Splunk SOAR (f.k.a. Phantom)

Bulk Resolution for Playbook Prompts?


Hi All,

Is there a way to simultaneously/bulk respond to multiple notifications generated by prompt actions, or an admin override to dismiss prompts and allow a playbook to move on to a next step?

Ran into a couple situations where many related events need a single prompt response.  We can bulk edit the events to close them, but the associated playbook will continue to wait for the notification to proceed.





The only way I found to accomplish this is by running a heavily customized playbook.  I would have hoped this would be in the Approval REST API or administrator interface to respond to all specific running prompts, but I couldn't find any method other than cancelling all playbooks or a customized playbook.

Here's the short and sweet of it and I'll dig a little deeper after.  

Filtered REST container call > REST container call for playbook_runs > list out running playbooks > REST playbook_run cancel API.  This will cancel only specified playbooks running in specified containers.


Here's the long and sour of it.  I've probably over-complicated it, but sadly that's my method of operation.  All REST calls are using the Phantom HTTP app.

Filtered REST call - Perform a "Container Call" with a "Query for Data" such as /rest/container/?_filter_name="Test Container Names".

The output returns the containerIDs for all query matches.

Playbook Runs REST call - On the "Query for Data" doc, there's a container pseudo field "playbook runs" for "playbook_runs".  Feed the containerIDs to this with "/rest/container/{0}/playbook_runs" in a format block.

This outputs all playbooks that ran on a container.  Note that this may need multiple page calls with "/rest/container/{0}/playbook_runs?page=n".  I performed this in the Global Block editing section with my own functions and leveraging callbacks to tie it in to the action blocks.

List Running Playbooks - Now that you have a list of all playbooks running from the previous step, I pulled the playbook ID, status, and message.  Using the defined functions in the global block, I gathered all these IDs, statuses, and messages into their own list and used a custom function playbook API call so I can hook back into the visual editor.  In the custom function, I whittle down the list of items to just what I want to cancel, then pass that out of the custom function.

REST playbook_run cancel API - Now with the list of playbook run IDs in hand, I can leverage the Run Playbook endpoint which allows a running playbook to be cancelled. 


This is my ugly way of "responding" to multiple hanging playbooks or unnecessary prompts without responding one by one or cancelling everything.
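The four-step procedure described in the answer above, as an added example that is not part of the original post and not Splunk's or the Phantom HTTP app's own code. It drives the same endpoints through a generic HTTP transport: a `_filter_name` container query, each container's `playbook_runs` pseudo field paged with `?page=n`, a filter down to the runs that are still `running` for one playbook ID, and a cancel through the playbook_run endpoint. Assumptions to verify against your SOAR version: the list-response shape `{"count", "num_pages", "data"}`, the `playbook` / `status` field names on a playbook_run record, and the cancel body `{"playbook_run_id": <id>, "cancel": true}`. The `FakeSoar` transport and its containers and runs are constructed stand-in data so the module runs offline.

```python
"""Bulk-cancel waiting playbook runs across matching containers (added example)."""
from typing import Callable, Iterator, List, Optional

# (method, path, query_params, json_body) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], Optional[dict]], dict]


class SoarClient:
    """Thin wrapper so the procedure is independent of the HTTP library used."""
    def __init__(self, transport: Transport):
        self._t = transport

    def get(self, path: str, params: Optional[dict] = None) -> dict:
        return self._t("GET", path, params, None)

    def post(self, path: str, body: dict) -> dict:
        return self._t("POST", path, None, body)


def _paged(client: SoarClient, path: str, params: Optional[dict] = None) -> Iterator[dict]:
    """Yield every item of a paged list endpoint by walking ?page=n (assumed 0-based)."""
    page = 0
    while True:
        resp = client.get(path, dict(params or {}, page=page))
        data = resp.get("data", [])
        if not data:
            return
        yield from data
        page += 1
        if page >= resp.get("num_pages", 0):  # assumed response field
            return


def find_container_ids(client: SoarClient, name: str) -> List[int]:
    """Step 1: filtered container query (_filter_name="<name>")."""
    return [c["id"] for c in _paged(client, "/rest/container", {"_filter_name": f'"{name}"'})]


def list_playbook_runs(client: SoarClient, container_id: int) -> List[dict]:
    """Step 2: all playbook runs on one container, across every page."""
    return list(_paged(client, f"/rest/container/{container_id}/playbook_runs"))


def select_runs_to_cancel(runs: List[dict], playbook_id: int) -> List[int]:
    """Step 3: keep only runs still 'running' for the given playbook ID (assumed field names)."""
    return [r["id"] for r in runs if r.get("status") == "running" and r.get("playbook") == playbook_id]


def cancel_run(client: SoarClient, run_id: int) -> bool:
    """Step 4: cancel one run via the playbook_run endpoint (body shape is an assumption)."""
    resp = client.post("/rest/playbook_run", {"playbook_run_id": run_id, "cancel": True})
    return bool(resp.get("success"))


def cancel_waiting_runs(client: SoarClient, container_name: str, playbook_id: int) -> List[int]:
    """Run the whole procedure; return the IDs that were actually cancelled, in order."""
    cancelled = []
    for cid in find_container_ids(client, container_name):
        for run_id in select_runs_to_cancel(list_playbook_runs(client, cid), playbook_id):
            if cancel_run(client, run_id):
                cancelled.append(run_id)
    return cancelled


class FakeSoar:
    """Constructed offline stand-in for a SOAR instance (not real data).
    Pages two items at a time so the ?page=n handling is exercised."""
    PAGE_SIZE = 2

    def __init__(self):
        self.containers = [
            {"id": 101, "name": "Test Container Names"},
            {"id": 102, "name": "Test Container Names"},
            {"id": 103, "name": "Unrelated Container"},
        ]
        self.runs = [
            {"id": 9001, "container": 101, "playbook": 7, "status": "running", "message": "waiting on prompt"},
            {"id": 9002, "container": 101, "playbook": 7, "status": "success", "message": "done"},
            {"id": 9003, "container": 101, "playbook": 8, "status": "running", "message": "other playbook"},
            {"id": 9004, "container": 102, "playbook": 7, "status": "running", "message": "waiting on prompt"},
            {"id": 9005, "container": 103, "playbook": 7, "status": "running", "message": "waiting on prompt"},
        ]
        self.cancelled: List[int] = []

    def _page(self, items: List[dict], params: Optional[dict]) -> dict:
        page = int((params or {}).get("page", 0))
        start = page * self.PAGE_SIZE
        num_pages = -(-len(items) // self.PAGE_SIZE)
        return {"count": len(items), "num_pages": num_pages, "data": items[start:start + self.PAGE_SIZE]}

    def __call__(self, method: str, path: str, params: Optional[dict], body: Optional[dict]) -> dict:
        if method == "GET" and path == "/rest/container":
            wanted = params["_filter_name"].strip('"')
            return self._page([c for c in self.containers if c["name"] == wanted], params)
        if method == "GET" and path.startswith("/rest/container/") and path.endswith("/playbook_runs"):
            cid = int(path.split("/")[3])
            return self._page([r for r in self.runs if r["container"] == cid], params)
        if method == "POST" and path == "/rest/playbook_run" and body and body.get("cancel"):
            run = next(r for r in self.runs if r["id"] == body["playbook_run_id"])
            run["status"] = "cancelled"  # fake-only marker; real post-cancel status not modelled
            self.cancelled.append(run["id"])
            return {"success": True}
        return {"failed": True, "message": f"unhandled {method} {path}"}


if __name__ == "__main__":
    fake = FakeSoar()
    print("cancelled:", cancel_waiting_runs(SoarClient(fake), "Test Container Names", 7))
```

Only runs 9001 and 9004 are cancelled: 9002 has already finished, 9003 belongs to a different playbook, and 9005 sits in a container the name filter excludes. To use it against a real instance, supply a transport that sends the method, path, params and JSON body with `ph-auth-token` authentication and returns the decoded response.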


