creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 14:44:58 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-soar-playbook-for-phishing/references/api-reference.md
T

2.5 KiB
Raw Blame History

SOAR Phishing Playbook API Reference

Splunk SOAR REST API

Authentication

All requests require the ph-auth-token header:

ph-auth-token: <your-api-token>

Create Container (Incident)

POST /rest/container

{
  "name": "Phishing: Suspicious invoice email",
  "description": "User reported phishing email",
  "label": "phishing",
  "severity": "high",
  "status": "new",
  "sensitivity": "amber",
  "owner_id": 1,
  "tags": ["phishing", "email"]
}

Response: {"success": true, "id": 1542}

Create Artifact

POST /rest/artifact

{
  "container_id": 1542,
  "name": "Sender Email",
  "label": "email",
  "type": "email",
  "severity": "high",
  "cef": {
    "fromAddress": "attacker@evil.com",
    "toAddress": "victim@company.com",
    "emailSubject": "Urgent Invoice #9921",
    "sourceAddress": "198.51.100.23",
    "requestURL": "https://evil-phish.com/login"
  },
  "run_automation": true
}

Response: {"success": true, "id": 8834}

Trigger Playbook

POST /rest/playbook_run

{
  "container_id": 1542,
  "playbook_id": "local/phishing_investigate",
  "scope": "new",
  "run": true
}

List Action Runs

GET /rest/action_run?_filter_container=1542&page_size=100

Get Container Details

GET /rest/container/{container_id}
GET /rest/container/{container_id}/artifacts
GET /rest/container/{container_id}/actions

Update Container Status

POST /rest/container/{container_id}

{"status": "closed", "close_reason": "resolved"}

XSOAR (Cortex XSOAR) API Comparison

Create Incident

POST /incident

{
  "name": "Phishing Report",
  "type": "Phishing",
  "severity": 3,
  "labels": [
    {"type": "Email/from", "value": "attacker@evil.com"},
    {"type": "Email/subject", "value": "Urgent Invoice"}
  ]
}

Run Playbook on Incident

POST /incident/investigate

{"id": "1542", "playbookId": "phishing_investigation"}

Common Phishing Playbook Actions

Action App Description
url reputation VirusTotal Check URL against VT database
domain reputation VirusTotal Check sender domain reputation
ip reputation AbuseIPDB Check originating IP reputation
whois domain WHOIS Domain registration lookup
detonate url URLScan.io Sandbox URL detonation
get email headers IMAP Retrieve full email headers
block sender Exchange Block sender at email gateway
quarantine email O365 Remove email from all mailboxes
Reference in New Issue View Git Blame Copy Permalink