Sequential execution of playbooks in splunk soar

Erick995 · ‎09-05-2023

Good afternoon, I am receiving a number of events in splunk soar from splunk, I have a playbook that is executed for each event, however I am wondering if the execution of the playbook in each event is in sequence or if it executes simultaneously in each event.

I need that when receiving 3 events, the playbook is executed first in 1, then in 2 and finally in three, and from what I've seen soar executes the playbook in disorder for example 3, 1, 2.

I would appreciate if anyone has any information on this.

phanTom · ‎09-06-2023

@Erick995 SOAR will initiate the playbook automation in the order the event is received in the platform. The only thing that may affect this is severity-based prioritisation. E.G. If event 2 has a higher severity than the event 1, event 2 would be processed first.

I am confused why you would need it to work this way as I would expect all event information for a use case to be in 1 container and not spread across more than 1. Maybe you could get Splunk to aggregate and fire 1 event through?

Erick995 · ‎09-06-2023

@phanTom Thank you for your answer, it will be very useful. I was just asking why from the events that come to me it seems as if my playbook were running in more than one event at the same time, if it were running in 2 events or more at the same time it wouldn't work for me.I need it to execute one event at a time.

Sequential execution of playbooks in splunk soar

using SOAR ⁄ Phantom

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?