Gmail API MCP Server

by rigzindorje
models.py64.3 kB
# generated by fastapi-codegen:
#   filename:  openapi.yaml
#   timestamp: 2025-07-16T14:21:16+00:00
#
# Pydantic request/response models for the Splunk Enterprise Security and
# Splunk SOAR endpoints described in openapi.yaml. The file is pure schema
# declaration: the only behaviour is pydantic's validation, so the comments
# below record what each model does and does not enforce. Descriptions and
# examples are the OpenAPI text verbatim (including its typos) because they
# are emitted into the generated JSON schema.
from __future__ import annotations

from enum import Enum
from typing import Any, Dict, List, Optional
from uuid import UUID

from pydantic import BaseModel, ConfigDict, EmailStr, Field, RootModel


# 401 body. The root is typed `Any`, so pydantic accepts whatever JSON the
# server returns here and validates nothing.
class Field401ErrorResponse(RootModel[Any]):
    root: Any = Field(..., description='Unauthorized.')


# 403 body; same unvalidated pass-through as the 401 model.
class Field403ErrorResponse(RootModel[Any]):
    root: Any = Field(..., description='Forbidden.')


# One Splunk SOAR action as listed on a response task (see TaskSuggestions).
# Every field is optional. The *_time fields are floats; the examples are
# epoch seconds with fractional part.
class Action(BaseModel):
    action: Optional[str] = Field(
        None, description='The action ID of the Splunk SOAR action.', examples=['1394']
    )
    app_id: Optional[float] = Field(
        None, description='The app ID of the Splunk SOAR action.', examples=[169]
    )
    asset: Optional[float] = Field(
        None, description='The asset of the Splunk SOAR action.', examples=[1]
    )
    create_time: Optional[float] = Field(
        None,
        description='The time the Splunk SOAR action was created.',
        examples=[1676495280.719768],
    )
    description: Optional[str] = Field(
        None,
        description='The description of the action.',
        examples=['This action validates the configuration of an asset.'],
    )
    id: Optional[UUID] = Field(
        None,
        description='The ID of the Splunk SOAR action.',
        examples=['876ab1de-d825-43c0-8b6c-e30c959d9044'],
    )
    last_job_id: Optional[float] = Field(
        None, description='The last job ID of the Splunk SOAR action.', examples=[0]
    )
    name: Optional[str] = Field(
        None,
        description='The name of the Splunk SOAR action.',
        examples=['geolocate ip - MaxMind'],
    )
    # Free-form list of dicts: the model constrains neither the keys nor the
    # value types. Anything that forwards these to SOAR has to validate them
    # itself.
    parameters: Optional[List[Dict[str, Any]]] = Field(
        None,
        description='The parameters for the Splunk SOAR action. For example, {"ip":"1.1.1.1"}.',
        examples=[[{'ip': '1.1.1.1'}]],
    )
    # `type` shadows the builtin inside the class body only; it is a plain
    # string, the categories named in the description are not enforced.
    type: Optional[str] = Field(
        None,
        description='The type of the Splunk SOAR action. For example, for a Splunk SOAR app, such as Maxmind, the type could be “investigate”, “generic”, “test”, “correct”, or “contain”.',
        examples=['geolocate ip'],
    )
    update_time: Optional[float] = Field(
        None,
        description='The time the Splunk SOAR action was updated.',
        examples=[1676495407.1743503],
    )


# One asset record from the asset lookup. Almost every attribute is a
# `List[str]` (multi-valued lookup fields), and the boolean-looking ones
# (`_delete`, `is_expected`, `requires_av`, ...) are the strings 'true' /
# 'false', not Python bools. Fields whose wire name starts with '_' are
# exposed via an alias (`_delete` -> `field_delete`).
class AssetsGetResponse(BaseModel):
    field_delete: Optional[List[str]] = Field(
        None,
        alias='_delete',
        description='Parameter indicates whether this asset was deleted.',
        examples=[['false']],
    )
    field_last_updated: Optional[float] = Field(
        None,
        alias='_last_updated',
        description='The last time the asset was updated.',
        examples=[1740477793.8923569],
    )
    field_sources: Optional[List[str]] = Field(
        None,
        alias='_sources',
        description='The source of the asset.',
        examples=[['canon_wdio_assets']],
    )
    asset: Optional[List[str]] = Field(
        None,
        description='The IP address, DNS name, MAC address, and the Windows NT host field of the asset.',
        examples=[['192.168.0.1', '00:1A:2B:3C:4D:5E']],
    )
    asset_tag: Optional[List[str]] = Field(
        None, description='The tags of the asset.', examples=[['tag1', 'tag2']]
    )
    bunit: Optional[List[str]] = Field(
        None,
        description='The business unit of the asset. Parameter used to filter by dashboards in Splunk Enterprise Security.',
        examples=[['business_unit_example']],
    )
    category: Optional[List[str]] = Field(
        None,
        description='A pipe-delimited list of logical classifications for assets.',
        examples=[['category1', 'category2']],
    )
    cim_entity_zone: Optional[List[str]] = Field(
        None,
        description='Required parameter when entity zones are turned on. Lowercase word to use as a default zone name. Used when you have multiple private IP spaces. This parameter auto-populates in the cim_entity_zone fields if you do not specify your own values when formatting an asset or identity list as a lookup.',
        examples=[['zone_example']],
    )
    city: Optional[List[str]] = Field(
        None,
        description='The city in which the asset is located.',
        examples=[['San Francisco']],
    )
    country: Optional[List[str]] = Field(
        None,
        description='The country in which the asset is located.',
        examples=[['USA']],
    )
    dns: Optional[List[str]] = Field(
        None,
        description='The name of the domain name server of the asset.',
        examples=[['test.com']],
    )
    id: Optional[str] = Field(
        None, description='The ID of the asset.', examples=['67bd956379ba456e810415c0']
    )
    # Plain strings: no IP-address validation is applied here.
    ip: Optional[List[str]] = Field(
        None, description='The IP address of the asset.', examples=[['0.0.0.0']]
    )
    is_expected: Optional[List[str]] = Field(
        None,
        description='Parameter that indicates whether events from this asset are expected. If set to true, the Expected Host Not Reporting detection performs an adaptive response action when this asset stops reporting events.',
        examples=[['true']],
    )
    lat: Optional[List[str]] = Field(
        None,
        description='The latitude of the asset in decimal degrees, using +/- to indicate direction.',
        examples=[['37.7749']],
    )
    long: Optional[List[str]] = Field(
        None,
        description='The longitude of the asset in decimal degrees, using +/- to indicate direction.',
        examples=[['-122.4194']],
    )
    mac: Optional[List[str]] = Field(
        None,
        description='The MAC address of the asset.',
        examples=[['00:00:00:00:00:00']],
    )
    nt_host: Optional[List[str]] = Field(
        None, description='The Windows NT host of the asset.', examples=[['test-host']]
    )
    owner: Optional[List[str]] = Field(
        None,
        description='The user or department associated with the device.',
        examples=[['owner_example']],
    )
    pci_domain: Optional[List[str]] = Field(
        None,
        description='The domain for the asset that is related to PCI.',
        examples=[['pci_domain_example']],
    )
    # "ti calculate" is a typo in the upstream OpenAPI text; it is part of the
    # emitted schema description, so it is left as-is.
    priority: Optional[List[str]] = Field(
        None,
        description='The priority assigned to the device ti calculate the **Urgency** field for findings on the analyst queue. An "unknown" priority reduces the assigned **Urgency** by default.',
        examples=[['high']],
    )
    requires_av: Optional[List[str]] = Field(
        None,
        description='Parameter that indicates whether this asset must have anti-virus software installed.',
        examples=[['true']],
    )
    should_timesync: Optional[List[str]] = Field(
        None,
        description='Parameter that indicates whether this asset must be monitored for time-sync events. If set to true, the Should Timesync Host Not Syncing detection performs an adaptive response action if this asset does not report any time-sync events from the past 24 hours.',
        examples=[['true']],
    )
    should_update: Optional[List[str]] = Field(
        None,
        description='Parameter indicates whether this asset must be monitored for system update events.',
        examples=[['true']],
    )


