I'm looking to build a watcher to run via a scheduled alert type to look for any cases where the playbook status is failed. Surprisingly, the search API doesn't return the playbook status, and the GetCaseCardsByRequest doesn't seem to allow you to filter on playbook status. Any thoughts or pointers would be appreciated!
Solved
Playbook failure watcher
+3- Bronze 1
Best answer by Simon_King_79
Thanks both. I haven't been able to get the cloud logging up and running yet, but ideally I want to do this inside SOAR so I can raise a message in a chat when there's a failure. More than 3 failures isn't granular enough - I need alerts after a single one so I think I'm going to have to try the /GetCaseCardsByRequest and look for the workFlowStatus in the response. Cheers!
Just to talk to myself (so future people can find this) I've done what I outlined above - call the /GetCaseCardsByRequest endpoint, filter on anything that's got a workflowStatus of 3 and chat it to our team. This runs on an hourly schedule.
+10There are built-in jobs you can leverage that will monitor actions in playbooks and notify of failures (playbooks failing are due to actions failing). Details here: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/siemplify#jobs
You can leverage this or use it as a reference to build your own.
-mike
+12Hi Simon,
Querying a case (e.g. /api/external/v1/dynamic-cases/GetCaseDetails/44276?format=camel) has the value Result.alertCards.[].workFlowStatus, I think this is what you're looking for? I can't find the enum definition, but 6 is pending action, 3 is error, 2 is good, 0 is no playbook status, etc
Alternatively:
Cloud Logging - If you are able/happy to use this GCP service (which is the direction the product is going in) this has logging for python and playbook activity
/api/external/v1/cases-queue/GetCaseCardsByRequest is the case queue filter the UI uses, whilst it doesn't have an inbound query filter the status, it is in the output (note, this reflects that 1 Alert inside this case has an error, so you might have to iterate on the query). Look at the Array output result.CaseCarsd[].workFlowStatus.
+3- Bronze 1
Thanks both. I haven't been able to get the cloud logging up and running yet, but ideally I want to do this inside SOAR so I can raise a message in a chat when there's a failure. More than 3 failures isn't granular enough - I need alerts after a single one so I think I'm going to have to try the /GetCaseCardsByRequest and look for the workFlowStatus in the response. Cheers!
+3- Bronze 1
- Answer
Thanks both. I haven't been able to get the cloud logging up and running yet, but ideally I want to do this inside SOAR so I can raise a message in a chat when there's a failure. More than 3 failures isn't granular enough - I need alerts after a single one so I think I'm going to have to try the /GetCaseCardsByRequest and look for the workFlowStatus in the response. Cheers!
Just to talk to myself (so future people can find this) I've done what I outlined above - call the /GetCaseCardsByRequest endpoint, filter on anything that's got a workflowStatus of 3 and chat it to our team. This runs on an hourly schedule.
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.