<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do i stop a running playbook when the case changed to closed? in Splunk SOAR</title>
    <link>https://community.splunk.com/t5/Splunk-SOAR/How-do-i-stop-a-running-playbook-when-the-case-changed-to-closed/m-p/661273#M1290</link>
    <description>&lt;P&gt;As of version 6 we're able to run playbooks when a container is closed. That's the easy part. Canceling running playbooks takes a few custom API calls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="python"&gt;    # Pulls the id for this playbook. It shouldn't be hardcoded because the ID changes with each version and may not increment as expected
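    # NOTE(review): every request below passes verify=False, which (assuming phantom.requests
    # behaves like the requests library) skips TLS certificate validation. These calls can
    # cancel response actions, so confirm they only ever reach the local instance; where the
    # instance has a trusted certificate, pass the CA bundle path as verify instead.
    my_id_url = phantom.build_phantom_rest_url('playbook') + '?_filter_name="my_playbook_name"'
    my_id_resp_json = phantom.requests.get(my_id_url, verify=False).json()
    # [0] assumes the name filter matches at least one playbook (IndexError otherwise) and that
    # the first match is this playbook - verify if the same name exists in more than one repo,
    # because a wrong my_id means this playbook can end up cancelling its own run.
    my_id = my_id_resp_json['data'][0]['id']

    # Pull the audit trail of the current container.
    audit_url = phantom.build_phantom_rest_url('container', container_id, 'audit')
    audit_resp_json = phantom.requests.get(audit_url, verify=False).json()

    for entry in audit_resp_json:
        # Only audit entries written for a playbook run are of interest.
        if entry['AUDIT SOURCE'] != 'Playbook Run':
            continue

        # Fetch the details of that run.
        runs_url = phantom.build_phantom_rest_url('playbook_run', entry['AUDIT ID'])
        runs_resp_json = phantom.requests.get(runs_url, verify=False).json()

        # Skip runs that are no longer running, and never cancel this playbook itself.
        if runs_resp_json['status'] != 'running' or runs_resp_json['playbook'] == my_id:
            continue

        # Send a POST asking the platform to cancel the run.
        cancel_url = phantom.build_phantom_rest_url('playbook_run', runs_resp_json['id'])
        cancel_post = phantom.requests.post(cancel_url, data='{"cancel":true}', verify=False)

        # Record every cancellation attempt: stopping a run part-way can leave a response
        # action half done, so the log should show which run was stopped and whether it worked.
        # (The original left both branches empty, which is a syntax error in Python.)
        if cancel_post.status_code == 200:
            phantom.debug('Cancelled playbook run {}'.format(runs_resp_json['id']))
        else:
            phantom.error('Failed to cancel playbook run {} (HTTP {})'.format(runs_resp_json['id'], cancel_post.status_code))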
    &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 18 Oct 2023 21:59:00 GMT</pubDate>
    <dc:creator>SOARt_of_Lost</dc:creator>
    <dc:date>2023-10-18T21:59:00Z</dc:date>
    <item>
      <title>How do i stop a running playbook when the case changed to closed?</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/How-do-i-stop-a-running-playbook-when-the-case-changed-to-closed/m-p/645546#M1195</link>
      <description>&lt;P&gt;I have an active playbook that runs on most event types, but some get auto-closed and I would like to know if there's a way to end the playbook run if the case gets closed before the playbook run finishes.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jun 2023 12:25:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/How-do-i-stop-a-running-playbook-when-the-case-changed-to-closed/m-p/645546#M1195</guid>
      <dc:creator>kblaine</dc:creator>
      <dc:date>2023-06-02T12:25:21Z</dc:date>
    </item>
    <item>
      <title>Re: How do i stop a running playbook when the case changed to closed?</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/How-do-i-stop-a-running-playbook-when-the-case-changed-to-closed/m-p/661273#M1290</link>
      <description>&lt;P&gt;As of version 6 we're able to run playbooks when a container is closed. That's the easy part. Canceling running playbooks takes a few custom API calls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="python"&gt;    # Pulls the id for this playbook. It shouldn't be hardcoded because the ID changes with each version and may not increment as expected
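    # NOTE(review): every request below passes verify=False, which (assuming phantom.requests
    # behaves like the requests library) skips TLS certificate validation. These calls can
    # cancel response actions, so confirm they only ever reach the local instance; where the
    # instance has a trusted certificate, pass the CA bundle path as verify instead.
    my_id_url = phantom.build_phantom_rest_url('playbook') + '?_filter_name="my_playbook_name"'
    my_id_resp_json = phantom.requests.get(my_id_url, verify=False).json()
    # [0] assumes the name filter matches at least one playbook (IndexError otherwise) and that
    # the first match is this playbook - verify if the same name exists in more than one repo,
    # because a wrong my_id means this playbook can end up cancelling its own run.
    my_id = my_id_resp_json['data'][0]['id']

    # Pull the audit trail of the current container.
    audit_url = phantom.build_phantom_rest_url('container', container_id, 'audit')
    audit_resp_json = phantom.requests.get(audit_url, verify=False).json()

    for entry in audit_resp_json:
        # Only audit entries written for a playbook run are of interest.
        if entry['AUDIT SOURCE'] != 'Playbook Run':
            continue

        # Fetch the details of that run.
        runs_url = phantom.build_phantom_rest_url('playbook_run', entry['AUDIT ID'])
        runs_resp_json = phantom.requests.get(runs_url, verify=False).json()

        # Skip runs that are no longer running, and never cancel this playbook itself.
        if runs_resp_json['status'] != 'running' or runs_resp_json['playbook'] == my_id:
            continue

        # Send a POST asking the platform to cancel the run.
        cancel_url = phantom.build_phantom_rest_url('playbook_run', runs_resp_json['id'])
        cancel_post = phantom.requests.post(cancel_url, data='{"cancel":true}', verify=False)

        # Record every cancellation attempt: stopping a run part-way can leave a response
        # action half done, so the log should show which run was stopped and whether it worked.
        # (The original left both branches empty, which is a syntax error in Python.)
        if cancel_post.status_code == 200:
            phantom.debug('Cancelled playbook run {}'.format(runs_resp_json['id']))
        else:
            phantom.error('Failed to cancel playbook run {} (HTTP {})'.format(runs_resp_json['id'], cancel_post.status_code))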
    &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 18 Oct 2023 21:59:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/How-do-i-stop-a-running-playbook-when-the-case-changed-to-closed/m-p/661273#M1290</guid>
      <dc:creator>SOARt_of_Lost</dc:creator>
      <dc:date>2023-10-18T21:59:00Z</dc:date>
    </item>
  </channel>
</rss>