# Generic error body. `code` and `request_id` are required; a body missing
# either fails validation.
class ErrorResponse(BaseModel):
    code: str = Field(..., description='The HTTP error code.', examples=['MC_0100'])
    message: Optional[str] = Field(
        None,
        description='The error message.',
        examples=['Oops...something went wrong.'],
    )
    request_id: str = Field(
        ...,
        description='The request ID of the API call.',
        examples=['74730fac-1d5c-4713-bef5-d30ed1c62188'],
    )


# Phase reference embedded in ResponsePlanInfo.
class ResponsePhase(BaseModel):
    id: Optional[UUID] = Field(
        None,
        description='The response phase ID if this was a file uploaded from a response task.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    name: Optional[str] = Field(
        None,
        description='The name of the response phase.',
        examples=['Response Phase - 1'],
    )


# Plan reference embedded in ResponsePlanInfo.
class ResponsePlan(BaseModel):
    id: Optional[UUID] = Field(
        None,
        description='The response plan ID if this was a file uploaded from a response task.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    name: Optional[str] = Field(
        None,
        description='The name of the response plan.',
        examples=['Response Plan - 1'],
    )


# Task reference embedded in ResponsePlanInfo.
class ResponseTask(BaseModel):
    id: Optional[UUID] = Field(
        None,
        description='The response task ID if this was a file uploaded from a response task.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    name: Optional[str] = Field(
        None,
        description='The name of the response task.',
        examples=['Response Task - 1'],
    )


# Where an uploaded file came from (plan / phase / task). All three are
# optional and carry no description, only examples.
class ResponsePlanInfo(BaseModel):
    response_phase: Optional[ResponsePhase] = Field(
        None,
        examples=[
            {'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Phase - 1'}
        ],
    )
    response_plan: Optional[ResponsePlan] = Field(
        None,
        examples=[
            {'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Plan - 1'}
        ],
    )
    response_task: Optional[ResponseTask] = Field(
        None,
        examples=[
            {'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Task - 1'}
        ],
    )


# Kind of object that attached a file (FileObject.source_type). Unlike
# SourceType1 below, this one includes 'Note'.
class SourceType(Enum):
    Task = 'Task'
    Incident = 'Incident'
    Note = 'Note'


# Metadata for a file attached to a task, investigation or note. `file_key`
# is documented as the sha256 of the contents but is typed as a plain string
# (no length or hex check).
class FileObject(BaseModel):
    field_key: Optional[str] = Field(
        None,
        alias='_key',
        description='The KVStore key for this file, same as ID.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab8'],
    )
    field_user: Optional[str] = Field(
        None,
        alias='_user',
        description='User field generated by Splunk and added to the KV Store.',
        examples=['admin'],
    )
    created_on: Optional[float] = Field(
        None,
        description='The time when this file was initially added.',
        examples=[1676494088.786956],
    )
    file_key: Optional[str] = Field(
        None,
        description='The sha256 hash of the contents of this file.',
        examples=['22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46'],
    )
    # Server-supplied filename; the model does not sanitise path characters.
    file_name: Optional[str] = Field(
        None, description='The name of the file.', examples=['splunk-logo-dark.svg']
    )
    id: Optional[UUID] = Field(
        None,
        description='The unique ID for this file.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab8'],
    )
    incident_id: Optional[UUID] = Field(
        None,
        description='The investigation ID of the object that attached this file.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    incident_type: Optional[str] = Field(
        None,
        description='The investigation type of the investigation. Investigation types are used to categorize related investigations by use case or source.',
        examples=['threat investigation'],
    )
    reference_list: Optional[List[str]] = Field(
        None,
        description='A list of object IDs (response note, task, etc.) that uploaded this file.',
        examples=[['1982c0a4-b710-4827-856d-0a9c4f77e70b']],
    )
    response_plan_info: Optional[ResponsePlanInfo] = Field(
        None,
        examples=[
            {
                'response_phase': {
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'name': 'Response Phase - 1',
                },
                'response_plan': {
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'name': 'Response Plan - 1',
                },
                'response_task': {
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'name': 'Response Task - 1',
                },
            }
        ],
    )
    size: Optional[float] = Field(
        None, description='The size of the file in bytes.', examples=[5829]
    )
    source: Optional[str] = Field(
        None,
        description='The ID of the object (response note, task, etc.) that added this file.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    source_type: Optional[SourceType] = Field(
        None,
        description='The type of object that added this file. Available options are Task, Incident, or Note.',
        examples=['Task'],
    )
    source_user: Optional[str] = Field(
        None,
        description='The username of the user that added this file.',
        examples=['admin'],
    )


# Finding kind (FindingsGetResponse.notable_type).
class NotableType(Enum):
    notable = 'notable'
    risk_event = 'risk_event'


# Risk object kind (FindingsGetResponse.risk_object_type).
class RiskObjectType(Enum):
    system = 'system'
    user = 'user'
    other = 'other'


