- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- Bulk Resolution for Playbook Prompts?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bulk Resolution for Playbook Prompts?
Hi All,
Is there a way to simultaneously/bulk respond to multiple notifications generated by prompt actions, or an admin override to dismiss prompts and allow a playbook to move on to a next step?
Ran into a couple situations where many related events need a single prompt response. We can bulk edit the events to close them, but the associated playbook will continue to wait for the notification to proceed.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The only way I found to accomplish this is by running a heavily customized playbook. I would have hoped this would be in the Approval REST API or administrator interface to respond to all specific running prompts, but I couldn't find any method other than cancelling all playbooks or a customized playbook.
Here's the short and sweet of it and I'll dig a little deeper after.
Filtered REST container call>REST container call for playbook_runs>list out running playbooks>REST playbook_run cancel API. This will cancel only specified playbooks running in specified containers.
Here's the long and sour of it. I've probably over-complicated it, but sadly that's my method of operation. All rests are using the Phantom http app.
Filtered REST call - Perform a "Container Call" with a "Query for Data" such /rest/container/?_filter_name="Test Container Names".
The output returns the containerIDs for all query matches.
Playbook Runs REST call - On the "Query for Data" doc, there's a container pseudo field "playbook runs" for "playbook_runs". Feed the containerIDs to this with "/rest/container/{0}/playbook_runs" in a format block.
This outputs all playbooks that ran on a container. Note that this may need multiple page calls with "/rest/container/{0}/playbook_runs?page=n". I performed this in the Global Block editing section with my own functions and leveraging callbacks to tie it in to the action blocks.
List Running Playbooks - Now that you have a list of all playbooks running from the previous step, I pulled the playbook ID, status, and message. Using the defined functions in the global block, I gathered all these IDs, statuses, and messages into their own list and used a custom function playbook API call so I can hook back into the visual editor. In the custom function, I whittle down the list of items to just what I want to cancel, then pass that out of the custom function.
REST playbook_run cancel API - Now with the list of playbook run IDs in hand, I can leverage the Run Playbook endpoint which allows a running playbook to be cancelled.
This is my ugly way of "responding" to multiple hanging playbooks or unnecessary prompts without responding one by one or cancelling everything.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
