src/app.py

This document will dive deeper into the initial structure of the app.py file when starting working with Apps.

The file consists of a few main parts:

  1. Logger initialization

  2. Asset definition

  3. App initialization

  4. Actions definitions

  5. App CLI invocation

Here’s an example app.py file which uses a wide variety of the features available in the SDK:

  1from collections.abc import Generator, Iterator
  2from datetime import UTC, datetime
  3from zoneinfo import ZoneInfo
  4
  5from soar_sdk.abstract import SOARClient
  6from soar_sdk.action_results import ActionOutput, MakeRequestOutput, OutputField
  7from soar_sdk.app import App
  8from soar_sdk.asset import AssetField, BaseAsset, FieldCategory
  9from soar_sdk.logging import getLogger
 10from soar_sdk.models.artifact import Artifact
 11from soar_sdk.models.container import Container
 12from soar_sdk.models.finding import Finding, FindingAttachment, FindingEmail
 13from soar_sdk.params import (
 14    MakeRequestParams,
 15    OnESPollParams,
 16    OnPollParams,
 17    Param,
 18    Params,
 19)
 20
 21logger = getLogger()
 22
 23SAMPLE_EMAILS = [
 24    {
 25        "from": "phishing@malicious-domain.example.com",
 26        "to": "employee1@company.example.com",
 27        "subject": "Urgent: Verify your account",
 28        "date": None,
 29        "body": (
 30            "Dear user,\n\n"
 31            "Your account has been compromised. Please click the link below "
 32            "to verify your identity immediately.\n\n"
 33            "https://malicious-login.example.com/verify?token=abc123\n\n"
 34            "Regards,\nIT Support"
 35        ),
 36        "urls": [
 37            "https://malicious-login.example.com/verify?token=abc123",
 38        ],
 39        "attachment_name": "invoice.pdf",
 40        "attachment_data": b"fake pdf attachment content",
 41    },
 42    {
 43        "from": "spam@spoofed-bank.example.com",
 44        "to": "employee2@company.example.com",
 45        "subject": "Your payment is overdue",
 46        "date": None,
 47        "body": (
 48            "Hello,\n\n"
 49            "We noticed an outstanding balance on your account. "
 50            "Please review the attached statement and submit payment.\n\n"
 51            "https://fake-payment.example.com/pay\n\n"
 52            "Thank you,\nBilling Department"
 53        ),
 54        "urls": [
 55            "https://fake-payment.example.com/pay",
 56        ],
 57        "attachment_name": "statement.xlsx",
 58        "attachment_data": b"fake spreadsheet content",
 59    },
 60]
 61
 62
 63class Asset(BaseAsset):
 64    base_url: str = AssetField(default="https://example")
 65    api_key: str = AssetField(sensitive=True, description="API key for authentication")
 66    secret_alias: str = AssetField(
 67        sensitive=True,
 68        alias="bearer_token",
 69        description="Secret asset param with an alias",
 70    )
 71    key_header: str = AssetField(
 72        default="Authorization",
 73        value_list=["Authorization", "X-API-Key"],
 74        description="Header for API key authentication",
 75    )
 76    timezone: ZoneInfo
 77    timezone_with_default: ZoneInfo = AssetField(
 78        default=ZoneInfo("America/Denver"), category=FieldCategory.ACTION
 79    )
 80
 81
 82app = App(
 83    asset_cls=Asset,
 84    name="example_app",
 85    appid="9b388c08-67de-4ca4-817f-26f8fb7cbf55",
 86    app_type="sandbox",
 87    product_vendor="Splunk Inc.",
 88    logo="logo.svg",
 89    logo_dark="logo_dark.svg",
 90    product_name="Example App",
 91    publisher="Splunk Inc.",
 92    min_phantom_version="6.2.2.134",
 93)
 94
 95
 96@app.test_connectivity()
 97def test_connectivity(soar: SOARClient, asset: Asset) -> None:
 98    soar.get("rest/version")
 99    container_id = soar.get_executing_container_id()
100    logger.info(f"current executing container's container_id is: {container_id}")
101    asset_id = soar.get_asset_id()
102    logger.info(f"current executing container's asset_id is: {asset_id}")
103    logger.info(f"testing connectivity against {asset.base_url}")
104    logger.debug("hello")
105    logger.warning("this is a warning")
106    logger.progress("this is a progress message")
107    logger.info(f"secret_alias value is {asset.secret_alias}")
108    assert asset.secret_alias == "example bearer"
109
110
111class ActionOutputSummary(ActionOutput):
112    is_success: bool
113
114
115@app.action()
116def test_summary_with_list_output(
117    params: Params, asset: Asset, soar: SOARClient
118) -> list[ActionOutput]:
119    soar.set_summary(ActionOutputSummary(is_success=True))
120    return [ActionOutput(), ActionOutput()]
121
122
123@app.action()
124def test_empty_list_output(
125    params: Params, asset: Asset, soar: SOARClient
126) -> list[ActionOutput]:
127    return []
128
129
130class JsonOutput(ActionOutput):
131    name: str = OutputField(example_values=["John", "Jane", "Jim"], column_name="Name")
132    age: int = OutputField(example_values=[25, 30, 35], column_name="Age")
133
134
135class TableParams(Params):
136    company_name: str = Param(column_name="Company Name", default="Splunk")
137
138
139@app.action(render_as="json")
140def test_json_output(params: Params, asset: Asset, soar: SOARClient) -> JsonOutput:
141    return JsonOutput(name="John", age=25)
142
143
144@app.action(render_as="table")
145def test_table_output(
146    params: TableParams, asset: Asset, soar: SOARClient
147) -> JsonOutput:
148    return JsonOutput(name="John", age=25)
149
150
151from .actions.reverse_string import render_reverse_string_view
152
153app.register_action(
154    "actions.reverse_string:reverse_string",
155    action_type="investigate",
156    verbose="Reverses a string.",
157    view_template="reverse_string.html",