# One finding. `extra='allow'` means keys that are not declared here are
# kept on the instance (as untyped extras) instead of being rejected, so
# the attribute set of a parsed finding is not fixed by this class. Only
# `_time` is required. Numeric-looking values (`risk_score`, `status`) are
# strings on the wire and stay strings here.
class FindingsGetResponse(BaseModel):
    model_config = ConfigDict(
        extra='allow',
    )
    field_time: str = Field(
        ...,
        alias='_time',
        description='The time when this finding was created.',
        examples=['2025-02-25T14:27:28.000+00:00'],
    )
    detection_id: Optional[str] = Field(
        None,
        description='The ID of the detection used to populate the finding.',
        examples=['00000000-0000-0000-0000-000000000000'],
    )
    disposition: Optional[str] = Field(
        None, description='The disposition of the finding.', examples=['disposition:6']
    )
    disposition_default: Optional[str] = Field(
        None,
        description='The flag to determine whether the disposition is the default disposition.',
        examples=['true'],
    )
    disposition_description: Optional[str] = Field(
        None,
        description='The description for the disposition value.',
        examples=[
            'This disposition shows that there is a possibility for a false positive.'
        ],
    )
    disposition_label: Optional[str] = Field(
        None,
        description='The descriptive value for the disposition that is displayed on the Splunk Enterprise Security UI.',
        examples=['True Positive - Suspicious Activity'],
    )
    event_id: Optional[str] = Field(
        None,
        description='The unique ID for this finding.',
        examples=[
            'b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8'
        ],
    )
    host: Optional[str] = Field(
        None,
        description='The host name of the stack from which this finding was created.',
        examples=['<stack_address>.splunkcloud.com'],
    )
    notable_type: Optional[NotableType] = Field(
        None, description='The type of finding.', examples=['notable']
    )
    owner: Optional[str] = Field(
        None, description='The owner of the finding.', examples=['splunk_user']
    )
    risk_object: Optional[str] = Field(
        None,
        description='The risk object for which this finding was created.',
        examples=['bad_user@splunk.com'],
    )
    risk_object_type: Optional[RiskObjectType] = Field(
        None,
        description='The type of risk object from which this finding was created.',
        examples=['user'],
    )
    risk_score: Optional[str] = Field(
        None,
        description='The risk score assigned to this risk object.',
        examples=['10.0'],
    )
    rule_description: Optional[str] = Field(
        None,
        description='The description for the rule that was used to find and create the finding.',
        examples=['Risk Threshold Exceeded for an object over a 24 hour period'],
    )
    # Rule titles embed attacker-controlled values (the example carries a
    # user/domain); treat as untrusted text when rendering.
    rule_title: Optional[str] = Field(
        None,
        description='The rule title for this event.',
        examples=[
            '24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net'
        ],
    )
    search_name: Optional[str] = Field(
        None,
        description='The search that was used to create this finding.',
        examples=['Risk - 24 Hour Risk Threshold Exceeded - Rule'],
    )
    security_domain: Optional[str] = Field(
        None, description='The security domain for the finding.', examples=['threat']
    )
    severities: Optional[List[str]] = Field(
        None,
        description='A list of severity values for the finding.',
        examples=[['medium']],
    )
    severity: Optional[str] = Field(
        None, description='The level of severity for the finding.', examples=['medium']
    )
    source: Optional[str] = Field(
        None,
        description='The detection that created this finding.',
        examples=['Risk - 24 Hour Risk Threshold'],
    )
    sourcetype: Optional[str] = Field(
        None,
        description='The source type of the finding.',
        examples=['finding_sourcetype'],
    )
    status: Optional[str] = Field(
        None, description='The status of the finding.', examples=['1']
    )
    status_default: Optional[str] = Field(
        None,
        description='The flag to determine whether this status is the default status set in the system configurations.',
        examples=['true'],
    )
    status_description: Optional[str] = Field(
        None,
        description='The description for the status value.',
        examples=['Finding is recent and not reviewed.'],
    )
    status_label: Optional[str] = Field(
        None,
        description='The descriptive label for the status value that is displayed on the Splunk Enterprise Security UI.',
        examples=['New'],
    )
    # The valid set is documented only; the field is a plain str, so pydantic
    # does not reject values outside it.
    urgency: Optional[str] = Field(
        None,
        description='The urgency value for the finding. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`.',
        examples=['informational'],
    )


# One identity record from the identity lookup. As with assets, attributes
# are multi-valued `List[str]`.
class IdentityGetResponse(BaseModel):
    field_last_updated: Optional[float] = Field(
        None,
        alias='_last_updated',
        description='The last time the identity was updated.',
        examples=[1740591550.35317],
    )
    field_sources: Optional[List[str]] = Field(
        None,
        alias='_sources',
        description='The source of the identity.',
        examples=[['demo_identities']],
    )
    bunit: Optional[List[str]] = Field(
        None, description='The business unit of the asset.', examples=[['americas']]
    )
    # EmailStr is the only syntactically validated field in this model: one
    # malformed address in the list fails validation of the whole record, and
    # EmailStr needs the `email-validator` package installed at runtime.
    email: Optional[List[EmailStr]] = Field(
        None,
        description='The email address of an identity.',
        examples=[['nhenderosn@acmetech.com']],
    )
    first: Optional[List[str]] = Field(
        None, description='The first name of an identity.', examples=[['nelson']]
    )
    id: Optional[str] = Field(
        None,
        description='The ID of the identity.',
        examples=['67bf51bed9f4fd2e56006989'],
    )
    identity: Optional[List[str]] = Field(
        None,
        description='A pipe-delimited list of username strings representing the identity.',
        examples=[['test@splunk.com']],
    )
    identity_tag: Optional[List[str]] = Field(
        None, description='The tag of the identity.', examples=[['americas']]
    )
    last: Optional[List[str]] = Field(
        None, description='The last name of an identity.', examples=[['henderosn']]
    )
    phone: Optional[List[str]] = Field(
        None,
        description='A pipe delimited field for the telephone number of an identity.',
        examples=[['+1 (800)555-6434']],
    )
    # camelCase is the wire name; the generator kept it as the attribute name.
    startDate: Optional[List[str]] = Field(
        None,
        description='The start or hire date of an identity.',
        examples=[['135953520']],
    )
    work_city: Optional[List[str]] = Field(
        None,
        description='The primary work site city for an identity.',
        examples=[['Vancouver']],
    )
    work_country: Optional[List[str]] = Field(
        None,
        description='The primary work site country for an identity.',
        examples=[['usa']],
    )
    work_lat: Optional[List[str]] = Field(
        None,
        description='The latitude of the primary work site city in decimal degrees, using +/- to indicate direction.',
        examples=[['37.3382']],
    )
    work_long: Optional[List[str]] = Field(
        None,
        description='The longitude of the primary work site city in decimal degrees using +/- to indicate direction.',
        examples=[['121.8863']],
    )


