Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jerodg/53.phantom-api-client
Splunk Phantom REST API Client
https://github.com/jerodg/53.phantom-api-client
api client phantom python rest splunk
Last synced: 6 days ago
JSON representation
Splunk Phantom REST API Client
- Host: GitHub
- URL: https://github.com/jerodg/53.phantom-api-client
- Owner: jerodg
- License: other
- Created: 2019-07-24T19:30:34.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2020-03-07T00:06:27.000Z (over 4 years ago)
- Last Synced: 2024-02-12T23:44:01.561Z (9 months ago)
- Topics: api, client, phantom, python, rest, splunk
- Language: Python
- Homepage:
- Size: 911 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE.md
Awesome Lists containing this project
README
```
___ _ _ _ ___ ___ ___ _ _ _
| _ \ |_ __ _ _ _| |_ ___ _ __ /_\ | _ \_ _| / __| (_)___ _ _| |_
| _/ ' \/ _` | ' \ _/ _ \ ' \ / _ \| _/| | | (__| | / -_) ' \ _|
|_| |_||_\__,_|_||_\__\___/_|_|_| /_/ \_\_| |___| \___|_|_\___|_||_\__|
```
# Splunk-Phantom, API client.
Client library for Phantom's REST API.
Developed for use with Phantom v4.5+, however, most functionality *should work
with previous versions.
Developed for use with Python3.8+, however, it should work with 3.6/7+. There is
no guarantee that future development won't utilize 3.8+ specifc syntax.
__*Not Affiliated with Splunk or Phantom__
## Installation
```bash
pip install phantom-api-client
```
## Basic Usage
This modules primary use-case is inheritance from other REST API clients.
```python
```
## API Implementation, Categories (2/24) ~8.3%, Functions (36/123) ~29.2%
- [ ] Actions:
- [ ] Run Action
- [ ] Cancel Running Action
- [ ] Aggregation Rules:
- [ ] Create Rule
- [ ] Update Rule
- [ ] Delete Rule
- [ ] Apps:
- [ ] Install App
- [x] Artifacts: (16/16) 100.0%
- [x] Get All Artifacts Count
- [x] Get All Artifacts Count Filtered
- [x] Get One Container Artifacts Count
- [x] Get One Artifact
- [x] Get All Artifacts
- [x] Get All Artifacts Filtered
- [x] Get All Artifacts Date-Filtered
- [x] Get All Container Artifacts
- [x] Get All Container Artifacts Date-Filtered
- [x] Create One Artifact
- [x] Create Many Artifacts
- [x] Update One Artifact
- [x] Update Many Artifacts
- [x] Delete One Artifact
- [x] Delete Many Artifacts
- [x] Delete All Container Artifacts
- [ ] Assets:
- [ ] Create Assets
- [ ] Attachments:
- [ ] Get Attachment
- [ ] Get Attachments
- [ ] Create Attachment
- [ ] Delete Attachment
- [ ] Audit:
- [ ] Get One User Audit Data
- [ ] Get Many Users Audit Data
- [ ] Get One Role Audit Data
- [ ] Get Many Role Audit Data
- [ ] Get Authentication Audit Data
- [ ] Get Administration Audit Data
- [ ] Get One Playbook Audit Data
- [ ] Get Many Playbooks Audit Data
- [x] Get One Container Audit Data
- [ ] Get Many Containers Audit Data
- [ ] Get All Audit Data
- [ ] CEF:
- [ ] Get Available CEFs
- [ ] Create Custom CEF
- [ ] Get Custom CEFs
- [ ] Get Custom CEF
- [ ] Update Custom CEF
- [ ] Delete Custom CEF
- [ ] Clustering:
- [ ] Get Nodes
- [x] Containers: (16/16) 100%
- [x] Get All Containers Count
- [x] Get All Containers Count Filtered
- [x] Get All Containers
- [x] Get All Containers Filtered
- [x] Get All Containers Date Filtered (Custom Date Filtering)
