Splunk SOAR (f.k.a. Phantom)

Bulk Resolution for Playbook Prompts?


Hi All,

Is there a way to simultaneously/bulk respond to multiple notifications generated by prompt actions, or an admin override to dismiss prompts and allow a playbook to move on to a next step?

Ran into a couple of situations where many related events need a single prompt response. We can bulk edit the events to close them, but the associated playbook will continue to wait for the notification to proceed.





The only way I found to accomplish this is by running a heavily customized playbook.  I would have hoped this would be in the Approval REST API or administrator interface to respond to all specific running prompts, but I couldn't find any method other than cancelling all playbooks or a customized playbook.

Here's the short and sweet of it and I'll dig a little deeper after.  

Filtered REST container call > REST container call for playbook_runs > list out running playbooks > REST playbook_run cancel API. This will cancel only specified playbooks running in specified containers.


Here's the long and sour of it. I've probably over-complicated it, but sadly that's my method of operation. All REST calls are using the Phantom HTTP app.

Filtered REST call - Perform a "Container Call" with a "Query for Data" such as /rest/container/?_filter_name="Test Container Names".

The output returns the containerIDs for all query matches.

Playbook Runs REST call - On the "Query for Data" doc, there's a container pseudo field "playbook runs" for "playbook_runs".  Feed the containerIDs to this with "/rest/container/{0}/playbook_runs" in a format block.

This outputs all playbooks that ran on a container.  Note that this may need multiple page calls with "/rest/container/{0}/playbook_runs?page=n".  I performed this in the Global Block editing section with my own functions and leveraging callbacks to tie it in to the action blocks.

List Running Playbooks - Now that you have a list of all playbooks running from the previous step, I pulled the playbook ID, status, and message.  Using the defined functions in the global block, I gathered all these IDs, statuses, and messages into their own list and used a custom function playbook API call so I can hook back into the visual editor.  In the custom function, I whittle down the list of items to just what I want to cancel, then pass that out of the custom function.

REST playbook_run cancel API - Now with the list of playbook run IDs in hand, I can leverage the Run Playbook endpoint which allows a running playbook to be cancelled. 


This is my ugly way of "responding" to multiple hanging playbooks or unnecessary prompts without responding one by one or cancelling everything.