# Request body for creating an investigation. Only `name` is required.
# `disposition`, `sensitivity`, `status` and `urgency` are free strings:
# the choice lists in their descriptions are not enforced by this model,
# so an unexpected value is only caught server-side (if at all).
class InvestigationCreatePayload(BaseModel):
    description: Optional[str] = Field(
        None,
        description='The description of the investigation to be created.',
        examples=['My investigation description'],
    )
    disposition: Optional[str] = Field(
        None,
        description='The disposition ID or disposition label of the investigation to be created.',
        examples=['Undetermined'],
    )
    finding_ids: Optional[List[str]] = Field(
        None,
        description='The list of IDs (event_ids) for findings added to the investigation.',
        examples=[
            [
                'A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9'
            ]
        ],
    )
    finding_times: Optional[List[str]] = Field(
        None,
        description='The list of times for findings added to the investigation. Value can be in relative, ISO, or epoch time.',
        examples=[['1676497520', '1676497800']],
    )
    investigation_type: Optional[str] = Field(
        None,
        description='The type of the investigation to be created.',
        examples=['default'],
    )
    name: str = Field(
        ...,
        description='The name of the investigation to be created.',
        examples=['My investigation name'],
    )
    owner: Optional[str] = Field(
        None,
        description='The owner of the investigation to be created.',
        examples=['admin'],
    )
    sensitivity: Optional[str] = Field(
        None,
        description='The sensitivity of the investigation to be created. Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`.',
        examples=['Red'],
    )
    status: Optional[str] = Field(
        None,
        description='The status ID or status label of the investigation to be created.',
        examples=['New'],
    )
    urgency: Optional[str] = Field(
        None,
        description='The urgency of the investigation to be created. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`.',
        examples=['informational'],
    )


# Response for investigation creation; the GUID is validated as a UUID.
class InvestigationCreateResponse(BaseModel):
    investigation_guid: UUID = Field(
        ...,
        description='The ID (GUID) of the investigation that was created.',
        examples=['00000000-0000-0000-0000-000000000000'],
    )


# Findings attached to an investigation and which of them inherit the
# investigation's owner/status/urgency/sensitivity/disposition.
class Findings(BaseModel):
    field_inheritors: Optional[List[str]] = Field(
        None,
        description="The added finding IDs that will inherit this investigation's owner, status, urgency, sensitivity, and disposition values.",
        examples=[['11111111-1111-1111-1111-111111111111']],
    )
    incident_ids: Optional[List[str]] = Field(
        None,
        description='The added finding IDs.',
        examples=[
            [
                '11111111-1111-1111-1111-111111111111',
                '11111111-1111-1111-1111-111111111112',
            ]
        ],
    )


# Request body for updating an investigation; every field is optional.
# The descriptions say "to be created" because they were copied from the
# create payload upstream; they are schema text and are left unchanged.
# Same caveat as InvestigationCreatePayload: choice lists are not enforced.
class InvestigationUpdatePayload(BaseModel):
    description: Optional[str] = Field(
        None,
        description='The new description of the investigation to be created.',
        examples=['My investigation description'],
    )
    investigation_type: Optional[str] = Field(
        None,
        description='The new investigation type of the investigation to be created.',
        examples=['default'],
    )
    name: Optional[str] = Field(
        None,
        description='The new name of the investigation to be created.',
        examples=['My investigation name'],
    )
    owner: Optional[str] = Field(
        None,
        description='The new owner of the investigation to be created.',
        examples=['admin'],
    )
    sensitivity: Optional[str] = Field(
        None,
        description='The new sensitivity of the investigation to be created. Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`.',
        examples=['Red'],
    )
    status: Optional[str] = Field(
        None,
        description='The new status id or status label of the investigation to be created.',
        examples=['New'],
    )
    urgency: Optional[str] = Field(
        None,
        description='The new urgency of the investigation to be created. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`.',
        examples=['informational'],
    )


# Response for investigation update (description text is upstream's).
class InvestigationUpdateResponse(BaseModel):
    investigation_guid: UUID = Field(
        ...,
        description='The ID (GUID) of the investigation that was created.',
        examples=['00000000-0000-0000-0000-000000000000'],
    )


# Author of a Note.
class Author(BaseModel):
    username: Optional[str] = Field(
        None,
        description='The username of Splunk user who added the note.',
        examples=['splunk_user_name'],
    )


# Generated duplicate of ResponsePlanInfo (same fields, used by Note). The
# two are distinct pydantic classes, so instances are not interchangeable
# where the type is checked.
class ResponsePlanInfo1(BaseModel):
    response_phase: Optional[ResponsePhase] = Field(
        None,
        examples=[
            {'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Phase - 1'}
        ],
    )
    response_plan: Optional[ResponsePlan] = Field(
        None,
        examples=[
            {'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Plan - 1'}
        ],
    )
    response_task: Optional[ResponseTask] = Field(
        None,
        examples=[
            {'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Task - 1'}
        ],
    )


# Kind of object that owns a Note; narrower than SourceType (no 'Note').
class SourceType1(Enum):
    Task = 'Task'
    Incident = 'Incident'


# A note on a task or investigation. `author`, `content`, `id` and `title`
# are required. `last_edited_by` is described as an email address but is a
# plain str (no EmailStr validation, unlike IdentityGetResponse.email).
class Note(BaseModel):
    author: Author = Field(
        ...,
        description='The user who created the note.',
        examples=[{'username': 'admin'}],
    )
    # Free text supplied by users; nothing here escapes or limits it.
    content: str = Field(
        ...,
        description='The content of the note.',
        examples=['Note for task Create Ticket'],
    )
    create_time: Optional[float] = Field(
        None,
        description='The time when the note was created.',
        examples=[1676494561.553658],
    )
    files: Optional[List[str]] = Field(
        None,
        description='The list of files added to the note.',
        examples=[['576cddf8-f9b5-48db-b41b-cc1ea2ad4da3']],
    )
    id: UUID = Field(
        ...,
        description='The ID of the created note.',
        examples=['2f34ab66-929e-438d-b294-7ce5ea5415d4'],
    )
    incident_id: Optional[str] = Field(
        None,
        description='The ID of the finding or investigation that contains this note.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    last_edited_by: Optional[str] = Field(
        None,
        description='The email address of the user who edited the note most recently.',
        examples=['bob@splunk.com'],
    )
    response_plan_info: Optional[ResponsePlanInfo1] = Field(
        None,
        examples=[
            {
                'response_phase': {
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'name': 'Response Phase - 1',
                },
                'response_plan': {
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'name': 'Response Plan - 1',
                },
                'response_task': {
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'name': 'Response Task - 1',
                },
            }
        ],
    )
    source: Optional[str] = Field(
        None,
        description='The ID of the object that added this note.',
        examples=['c80a092f-9dca-484b-8733-9c3162ee4ab9'],
    )
    source_type: Optional[SourceType1] = Field(
        None,
        description='The type of object that added this note. Available options are Task or Incident.',
        examples=['Task'],
    )
    title: str = Field(
        ...,
        description='The title of the note.',
        examples=['Create ticket - Task Note - 1'],
    )
    update_time: Optional[float] = Field(
        None,
        description='The time when the note was updated.',
        examples=[1676494561.553894],
    )


