IBM QRadar SOAR

  • 1.  Artifact Type Playbook Not Triggered

    Posted Thu December 12, 2024 09:22 AM

    Hi All,

    I am seeking assistance with a specific automation requirement within IBM SOAR. Currently, I would like to set up a mechanism to automatically execute a playbook created to block artifacts in Defender for Endpoint. The playbook's object type is "Artifact".

    Manually executing the playbook on individual artifacts is working fine.  

    But I want this playbook to trigger automatically for all artifacts added in the incident, when a specific field with type multiselect in the incident is changed.

     

    Please let me know how we can achieve automated execution of the playbook with the above-stated condition.



    ------------------------------
    AHB-SOC Center
    ------------------------------


  • 2.  RE: Artifact Type Playbook Not Triggered

    Posted Fri December 13, 2024 04:13 AM

    When you create a new Playbook, you have to set initially how it will be triggered.

    Then you can set Artifact conditions like in your screenshot.



    ------------------------------
    Lucian Sipos
    ------------------------------



  • 3.  RE: Artifact Type Playbook Not Triggered

    Posted Mon December 16, 2024 06:52 AM

    Hi Lucian,

    I have already set the trigger and attached the image of the trigger condition as well.

    I have set the object type as Artifact, and for the trigger condition you can check the image below.

    It seems that when we set the object of the playbook as Artifact, it is not able to check the value of the field "Email Approval", as this is a custom-created incident field.


    ------------------------------
    Manzar Alam
    ------------------------------



  • 4.  RE: Artifact Type Playbook Not Triggered

    Posted Mon December 16, 2024 07:03 AM

    Can you show the section where you set the PB to activate automatically (the same in my screenshot)?

    Conditions are a section after this point...



    ------------------------------
    Lucian Sipos
    ------------------------------



  • 5.  RE: Artifact Type Playbook Not Triggered

    Posted Wed December 18, 2024 01:23 AM

    Hi Lucian,

    PFB the detailed screenshot.



    ------------------------------
    Manzar Alam
    ------------------------------



  • 6.  RE: Artifact Type Playbook Not Triggered

    Posted Tue December 24, 2024 10:14 AM

    Is the Playbook saved and enabled?



    ------------------------------
    Lucian Sipos
    ------------------------------



  • 7.  RE: Artifact Type Playbook Not Triggered

    Posted Tue December 24, 2024 01:11 PM

    You are using the incident type in the playbook condition. Select the object type as "Artifact," and then set the condition based on the artifact you want to check, such as IP addresses, URLs, hashes, etc.



    ------------------------------
    Abu Mussa Elahi
    ------------------------------



  • 8.  RE: Artifact Type Playbook Not Triggered

    Posted Wed December 25, 2024 06:59 AM

    Hi Abu Mussa,

    I wanted to check: if we have set the object type as "Artifact", can't we use the incident type condition?
    I do not want the playbook to run for all incidents, but only for a particular type of incident.



    ------------------------------
    Manzar Alam
    ------------------------------



  • 9.  RE: Artifact Type Playbook Not Triggered

    Posted Thu December 26, 2024 10:10 AM

    I believe you can still have an Artifact-type playbook with an incident condition on incident-type.

    Regards,
    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------