Splunk SOAR (f.k.a. Phantom)

Bulk Resolution for Playbook Prompts?

PistolShrimp
Engager

Hi All,

Is there a way to simultaneously/bulk respond to multiple notifications generated by prompt actions, or an admin override to dismiss prompts and allow a playbook to move on to a next step?

Ran into a couple of situations where many related events need a single prompt response. We can bulk edit the events to close them, but the associated playbook will continue to wait for the notification to proceed.

Thanks!


Maurice_Moss
Engager

Hello,

The only way I found to accomplish this is by running a heavily customized playbook. I would have hoped this would be in the Approval REST API or administrator interface to respond to all specific running prompts, but I couldn't find any method other than cancelling all playbooks or a customized playbook.

Here's the short and sweet of it and I'll dig a little deeper after.

Filtered REST container call > REST container call for playbook_runs > list out running playbooks > REST playbook_run cancel API. This will cancel only specified playbooks running in specified containers.


Here's the long and sour of it. I've probably over-complicated it, but sadly that's my method of operation. All REST calls are using the Phantom http app.

Filtered REST call - Perform a "Container Call" with a "Query for Data" such as /rest/container/?_filter_name="Test Container Names".

The output returns the containerIDs for all query matches.

Playbook Runs REST call - On the "Query for Data" doc, there's a container pseudo field "playbook runs" for "playbook_runs". Feed the container IDs to this with "/rest/container/{0}/playbook_runs" in a format block.

This outputs all playbooks that ran on a container. Note that this may need multiple page calls with "/rest/container/{0}/playbook_runs?page=n". I performed this in the Global Block editing section with my own functions and leveraged callbacks to tie it in to the action blocks.

List Running Playbooks - Now that you have a list of all playbooks running from the previous step, I pulled the playbook ID, status, and message. Using the defined functions in the global block, I gathered all these IDs, statuses, and messages into their own list and used a custom function playbook API call so I can hook back into the visual editor. In the custom function, I whittle down the list of items to just what I want to cancel, then pass that out of the custom function.

REST playbook_run cancel API - Now with the list of playbook run IDs in hand, I can leverage the Run Playbook endpoint which allows a running playbook to be cancelled.


This is my ugly way of "responding" to multiple hanging playbooks or unnecessary prompts without responding one by one or cancelling everything.
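The four-step chain described in this answer (filter containers by name, page through each container's playbook_runs, keep only the runs that are still running and match a message, then cancel those run IDs) written out as a standalone Python script rather than a playbook with global-block callbacks. This is an added example, not the poster's playbook or anything shipped with Splunk SOAR. It assumes the REST envelope shape (`data`, `num_pages`) and 0-based `?page=N` paging seen in the SOAR REST docs, and that a run is cancelled with `POST /rest/playbook_run/{id}` and body `{"cancel": true}`; confirm both against the REST API reference for your SOAR version before pointing it at a live instance. The transport is injectable so the script runs offline against constructed sample responses, and `dry_run` defaults to on so a typo in the container filter lists runs instead of cancelling them.

```python
"""Bulk-cancel SOAR playbook runs that are parked on a prompt (added example).

Assumptions (verify against your SOAR version's REST API reference):
  GET  /rest/container?_filter_name="<name>"   -> {"num_pages": N, "data": [{"id": ...}, ...]}
  GET  /rest/container/<id>/playbook_runs?page=P -> same envelope, items carry id/status/message
  POST /rest/playbook_run/<run_id>  body {"cancel": true}   -> cancels that run
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# transport(method, path, json_body_or_None) -> decoded JSON response.
Transport = Callable[[str, str, Optional[dict]], dict]


def make_urllib_transport(base_url: str, token: str) -> Transport:
    """Real transport for a SOAR instance; ph-auth-token is the automation-user header."""
    def transport(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                     headers={"ph-auth-token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises on non-2xx
            return json.load(resp)
    return transport


def paged(transport: Transport, path: str) -> Iterator[dict]:
    """Follow ?page=N until num_pages is exhausted, mirroring the manual paging in the answer."""
    page = 0
    while True:
        sep = "&" if "?" in path else "?"
        resp = transport("GET", f"{path}{sep}page={page}", None)
        yield from resp.get("data", [])
        page += 1
        if page >= resp.get("num_pages", 1):
            break


def find_containers(transport: Transport, name: str) -> List[int]:
    """Step 1: container IDs whose name matches the filter."""
    return [c["id"] for c in paged(transport, f'/rest/container?_filter_name="{name}"')]


def running_runs(transport: Transport, container_ids: List[int]) -> List[Dict]:
    """Steps 2-3: playbook runs on those containers that are still in status 'running'."""
    runs = []
    for cid in container_ids:
        for run in paged(transport, f"/rest/container/{cid}/playbook_runs"):
            if run.get("status") == "running":
                runs.append({"id": run["id"], "container": cid, "message": run.get("message", "")})
    return runs


def cancel_runs(transport: Transport, run_ids: List[int], dry_run: bool = True) -> List[int]:
    """Step 4: cancel each run ID (only issues the POST when dry_run is False)."""
    for rid in run_ids:
        if not dry_run:
            transport("POST", f"/rest/playbook_run/{rid}", {"cancel": True})
    return list(run_ids)


def bulk_cancel(transport: Transport, container_name: str, message_contains: str = "",
                dry_run: bool = True) -> List[int]:
    """Whole chain; message_contains narrows to e.g. runs whose message mentions a prompt."""
    runs = running_runs(transport, find_containers(transport, container_name))
    return cancel_runs(transport, [r["id"] for r in runs if message_contains in r["message"]], dry_run)


def make_fake_transport(log: List) -> Transport:
    """Constructed sample responses: two containers, one with two pages of runs. No real IDs."""
    pages = {
        '/rest/container?_filter_name="Test Container Names"&page=0': {"num_pages": 1, "data": [{"id": 7}, {"id": 9}]},
        "/rest/container/7/playbook_runs?page=0": {"num_pages": 2, "data": [
            {"id": 101, "status": "running", "message": "Waiting on prompt response"},
            {"id": 102, "status": "success", "message": "Playbook finished"}]},
        "/rest/container/7/playbook_runs?page=1": {"num_pages": 2, "data": [
            {"id": 103, "status": "running", "message": "Waiting on prompt response"}]},
        "/rest/container/9/playbook_runs?page=0": {"num_pages": 1, "data": [
            {"id": 201, "status": "running", "message": "Blocking on approval"}]},
    }

    def transport(method: str, path: str, body: Optional[dict]) -> dict:
        if method == "POST":
            log.append((method, path, body))
            return {"id": int(path.rsplit("/", 1)[1]), "cancelled": True}
        return pages[path]
    return transport


if __name__ == "__main__":
    posted: List = []
    fake = make_fake_transport(posted)
    print("would cancel:", bulk_cancel(fake, "Test Container Names", "prompt"))
    print("cancelled:", bulk_cancel(fake, "Test Container Names", "prompt", dry_run=False), posted)
```

Swap `make_fake_transport` for `make_urllib_transport("https://<soar-host>", "<automation-token>")` to run it for real; the automation user needs permission to cancel playbook runs, and filtering on the run message keeps the cancel limited to runs parked on the prompt rather than every running playbook on the container.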