# One SOAR playbook reference on a response task. Note `id` is a str here,
# not a UUID as in Action/Searches.
class Playbooks(BaseModel):
    create_time: Optional[float] = Field(
        None,
        description='The creation time of the SOAR playbook.',
        examples=[1676495280.719677],
    )
    description: Optional[str] = Field(
        None,
        description='The description of the Splunk SOAR playbook.',
        examples=['This playbook geolocates an address.'],
    )
    id: Optional[str] = Field(
        None,
        description='The ID of the Splunk SOAR playbook.',
        examples=['f18a9b47-9e34-435b-8f72-c13b82609ee6'],
    )
    last_job_id: Optional[float] = Field(
        None, description='The last job ID of the Splunk SOAR playbook.', examples=[0]
    )
    name: Optional[str] = Field(
        None,
        description='The name of the Splunk SOAR playbook.',
        examples=['suspicious_email_domain_enrichment'],
    )
    playbook_id: Optional[str] = Field(
        None,
        description='The playbook ID of the Splunk SOAR playbook.',
        examples=['community/suspicious_email_domain_enrichment'],
    )
    update_time: Optional[float] = Field(
        None,
        description='The update time of the SOAR playbook.',
        examples=[1676495407.17426],
    )


# 429 body. Unlike ErrorResponse, `code` is `Any` (required but untyped)
# and `message` is required.
class RateLimitExceededResponse(BaseModel):
    code: Any = Field(
        ...,
        description='The custom error code for the rate limit errors.',
        examples=['MC_0017'],
    )
    message: str = Field(
        ...,
        description='The error message.',
        examples=[
            'User has exceeded the rate limits for this API: get_identity_by_id with limit 100'
        ],
    )
    request_id: str = Field(
        ...,
        description='The request ID of the API call.',
        examples=['74730fac-1d5c-4713-bef5-d30ed1c62188'],
    )


# Response-task lifecycle state (ResponseTaskModel.status). Not related to
# the string `status` fields on findings and investigations.
class Status(Enum):
    Started = 'Started'
    Ended = 'Ended'
    Reopened = 'Reopened'
    Pending = 'Pending'


# One risk score row; all three fields are required strings (the score is
# not parsed to a number).
class RiskScoreRetrieveResponseItem(BaseModel):
    entity: str = Field(
        ..., description='The entity value of the risk score.', examples=['1.1.1.1']
    )
    entity_type: str = Field(
        ...,
        description='The entity type of the entity with this risk score.',
        examples=['system'],
    )
    risk_score: str = Field(
        ..., description='The risk score for the entity value.', examples=['500']
    )


# The risk-score endpoint returns a bare JSON array, hence a RootModel.
class RiskScoreRetrieveResponse(RootModel[List[RiskScoreRetrieveResponseItem]]):
    root: List[RiskScoreRetrieveResponseItem] = Field(
        ...,
        description='The response body for retrieving the risk scores for a risk entity.',
        examples=[
            [
                {'entity': '1.1.1.1', 'entity_type': 'system', 'risk_score': '100'},
                {
                    'entity': '1.1.1.1',
                    'entity_type': 'host_artifacts',
                    'risk_score': '200',
                },
            ]
        ],
    )


# Risk entity kinds accepted by RiskScoreUpdatePayload.
class EntityType(Enum):
    user = 'user'
    system = 'system'
    hash_values = 'hash_values'
    host_artifacts = 'host_artifacts'
    tools = 'tools'
    others = 'others'


# Request body for adjusting a risk score. `risk_modifier` is an unbounded
# float (no ge/le constraint), so negative or very large deltas pass
# validation here; any limit is the server's.
class RiskScoreUpdatePayload(BaseModel):
    entity_type: Optional[EntityType] = Field(
        None, description='The type of the risk entity.', examples=['user']
    )
    risk_modifier: Optional[float] = Field(
        None,
        description='The risk score delta to be added to the risk entity.',
        examples=[100],
    )


# Free-text confirmation of a risk score update.
class RiskScoreUpdateResponse(BaseModel):
    message: Optional[str] = Field(
        None,
        description='The message of the response.',
        examples=[
            'The risk score of the 2.2.2.2 with type being user has been updated to 90.'
        ],
    )


# One saved search attached to a response task.
class Searches(BaseModel):
    create_time: Optional[float] = Field(
        None,
        description='The create time of the saved search.',
        examples=[1676495280.719843],
    )
    description: Optional[str] = Field(
        None,
        description='The description of the saved search.',
        examples=['Use Splunk searches to list the stats for app accessing'],
    )
    id: Optional[UUID] = Field(
        None,
        description='The ID of the search.',
        examples=['f03af0f8-2e9d-463f-a50b-790dbdd44d5d'],
    )
    name: Optional[str] = Field(
        None,
        description='The name of the saved search.',
        examples=['Access - Access Over Time By App'],
    )
    # The example is percent-encoded SPL. The field is a plain str: the model
    # neither decodes nor inspects the query text, it is stored as received.
    spl: Optional[str] = Field(
        None,
        description='The SPL query for the saved search.',
        examples=[
            '%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app'
        ],
    )
    update_time: Optional[float] = Field(
        None,
        description='The update time of the saved search.',
        examples=[1676496024.7015831],
    )


# SOAR actions, playbooks and saved searches suggested for a response task.
class TaskSuggestions(BaseModel):
    actions: Optional[List[Action]] = Field(
        None,
        description='The list of Splunk SOAR (SOAR) actions added to this response task.',
        examples=[
            [
                {
                    'action': '1394',
                    'app_id': 169,
                    'asset': 1,
                    'create_time': 1676495280.719768,
                    'description': 'This action validates the configuration of an asset.',
                    'id': '876ab1de-d825-43c0-8b6c-e30c959d9044',
                    'last_job_id': 0,
                    'name': 'geolocate ip - MaxMind',
                    'parameters': [{'ip': '1.1.1.1'}],
                    'type': 'geolocate ip',
                    'update_time': 1676495407.1743503,
                }
            ]
        ],
    )
    playbooks: Optional[List[Playbooks]] = Field(
        None,
        description='The list of SOAR playbooks added to this response task.',
        examples=[
            [
                {
                    'create_time': 1676495280.719677,
                    'description': 'This playbook geolocates an address.',
                    'id': 'f18a9b47-9e34-435b-8f72-c13b82609ee6',
                    'last_job_id': 0,
                    'name': 'suspicious_email_domain_enrichment',
                    'playbook_id': 'community/suspicious_email_domain_enrichment',
                    'update_time': 1676495407.17426,
                }
            ]
        ],
    )
    searches: Optional[List[Searches]] = Field(
        None,
        description='The list of saved searches added to this response task.',
        examples=[
            [
                {
                    'create_time': 1676495280.719843,
                    'description': 'Use Splunk searches to list the stats for app accessing',
                    'id': 'f03af0f8-2e9d-463f-a50b-790dbdd44d5d',
                    'name': 'Access - Access Over Time By App',
                    'spl': '%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app',
                    'update_time': 1676496024.7015831,
                }
            ]
        ],
    )


