Dear Community, 

I was wondering if there is a way to repeat a function (or any part of a playbook) for X amount of time.

X can be based on anything like a filed or a variable I set in a script.

If you are wondering what I will use this for, my goal is to create X amount of Incidents using the create an incident function from Incident utilities. unfortunately I can't know X value before running the playbook.

Thanks.

Dear Community, 

I was wondering if there is a way to repeat a function (or any part of a playbook) for X amount of time.

X can be based on anything like a filed or a variable I set in a script.

If you are wondering what I will use this for, my goal is to create X amount of Incidents using the create an incident function from Incident utilities. unfortunately I can't know X value before running the playbook.

Thanks.

------------------------------
mohamad islam hamadieh
------------------------------

For future references this was actually achievable : 

you need to create some counters (as an incident fields ) and return the part you want to loop through to the condition point , then break out of it to an end point if the counter has reached zero , below is the playbook , reply to this if you needed any help.

------------------------------
mohamad islam hamadieh

Original Message:
Sent: Thu July 18, 2024 07:19 AM
From: mohamad islam hamadieh
Subject: repeat a function X time in a playbook

Dear Community, 

I was wondering if there is a way to repeat a function (or any part of a playbook) for X amount of time.

X can be based on anything like a filed or a variable I set in a script.

If you are wondering what I will use this for, my goal is to create X amount of Incidents using the create an incident function from Incident utilities. unfortunately I can't know X value before running the playbook.

Thanks.

------------------------------
mohamad islam hamadieh
------------------------------

For future references this was actually achievable : 

you need to create some counters (as an incident fields ) and return the part you want to loop through to the condition point , then break out of it to an end point if the counter has reached zero , below is the playbook , reply to this if you needed any help.

------------------------------
mohamad islam hamadieh

Original Message:
Sent: Thu July 18, 2024 07:19 AM
From: mohamad islam hamadieh
Subject: repeat a function X time in a playbook

Dear Community, 

I was wondering if there is a way to repeat a function (or any part of a playbook) for X amount of time.

X can be based on anything like a filed or a variable I set in a script.

If you are wondering what I will use this for, my goal is to create X amount of Incidents using the create an incident function from Incident utilities. unfortunately I can't know X value before running the playbook.

Thanks.

------------------------------
mohamad islam hamadieh
------------------------------

Hello Mohamad,

Based on your solution, is the below doable?

Dears,

I am new to IBm SOAR and i am trying to implement a new playbook using mainly "QRadar SIEM: QRadar Search" functions.

Below is a summary of the palybook:

First node is initiated based on artifact:
QRadar SIEM: QRadar Search
Output name: node1_search

node1_search results are as below:

{'events': [{'username': 'user1', 'sourceIP': '1.1.1.1', 'starttime': '1747479611111'}],...etc}
{'events': [{'username': 'user2', 'sourceIP': '2.2.2.2', 'starttime': '1747479622222'}],...etc}
{'events': [{'username': 'user3', 'sourceIP': '3.3.3.3', 'starttime': '1747479633333'}],...etc}

Second node is based on the previous results (events).

QRadar SIEM: QRadar Search
Output name: node2_search

I need to add a new "QRadar SIEM: QRadar Search" that should iterate over the previous results and perform the below searched on Qradar:

select destinationip from events where sourceip = '1.1.1.1' and starttime = '1747479611111' last 1 hour
select destinationip from events where sourceip = '2.2.2.2' and starttime = '1747479622222' last 1 hour
select destinationip from events where sourceip = '3.3.3.3' and starttime = '1747479633333' last 1 hour

Kinldy advise if this iteration is doable and how it can be done?

If you need additional info please let me know.

For future references this was actually achievable : 

you need to create some counters (as an incident fields ) and return the part you want to loop through to the condition point , then break out of it to an end point if the counter has reached zero , below is the playbook , reply to this if you needed any help.