158    view_handler=render_reverse_string_view,
159)
160
161
162app.register_action(
163    "actions.permissive_action:permissive_reverse_string",
164    action_type="investigate",
165    verbose="Reverses a string but doesn't care if it gets all its output fields.",
166    view_template="reverse_string.html",
167    view_handler=render_reverse_string_view,
168)
169
170from .actions.generate_category import render_statistics_chart
171
172app.register_action(
173    "actions.generate_category:generate_statistics",
174    action_type="investigate",
175    verbose="Generate statistics with pie chart reusable component.",
176    view_handler=render_statistics_chart,
177)
178
179
180class MakeRequestParamsCustom(MakeRequestParams):
181    endpoint: str = Param(
182        description="The endpoint to send the request to. Base url is already included in the endpoint.",
183        required=True,
184    )
185
186
187@app.make_request()
188def http_action(params: MakeRequestParamsCustom, asset: Asset) -> MakeRequestOutput:
189    logger.info(f"HTTP action triggered with params: {params}")
190    return MakeRequestOutput(
191        status_code=200,
192        response_body=f"Base url is {asset.base_url}",
193    )
194
195
196@app.on_poll()
197def on_poll(
198    params: OnPollParams, soar: SOARClient, asset: Asset
199) -> Iterator[Container | Artifact]:
200    if params.is_manual_poll():
201        logger.info("Manual poll (poll now) detected")
202    else:
203        logger.info("Scheduled poll detected")
204
205    # Create container first for artifacts
206    yield Container(
207        name="Network Alerts",
208        description="Some network-related alerts",
209        severity="medium",
210    )
211
212    # Simulate collecting 2 network artifacts that will be put in the network alerts container
213    for i in range(1, 3):
214        logger.info(f"Processing network artifact {i}")
215
216        alert_id = f"testalert-{datetime.now(UTC).strftime('%Y%m%d')}-{i}"
217        artifact = Artifact(
218            name=f"Network Alert {i}",
219            label="alert",
220            severity="medium",
221            source_data_identifier=alert_id,
222            type="network",
223            description=f"Example network alert {i} from polling operation",
224            data={
225                "alert_id": alert_id,
226                "source_ip": f"10.0.0.{i}",
227                "destination_ip": "192.168.0.1",
228                "protocol": "TCP",
229            },
230        )
231
232        yield artifact
233
234
235@app.on_es_poll()
236def on_es_poll(
237    params: OnESPollParams, soar: SOARClient, asset: Asset
238) -> Generator[Finding, int | None]:
239    for i, email_data in enumerate(SAMPLE_EMAILS, start=1):
240        logger.info(f"Processing test finding {i}")
241
242        date_str = datetime.now(UTC).strftime("%a, %d %b %Y %H:%M:%S +0000")
243        raw_eml = (
244            f"From: {email_data['from']}\r\n"
245            f"To: {email_data['to']}\r\n"
246            f"Subject: {email_data['subject']}\r\n"
247            f"Date: {date_str}\r\n"
248            f"MIME-Version: 1.0\r\n"
249            f"Content-Type: text/plain; charset=utf-8\r\n"
250            f"\r\n"
251            f"{email_data['body']}"
252        )
253
254        yield Finding(
255            rule_title=f"Test Finding {i}: {email_data['subject']}",
256            email=FindingEmail(
257                headers={
258                    "From": email_data["from"],
259                    "To": email_data["to"],
260                    "Subject": email_data["subject"],
261                    "Date": date_str,
262                    "Content-Type": "text/plain; charset=utf-8",
263                },
264                body=email_data["body"],
265                urls=email_data["urls"],
266            ),
267            attachments=[
268                FindingAttachment(
269                    file_name=f"email_{i}.eml",
270                    data=raw_eml.encode("utf-8"),
271                    is_raw_email=True,
272                ),
273                FindingAttachment(
274                    file_name=email_data["attachment_name"],
275                    data=email_data["attachment_data"],
276                    is_raw_email=False,
277                ),
278            ],
279        )
280
281
282app.register_action(
283    "actions.async_action:async_process",
284    action_type="investigate",
285    verbose="Processes a message asynchronously with concurrent HTTP requests.",
286)
287
288app.register_action(
289    "actions.async_action:sync_process",
290    action_type="investigate",
291    verbose="Processes a message synchronously with sequential HTTP requests.",
292)
293
294
295class GeneratorActionOutput(ActionOutput):
296    iteration: int
297
298
299class GeneratorActionSummary(ActionOutput):
300    total_iterations: int
301
302
303@app.action(summary_type=GeneratorActionSummary)
304def generator_action(
305    params: Params, soar: SOARClient[GeneratorActionSummary], asset: Asset
306) -> Iterator[GeneratorActionOutput]:
307    """Generates a sequence of numbers."""
308    logger.info(f"Generator action triggered with params: {params}")
309    for i in range(5):
310        yield GeneratorActionOutput(iteration=i)
311    soar.set_summary(GeneratorActionSummary(total_iterations=5))
312
313
314@app.action()
315def write_state(params: Params, soar: SOARClient, asset: Asset) -> ActionOutput:
316    asset.cache_state.clear()
317    assert asset.cache_state == {}
318    asset.cache_state["value"] = "banana"
319    return ActionOutput()
320
321
322@app.action()
323def read_state(params: Params, soar: SOARClient, asset: Asset) -> ActionOutput:
324    assert asset.cache_state == {"value": "banana"}
325    return ActionOutput()
326
327
328if __name__ == "__main__":
329    app.cli()