# Paged findings listing. `limit`/`offset`/`total` come through as floats
# (OpenAPI `number`), so callers wanting ints must convert.
class PublicV2FindingsGetResponse(BaseModel):
    items: Optional[List[FindingsGetResponse]] = Field(
        None,
        examples=[
            [
                {
                    '_time': '2025-02-25T14:27:28.000+00:00',
                    'detection_id': '00000000-0000-0000-0000-000000000000',
                    'disposition': 'disposition:6',
                    'disposition_default': 'true',
                    'disposition_description': 'This disposition shows that there is a possibility for a false positive.',
                    'disposition_label': 'True Positive - Suspicious Activity',
                    'event_id': 'b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8',
                    'host': 'test.splunkcloud.com',
                    'notable_type': 'notable',
                    'owner': 'splunk_user',
                    'risk_object': 'bad_user@splunk.com',
                    'risk_object_type': 'user',
                    'risk_score': '100',
                    'rule_description': 'Risk Threshold Exceeded for an object over a 24 hour period',
                    'rule_title': '24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net',
                    'search_name': 'Risk - 24 Hour Risk Threshold Exceeded - Rule',
                    'security_domain': 'threat',
                    'severity': 'medium',
                    'source': 'Risk - 24 Hour Risk Threshold',
                    'sourcetype': 'finding_sourcetype',
                    'status': '1',
                    'status_default': 'true',
                    'status_description': 'Finding is recent and not reviewed.',
                    'status_label': 'New',
                    'urgency': 'informational',
                }
            ]
        ],
    )
    limit: Optional[float] = Field(None, examples=[0])
    offset: Optional[float] = Field(None, examples=[0])
    total: Optional[float] = Field(None, examples=[0])


# A response-plan task with its files, notes and suggestions. `id`, `name`
# and `order` are required. `is_note_required` is a real bool, unlike the
# string flags on assets.
class ResponseTaskModel(BaseModel):
    create_time: Optional[float] = Field(
        None,
        description='The time when the task was created.',
        examples=[1689110850.869705],
    )
    description: Optional[str] = Field(
        None,
        description='The description of the task.',
        examples=[
            'Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.'
        ],
    )
    end_time: Optional[float] = Field(
        None,
        description='The time at when the task was ended.',
        examples=[1676493727.238301],
    )
    files: Optional[List[FileObject]] = Field(
        None,
        examples=[
            [
                {
                    '_key': 'c80a092f-9dca-484b-8733-9c3162ee4ab8',
                    '_user': 'admin',
                    'created_on': 1676494088.786956,
                    'file_key': '22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46',
                    'file_name': 'splunk-logo-dark.svg',
                    'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab8',
                    'incident_id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'incident_type': 'threat investigation',
                    'reference_list': ['1982c0a4-b710-4827-856d-0a9c4f77e70b'],
                    'response_plan_info': {
                        'response_phase': {
                            'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                            'name': 'Response Phase - 1',
                        },
                        'response_plan': {
                            'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                            'name': 'Response Plan - 1',
                        },
                        'response_task': {
                            'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                            'name': 'Response Task - 1',
                        },
                    },
                    'size': 5829,
                    'source': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'source_type': 'Task',
                    'source_user': 'admin',
                }
            ]
        ],
    )
    id: UUID = Field(
        ...,
        description='The ID of the response task.',
        examples=['4edb5c77-0ac3-4d49-842b-19b0eff4d8fd'],
    )
    is_note_required: Optional[bool] = Field(
        None,
        description='Determines whether a note is required to be created in order to complete or end the task.',
        examples=[False],
    )
    name: str = Field(
        ..., description='The name of the task.', examples=['Create ticket']
    )
    notes: Optional[List[Note]] = Field(
        None,
        examples=[
            [
                {
                    'author': {'username': 'admin'},
                    'content': 'Note for task Create Ticket',
                    'create_time': 1676494561.553658,
                    'files': ['576cddf8-f9b5-48db-b41b-cc1ea2ad4da3'],
                    'id': '2f34ab66-929e-438d-b294-7ce5ea5415d4',
                    'incident_id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'last_edited_by': 'bob@splunk.com',
                    'response_plan_info': {
                        'response_phase': {
                            'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                            'name': 'Response Phase - 1',
                        },
                        'response_plan': {
                            'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                            'name': 'Response Plan - 1',
                        },
                        'response_task': {
                            'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                            'name': 'Response Task - 1',
                        },
                    },
                    'source': 'c80a092f-9dca-484b-8733-9c3162ee4ab9',
                    'source_type': 'Task',
                    'title': 'Create ticket - Task Note - 1',
                    'update_time': 1676494561.553894,
                }
            ]
        ],
    )
    order: float = Field(
        ...,
        description='The order of the task in respect to all tasks in the phase.',
        examples=[1],
    )
    owner: Optional[str] = Field(
        None, description='The owner of the task.', examples=['admin']
    )
    start_time: Optional[float] = Field(
        None,
        description='The time at when the task was started.',
        examples=[1676493726.238174],
    )
    status: Optional[Status] = Field(
        None,
        description='The status of the task. Available options are Pending, Started, Ended, or Reopened.',
        examples=['Started'],
    )
    suggestions: Optional[TaskSuggestions] = None
    tag: Optional[str] = Field(
        None,
        description='The ID of the task that maps a response plan task to its original template.',
        examples=['d81ff75d-d9fe-4618-9752-e2840e5aa147'],
    )
    total_time_taken: Optional[float] = Field(
        None, description='The time taken to complete a task in seconds.', examples=[2]
    )
    update_time: Optional[float] = Field(
        None,
        description='The time when the task was last updated.',
        examples=[1689110850.869705],
    )


