I’m looking to get SOAR playbook data across multiple tenants. Is there a way to get the data that populates the dashboards via API or access all of the data from one location?
Hey
Did you explore the Native Dashboards capabilities? It has SOAR data as one of the sources.
I started exploring that yesterday. However, I haven’t been able to produce any results despite having playbooks running. I tried the query below over the last 120 days and got zero results. It's a modified version of this sample query provided in SecOps docs.
```
playbook.status="IN_PROGRESS" OR playbook.status="PENDING_FOR_USER" OR playbook.status="COMPLETED" OR playbook.status="NONE" OR playbook.status="PENDING_FOR_USER" OR playbook.status="PENDING_IN_QUEUE" OR playbook.status="STATE_UNSPECIFIED" OR playbook.status="TERMINATED"
outcome:
$count=count_distinct(playbook.name)
```
Your query works, and if I run it I return matches. Are you logged in as a Global Scope user? I do note from the release docs you have to be an admin to access this data table, so that was one thought - https://cloud.google.com/chronicle/docs/reports/native-dashboards#soar_data_sources
You can rule that out / in by testing if you can run any other query, e.g., does running a query against cases work?
```
$caseId = case.name
outcome:
$total = count(case.name)
```
Yes, I have administrator permissions. I am able to run the query you provided and get results.