IBM QRadar SOAR

 Playbook Endpoint Design & Diagram Confusion

Roi Mazar posted Wed December 31, 2025 01:46 AM

Hi everyone,

I have a question about preferred playbook architecture. I'm currently designing a playbook and considering two approaches:

  • Using a single shared End point after a condition point.
  • Using two separate End points for each branch of the condition.

Both designs work logically and produce the correct results. I'd like to know which architecture is generally preferred in terms of best practices for clarity and maintainability.

Additionally, I've noticed that when I use the single End point approach, the playbook diagram sometimes visually suggests that both branches (the “Hit Condition” and the “Else”) were activated, even though only one actually executed. I’ve attached screenshots to illustrate what I mean.

Can anyone explain why this visualization happens or if there's a way to avoid that confusion?

Thanks for your insights!

Dermot Judge

>> Both designs work logically and produce the correct results. I'd like to know which architecture is generally preferred in terms of best practices for clarity and maintainability.

As far as I am aware, both are acceptable. If you have two endpoints, you could label them differently, which may help in some circumstances.

>> I've noticed that when I use the single End point approach, the playbook diagram sometimes visually suggests that both branches (the “Hit Condition” and the “Else”) were activated, even though only one actually executed.

That is a bug which I have opened for the development team to address. Thank you for reporting it.

Dermot Judge

Concerning the bug ...

  • I have reproduced it with both one and two endpoints, so that does not appear to be relevant to the bug.
  • The issue appears to occur only when the followed path has nodes (scripts, functions, subplaybooks, tasks) and the not-followed path has no nodes.

A temporary workaround (until the issue is fixed) may be to add a "do nothing" script on paths with no nodes.