Splunk SOAR | Use

The Splunk SOAR app provides both contextual and API actions.

Contextual actions

The EclecticIQ Intelligence Center (EIQ IC) app for Splunk SOAR allows you to:

API actions

EclecticIQ request GET action

This action makes a GET request to the EclecticIQ Intelligence Center public API.

To use this action, set these parameters:

  • uri: Enter the fully qualified URL to an EclecticIQ Intelligence Center public API endpoint, including query parameters and without URL-encoding.
    E.g.: https://eclecticiq-threat-intel-platform.local/api/v1/observables?limit=20&data=true

Output:

  • HTTP status code of the response, and

  • Parsed JSON body of the response

EclecticIQ request POST action

This action makes a POST request to the EclecticIQ Intelligence Center public API.

To use this action, set these parameters:

  • uri: Enter the fully qualified URL to an EclecticIQ Intelligence Center public API endpoint, including query parameters and without URL-encoding.
    E.g.: https://eclecticiq-threat-intel-platform.local/api/v1/entities

  • body: JSON payload. For payload schema documentation, see https://developers.eclecticiq.com.

Output:

  • HTTP status code of the response, and

  • Parsed JSON body of the response

EclecticIQ request DELETE action

This action makes a DELETE request to the EclecticIQ Intelligence Center public API.

To use this action, set these parameters:

  • uri: Enter the fully qualified URL to an EclecticIQ Intelligence Center public API endpoint, including query parameters and without URL-encoding.
    E.g.: https://eclecticiq-threat-intel-platform.local/api/v1/incoming-feeds/10?delete_entities=false

Output:

  • HTTP status code of the response, and

  • Parsed JSON body of the response
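
A pre-flight check for the uri and body parameters of the three request actions above, as an added example that is not part of the EclecticIQ app or its documentation. It assumes the configured host is the one in this page's examples and treats the https scheme and the /api/ path prefix seen in those examples as requirements; build_params and EXPECTED_HOST are hypothetical names, and how the returned dict is handed to the action is not shown.

```python
import json
from urllib.parse import urlsplit

# Assumption: the Intelligence Center host the app is configured for
# (taken from this page's example URLs).
EXPECTED_HOST = "eclecticiq-threat-intel-platform.local"


def build_params(method, uri, body=None, expected_host=EXPECTED_HOST):
    """Validate and return the parameter dict for a GET, POST or DELETE request action."""
    method = method.upper()
    if method not in ("GET", "POST", "DELETE"):
        raise ValueError(f"unsupported method: {method}")
    parts = urlsplit(uri)
    # "Fully qualified": scheme and host must both be present.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("uri must be a fully qualified https URL")
    # Pin the host so a value taken from playbook data cannot point the
    # request at another server.
    if parts.hostname.lower() != expected_host.lower():
        raise ValueError(f"uri host {parts.hostname!r} is not the configured host")
    if parts.username or parts.password:
        raise ValueError("uri must not embed credentials")
    # Assumption: public API endpoints live under /api/, as in the page's examples.
    if not parts.path.startswith("/api/"):
        raise ValueError("uri path must start with /api/")
    params = {"uri": uri}  # passed through as written, without URL-encoding
    if method == "POST":
        if body is None:
            raise ValueError("POST requires a JSON body")
        # Accept a dict or a JSON string; json.loads rejects malformed JSON.
        parsed = json.loads(body) if isinstance(body, str) else body
        params["body"] = json.dumps(parsed)
    elif body is not None:
        raise ValueError(f"{method} takes no body")
    return params


if __name__ == "__main__":
    base = "https://" + EXPECTED_HOST
    print(build_params("GET", base + "/api/v1/observables?limit=20&data=true"))
    print(build_params("DELETE", base + "/api/v1/incoming-feeds/10?delete_entities=false"))
```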