Splunk SOAR

Bulk Resolution for Playbook Prompts?

PistolShrimp
Engager

Hi All,

Is there a way to simultaneously/bulk respond to multiple notifications generated by prompt actions, or an admin override to dismiss prompts and allow a playbook to move on to a next step?

Ran into a couple situations where many related events need a single prompt response.  We can bulk edit the events to close them, but the associated playbook will continue to wait for the notification to proceed.

Thanks!


Maurice_Moss
Engager

Hello,

The only way I found to accomplish this is by running a heavily customized playbook.  I would have hoped this would be in the Approval REST API or administrator interface to respond to all specific running prompts, but I couldn't find any method other than cancelling all playbooks or a customized playbook.

Here's the short and sweet of it and I'll dig a little deeper after.  

Filtered REST container call > REST container call for playbook_runs > list out running playbooks > REST playbook_run cancel API.  This will cancel only specified playbooks running in specified containers.

Here's the long and sour of it.  I've probably over-complicated it, but sadly that's my method of operation.  All REST calls are using the Phantom HTTP app.

Filtered REST call - Perform a "Container Call" with a "Query for Data" such as /rest/container/?_filter_name="Test Container Names".

The output returns the containerIDs for all query matches.

Playbook Runs REST call - On the "Query for Data" doc, there's a container pseudo field "playbook runs" for "playbook_runs".  Feed the containerIDs to this with "/rest/container/{0}/playbook_runs" in a format block.

This outputs all playbooks that ran on a container.  Note that this may need multiple page calls with "/rest/container/{0}/playbook_runs?page=n".  I performed this in the Global Block editing section with my own functions and leveraging callbacks to tie it in to the action blocks.

List Running Playbooks - Now that you have a list of all playbooks running from the previous step, I pulled the playbook ID, status, and message.  Using the defined functions in the global block, I gathered all these IDs, statuses, and messages into their own list and used a custom function playbook API call so I can hook back into the visual editor.  In the custom function, I whittle down the list of items to just what I want to cancel, then pass that out of the custom function.

REST playbook_run cancel API - Now with the list of playbook run IDs in hand, I can leverage the Run Playbook endpoint which allows a running playbook to be cancelled. 

This is my ugly way of "responding" to multiple hanging playbooks or unnecessary prompts without responding one by one or cancelling everything.
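The four-step chain described in the answer above, written out as standalone Python (an added example, not code from the post or from Splunk). The REST paths are the ones the answer names; the response shape (`data`, `num_pages`), the run `status` values, the `ph-auth-token` header and the `{"cancel": true}` body are assumptions about the SOAR REST API, and the transport is injected so the selection logic can be exercised offline.

```python
# Added example, not from the post: cancel playbook runs stuck on prompts.
import json
import urllib.request
from urllib.parse import quote

def rest_client(base_url, token):
    """Real transport: (fetch, post) via urllib with an automation user's
    ph-auth-token header (assumed setup, not described in the post)."""
    def call(path, body=None):
        req = urllib.request.Request(
            base_url + path,
            data=None if body is None else json.dumps(body).encode(),
            headers={"ph-auth-token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    return (lambda path: call(path)), (lambda path, body: call(path, body))

def find_container_ids(fetch, name):
    """Step 1: /rest/container/?_filter_name="..." -> ids of matching containers."""
    resp = fetch('/rest/container/?_filter_name=%s' % quote('"%s"' % name))
    return [c["id"] for c in resp.get("data", [])]

def list_playbook_runs(fetch, container_id):
    """Step 2: walk every page of /rest/container/{id}/playbook_runs
    (0-based ?page=n; the num_pages field in the reply is assumed)."""
    runs, page = [], 0
    while True:
        resp = fetch("/rest/container/%d/playbook_runs?page=%d" % (container_id, page))
        runs.extend(resp.get("data", []))
        page += 1
        if page >= resp.get("num_pages", 1):
            return runs

def select_runs_to_cancel(runs, playbook_id=None):
    """Step 3: keep only runs still running (i.e. waiting on the prompt),
    optionally restricted to one playbook id; status values are assumed."""
    return [r["id"] for r in runs
            if r.get("status") == "running"
            and (playbook_id is None or r.get("playbook") == playbook_id)]

def cancel_runs(post, run_ids):
    """Step 4: POST {"cancel": true} to /rest/playbook_run/{id} per run."""
    return {rid: post("/rest/playbook_run/%d" % rid, {"cancel": True}) for rid in run_ids}

def cancel_waiting_runs(fetch, post, container_name, playbook_id=None):
    """Whole chain: returns the cancel response keyed by playbook run id."""
    run_ids = []
    for cid in find_container_ids(fetch, container_name):
        run_ids += select_runs_to_cancel(list_playbook_runs(fetch, cid), playbook_id)
    return cancel_runs(post, run_ids)
```

Passing `playbook_id` keeps the blast radius to the one playbook that is waiting, so unrelated runs on the same containers are left alone.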
