feat: Add action.sendtophantom for splunk_saved_searches

client/models/saved_searches.go

@@ -118,6 +118,16 @@ type SavedSearchObject struct {
 	ActionJiraServiceDeskParamJiraPriority       string  `json:"action.jira_service_desk.param.jira_priority,omitempty" url:"action.jira_service_desk.param.jira_priority"`
 	ActionJiraServiceDeskParamJiraDescription    string  `json:"action.jira_service_desk.param.jira_description,omitempty" url:"action.jira_service_desk.param.jira_description"`
 	ActionJiraServiceDeskParamJiraCustomfields   string  `json:"action.jira_service_desk.param.jira_customfields,omitempty" url:"action.jira_service_desk.param.jira_customfields"`
+	ActionSendToPhantom                          string  `json:"action.sendtophantom,omitempty" url:"action.sendtophantom"`
+	ActionSendToPhantomParamPhantomServer        string  `json:"action.sendtophantom.param.phantom_server,omitempty" url:"action.sendtophantom.param.phantom_server"`
+	ActionSendToPhantomParamServerPlaybookName   string  `json:"action.sendtophantom.param.server_playbook_name,omitempty" url:"action.sendtophantom.param.server_playbook_name"`
+	ActionSendToPhantomParamSeverity             string  `json:"action.sendtophantom.param.severity,omitempty" url:"action.sendtophantom.param.severity"`
+	ActionSendToPhantomParamSensitivity          string  `json:"action.sendtophantom.param.sensitivity,omitempty" url:"action.sendtophantom.param.sensitivity"`
+	ActionSendToPhantomParamLabel                string  `json:"action.sendtophantom.param.label,omitempty" url:"action.sendtophantom.param.label"`
+	ActionSendToPhantomParamGrouping             string  `json:"action.sendtophantom.param.grouping,omitempty" url:"action.sendtophantom.param.grouping"`
+	ActionSendToPhantomParamRelayAccount         string  `json:"action.sendtophantom.param.relay_account,omitempty" url:"action.sendtophantom.param.relay_account"`
+	ActionSendToPhantomParamContainerName        string  `json:"action.sendtophantom.param.container_name,omitempty" url:"action.sendtophantom.param.container_name"`
+	ActionSendToPhantomParam_CamWorkers          string  `json:"action.sendtophantom.param._cam_workers,omitempty" url:"action.sendtophantom.param._cam_workers"`
 	ActionWebhookParamUrl                        string  `json:"action.webhook.param.url,omitempty" url:"action.webhook.param.url"`
 	AlertDigestMode                              bool    `json:"alert.digest_mode" url:"alert.digest_mode"`
 	AlertExpires                                 string  `json:"alert.expires,omitempty" url:"alert.expires,omitempty"`

splunk/resource_splunk_configs_conf_test.go

@@ -112,7 +112,6 @@ func TestAccCreateSplunkConfigsConfSpecialChars(t *testing.T) {
 	})
 }
 
-
 func testAccSplunkConfigsConfDestroyResources(s *terraform.State) error {
 	client, err := newTestClient()
 	if err != nil {

splunk/resource_splunk_saved_searches.go

@@ -695,6 +695,56 @@ func savedSearches() *schema.Resource {
 				Description:  "URL to send the HTTP POST request to. Must be accessible from the Splunk server.",
 				ValidateFunc: validation.StringMatch(regexp.MustCompile(`^https?://[^\s]+$`), "Webhook URL is invalid"),
 			},
+			"action_sendtophantom": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Enable the send to phantom action (https://docs.splunk.com/Documentation/SOARExport/4.3.13/UserGuide/Adaptiveresponseactions#Send_to_SOAR_request).",
+			},
+			"action_sendtophantom_param_phantom_server": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The phantom server.",
+			},
+			"action_sendtophantom_param_server_playbook_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "server_playbook_name",
+			},
+			"action_sendtophantom_param_severity": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Alert severity.",
+			},
+			"action_sendtophantom_param_sensitivity": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Alert sensitivity.",
+			},
+			"action_sendtophantom_param_label": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Alert label.",
+			},
+			"action_sendtophantom_param_grouping": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Alert grouping.",
+			},
+			"action_sendtophantom_param_relay_account": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "relay_account (the Alert Action Account).",
+			},
+			"action_sendtophantom_param_container_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "search_name (default) or source.",
+			},
+			"action_sendtophantom_param_cam_workers": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Adaptive response relay worker, use [\"local\"] if running locally.",
+			},
 			"alert_digest_mode": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -1495,6 +1545,36 @@ func savedSearchesRead(d *schema.ResourceData, meta interface{}) error {
 	if err = d.Set("action_jira_service_desk_param_jira_customfields", entry.Content.ActionJiraServiceDeskParamJiraCustomfields); err != nil {
 		return err
 	}
+	if err = d.Set("action_sendtophantom", entry.Content.ActionSendToPhantom); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_phantom_server", entry.Content.ActionSendToPhantomParamPhantomServer); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_server_playbook_name", entry.Content.ActionSendToPhantomParamServerPlaybookName); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_severity", entry.Content.ActionSendToPhantomParamSeverity); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_sensitivity", entry.Content.ActionSendToPhantomParamSensitivity); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_label", entry.Content.ActionSendToPhantomParamLabel); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_grouping", entry.Content.ActionSendToPhantomParamGrouping); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_relay_account", entry.Content.ActionSendToPhantomParamRelayAccount); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_container_name", entry.Content.ActionSendToPhantomParamContainerName); err != nil {
+		return err
+	}
+	if err = d.Set("action_sendtophantom_param_cam_workers", entry.Content.ActionSendToPhantomParam_CamWorkers); err != nil {
+		return err
+	}
 	if err = d.Set("action_webhook_param_url", entry.Content.ActionWebhookParamUrl); err != nil {
 		return err
 	}
@@ -1837,6 +1917,16 @@ func getSavedSearchesConfig(d *schema.ResourceData) (savedSearchesObj *models.Sa
 		ActionJiraServiceDeskParamJiraPriority:       d.Get("action_jira_service_desk_param_jira_priority").(string),
 		ActionJiraServiceDeskParamJiraDescription:    d.Get("action_jira_service_desk_param_jira_description").(string),
 		ActionJiraServiceDeskParamJiraCustomfields:   d.Get("action_jira_service_desk_param_jira_customfields").(string),
+		ActionSendToPhantom:                          d.Get("action_sendtophantom").(string),
+		ActionSendToPhantomParamPhantomServer:        d.Get("action_sendtophantom_param_phantom_server").(string),
+		ActionSendToPhantomParamServerPlaybookName:   d.Get("action_sendtophantom_param_server_playbook_name").(string),
+		ActionSendToPhantomParamSeverity:             d.Get("action_sendtophantom_param_severity").(string),
+		ActionSendToPhantomParamSensitivity:          d.Get("action_sendtophantom_param_sensitivity").(string),
+		ActionSendToPhantomParamLabel:                d.Get("action_sendtophantom_param_label").(string),
+		ActionSendToPhantomParamGrouping:             d.Get("action_sendtophantom_param_grouping").(string),
+		ActionSendToPhantomParamRelayAccount:         d.Get("action_sendtophantom_param_relay_account").(string),
+		ActionSendToPhantomParamContainerName:        d.Get("action_sendtophantom_param_container_name").(string),
+		ActionSendToPhantomParam_CamWorkers:          d.Get("action_sendtophantom_param_cam_workers").(string),
 		ActionWebhookParamUrl:                        d.Get("action_webhook_param_url").(string),
 		AlertComparator:                              d.Get("alert_comparator").(string),
 		AlertCondition:                               d.Get("alert_condition").(string),

