IBM Security QRadar SOAR

 View Only
  • 1.  Playbook Execution ID

    Posted Wed October 18, 2023 10:29 AM

    Hello all,

    My team and I are trying to eventually be able to use the Playbook Execution API to get the status of a playbook after it runs (if it has errored or successful), and then do further automation based on that. We have found this endpoint which seems to be helpful:
    `rest/orgs/{orgId}/playbooks/execution/{execution_id}/activities` but I cannot figure out a way to get the execution id from within the playbook. 

    I know there is an endpoint `rest/orgs/{orgId}/playbooks/execution/query_paged` that does have execution ids in it, but rather than having to call this every time and see if a new execution id exists, it would be better if we could get the execution id from within the playbook, and make the api call based on that. 

    I have tried printing the entire playbook object from within the playbook, and this is all I got: `{'functions': {'results': {}}, 'subplaybooks': {'results': {}}, 'properties': {}, 'inputs': {}}`

    Is the execution ID hidden somewhere else within the playbook, or is there a different way to access it? I don't understand how we are supposed to use this API Endpoint without this information being more available - and if the only way to get it is by looking at the playbook screen itself, it isn't very helpful for automation. 

    Thanks in advance!

    Isaac Eichelberger

  • 2.  RE: Playbook Execution ID

    Posted Thu October 19, 2023 01:03 PM

    Hi Isaac -

    As far as I know, your suggested use of the /playbooks/execution/query_paged endpoint is the only way to achieve this. If you're trying to do this all through a Playbook, I would recommend hitting that endpoint using our REST API Function app. If you're writing a custom function, you could hit it pretty easily with the provided rest_client in the function.

    Let me know if I can help in any other ways!


    Bo Bleckel