Components of the app.py File

Let’s dive deeper into each part of the app.py file above:

Logger Initialization

Logger initialization
 9from soar_sdk.logging import getLogger
10from soar_sdk.models.artifact import Artifact
11from soar_sdk.models.container import Container
12from soar_sdk.models.finding import Finding, FindingAttachment, FindingEmail
13from soar_sdk.params import (
14    MakeRequestParams,
15    OnESPollParams,
16    OnPollParams,
17    Param,
18    Params,
19)
20
21logger = getLogger()

The SDK provides a logging interface via the getLogger() function. This is a standard Python logger which is pre-configured to work with either the local CLI or the Splunk SOAR platform. Within the platform,

  • logger.debug() and logger.warning() messages are written to the spawn.log file at DEBUG level.

  • logger.error() and logger.critical() messages are written to the spawn.log file at ERROR level.

  • logger.info() messages are sent to the Splunk SOAR platform as persistent action progress messages, visible in the UI.

  • logger.progress() messages are sent to the Splunk SOAR platform as transient action progress messages, visible in the UI, but overwritten by subsequent progress messages.

When running locally via the CLI, all log messages are printed to the console, in colors corresponding to their log level.

Asset Definition

Asset definition
63class Asset(BaseAsset):
64    base_url: str = AssetField(default="https://example")
65    api_key: str = AssetField(sensitive=True, description="API key for authentication")
66    secret_alias: str = AssetField(
67        sensitive=True,
68        alias="bearer_token",
69        description="Secret asset param with an alias",
70    )
71    key_header: str = AssetField(
72        default="Authorization",
73        value_list=["Authorization", "X-API-Key"],
74        description="Header for API key authentication",
75    )
76    timezone: ZoneInfo
77    timezone_with_default: ZoneInfo = AssetField(
78        default=ZoneInfo("America/Denver"), category=FieldCategory.ACTION
79    )

Apps should define an asset class to hold configuration information for the app. The asset class should be a pydantic model that inherits from BaseAsset and defines the app’s configuration fields. Fields requiring metadata should be defined using an instance of AssetField(). The SDK uses this information to generate the asset configuration form in the Splunk SOAR platform UI.