splunk/resource_splunk_saved_searches_test.go

@@ -284,6 +284,34 @@ resource "splunk_saved_searches" "test" {
   }
 `
 
+const newSavedSearchesSendToPhantom = `
+resource "splunk_saved_searches" "test" {
+	name = "Test Phantom Alert"
+	actions = "sendtophantom"
+	action_sendtophantom = "1"
+	action_sendtophantom_param_phantom_server = "test_phantom_server"
+	action_sendtophantom_param_server_playbook_name = "test_playbook"
+	action_sendtophantom_param_severity = "high"
+	action_sendtophantom_param_sensitivity = "amber"
+	action_sendtophantom_param_label = "test"
+	action_sendtophantom_param_grouping = "1"
+	action_sendtophantom_param_relay_account = "test_relay_account"
+	action_sendtophantom_param_container_name = "default"
+	action_sendtophantom_param_cam_workers = "[\"local\"]"
+	alert_comparator    = "greater than"
+	alert_digest_mode   = true
+	alert_expires       = "30d"
+	alert_threshold     = "0"
+	alert_type          = "number of events"
+	cron_schedule       = "*/1 * * * *"
+	disabled            = false
+	is_scheduled        = true
+	is_visible          = true
+	realtime_schedule   = true
+	search              = "index=main level=error"
+}
+`
+
 func TestAccSplunkSavedSearches(t *testing.T) {
 	resourceName := "splunk_saved_searches.test"
 	resource.Test(t, resource.TestCase{
@@ -423,6 +451,34 @@ func TestAccSplunkSavedSearches(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "search", "index=main level=error"),
 				),
 			},
+			{
+				Config: newSavedSearchesSendToPhantom,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", "Test Phantom Alert"),
+					resource.TestCheckResourceAttr(resourceName, "actions", "sendtophantom"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom", "1"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_phantom_server", "test_phantom_server"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_server_playbook_name", "test_playbook"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_severity", "high"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_sensitivity", "amber"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_label", "test"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_grouping", "1"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_relay_account", "test_relay_account"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_container_name", "default"),
+					resource.TestCheckResourceAttr(resourceName, "action_sendtophantom_param_cam_workers", "[\"local\"]"),
+					resource.TestCheckResourceAttr(resourceName, "alert_comparator", "greater than"),
+					resource.TestCheckResourceAttr(resourceName, "alert_digest_mode", "true"),
+					resource.TestCheckResourceAttr(resourceName, "alert_expires", "30d"),
+					resource.TestCheckResourceAttr(resourceName, "alert_threshold", "0"),
+					resource.TestCheckResourceAttr(resourceName, "alert_type", "number of events"),
+					resource.TestCheckResourceAttr(resourceName, "cron_schedule", "*/1 * * * *"),
+					resource.TestCheckResourceAttr(resourceName, "disabled", "false"),
+					resource.TestCheckResourceAttr(resourceName, "is_scheduled", "true"),
+					resource.TestCheckResourceAttr(resourceName, "is_visible", "true"),
+					resource.TestCheckResourceAttr(resourceName, "realtime_schedule", "true"),
+					resource.TestCheckResourceAttr(resourceName, "search", "index=main level=error"),
+				),
+			},
 			{
 				Config: newSavedSearchesSlack,
 				Check: resource.ComposeTestCheckFunc(