FortiSOAR API: How to Run, Track, and Terminate Playbooks
- FA
- Mar 10, 2026
In modern Security Operations Centers (SOCs), automation is only as good as your ability to control it. While the FortiSOAR UI is powerful, interacting with the platform via API allows for deeper integration with external ticketing systems, custom dashboards, and CI/CD pipelines.
This guide explores the Run_Terminate_Playbooks Postman collection, a specialized toolkit designed to help security engineers automate the discovery, execution, and termination of playbooks.
Check out the Postman Collection here.
Step-by-Step Workflow
| Step # | Request Name | Purpose |
| --- | --- | --- |
| 1 | Login | Authenticates credentials ({{admin}}/{{pass}}) and saves the bearer token to the token variable. |
| 2 | List Recent Workflows | Retrieves the 10 most recently executed top-level workflows. |
| 3 | List All Collections | Fetches all workflow collections and displays them in a table using a Postman Visualizer script. |
| 4 | Get details of a Collection | Fetches specific details for a collection UUID and saves the name and UUID for filtering. |
| 5 | List Playbooks in a Collection | Lists all playbooks within the specific collection selected in the previous step. |
| 6 | Run a Playbook | Executes a playbook via its UUID (manually set it in the URL of the request) and captures a task_id for tracking. |
| 7 | Status of a Playbook | Uses the task_id to poll for the execution status and extracts the unique wflogid. |
| 8 | Get details of a workflow | Retrieves the full execution details of a specific workflow instance. |
| 8.1 | Terminate a Playbook | Revokes or stops a running playbook using the stored wflogid. |
| 8.2 | Verify Playbook status | Retrieves the execution details again to verify playbook status. |
| 10 | Logout | Ends the session and clears the active session token. |
Implementation
- Several requests contain Test Scripts that automatically parse JSON responses to update collection variables. For example, request #7 uses a regex match (/\d+/) to extract the wflogid, the numeric ID needed for playbook termination.
- To use this collection, you must configure the following variables in your Postman environment:
  - host: The IP address or hostname of your FortiSOAR instance.
  - admin: The username (e.g., csadmin).
  - pass: The account password.
- Visualizer: Requests 3, 4, and 5 include HTML/CSS templates to render API data into readable tables directly within the Postman UI.
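
Request #7's /\d+/ match returns the first run of digits it finds, so any earlier number in the matched text would be stored as the wflogid and the terminate request in step 8.1 would act on the wrong ID. The JavaScript below is an added example, not code from the Postman collection, showing a stricter extractor that also clears a stale wflogid when parsing fails. The function names, and the assumption that the ID arrives as a bare number or as the last segment of a path, are assumptions, since the page does not show the response body.

```javascript
// Added example. Sample values used with it are constructed, not FortiSOAR output.

// Behaviour described on the page: the first run of digits wins.
function firstDigitRun(value) {
  const m = String(value).match(/\d+/);
  return m ? m[0] : null;
}

// Stricter variant: accept a positive integer, an all-digit string, or a
// path/URL whose final segment is all digits. Anything else yields null.
function extractWflogId(value) {
  if (typeof value === "number") {
    return Number.isSafeInteger(value) && value > 0 ? String(value) : null;
  }
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  if (/^\d+$/.test(trimmed)) return trimmed;
  // Drop query string and fragment, then trailing slashes, then keep the last segment.
  const path = trimmed.split(/[?#]/)[0].replace(/\/+$/, "");
  const last = path.slice(path.lastIndexOf("/") + 1);
  return /^\d+$/.test(last) ? last : null;
}

// Store only a validated ID. On failure the old value is cleared so a later
// terminate request cannot reuse the wflogid of a previous run.
// `vars` is any object with set/unset, e.g. pm.collectionVariables in Postman.
function updateWflogId(vars, value) {
  const id = extractWflogId(value);
  if (id === null) {
    vars.unset("wflogid");
    return false;
  }
  vars.set("wflogid", id);
  return true;
}
```

In a Postman test script, call `updateWflogId(pm.collectionVariables, value)` with whichever response field carries the ID in your FortiSOAR version.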