App Initialization

App initialization
82app = App(
83    asset_cls=Asset,
84    name="example_app",
85    appid="9b388c08-67de-4ca4-817f-26f8fb7cbf55",
86    app_type="sandbox",
87    product_vendor="Splunk Inc.",
88    logo="logo.svg",
89    logo_dark="logo_dark.svg",
90    product_name="Example App",
91    publisher="Splunk Inc.",
92    min_phantom_version="6.2.2.134",
93)

This is how you initialize the basic App instance. The app object will be used to register actions, views, and/or webhooks. Keep in mind this object variable and its path are referenced by pyproject.toml so the Splunk SOAR platform knows where the app instance is provided.

Action Definitions

Actions are defined as standalone functions, with a few important rules and recommendations.

Action Metadata

Action definition carry with them important metadata which is used by the Splunk SOAR platform to present the action in the UI, and to generate the app’s manifest. Often, this metadata can be derived automatically from the action function’s signature:

  • The action’s “identifier” is, by default, the name of the action function (e.g. my_action).

  • The action’s “name” is, by default, the action function’s name with spaces instead of underscores (e.g. my action).

  • The action’s “description” is, by default, the action function’s docstring.

  • The action’s “type” is, by default, generic unless the action is one of the reserved names like test connectivity or on poll.

Note

By convention, action names should be lowercase, with 2-3 words. Keep action names short but descriptive, and avoid using the name of the app or external service in action names. Where feasible, it’s recommended to consider reusing action names across different apps (e.g. get email) to provide a more consistent user experience.

Action Arguments

There is a magic element, similar to pytest fixtures, in the action arguments. The type hints for the argument definitions of an action function are critical to this mechanism. The rules are as follows:

  • The first positional argument of an action function must be the params argument, and its type hint must be a Pydantic model inheriting from Params. The position and type of this argument are required. The name params is a convention, but not strictly required.

  • If an action function has any argument named soar, at runtime the SDK will provide an instance of a SOARClient implementation as that argument, which is already authenticated with Splunk SOAR. The type hint for this argument should be SOARClient.

  • If an action function has any argument named asset, at runtime the SDK will provide an instance of the app’s asset class, populated with the asset configuration for the current action run. The type hint for this argument should be the app’s asset class.

Note

The special actions which define their own decorators have stricter rules about the type of the params argument. For example, the on poll action must take an OnPollParams instance as its params argument, and test connectivity must take no params argument at all.

Action Returns

An action’s return type annotation is critical for the Splunk SOAR platform to understand, via datapaths, what an action’s output looks like. In practice, this means that you must define a class inheriting from ActionOutput to represent the action’s output, and then return an instance of that class from your action function:

from soar_sdk.action_results import ActionOutput

class MyActionOutput(ActionOutput):
    field1: str
    field2: int

@app.action()
def my_action(params: MyActionParams) -> MyActionOutput:
    # action logic here
    return MyActionOutput(field1="value", field2=42)
Advanced Return Types

For more advanced use cases, an action’s return type can be a list, Iterator, or AsyncGenerator that yields multiple ActionOutput objects:

@app.action()
def my_action_list(params: MyActionParams) -> list[MyActionOutput]:
    # action logic here
    return [
        MyActionOutput(field1="value1", field2=1),
        MyActionOutput(field1="value2", field2=2)
    ]

from typing import Iterator

@app.action()
def my_action_iterator(params: MyActionParams) -> Iterator[MyActionOutput]:
    # action logic here
    yield MyActionOutput(field1="value1", field2=1)
    yield MyActionOutput(field1="value2", field2=2)

from typing import AsyncGenerator

@app.action()
async def my_action_async_generator(
    params: MyActionParams,
    asset: Asset,
) -> AsyncGenerator[MyActionOutput]:
    async with client = httpx.AsyncClient() as client:
        async for i in range(10):
            response = await client.get(
                f"{asset.base_url}/data",
                params={"page": i}
            )
            yield MyActionOutput(**response.json())

test connectivity Action

Test connectivity action definition
 96@app.test_connectivity()
 97def test_connectivity(soar: SOARClient, asset: Asset) -> None:
 98    soar.get("rest/version")
 99    container_id = soar.get_executing_container_id()
100    logger.info(f"current executing container's container_id is: {container_id}")
101    asset_id = soar.get_asset_id()
102    logger.info(f"current executing container's asset_id is: {asset_id}")
103    logger.info(f"testing connectivity against {asset.base_url}")
104    logger.debug("hello")
105    logger.warning("this is a warning")
106    logger.progress("this is a progress message")
107    logger.info(f"secret_alias value is {asset.secret_alias}")
108    assert asset.secret_alias == "example bearer"

