Splunk SOAR

Bulk Resolution for Playbook Prompts?

PistolShrimp
Engager

Hi All,

Is there a way to simultaneously/bulk respond to multiple notifications generated by prompt actions, or an admin override to dismiss prompts and allow a playbook to move on to a next step?

Ran into a couple situations where many related events need a single prompt response.  We can bulk edit the events to close them, but the associated playbook will continue to wait for the notification to proceed.

Thanks!

Labels (2)
0 Karma

Maurice_Moss
Engager

Hello,

The only way I found to accomplish this is by running a heavily customized playbook.  I would have hoped this would be in the Approval REST API or administrator interface to respond to all specific running prompts, but I couldn't find any method other than cancelling all playbooks or a customized playbook.

Here's the short and sweet of it and I'll dig a little deeper after.  

Filtered REST container call>REST container call for playbook_runs>list out running playbooks>REST playbook_run cancel API.  This will cancel only specified playbooks running in specified containers.

 

Here's the long and sour of it.  I've probably over-complicated it, but sadly that's my method of operation.  All rests are using the Phantom http app.

Filtered REST call - Perform a "Container Call" with a "Query for Data" such /rest/container/?_filter_name="Test Container Names".

The output returns the containerIDs for all query matches.

Playbook Runs REST call - On the "Query for Data" doc, there's a container pseudo field "playbook runs" for "playbook_runs".  Feed the containerIDs to this with "/rest/container/{0}/playbook_runs" in a format block.

This outputs all playbooks that ran on a container.  Note that this may need multiple page calls with "/rest/container/{0}/playbook_runs?page=n".  I performed this in the Global Block editing section with my own functions and leveraging callbacks to tie it in to the action blocks.

List Running Playbooks - Now that you have a list of all playbooks running from the previous step, I pulled the playbook ID, status, and message.  Using the defined functions in the global block, I gathered all these IDs, statuses, and messages into their own list and used a custom function playbook API call so I can hook back into the visual editor.  In the custom function, I whittle down the list of items to just what I want to cancel, then pass that out of the custom function.

REST playbook_run cancel API - Now with the list of playbook run IDs in hand, I can leverage the Run Playbook endpoint which allows a running playbook to be cancelled. 

 

This is my ugly way of "responding" to multiple hanging playbooks or unnecessary prompts without responding one by one or cancelling everything.

 

 

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...