Splunk SOAR SDK Documentation¶
The Splunk SOAR SDK is the official tool and library for building connectors that integrate with Splunk SOAR. You can use it to create new apps, convert old-style apps to the new format, and test your apps locally before deploying them to a Splunk SOAR instance.
If you want to learn more about how to use the SDK, check out the following resources:
Getting Started: A step-by-step guide to creating your first Splunk SOAR app using the SDK.
App Structure: Detailed information on the structure of a Splunk SOAR app and its components.
API Reference: Comprehensive reference for the SDK’s Python API.
CLI Reference: Documentation for the SDK’s command-line interface (CLI) tool.
If you find bugs, need help, or have suggestions, please visit the Splunk SOAR SDK GitHub repository and file an issue.
What is a Splunk SOAR App and What are Actions?¶
Apps (aka Connectors) in Splunk SOAR are extensions that enrich the platform functionality. Each app provides a new set of actions that can be used to automate security investigations and response. Usually, a single app adds actions which integrate with a specific tool or 3rd party service (e.g. whois lookup or geolocation).
This SDK is a set of tools to build, test and run your own app that will extend Splunk SOAR by implementing actions which integrate with 3rd parties.
Splunk SOAR Compatibility¶
The Splunk SOAR SDK codifies its minimum supported Splunk SOAR version under soar_sdk.compat.MIN_PHANTOM_VERSION:
MIN_PHANTOM_VERSION = "7.0.0"
By default, any Splunk SOAR app developed with this version of the SDK will run on all released Splunk SOAR versions above that minimum*.
Both Splunk SOAR Cloud and Splunk SOAR On-Prem are supported at this defined minimum version and above.
Note
* Forward-compatibility is not guaranteed, but is strived for. Backward-compatibility is guaranteed down to the MIN_PHANTOM_VERSION
Contents¶
- Getting Started
- App Structure
- Custom Views
- API Reference
- Jump to a Section:
- The App Class
- APIs
- Data Models
ArtifactArtifact.model_configArtifact.nameArtifact.labelArtifact.descriptionArtifact.typeArtifact.severityArtifact.source_data_identifierArtifact.container_idArtifact.dataArtifact.run_automationArtifact.owner_idArtifact.cefArtifact.cef_typesArtifact.ingest_app_idArtifact.tagsArtifact.start_timeArtifact.end_timeArtifact.kill_chainArtifact.to_dict()
ContainerContainer.model_configContainer.nameContainer.labelContainer.descriptionContainer.source_data_identifierContainer.external_idContainer.severityContainer.statusContainer.tagsContainer.owner_idContainer.sensitivityContainer.artifactsContainer.asset_idContainer.close_timeContainer.custom_fieldsContainer.dataContainer.due_timeContainer.end_timeContainer.ingest_app_idContainer.kill_chainContainer.role_idContainer.run_automationContainer.start_timeContainer.open_timeContainer.tenant_idContainer.container_typeContainer.template_idContainer.authorized_usersContainer.artifact_countContainer.container_idContainer.to_dict()
VaultAttachmentVaultAttachment.idVaultAttachment.created_viaVaultAttachment.containerVaultAttachment.taskVaultAttachment.create_timeVaultAttachment.nameVaultAttachment.userVaultAttachment.vault_documentVaultAttachment.mime_typeVaultAttachment.es_attachment_idVaultAttachment.hashVaultAttachment.vault_idVaultAttachment.sizeVaultAttachment.pathVaultAttachment.metadataVaultAttachment.akaVaultAttachment.container_idVaultAttachment.containsVaultAttachment.open()VaultAttachment.model_config
ViewContextResultSummary
- Logging
- Exceptions
- CLI Reference
- Changelog