What is the generally accepted way to "join" two playbooks, where one runs at some point up to several days after the first on finishes

Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is the generally accepted way to "join" two playbooks, where one runs at some point up to several days after the first on finishes

L1 Bithead

I have two master playbooks, the first which runs a set of playbooks, which initiates some external jobs. These jobs can take a number of days to complete, but if run as a small subset, may only take an hour or two.


So, after this first playbook sequence finishes I'd like to be able to create some kind of "process" that will constantly poll for completion of the tasks and when they are completed, run a second playbook that will perform a number of tasks and sub-playbooks to conclusion.


This runs monthly, so once it completes nothing should happen until the process starts again the following month.


One solution I considered was to somehow programatically, at the end of the first playbook, create a job that runs on an hourly cron schedule, which checks for the completion state of the tasks and when found, triggers the second playbook and deletes the job.


Is this possible, or what are other suitable ways to run this scenario?


L3 Networker

Hi @bowesmana

For your situation, utilizing polling would be the best option. Polling allows you to continuously check for the command result and move on once the result is available. Our out-of-the-box (OOTB) polling playbooks and commands require the polling command to return some kind of status value.

Since we are dealing with playbook task status, we do not have an OOTB script/command for that.

You could create a custom polling function and access incident data via the API to find the work plan task status by task names.

You can access the incident work plan API with a GET request to https://<XSOAR url>/investigation/<Incident #>/workplan and look for the state key for specific tasks you are trying to verify.


Another option is look at the incident status as a whole instead of playbook task level. If the playbook is not complete, then the incident should not be in closed status. Once the first playbook is complete, you can run !setPlaybook to change the playbook. For the continuous checking, you could create a job within XSOAR and once it verifies that the playbook is closed, you can re-open the investigation with !reopenInvestigation and !setPlaybook to run a different playbook.


I will share the link for polling/scheduled commands that includes an example for the polling function



Feel free to reply for further clarification or questions.

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!