Splunk SOAR

How do i stop a running playbook when the case changed to closed?

kblaine
Explorer

I have an active playbook that runs on most event types, but some get auto-closed and I would like to know if there's a way to end the playbook run if it the case gets closed before it finishes the playbook run.

Labels (3)

SOARt_of_Lost
Path Finder

As of version 6 we're able to run playbooks when a container is closed. That's the easy part. Canceling running playbooks takes a few custom API calls.

 

    # Pulls the id for this playbook. It shouldn't be hardcoded because the ID changes with each version and may not increment as expected
    my_id_url = phantom.build_phantom_rest_url('playbook') + '?_filter_name="my_playbook_name"'
    my_id_resp_json = phantom.requests.get(my_id_url, verify=False).json()
    my_id = my_id_resp_json['data'][0]['id']
    
    # Runs a query to pull the audit data of the current container
    audit_url = phantom.build_phantom_rest_url('container', container_id, 'audit')
    audit_resp_json = phantom.requests.get(audit_url, verify=False).json()

    for i in audit_resp_json:
        # Looks for any playbook that has run in the container
         if i['AUDIT SOURCE'] == 'Playbook Run':

                # Runs a query to find details on each run
                runs_url = phantom.build_phantom_rest_url('playbook_run', i['AUDIT ID'])
                runs_resp_json = phantom.requests.get(runs_url, verify=False).json()
                

		# Finds any playbook that is currently running which isn't this one
                if runs_resp_json['status'] == 'running' and runs_resp_json['playbook'] != my_id:
                    
                    #Sends a POST to cancel any that match the above criteria
                    cancel_url = phantom.build_phantom_rest_url('playbook_run', runs_resp_json['id'])
                    cancel_post = phantom.requests.post(cancel_url, data='{"cancel":true}', verify=False)

                    # If successful, up the succes count
                    if cancel_post.status_code == 200:
					    # Success
                    else:
                        # Failure
    

 

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...