------------------------------
mohamad islam hamadieh

Original Message:
Sent: Thu July 18, 2024 07:19 AM
From: mohamad islam hamadieh
Subject: repeat a function X time in a playbook

Dear Community, 

I was wondering if there is a way to repeat a function (or any part of a playbook) for X amount of time.

X can be based on anything like a filed or a variable I set in a script.

If you are wondering what I will use this for, my goal is to create X amount of Incidents using the create an incident function from Incident utilities. unfortunately I can't know X value before running the playbook.

Thanks.

------------------------------
mohamad islam hamadieh
------------------------------

The scripts used in the playbook are as follows:

 

---

<< local script: set  initial loop >>

# set initial state

initial_state = {"total_loop":3, "current_loop":0}

playbook.addProperty("pb_state", initial_state)

---

<< local script: Some tasks (here add note to incident) >>

# get the current pb_state and add it to incident note

current_loop = playbook.properties["pb_state"]["current_loop"]

total_loop = playbook.properties["pb_state"]["total_loop"]

incident.addNote(f"{current_loop=} / {total_loop=}")

---

<< local script: increment current loop >>

# get the current pb_state

total_loop = playbook.properties["pb_state"]["total_loop"]

current_loop = playbook.properties["pb_state"]["current_loop"]

# increment current loop and put it pb_state again

current_loop += 1

pb_state = {"total_loop":total_loop, "current_loop":current_loop}

playbook.addProperty("pb_state", pb_state)

---

<< local script: reached >> one of conditions in condition point:"total loop(First true)"

# if current_loop reaches (or exceeds) the total_loop, return True.

current_loop = playbook.properties["pb_state"]["current_loop"]

total_loop = playbook.properties["pb_state"]["total_loop"]

if current_loop < total_loop:

  result = False

else:

  result = True

Here is the output to run the above playbook.

Hello Mohamad,

Based on your solution, is the below doable?

Dears,

I am new to IBm SOAR and i am trying to implement a new playbook using mainly "QRadar SIEM: QRadar Search" functions.

Below is a summary of the palybook:

First node is initiated based on artifact:
QRadar SIEM: QRadar Search
Output name: node1_search

node1_search results are as below:

{'events': [{'username': 'user1', 'sourceIP': '1.1.1.1', 'starttime': '1747479611111'}],...etc}
{'events': [{'username': 'user2', 'sourceIP': '2.2.2.2', 'starttime': '1747479622222'}],...etc}
{'events': [{'username': 'user3', 'sourceIP': '3.3.3.3', 'starttime': '1747479633333'}],...etc}

Second node is based on the previous results (events).

QRadar SIEM: QRadar Search
Output name: node2_search

I need to add a new "QRadar SIEM: QRadar Search" that should iterate over the previous results and perform the below searched on Qradar:

select destinationip from events where sourceip = '1.1.1.1' and starttime = '1747479611111' last 1 hour
select destinationip from events where sourceip = '2.2.2.2' and starttime = '1747479622222' last 1 hour
select destinationip from events where sourceip = '3.3.3.3' and starttime = '1747479633333' last 1 hour

Kinldy advise if this iteration is doable and how it can be done?

If you need additional info please let me know.

For future references this was actually achievable : 

you need to create some counters (as an incident fields ) and return the part you want to loop through to the condition point , then break out of it to an end point if the counter has reached zero , below is the playbook , reply to this if you needed any help.

------------------------------
mohamad islam hamadieh

Original Message:
Sent: Thu July 18, 2024 07:19 AM
From: mohamad islam hamadieh
Subject: repeat a function X time in a playbook

Dear Community, 

I was wondering if there is a way to repeat a function (or any part of a playbook) for X amount of time.

X can be based on anything like a filed or a variable I set in a script.

If you are wondering what I will use this for, my goal is to create X amount of Incidents using the create an incident function from Incident utilities. unfortunately I can't know X value before running the playbook.

Thanks.

------------------------------
mohamad islam hamadieh
------------------------------