# A response-plan phase and its tasks. The class continues past the end of
# this excerpt (the `tasks` example is cut mid-string).
class ResponsePhase2(BaseModel):
    create_time: Optional[float] = Field(
        None,
        description='The time when this response phase was created, as an epoch timestamp.',
        examples=[1676492834.50028],
    )
    id: Optional[str] = Field(
        None,
        description='The ID of the response phase.',
        examples=['e4317f74-2ca2-4812-9805-07c7e9aeaa40'],
    )
    name: Optional[str] = Field(
        None, description='The name of the response phase.', examples=['Ingestion']
    )
    order: Optional[float] = Field(
        None, description='The order of the response phase.', examples=[1]
    )
    tasks: Optional[List[ResponseTaskModel]] = Field(
        None,
        description='The list of tasks in the response template.',
        examples=[
            [
                {
                    'create_time': 1689110850.869705,
                    'description': 'Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. 
As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.', 'end_time': 1676493727.238301, 'files': [ { '_key': 'c80a092f-9dca-484b-8733-9c3162ee4ab8', '_user': 'admin', 'created_on': 1676494088.786956, 'file_key': '22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46', 'file_name': 'splunk-logo-dark.svg', 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab8', 'incident_id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'incident_type': 'threat investigation', 'reference_list': ['1982c0a4-b710-4827-856d-0a9c4f77e70b'], 'response_plan_info': { 'response_phase': { 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Phase - 1', }, 'response_plan': { 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Plan - 1', }, 'response_task': { 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Task - 1', }, }, 'size': 5829, 'source': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'source_type': 'Task', 'source_user': 'admin', } ], 'id': '4edb5c77-0ac3-4d49-842b-19b0eff4d8fd', 'is_note_required': False, 'name': 'Create ticket', 'notes': [ { 'author': {'username': 'admin'}, 'content': 'Note for task Create Ticket', 'create_time': 1676494561.553658, 'files': ['576cddf8-f9b5-48db-b41b-cc1ea2ad4da3'], 'id': '2f34ab66-929e-438d-b294-7ce5ea5415d4', 'incident_id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'last_edited_by': 'bob@splunk.com', 'response_plan_info': { 'response_phase': { 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Phase - 1', }, 'response_plan': { 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Plan - 1', }, 'response_task': { 'id': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'name': 'Response Task - 1', }, }, 'source': 'c80a092f-9dca-484b-8733-9c3162ee4ab9', 'source_type': 'Task', 'title': 'Create ticket - Task Note - 1', 'update_time': 1676494561.553894, } ], 'order': 1, 'owner': 'admin', 
'start_time': 1676493726.238174, 'status': 'Started', 'suggestions': { 'actions': [ { 'action': '1394', 'app_id': 169, 'asset': 1, 'create_time': 1676495280.719768, 'description': 'This action validates the configuration of an asset.', 'id': '876ab1de-d825-43c0-8b6c-e30c959d9044', 'last_job_id': 0, 'name': 'geolocate ip - MaxMind', 'parameters': [{'ip': '1.1.1.1'}], 'type': 'geolocate ip', 'update_time': 1676495407.1743503, } ], 'playbooks': [ { 'create_time': 1676495280.719677, 'description': 'This playbook geolocates an address.', 'id': 'f18a9b47-9e34-435b-8f72-c13b82609ee6', 'last_job_id': 0, 'name': 'suspicious_email_domain_enrichment', 'playbook_id': 'community/suspicious_email_domain_enrichment', 'update_time': 1676495407.17426, } ], 'searches': [ { 'create_time': 1676495280.719843, 'description': 'Use Splunk searches to list the stats for app accessing', 'id': 'f03af0f8-2e9d-463f-a50b-790dbdd44d5d', 'name': 'Access - Access Over Time By App', 'spl': '%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app', 'update_time': 1676496024.7015831, } ], }, 'tag': 'd81ff75d-d9fe-4618-9752-e2840e5aa147', 'total_time_taken': 2, 'update_time': 1689110850.869705, } ] ], ) update_time: Optional[float] = Field( None, description='The time when this response phase was updated, as an epoch timestamp.', examples=[1676492834.500499], ) class ResponsePlanModel(BaseModel): create_time: Optional[float] = Field( None, description='The time the response plan was created.', examples=[1676492834.50028], ) creator: Optional[str] = Field( None, description='The person who created this plan.', examples=['Splunk'] ) description: Optional[str] = Field( None, description='The description of the response plan.', examples=[ 'There are many ways in which attackers can use email to gain a foothold in an organization or advance an 
existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods.' ], ) id: Optional[UUID] = Field( None, description='The unique ID for the response plan.', examples=['5c674507-50c2-4a94-b458-fdcb5eec333d'], ) is_default: Optional[bool] = Field( None, description='Whether or not the response plan is the default plan.', examples=[True], ) name: Optional[str] = Field( None, description='The name of the response plan.', examples=['Suspicious Email'], ) phases: Optional[List[ResponsePhase2]] = Field( None, examples=[[{'name': 'Phase 1'}]] ) source_template_id: Optional[UUID] = Field( None, description='The ID of the source template for this response plan.', examples=['142ba3eb-1fd9-4cb3-a040-e139aac107ff'], ) template_status: Optional[str] = Field( None, description='The status of the response plan. For example, “In Progress”.', examples=['published'], ) update_time: Optional[float] = Field( None, description='The time the response plan was last updated.', examples=[1676492834.500499], ) updated_by: Optional[str] = Field( None, description='The person who updated the plan.', examples=['Splunk'] ) version: Optional[float] = Field( None, description='The version of the response plan.', examples=[1] ) class InvestigationGetResponse(BaseModel): attachments: List[str] = Field( ..., description='Array of file IDs that are added directly to the investigation.', examples=[['c7f677fc-8767-4b48-a29d-c28c3f979752']], ) consolidated_findings: Dict[str, Any] = Field( ..., description='The consolidated list of fields for the findings and all the findings that are added to this investigation. 
