Anthropic-Cybersecurity-Skills/skills/triaging-security-alerts-in-splunk/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Triaging Security Alerts in Splunk

## splunklib (Splunk SDK for Python)

### Installation

```bash
pip install splunk-sdk
```

### Connection

```python
import splunklib.client as client

# Connect to the management port (8089 by default). The credentials here are
# placeholders; in practice read them from the environment or a secret store.
service = client.connect(host="localhost", port=8089,
                         username="admin", password="password")
```

### Running Searches

```python
import splunklib.client as client
import splunklib.results as results

service = client.connect(host="localhost", port=8089,
                         username="admin", password="password")

# Any SPL string works here; this one returns the ten most recent ES notables.
query = "`notable` | head 10"

# Blocking search: create() returns only once the job has finished.
job = service.jobs.create(query, exec_mode="blocking")

# Parse results. The reader also yields Message objects (warnings, info),
# so keep only the dict rows.
for result in results.JSONResultsReader(job.results(output_mode="json")):
    if isinstance(result, dict):
        print(result)
```

### Search Parameters

| Parameter | Description |
|---|---|
| `exec_mode` | `blocking` (wait for completion) or `normal` (asynchronous) |
| `earliest_time` | Search time range start (e.g., `-24h`) |
| `latest_time` | Search time range end (e.g., `now`) |
| `output_mode` | `json`, `xml`, or `csv` |

## Key SPL Commands for Triage

| Command | Purpose |
|---|---|
| `` `notable` `` | Macro to access ES notable events |
| `lookup asset_lookup_by_cidr` | Enrich with asset information |
| `lookup identity_lookup_expanded` | Enrich with identity context |
| `lookup threat_intel_by_ip` | Check IP against threat feeds |
| `tstats` | Fast data model statistics |
| `sendalert update_notable_event` | Update notable event status |

## Notable Event Status Values

| Value | Status |
|---|---|
| 0 | Unassigned |
| 1 | New |
| 2 | In Progress |
| 3 | Pending |
| 4 | Resolved |
| 5 | Closed |
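The following is an added example, not code from this reference or the skill's own `agent.py`. It ties together the Running Searches and Search Parameters sections with the status table above: it builds an SPL query that expands the `` `notable` `` macro and filters on numeric status codes, runs it as a blocking search over a time window, and buckets the returned rows by human-readable status and by rule/urgency so an analyst can see where to start. It assumes a reachable search head with Enterprise Security installed; `rule_name`, `urgency`, `status`, `owner`, `src` and `dest` are standard notable-index fields, and the grouping logic and the `SPLUNK_*` environment variables are this example's own conventions.

```python
"""Added example: pull open ES notable events for a time window and bucket
them for triage.  Not part of the original reference; assumes a reachable
Splunk search head with Enterprise Security installed."""
from collections import Counter, defaultdict

# Status codes as listed in "Notable Event Status Values".
NOTABLE_STATUS = {
    "0": "Unassigned", "1": "New", "2": "In Progress",
    "3": "Pending", "4": "Resolved", "5": "Closed",
}

# Codes that still need analyst action (everything before Resolved).
OPEN_STATUSES = frozenset({"0", "1", "2", "3"})

# Standard notable-index fields (assumed present; see lead-in).
TRIAGE_FIELDS = "_time rule_name urgency status owner src dest"


def build_notable_query(statuses=OPEN_STATUSES, urgency=None):
    """Return SPL that expands the `notable` macro and filters on status code.

    The macro handles the index and ES enrichment; `search` then narrows to
    the requested numeric status codes and, optionally, one urgency level.
    """
    clause = " OR ".join(f'status="{s}"' for s in sorted(statuses))
    spl = f"`notable` | search ({clause})"
    if urgency:
        spl += f' urgency="{urgency}"'
    return f"{spl} | table {TRIAGE_FIELDS}"


def fetch_rows(service, spl, earliest="-24h", latest="now"):
    """Run `spl` as a blocking search over [earliest, latest]; yield dict rows.

    splunklib is imported here so the pure helpers in this module work
    (and can be tested) without the SDK installed.
    """
    import splunklib.results as results

    job = service.jobs.create(spl, exec_mode="blocking",
                              earliest_time=earliest, latest_time=latest)
    for row in results.JSONResultsReader(job.results(output_mode="json")):
        # The reader also yields Message objects (warnings, info); skip them.
        if isinstance(row, dict):
            yield row


def summarize(rows):
    """Count notables per human-readable status and per rule/urgency pair."""
    by_status = Counter()
    by_rule = defaultdict(Counter)
    for row in rows:
        # Status arrives as a string code; unknown codes are surfaced, not dropped.
        label = NOTABLE_STATUS.get(str(row.get("status", "")), "Unknown")
        by_status[label] += 1
        rule = row.get("rule_name", "<no rule_name>")
        by_rule[rule][row.get("urgency", "unknown")] += 1
    return {
        "by_status": dict(by_status),
        "by_rule": {rule: dict(urg) for rule, urg in by_rule.items()},
    }


# Constructed sample rows shaped like what fetch_rows() yields; not real data.
SAMPLE_ROWS = [
    {"_time": "2024-01-01T09:00:00", "rule_name": "Example Rule A",
     "urgency": "high", "status": "1", "owner": "unassigned",
     "src": "10.0.0.5", "dest": "10.0.0.9"},
    {"_time": "2024-01-01T09:05:00", "rule_name": "Example Rule B",
     "urgency": "medium", "status": "1", "owner": "unassigned",
     "src": "10.0.0.6", "dest": "10.0.0.9"},
    {"_time": "2024-01-01T09:10:00", "rule_name": "Example Rule A",
     "urgency": "high", "status": "2", "owner": "analyst1",
     "src": "10.0.0.5", "dest": "10.0.0.10"},
]

if __name__ == "__main__":
    import os
    import sys

    if "--live" in sys.argv:
        # Against a real search head; connection details come from the
        # environment (variable names are this example's own convention).
        import splunklib.client as client
        service = client.connect(host=os.environ.get("SPLUNK_HOST", "localhost"),
                                 port=int(os.environ.get("SPLUNK_PORT", "8089")),
                                 username=os.environ["SPLUNK_USER"],
                                 password=os.environ["SPLUNK_PASSWORD"])
        rows = list(fetch_rows(service, build_notable_query(urgency="high")))
    else:
        rows = SAMPLE_ROWS
    print(build_notable_query(urgency="high"))
    print(summarize(rows))
```

Run it with no arguments to see the summary over the constructed rows, or with `--live` to query a real search head for the last 24 hours of open high-urgency notables. Filtering on the numeric `status` code rather than the label keeps the query stable across ES installations where status labels have been renamed.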

## Disposition Categories

| Disposition | Criteria |
|---|---|
| True Positive | Confirmed malicious activity |
| Benign True Positive | Alert correct but activity authorized |
| False Positive | Benign behavior matched detection logic |
| Undetermined | Insufficient data to classify |

## References