IBM QRadar SOAR

 View Only

 IBM QRadar SOAR playbook still going after quite some time

Matteo Tagliabue's profile image
Matteo Tagliabue posted Mon April 14, 2025 06:28 AM

Hello everyone,
I am currently trying to test the IBM QRadar SOAR so that I can start automating some of the SIEM's tasks. I've deployed SOAR v51.0.5.1.25.

I am kind of new to IBM QRadar SOAR and was testing the playbook's capabilities, but when I try the playbook with a simulation, it stays running forever, with no errors or anything else.
The playbook looks like the following:

(I was trying to follow the Big Blue Help video on QRadar SOAR playbooks, and then I shortened the playbook to try where it was getting stuck)

Any idea how to fix this problem?


Kind Regards,
Tagliabue Matteo

Lucian Sipos's profile image
Lucian Sipos posted Tue April 15, 2025 08:06 AM

That seems like a task pending to be closed/completed. Can you mark it as complete? You should see the playbook end.

Juan Paulo's profile image
Juan Paulo posted Tue April 15, 2025 12:15 PM

Hi Matteo, from what I see your playbook only has one "manual task", if I remember correctly the manual task needs to be check as completed by a person to be considered done.

In other words the playbook it's waiting for someone to see the task, read the instructions and execute what needs to be executed manually and then check saying "I've done it", then the playbook will continue their process.

If you want to automatically close tasks then you'll need to use something like Custom Tasks and this app:

https://ibmresilient.github.io/resilient-community-apps/fn_task_utils/README.html

Best regards

Yohji Amano's profile image
Yohji Amano posted Tue April 15, 2025 07:57 PM

Hello Matteto.

I guess that it's your first step to the SOAR playbook. You can try the following:

  1. Open the incident you're running the playbook with
  2. Locate tasks tab. (Then you'll see the task "Initial Triage" and it has a circle with unchecked, I guess)
  3. Check the circle. (The word "Initial Triage" goes to strike-through.)
  4. Check your running playbook again. 

Related Content