Playbook run on bulk events

ThomasC · ‎11-02-2023

Hi all,

I have a large number of events that have been ingested into SOAR from a Service Now queue.

A large amount of these events have been closed on the Service Now end, however, the events are still open in SOAR.

I have written a playbook to check the status of these tickets in Service Now then close the event in SOAR if certain conditions are met.

I am having trouble finding out how I can run this playbook on all of the events in the source as I can only select 50 at a time.

If someone could point me in the right direction to run this playbook on all of the events in the source that would be very helpful.

Thank you for reading.

phanTom · ‎11-03-2023

@ThomasC you are going to need a combination of REST and the playbook API.

Use REST to get all container_ids for a label
1. /rest/container?_filter_label="<label>"&page_size=0
2. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlaybookAPI/SessionAPI
Then create a loop where you use the phantom.playbook() API to call the playbook against each container id.
1. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlaybookAPI/PlaybookAPI#playbook

The above can be done in a single custom function / Code Block.

Also if you need these to run without you having to do historical backfill like this, you just need to set your playbook to Active and it will run automatically when an even with the relevant label drops into the queue from SNOW.

-- Happy SOARing! --

Playbook run on bulk events

using SOAR ⁄ Phantom

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application