Splunk SOAR

How do I stop a running playbook when the case changed to closed?

kblaine
Explorer

I have an active playbook that runs on most event types, but some get auto-closed, and I would like to know if there's a way to end the playbook run if the case gets closed before it finishes the playbook run.


SOARt_of_Lost
Path Finder

As of version 6 we're able to run playbooks when a container is closed. That's the easy part. Canceling running playbooks takes a few custom API calls.


    import json
    import phantom.rules as phantom


    def cancel_other_running_playbooks(container):
        # Pulls the id for this playbook. It shouldn't be hardcoded because the ID changes
        # with each version and may not increment as expected.
        my_id_url = phantom.build_phantom_rest_url('playbook') + '?_filter_name="my_playbook_name"'
        my_id_resp_json = phantom.requests.get(my_id_url, verify=False).json()
        if not my_id_resp_json.get('data'):
            phantom.error('playbook my_playbook_name not found; nothing cancelled')
            return
        my_id = my_id_resp_json['data'][0]['id']

        # Runs a query to pull the audit data of the current container
        audit_url = phantom.build_phantom_rest_url('container', container['id'], 'audit')
        audit_resp_json = phantom.requests.get(audit_url, verify=False).json()

        for i in audit_resp_json:
            # Looks for any playbook that has run in the container
            if i.get('AUDIT SOURCE') != 'Playbook Run':
                continue

            # Runs a query to find details on each run
            runs_url = phantom.build_phantom_rest_url('playbook_run', i['AUDIT ID'])
            runs_resp_json = phantom.requests.get(runs_url, verify=False).json()

            # Finds any playbook that is currently running which isn't this one
            if runs_resp_json['status'] == 'running' and runs_resp_json['playbook'] != my_id:
                # Sends a POST to cancel any that match the above criteria
                cancel_url = phantom.build_phantom_rest_url('playbook_run', runs_resp_json['id'])
                cancel_post = phantom.requests.post(cancel_url, data=json.dumps({'cancel': True}), verify=False)

                # Log the outcome of each cancel request
                if cancel_post.status_code == 200:
                    phantom.debug('cancelled playbook run {}'.format(runs_resp_json['id']))
                else:
                    phantom.error('failed to cancel playbook run {}: {}'.format(
                        runs_resp_json['id'], cancel_post.text))
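The same cancel-on-close logic as an added example (not the forum poster's code), with the three SOAR REST calls the answer uses (playbook lookup by name, container audit, playbook_run read and cancel) behind a small fake client so the selection logic runs offline. Endpoint paths and field names ("AUDIT SOURCE", "AUDIT ID", "status", "playbook", the {"cancel": true} body) are taken from the answer above; the playbook names, run ids and audit records below are constructed sample data, and the assumption that one run can appear more than once in the audit list is mine, not something the page states.

```python
# Added example: offline-testable version of the "cancel every other running
# playbook in this container" routine from the answer above.

class FakeSoar:
    """Stand-in for phantom.requests against the endpoints the answer uses.

    get(path) and post(path, body) take the path relative to /rest/ and
    return JSON-like objects / an HTTP status code. Constructed for this
    example; not a real SOAR client."""

    def __init__(self, playbooks, audit, runs, fail_cancel=()):
        self.playbooks = playbooks            # playbook name -> playbook id
        self.audit = audit                    # audit records for the container
        self.runs = runs                      # run id -> playbook_run record
        self.fail_cancel = set(fail_cancel)   # run ids whose cancel POST returns 500
        self.posts = []                       # (run id, body) of every POST made

    def get(self, path):
        parts = path.split("/")
        if parts[0].startswith("playbook?_filter_name="):
            name = parts[0].split("=", 1)[1].strip('"')
            pid = self.playbooks.get(name)
            return {"data": [{"id": pid, "name": name}] if pid is not None else []}
        if parts[0] == "container" and parts[2] == "audit":
            return list(self.audit)
        if parts[0] == "playbook_run":
            return dict(self.runs[int(parts[1])])
        raise KeyError(path)

    def post(self, path, body):
        run_id = int(path.split("/")[1])
        self.posts.append((run_id, body))
        if body.get("cancel") is True and run_id not in self.fail_cancel:
            self.runs[run_id]["status"] = "failed"   # cancelled run is no longer "running"
            return 200
        return 500


def cancel_other_running_playbooks(client, container_id, my_playbook_name):
    """Cancel every playbook_run in the container that is still running and
    does not belong to my_playbook_name. Returns which runs were cancelled
    and which cancel requests the server rejected."""
    lookup = client.get('playbook?_filter_name="%s"' % my_playbook_name)
    if not lookup.get("data"):
        # Name lookup failed: refuse to cancel anything rather than guess an id
        return {"error": "playbook %s not found" % my_playbook_name,
                "cancelled": [], "failed": []}
    my_id = lookup["data"][0]["id"]

    cancelled, failed, seen = [], [], set()
    for rec in client.get("container/%d/audit" % container_id):
        if rec.get("AUDIT SOURCE") != "Playbook Run":
            continue
        run_id = rec["AUDIT ID"]
        if run_id in seen:            # assumed: a run may be audited more than once
            continue
        seen.add(run_id)
        run = client.get("playbook_run/%d" % run_id)
        if run["status"] != "running" or run["playbook"] == my_id:
            continue                  # finished already, or it is this playbook
        if client.post("playbook_run/%d" % run_id, {"cancel": True}) == 200:
            cancelled.append(run_id)
        else:
            failed.append(run_id)
    return {"cancelled": cancelled, "failed": failed}


# Constructed sample data (playbook ids, run ids and audit rows are invented).
SAMPLE_PLAYBOOKS = {"close_cleanup": 7, "enrich_ip": 3, "notify_soc": 5}
SAMPLE_AUDIT = [
    {"AUDIT ID": 11, "AUDIT SOURCE": "Playbook Run"},
    {"AUDIT ID": 12, "AUDIT SOURCE": "Playbook Run"},
    {"AUDIT ID": 12, "AUDIT SOURCE": "Playbook Run"},   # same run audited twice
    {"AUDIT ID": 13, "AUDIT SOURCE": "Playbook Run"},
    {"AUDIT ID": 14, "AUDIT SOURCE": "Playbook Run"},
    {"AUDIT ID": 90, "AUDIT SOURCE": "Container"},      # the close event itself
]
SAMPLE_RUNS = {
    11: {"id": 11, "playbook": 7, "status": "running"},  # close_cleanup: this playbook
    12: {"id": 12, "playbook": 3, "status": "running"},  # enrich_ip, still running
    13: {"id": 13, "playbook": 5, "status": "success"},  # notify_soc, already done
    14: {"id": 14, "playbook": 3, "status": "running"},  # running, but cancel fails
}


def make_sample_client(fail_cancel=(14,)):
    runs = {k: dict(v) for k, v in SAMPLE_RUNS.items()}
    return FakeSoar(SAMPLE_PLAYBOOKS, SAMPLE_AUDIT, runs, fail_cancel)


def run_demo():
    """Run the close-triggered playbook 'close_cleanup' against container 100."""
    client = make_sample_client()
    return cancel_other_running_playbooks(client, 100, "close_cleanup"), client


if __name__ == "__main__":
    result, client = run_demo()
    print(result)
    print("POSTs made:", client.posts)
```

To use this in a real playbook, replace FakeSoar with phantom.requests.get/post on phantom.build_phantom_rest_url(...) as in the answer; the lookup by name can also be replaced by phantom.get_playbook_info(), which returns the current playbook's own id, which removes the risk of the routine cancelling itself when several versions share a name.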

