IBM QRadar SOAR

  • 1.  How to setup an "approval" task in a playbook?

    Posted Wed October 20, 2021 02:40 PM
    I am writing a playbook in which there would be a task called "Approve the action".
    How can I ask the user to approve or refuse and pass the answer to a decision point where a different path would be taken?

    thanks

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: How to setup an "approval" task in a playbook?

    Posted Thu October 21, 2021 04:47 AM

    You create a task with a Boolean field (Yes, No or Unknown)




    In your playbook, use Exclusive and set your condition as below







    ------------------------------
    M R
    ------------------------------



  • 3.  RE: How to setup an "approval" task in a playbook?

    Posted Thu October 21, 2021 08:37 AM

    Hi,

    Thanks for your answer.  I did not expect it could be that easy!  I tried it and it worked.

     

    Is this new field associated with the incident or with the task?

     

    If I needed more than one type of approval, let's say for action1, action2, ..., should I create more than one field or reuse the same one?

     

    And it does not really matter but the example you sent me was with a workflow, not a playbook.  Sometimes, not all the functionalities are available in playbooks.

     

     

     

    Pierre Dufresne
    Security Advisor
    Direction du Centre opérationnel de cyberdéfense
    Infrastructures technologiques Québec








  • 4.  RE: How to setup an "approval" task in a playbook?

    Posted Wed October 27, 2021 09:51 AM
    Hi,
    After some experimentation, I found that this is not a viable solution because a field is added to every incident even though it is required only for a specific task, and since the field has to be mandatory, a window appears at the creation of the incident asking for a value when it should appear only for the specific task.

    thanks

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 5.  RE: How to setup an "approval" task in a playbook?

    Posted Thu November 04, 2021 05:12 AM

    I have created this playbook to block all task-closing actions until the "validation" by a manager is done.
    The blocking action could be moved to an authorized_action_actionname select (Yes/No/Unknown) field that is checked before running the action, and reset to Unknown after the action.

    Please do not use this in production as is; verify, update and amend it in a test/dev environment.

    Validation Step by Manager
    Purpose of this package:
    • Add a mandatory validation step by a Manager. 
    • While the manager has not validated the step, task closure is locked.
    Automatic Activation
    • Create a task containing the keyword "Validation Step"
    • For an automatic deactivation, add a note containing the keyword "Validation Step: Validated" and the task incident closure will be possible again
    Manual activation
    • Use the "Validation Step" action button to create a Validation Step task 
    • A manager user will be assigned to the task, the task will be set as private, and will be placed in the current phase
    • The manager needs to update the task field Validation Step to Yes to allow further work on the playbook.
    • If a user tries to close another task, the system will prevent the action until the manager validates the fields or note in the Validation Step task.
    Note: A valid user name/email needs to be added as a validation step - please check/update the script "Validation Step: Add Management as Member" to personalize it for your content environment. By default, you will act as the manager
    Extract res file command
    resilient-sdk extract --script "Validation Step: Add Management as Member" "Validation Step: Blocking Helper message" "Validation Step: Note Tracking" --workflow "validation_step_add_manager_task" --rule "Validation Step: Set task properties to Confidential" "Validation Step: Block others validations" "Validation Step: Add a Management control" "Validation Step: Note Validation" "Validation Step: Note Tracking" --field "validation_step" --task "validation_step_by_manager" -n config_ValidStep.res --zip
    todo: 
    • use the group Soc Manager from #7 if exist 
    • Validation step is not = No for manual rule <<== ???


    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
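
The per-action approval field suggested in the post above (checked before the action runs, reset to Unknown afterwards), modelled as an added example that is not part of the thread or of the attached package. It is plain Python rather than SOAR script API code; the `fields` dict and the action names `block_ip` and `disable_user` are hypothetical stand-ins.

```python
# Added illustration: a plain-Python model, not IBM SOAR script API code.
# Field names follow the thread's authorized_action_<actionname> pattern.

APPROVED, REFUSED, PENDING = "Yes", "No", "Unknown"


def approval_field(action_name):
    """Name of the per-action select field, e.g. authorized_action_block_ip."""
    return "authorized_action_" + action_name


def run_if_approved(fields, action_name, action):
    """Run `action` only when its own approval field is Yes.

    `fields` is a dict standing in for the incident/task field store
    (assumption). Returns (ran, reason). The approval is consumed: the
    field is reset to Unknown afterwards, even if the action raises, so a
    past "Yes" can never authorize a second run.
    """
    name = approval_field(action_name)
    state = fields.get(name, PENDING)  # missing field == no decision yet
    if state == REFUSED:
        return False, name + " was refused"
    if state != APPROVED:  # Unknown, empty or unexpected value: fail closed
        return False, name + " is awaiting a decision"
    try:
        action()
    finally:
        fields[name] = PENDING
    return True, name + " approved, action run, field reset"


def demo():
    """Constructed sample: two hypothetical actions, only one approved."""
    fields = {"authorized_action_block_ip": APPROVED,
              "authorized_action_disable_user": PENDING}
    ran = []
    first = run_if_approved(fields, "block_ip", lambda: ran.append("block_ip"))
    replay = run_if_approved(fields, "block_ip", lambda: ran.append("block_ip"))
    other = run_if_approved(fields, "disable_user", lambda: ran.append("disable_user"))
    return first[0], replay[0], other[0], ran, fields


if __name__ == "__main__":
    print(demo())
```

One field per action keeps an approval given for one action from authorizing another, and the reset means each run needs a fresh decision.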
