IBM QRadar SOAR

  • 1.  Cancel Playbook

    Posted Thu April 04, 2024 01:31 PM

    Is there a way to cancel a playbook through the REST API?  I have a list of incidents that need a playbook canceled.



    ------------------------------
    Thanks,
    Paul Formosa
    ------------------------------


  • 2.  RE: Cancel Playbook

    Posted Fri April 05, 2024 01:36 PM

    Hi Paul -

    There are endpoints to cancel playbooks. Check out PlaybookExecutionREST (or specifically the /orgs/{org_id}/playbooks/execution/cancel endpoint) in the REST API reference on your SOAR instance. I don't have any experience using those endpoints, but it seems to achieve what you want.



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 3.  RE: Cancel Playbook

    Posted Wed April 10, 2024 01:30 AM

    FYI

    The following is my case. The API seems to work on all instances of a playbook.

    curl -sik -X POST -u <API-Key>:<API-Secret> -H "Content-Type: application/json" https://<soar-host>/rest/orgs/<org-id>/playbooks/execution/cancel -d @pb-cancel.json

    where pb-cancel.json is as follows:

    {
      "playbook_handle": {
        "name": "<playbook-api-name>"
      },
      "reason": "<cancel-reason>"
    }

    The response is like this:

    {"number_cancelled":2}


    ------------------------------
    Yohji Amano
    ------------------------------



  • 4.  RE: Cancel Playbook

    Posted Wed April 10, 2024 08:43 AM

    Thanks everyone for the replies.

    I was able to solve this with the following lines of code in a loop; passing the incident number as a variable (INCIDENTNUM):

    # client: a REST client whose post()/put() take URIs relative to /rest/orgs/{org_id}
    # (for example the resilient SDK's SimpleClient from resilient.get_client(opts))
    inc = client.post("/playbooks/execution/query_paged?include_activity_error_msg=false",
                      {"sorts": [{"field_name": "status", "type": "asc"}, {"field_name": "start_time", "type": "asc"}],
                       "filters": [{"conditions": [{"method": "equals", "field_name": "incident_id", "value": int(INCIDENTNUM)},
                                                   {"method": "equals", "field_name": "playbook_type", "value": "default"}]}],
                       "start": 0, "length": 10})
    payloadid = inc["data"][0]["id"]  # first playbook execution returned for this incident
    client.put("/playbooks/execution/{}/status".format(payloadid), {"status": "canceled", "reason": "remove it"})

    This will pull the playbook id from the specific incident and then use it with the payload to remove the playbook.



    ------------------------------
    Thanks,
    Paul Formosa
    ------------------------------
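The following is an added example (not code from the thread, the resilient SDK or IBM) that combines the two approaches posted above: the per-playbook /playbooks/execution/cancel endpoint from Yohji's curl example and Paul's per-incident query-then-PUT loop. It adds what the loop above does not: paging through query_paged instead of assuming the first 10 rows are all of them, skipping executions already in the "canceled" status, and returning an empty list for an incident with no executions rather than failing on data[0]. Assumptions: the SoarClient class uses urllib with API-key basic auth exactly as in the curl example (a cafile parameter stands in for curl's -k so the TLS chain is still verified), the "running" status value and the FakeClient rows are constructed sample data, and terminal status names other than "canceled" should be taken from the PlaybookExecutionREST reference on your own instance.

```python
"""Bulk-cancel QRadar SOAR playbook executions over the REST API (added example)."""
import base64
import json
import ssl
import urllib.request

QUERY_URI = "/playbooks/execution/query_paged?include_activity_error_msg=false"


class SoarClient:
    """Minimal client whose post()/put() take URIs relative to /rest/orgs/{org_id},
    the same shape the loop in the thread uses. Assumption: API-key basic auth
    as in the curl example; cafile replaces curl's -k and keeps TLS verification on."""

    def __init__(self, host, org_id, key_id, key_secret, cafile=None):
        self.base = f"https://{host}/rest/orgs/{org_id}"
        token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _call(self, method, uri, payload):
        req = urllib.request.Request(self.base + uri, method=method,
                                     data=json.dumps(payload).encode(),
                                     headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

    def post(self, uri, payload):
        return self._call("POST", uri, payload)

    def put(self, uri, payload):
        return self._call("PUT", uri, payload)


def query_executions(client, incident_id, page=10):
    """Yield every default-playbook execution on one incident, paging through
    query_paged instead of trusting that the first page holds all of them."""
    start = 0
    while True:
        body = {
            "filters": [{"conditions": [
                {"method": "equals", "field_name": "incident_id", "value": int(incident_id)},
                {"method": "equals", "field_name": "playbook_type", "value": "default"}]}],
            "sorts": [{"field_name": "start_time", "type": "asc"}],
            "start": start,
            "length": page,
        }
        data = client.post(QUERY_URI, body).get("data", [])
        yield from data
        if len(data) < page:  # short page: nothing more to fetch
            return
        start += page


def cancel_incident_playbooks(client, incident_ids, reason, skip_statuses=("canceled",)):
    """Cancel every execution on each incident; returns {incident_id: [execution ids cancelled]}.
    An incident with no executions maps to [] rather than raising IndexError.
    "canceled" is the status value the thread sets; extend skip_statuses with the other
    terminal statuses documented on your instance (assumption: names vary by version)."""
    cancelled = {}
    for inc in incident_ids:
        done = []
        for ex in query_executions(client, inc):
            if ex.get("status") in skip_statuses:
                continue
            client.put(f"/playbooks/execution/{ex['id']}/status",
                       {"status": "canceled", "reason": reason})
            done.append(ex["id"])
        cancelled[inc] = done
    return cancelled


def cancel_by_playbook(client, playbook_api_name, reason):
    """Cancel all instances of one playbook, as in the curl example; returns the count."""
    resp = client.post("/playbooks/execution/cancel",
                       {"playbook_handle": {"name": playbook_api_name}, "reason": reason})
    return resp.get("number_cancelled", 0)


class FakeClient:
    """Constructed offline stand-in (sample rows, not real SOAR data) so the
    functions above run without a SOAR host: one incident with a running and an
    already-canceled execution, one with none."""

    def __init__(self):
        self.rows = {1001: [{"id": 7, "status": "running"}, {"id": 8, "status": "canceled"}],
                     1002: []}
        self.puts = []

    def post(self, uri, payload):
        if uri == "/playbooks/execution/cancel":
            return {"number_cancelled": 2}
        inc = payload["filters"][0]["conditions"][0]["value"]
        s, n = payload["start"], payload["length"]
        return {"data": self.rows.get(inc, [])[s:s + n]}

    def put(self, uri, payload):
        self.puts.append((uri, payload))
        return payload


if __name__ == "__main__":
    # Against a real instance: SoarClient("<soar-host>", "<org-id>", "<API-Key>", "<API-Secret>", cafile="ca.pem")
    print(cancel_incident_playbooks(FakeClient(), [1001, 1002, 1003], "cleanup"))
```

Keep the API key used here scoped to the one permission the cancel endpoints need and verify the server certificate rather than copying -k into a script that runs unattended against a production SOAR host.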