- [x] Get One Container
- [x] Get One Container Whitelist Users
- [x] Get One Container Whitelist Candidates
- [x] Get One Container Phases
- [x] Get Many Containers
- [x] Create One Container
- [x] Create Many Containers
- [x] Update One Container
- [x] Update Many Containers
- [x] Delete One Container
- [x] Delete Many Containers
- [ ] Custom Lists:
- [ ] Get List
- [ ] Create List
- [ ] Update List
- [ ] Delete List
- [ ] Evidence:
- [ ] Get Container Evidence
- [ ] Create Container Evidence
- [ ] Delete Container Evidence
- [ ] HUD:
- [ ] Pin Container
- [ ] Update Pin
- [ ] Indicators:
- [ ] Get Indicator Counts
- [ ] Get Top Event Labels
- [ ] Get Top Indicator Types
- [ ] Get Top Indicator Values
- [ ] Get Indicators
- [ ] Get Indicator
- [ ] Get Artifacts by Indicator
- [ ] Get Indicator Timeline by Value
- [ ] Get Containers by Indicator
- [ ] Informational:
- [ ] Get Version
- [ ] Get System Info
- [ ] Get License
- [ ] Get System Health
- [ ] Get App Status Info
- [ ] Get Widget Info
- [ ] Notes:
- [ ] Create Container Note
- [ ] Create Containers Notes
- [ ] Create Artifact Note
- [ ] Create Task Note
- [ ] Update Container Note
- [ ] Get Container Notes
- [ ] Get Container Note
- [ ] Delete Note
- [ ] Get Artifact Notes
- [ ] Get Task Notes
- [ ] Search Notes
- [ ] Playbooks:
- [ ] Update Playbook Status
- [ ] Run Playbook
- [ ] Cancel Running Playbook
- [ ] Update Source Control Repository
- [ ] Search:
- [ ] Run Search
- [ ] Severity:
- [ ] Get Severity's
- [ ] Create Severity
- [ ] Delete Severity
- [ ] Update Severity
- [ ] Status:
- [ ] Get Status Labels
- [ ] Create Status Label
- [ ] Delete Status Label
- [ ] System Settings:
- [ ] Update System Settings
- [ ] Tenants:
- [ ] Create Tenant
- [ ] Update Tenant
- [ ] Users:
- [x] Get Users Count
- [x] Get All Users
- [x] Get One User
- [ ] Create One User
- [ ] Update One User
- [ ] Delete One User
- [ ] Create Role/Permissions
- [ ] Workbooks (formerly known as Case Templates):
- [ ] Create Case Workflow Template
- [ ] Create Phase Object
- [ ] Create Task Object
- [ ] Add Phase Template to Workflow Template
- [ ] Add Task to Phase Template
- [ ] Get Workbook Phases
## Test Coverage
platform linux, python 3.8.0-beta-3
-
| Name | Stmts | Miss | Cover |
| ------------------------------------------ |-------- |------- |-------: |
| phantom_api_client/__init__.py | 3 | 0 | 100% |
| phantom_api_client/client.py | 80 | 4 | 95% |
| phantom_api_client/models/__init__.py | 11 | 0 | 100% |
| phantom_api_client/models/artifact.py | 51 | 1 | 98% |
| phantom_api_client/models/attachment.py | 34 | 15 | 56% |
| phantom_api_client/models/audit.py | 27 | 27 | 0% |
| phantom_api_client/models/cef.py | 159 | 3 | 98% |
| phantom_api_client/models/comment.py | 9 | 1 | 89% |
| phantom_api_client/models/container.py | 62 | 2 | 97% |
| phantom_api_client/models/custom_fields.py | 33 | 8 | 76% |
| phantom_api_client/models/exceptions.py | 22 | 12 | 45% |
| phantom_api_client/models/note.py | 12 | 1 | 92% |
| phantom_api_client/models/pin.py | 25 | 11 | 56% |
| phantom_api_client/models/query.py | 245 | 46 | 81% |
| ____________________________________________ | ____ | _____ | ____ |
| TOTAL | 773 | 131 | 83% |
