Splunk SOAR

Playbook run on bulk events

ThomasC
New Member

Hi all,

I have a large number of events that have been ingested into SOAR from a Service Now queue.

A large amount of these events have been closed on the Service Now end, however, the events are still open in SOAR.

I have written a playbook to check the status of these tickets in Service Now then close the event in SOAR if certain conditions are met.

I am having trouble finding out how I can run this playbook on all of the events in the source as I can only select 50 at a time.

If someone could point me in the right direction to run this playbook on all of the events in the source that would be very helpful.

Thank you for reading.

Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@ThomasC you are going to need a combination of REST and the playbook API. 

  1. Use REST to get all container_ids for a label
    1. /rest/container?_filter_label="<label>"&page_size=0
    2. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlaybookAPI/SessionAPI 
  2. Then create a loop where you use the phantom.playbook() API to call the playbook against each container id. 
    1. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlaybookAPI/PlaybookAPI#playbook 

The above can be done in a single custom function / Code Block. 

Also if you need these to run without you having to do historical backfill like this, you just need to set your playbook to Active and it will run automatically when an even with the relevant label drops into the queue from SNOW. 

-- Happy SOARing! --

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...