These appear on the **Overview** tab.', examples=[{'app': 'splunk', 'dest': '8.235.139.88', 'src': '10.39.210.66'}], ) count_findings: float = Field( ..., description='The number of findings or intermediate findings that are associated with this investigation or finding-based-detection (FBD) group.', examples=[2], ) create_time: float = Field( ..., description='The time when the investigation was created.', examples=[1676497520], ) current_response_plan_phase: Optional[Dict[str, Any]] = Field( None, description='The data surrounding the current phase of the response plan.', examples=[ { 'phase_id': 'e4317f74-2ca2-4812-9805-07c7e9aeaa40', 'response_plan_id': '5c674507-50c2-4a94-b458-fdcb5eec333d', } ], ) custom_fields: Dict[str, Any] = Field( ..., description='Custom fields in the investigation.', examples=[{'custom_field_1': 'value1', 'custom_field_2': 'value2'}], ) description: str = Field( ..., description='The description of the investigation.', examples=['Sample investigation for Mission Control'], ) dest: List[str] = Field( ..., description='The list of values for the `destination` field.', examples=[['192.168.1.1', '192.168.1.2']], ) disposition: str = Field( ..., description='The disposition ID of the investigation.', examples=['disposition:1'], ) disposition_name: str = Field( ..., description='The disposition name of the investigation.', examples=['Undetermined'], ) dvc: List[str] = Field( ..., description='The list of values for the `device` field.', examples=[['device1', 'device2']], ) excluded_finding_ids: List[str] = Field( ..., description='List of findings or intermediate findings in the finding groups that are removed from the investigation.', examples=[['finding1', 'finding2']], ) finding: Dict[str, Any] = Field( ..., description='The raw data in a finding.', examples=[ { 'info_max_time': '+Infinity', 'info_min_time': '0.000', 'search_name': 'Manual Notable Event - Rule', } ], ) finding_id: Optional[str] = Field( None, description='The ID of the 
originating Splunk Enterprise Security finding.', examples=[ 'A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9' ], ) findings: Findings = Field( ..., description='The findings IDs that are added to the investigation.', examples=[ { 'field_inheritors': ['11111111-1111-1111-1111-111111111111'], 'incident_ids': [ '11111111-1111-1111-1111-111111111111', '11111111-1111-1111-1111-111111111112', ], } ], ) incident_origin: str = Field( ..., description='Identifies where the investigation came from. For example, whether the investigation came from Splunk Enterprise Security, a risk-based alerting finding, or a Splunk Enterprise Security finding.', examples=['ES Finding Event'], ) investigation_guid: str = Field( ..., description='The ID (GUID) of the investigation that was retrieved.', examples=['00000000-0000-0000-0000-000000000000'], ) investigation_id: str = Field( ..., description='The short ID of the investigation for display.', examples=['ES-00001'], ) investigation_type: str = Field( ..., description='The type of the investigation. 
Investigation types are used to categorize related investigations by use case or source.', examples=['threat investigation'], ) investigations: Optional[List[str]] = Field( None, description='The investigation IDs to which the investigation is added.', examples=[['investigation1', 'investigation2']], ) mc_create_time: float = Field( ..., description='The time when the finding or investigation was created or imported into Splunk Enterprise Security.', examples=[1676497763.861311], ) name: str = Field( ..., description='The name of the investigation.', examples=['Sample Threat Activity Detection'], ) notes: Optional[List[str]] = Field( None, description='Array of note IDs that are added directly to the finding or investigation.', examples=[['c7f677fc-8767-4b41-a29d-c28c3f979752']], ) orig_host: List[str] = Field( ..., description='List of values for the `host` field.', examples=[['host1', 'host2']], ) owner: Optional[str] = Field( None, description='The person assigned to the investigation.', examples=['admin'], ) response_plans: List[ResponsePlanModel] = Field( ..., description='The array of response plans added to the investigation.', examples=[ [ { 'id': '5c674507-50c2-4a94-b458-fdcb5eec333d', 'name': 'Response Plan - 1', } ] ], ) risk_event_count: float = Field( ..., description='The number of risk events that are associated with this investigation.', examples=[5], ) risk_object: List[str] = Field( ..., description='The list of entities for a finding, a finding group, or an investigation.', examples=[['entity1', 'entity2']], ) risk_score: Optional[float] = Field( None, description='The number that represents the maximum risk score for all the findings added to the investigation.', examples=[20], ) sensitivity: str = Field( ..., description='The sensitivity of the investigation. 
Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`.', examples=['Red'], ) source: Optional[str] = Field( None, description='The detection that generated the investigation.', examples=['Threat - Mission Control - Rule'], ) src: List[str] = Field( ..., description='The list of values for the `source` field.', examples=[['10.0.0.1', '10.0.0.2']], ) src_user: List[str] = Field( ..., description='The list of values for the `source user` field.', examples=[['user1', 'user2']], ) status: str = Field( ..., description='The status ID of the investigation.', examples=['1'] ) status_name: str = Field( ..., description='The status name of the investigation.', examples=['New'] ) update_time: float = Field( ..., description='The time when the investigation was last updated.', examples=[1676497800.160927], ) urgency: str = Field( ..., description='The urgency of the investigation. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`.', examples=['informational'], ) user: List[str] = Field( ..., description='The list of values for the `user` field.', examples=[['user1', 'user2']], ) class PublicV2InvestigationsGetResponse(RootModel[List[InvestigationGetResponse]]): root: List[InvestigationGetResponse] = Field( ..., examples=[ [ { 'attachments': ['c7f677fc-8767-4b48-a29d-c28c3f979752'], 'consolidated_findings': { 'app': 'splunk', 'dest': '8.235.139.88', 'src': '10.39.210.66', }, 'count_findings': 2, 'create_time': 1676497520, 'current_response_plan_phase': { 'phase_id': 'e4317f74-2ca2-4812-9805-07c7e9aeaa40', 'response_plan_id': '5c674507-50c2-4a94-b458-fdcb5eec333d', }, 'custom_fields': { 'custom_field_1': 'value1', 'custom_field_2': 'value2', }, 'description': 'Sample investigation for Mission Control', 'dest': ['192.168.1.1', '192.168.1.2'], 'disposition': 'disposition:1', 'disposition_name': 'Undetermined', 'dvc': ['device1', 'device2'], 'excluded_finding_ids': ['finding1', 'finding2'], 'finding': { 'info_max_time': '+Infinity', 
'info_min_time': '0.000', 'search_name': 'Manual Notable Event - Rule', }, 'finding_id': 'A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9', 'findings': { 'field_inheritors': ['11111111-1111-1111-1111-111111111111'], 'incident_ids': [ '11111111-1111-1111-1111-111111111111', '11111111-1111-1111-1111-111111111112', ], }, 'incident_origin': 'ES Notable Event', 'investigation_guid': '00000000-0000-0000-0000-000000000000', 'investigation_id': 'ES-00001', 'investigation_type': 'threat investigation', 'mc_create_time': 1676497763.861311, 'name': 'New Investigation', 'orig_host': ['host1', 'host2'], 'owner': 'admin', 'parent_incidents': [], 'response_plans': [], 'risk_event_count': 5, 'risk_object': ['entity1', 'entity2'], 'risk_score': 20, 'sensitivity': 'Red', 'source': 'Threat - Mission Control - Rule', 'src': ['10.0.0.1', '10.0.0.2'], 'src_user': ['user1', 'user2'], 'status': '1', 'status_name': 'New', 'update_time': 1676497800.160927, 'urgency': 'informational', 'user': ['user1', 'user2'], } ] ], )