## Performance Notes
Phantom v4.2.7532 | Intel(R) Xeon(R) CPU E7-8860 v4 @ 2.20GHz (8 Cores VMWare) | 32GB RAM
#### Get Containers
_No Pretty or Expensive_
| Semaphore | PageSize | ResultsCount | Duration (seconds) | Records/Sec. |
|----------- |---------- |-------------- |-------------------- | ------------ |
| 1 | 0 | 10260 | 550.368098 | 18.642069 |
| 1 | 100 | 10242 | 506.718879 | 20.212390 |
| 1 | 250 | 10245 | 507.401462 | 20.191112 |
| 1 | 500 | 10247 | 505.141626 | 20.285400 |
| 1 | 1000 | 10248 | 499.583309 | **20.513095** |
| 5 | 100 | 10252 | 103.920112 | 98.652703 |
| 5 | 250 | 10252 | 104.045734 | 98.533592 |
| 5 | 500 | 10252 | 103.959837 | **98.615006** |
| 5 | 1000 | 10252 | 103.284216 | 99.260084 |
| 10 | 100 | 10252 | 62.194716 | 164.83715 |
| 10 | 250 | 10252 | 61.711901 | **166.12678** |
| 10 | 500 | 10252 | 61.747280 | 166.03160 |
| 10 | 1000 | 10252 | 61.791430 | 165.91297 |
| 15 | 100 | 10252 | 53.376854 | 192.068269 |
| 15 | 250 | 10252 | 53.870317 | 190.308884 |
| 15 | 500 | 10252 | 53.380755 | 192.054232 |
| 15 | 1000 | 10252 | 53.107964 | **193.040729** |
| 25 | 100 | 10252 | 52.471258 | 195.383156 |
| 25 | 250 | 10252 | 52.522734 | 195.191668 |
| 25 | 500 | 10253 | 54.730120 | 187.337430 |
| 25 | 1000 | 10253 | 52.401570 | **195.662075** |
| 50 | 100 | 10253 | 52.405708 | **195.646626** |
| 50 | 250 | 10253 | 53.681816 | 190.995773 |
| 50 | 500 | 10253 | 53.105051 | 193.070148 |
| 50 | 1000 | 10253 | 52.813425 | 194.136245 |
| 75 | 100 | 10258 | 59.042822 | **173.738309** |
| 75 | 250 | 10258 | 60.795224 | 168.730359 |
| 75 | 500 | 10258 | 62.890662 | 163.108475 |
| 75 | 1000 | 10258 | 65.159076 | 157.430102 |
More than 100 simultaneous connections/queries results in missing records.
| Semaphore | PageSize | ResultsCount | Duration (seconds) | Records/Sec. |
|----------- |---------- |-------------- |-------------------- | ------------ |
| 100 | 100 | 7995 | 47.714157 | **167.560332** |
| 100 | 250 | 1483 | 14.284200 | 103.821007 |
| 100 | 500 | 1501 | 15.164913 | 98.978475 |
| 100 | 1000 | 1012 | 12.785591 | 79.151602 |
| 250 | 100 | 1043 | 13.511003 | 77.196340 |
| 250 | 250 | 1568 | 17.039635 | 92.020751 |
| 250 | 500 | 1592 | 16.626970 | **95.748051** |
| 250 | 1000 | 1493 | 17.328146 | 86.160400 |
## Documentation
[GitHub Pages](https://jerodg.github.io/phantom-api-client/)
- Work in Process
## Known Issues
Mass deleting records quits early with timeout error. It would seem the more
records that are being deleted adds an exponential increase in wait between
deletes. So far in testing >= 47 (254) 114 at once results in timeout-error.
Phantom v4.2 and earlier has completely broken pagination. You will receive
duplicate and missing records. You should set the query filter 'page_size' to
a number greater than the max expected results in order to receive all records
in a single page.
## License
Copyright © 2019 Jerod Gawne
This program is free software: you can redistribute it and/or modify
it under the terms of the Server Side Public License (SSPL) as
published by MongoDB, Inc., either version 1 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
SSPL for more details.
You should have received a copy of the SSPL along with this program.
If not, see .