SOAR Dashboards Data

 I started exploring that yesterday. However, I haven’t been able to produce any results despite having playbooks running. I tried the query below over the last 120 days and got zero results. Its a modified version of this sample query provided in SecOps docs.

playbook.status="IN_PROGRESS" OR playbook.status="PENDING_FOR_USER" OR playbook.status="COMPLETED" OR playbook.status="NONE" OR playbook.status="PENDING_FOR_USER" OR playbook.status="PENDING_IN_QUEUE" OR playbook.status="STATE_UNSPECIFIED" OR playbook.status="TERMINATED"
outcome:
   $count=count_distinct(playbook.name)

Your query works, and if I run it I return matches.  Are you logged in as a Global Scope user?  I do note from the release docs you have to be an admin to access this data table, so that was one thought - https://cloud.google.com/chronicle/docs/reports/native-dashboards#soar_data_sources

You can rule that out / in by testing if you can run any other query, e.g., does running a query against cases work?

```
$caseId = case.name
outcome:   
    $total = count(case.name)
```

Yes, I have administrator permissions. I am able to run the query you provided and get results.

This is the simplest query I can think of to test access to the ‘playbook’ data object

playbook.name!=""
match:
  playbook.status

playbook.name!=""
match:
  playbook.status

Thanks ​@SoarAndy. I tried that query and still get no results. I validated I still get results for a cases query. Not sure where the disconnect is. 

This might warrant a support ticket against your instance name

Thanks

Andy

I ran the query above in a different environment and it worked. Seems to be an issue with the original environment.