All apps must register exactly one test connectivity action in order to be considered valid by Splunk SOAR. This action takes no parameters, and is used to verify that the app and its associated asset configuration are working correctly. Running test connectivity on the Splunk SOAR platform should answer the questions:

  • Can the app connect to the external service?

  • Can the app authenticate with the external service?

  • Does the app have the necessary permissions to perform its actions?

A successful test connectivity action should return None, and a failure should raise an ActionFailure with a descriptive error message.

on poll Action

on poll action definition
196@app.on_poll()
197def on_poll(
198    params: OnPollParams, soar: SOARClient, asset: Asset
199) -> Iterator[Container | Artifact]:
200    if params.is_manual_poll():
201        logger.info("Manual poll (poll now) detected")
202    else:
203        logger.info("Scheduled poll detected")
204
205    # Create container first for artifacts
206    yield Container(
207        name="Network Alerts",
208        description="Some network-related alerts",
209        severity="medium",
210    )
211
212    # Simulate collecting 2 network artifacts that will be put in the network alerts container
213    for i in range(1, 3):
214        logger.info(f"Processing network artifact {i}")
215
216        alert_id = f"testalert-{datetime.now(UTC).strftime('%Y%m%d')}-{i}"
217        artifact = Artifact(
218            name=f"Network Alert {i}",
219            label="alert",
220            severity="medium",
221            source_data_identifier=alert_id,
222            type="network",
223            description=f"Example network alert {i} from polling operation",
224            data={
225                "alert_id": alert_id,
226                "source_ip": f"10.0.0.{i}",
227                "destination_ip": "192.168.0.1",
228                "protocol": "TCP",
229            },
230        )
231
232        yield artifact

on poll is another special action that apps may choose to implement. This action always takes an OnPollParams instance as its parameter. If defined, this action will be called in order to ingest new data into the Splunk SOAR platform. The action should yield Container and/or Artifact instances representing the new data to be ingested. The SDK will handle actually creating the containers and artifacts in the platform.

Make Request Action

Make request action definition
187@app.make_request()
188def http_action(params: MakeRequestParamsCustom, asset: Asset) -> MakeRequestOutput:
189    logger.info(f"HTTP action triggered with params: {params}")
190    return MakeRequestOutput(
191        status_code=200,
192        response_body=f"Base url is {asset.base_url}",
193    )

Apps may define a special “make request” action, which can be used to interact with the underlying external service’s REST API directly. Having this action available can be useful when there are parts of the REST API that don’t have dedicated actions implemented in the app.

We create an action by decorating a function with the app.action decorator. The default action_type is generic, so usually you will not have to provide this argument for the decorator. This is not the case for the test action type though, so we provide this type here explicitly.

Custom Actions

Actions can be registered one of two ways:

Using the action() decorator to decorate a standalone function.

decorated action definition
303@app.action(summary_type=GeneratorActionSummary)
304def generator_action(
305    params: Params, soar: SOARClient[GeneratorActionSummary], asset: Asset
306) -> Iterator[GeneratorActionOutput]:
307    """Generates a sequence of numbers."""
308    logger.info(f"Generator action triggered with params: {params}")
309    for i in range(5):
310        yield GeneratorActionOutput(iteration=i)
311    soar.set_summary(GeneratorActionSummary(total_iterations=5))

Using the register_action() method to register a function which may be defined in another module.

The two methods are functionally equivalent. The decorator method is often more convenient for simple actions, while the registration method may be preferable for larger apps where actions are defined in separate modules. Apps may use either or both methods to register their actions.

App CLI Invocation

App CLI invocation
328if __name__ == "__main__":
329    app.cli()

A generic invocation to the app’s cli() method, which enables running the app actions directly from command line. The app template created by soarapps init includes this snippet by default, and it is recommended to keep it in order to facilitate local testing and debugging of your app actions.