts
169    yield Container(
170        name="Network Alerts",
171        description="Some network-related alerts",
172        severity="medium",
173    )
174
175    # Simulate collecting 2 network artifacts that will be put in the network alerts container
176    for i in range(1, 3):
177        logger.info(f"Processing network artifact {i}")
178
179        alert_id = f"testalert-{datetime.now(UTC).strftime('%Y%m%d')}-{i}"
180        artifact = Artifact(
181            name=f"Network Alert {i}",
182            label="alert",
183            severity="medium",
184            source_data_identifier=alert_id,
185            type="network",
186            description=f"Example network alert {i} from polling operation",
187            data={
188                "alert_id": alert_id,
189                "source_ip": f"10.0.0.{i}",
190                "destination_ip": "192.168.0.1",
191                "protocol": "TCP",
192            },
193        )
194
195        yield artifact

on poll is another special action that apps may choose to implement. This action always takes an OnPollParams instance as its parameter. If defined, this action will be called in order to ingest new data into the Splunk SOAR platform. The action should yield Container and/or Artifact instances representing the new data to be ingested. The SDK will handle actually creating the containers and artifacts in the platform.

Make Request Action

Make request action definition
150@app.make_request()
151def http_action(params: MakeRequestParamsCustom, asset: Asset) -> MakeRequestOutput:
152    logger.info(f"HTTP action triggered with params: {params}")
153    return MakeRequestOutput(
154        status_code=200,
155        response_body=f"Base url is {asset.base_url}",
156    )

Apps may define a special “make request” action, which can be used to interact with the underlying external service’s REST API directly. Having this action available can be useful when there are parts of the REST API that don’t have dedicated actions implemented in the app.

We create an action by decorating a function with the app.action decorator. The default action_type is generic, so usually you will not have to provide this argument for the decorator. This is not the case for the test action type though, so we provide this type here explicitly.

Custom Actions

Actions can be registered one of two ways:

Using the action() decorator to decorate a standalone function.

decorated action definition
249@app.action(summary_type=GeneratorActionSummary)
250def generator_action(
251    params: Params, soar: SOARClient[GeneratorActionSummary], asset: Asset
252) -> Iterator[GeneratorActionOutput]:
253    """Generates a sequence of numbers."""
254    logger.info(f"Generator action triggered with params: {params}")
255    for i in range(5):
256        yield GeneratorActionOutput(iteration=i)
257    soar.set_summary(GeneratorActionSummary(total_iterations=5))

Using the register_action() method to register a function which may be defined in another module.

The two methods are functionally equivalent. The decorator method is often more convenient for simple actions, while the registration method may be preferable for larger apps where actions are defined in separate modules. Apps may use either or both methods to register their actions.

App CLI Invocation

App CLI invocation
274if __name__ == "__main__":
275    app.cli()

A generic invocation to the app’s cli() method, which enables running the app actions directly from command line. The app template created by soarapps init includes this snippet by default, and it is recommended to keep it in order to facilitate local testing and debugging of your app actions.