Containers
Fetches containers from Splunk SOAR for security operations and incident tracking.
Sync Type: Incremental Synchronisation
Requirements
Before configuring this input, you need:
-
A Splunk SOAR Instance — An active Splunk SOAR deployment with network access from Monad.
-
Create an Auth Token — To generate a Splunk SOAR authentication token:
- Log in to your Splunk SOAR instance
- Navigate to Administration → User Management → Users
- Click on your user account
- Select the Token tab
- Click Create New Token
- Copy the generated token and securely store it
Details
Monad retrieves containers from Splunk SOAR incrementally using two separate queries to capture containers changed for different reasons. On the first run, all containers are fetched. On subsequent runs, only containers with updates since the last sync are retrieved.
Data Retrieval Flow
Monad makes two separate calls to /rest/container on each run:
-
Container Update Tracking — Calls
GET /rest/containerwith:sort=update_timeandorder=asc(ascending order by update time)page=0andpage_size=200(200 records per page)_filter_update_time__gtfilter on subsequent runs (RFC3339Nano formatted timestamp)- Processes all containers in the
dataarray and tracks the maximumupdate_timeseen - Paginates using the
pageparameter andnum_pagesfrom the response - Checkpoints the maximum
update_timeasLastContainerUpdateTime
-
Artifact Update Tracking — Calls
GET /rest/containerwith:sort=artifact_update_timeandorder=asc(ascending order by artifact update time)page=0andpage_size=200(200 records per page)_filter_artifact_update_time__gtfilter on subsequent runs (RFC3339Nano formatted timestamp)- Processes all containers in the
dataarray and tracks the maximumartifact_update_timeseen - Paginates using the
pageparameter andnum_pagesfrom the response - Checkpoints the maximum
artifact_update_timeasLastArtifactUpdateTime
-
Union and Deduplication — Results from both calls are unioned by container ID. If a container appears in both result sets, only one record is emitted, preferring whichever has the newer timestamp.
-
State Management — After processing all pages from both calls, both checkpoint values (
LastContainerUpdateTimeandLastArtifactUpdateTime) are saved to state. On the next run, these are used as the respective filter cursors to skip containers not modified since the last sync.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Base URL | string | Yes | Base URL of the Splunk SOAR instance (e.g., https://soar.example.com). Must start with http:// or https://. |
| Cron | string | Yes | Standard cron expression for scheduling when this input runs. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Auth Token | string | Yes | Splunk SOAR authentication token. Sent as the ph-auth-token request header. |
Rate Limits
| Scope | Limit | Window | Notes |
|---|---|---|---|
| API Requests | 10 | Per second | Conservative limit; Splunk SOAR does not publicly document exact REST API rate limits |
Source: Conservative estimate based on typical enterprise API rate limiting practices.
Related Articles
Sample Record
{
"artifact_count": 6,
"artifact_update_time": "2026-04-29T10:14:11.989529Z",
"close_time": null,
"container_type": "default",
"create_time": "2026-04-29T10:14:11.11989529Z",
"description": "Automated security event requiring investigation.",
"due_time": null,
"end_time": "2026-04-29T10:14:11.11989529Z",
"hash": "cb9fb833-2c88-4ca7-801a-fc99271ec59a",
"id": 3204,
"in_case": true,
"label": "network",
"name": "Suspicious Login",
"owner": 41,
"owner_name": "admin",
"sensitivity": "amber",
"severity": "high",
"source_data_identifier": "8606",
"start_time": "2026-04-29T10:14:11.11989529Z",
"status": "open",
"tags": [],
"tenant": 0,
"update_time": "2026-04-29T10:14:11.11989529Z",
"version": 1
}