IBM Security QRadar SOAR


Playbook design: simulate the Timer properties

By BENOIT ROSTAGNI posted Wed November 17, 2021 01:11 PM

  

When developing new Playbooks, you may wish to reuse the timer feature that existed in Workflows.

This feature does not exist (yet?) in the new Playbook design, but it can easily be simulated, with more precise timing!

You need:
- The Utility Functions for SOAR application installed on your App Host

For each timer type, you need to create a Timer Playbook like this one:


- The entry condition is the name of the task you want the timer set on, or a task description in which you mention the timer keyword, and of course that the task has been created.
- This leads to the Function "Utilities: Timer", set to your wait time before action (tested with 60s), with the function result name "timer" (playbook.functions.results.timer).
- Next comes the Condition point, set to the first true option.
- The first condition is: task status is closed, which goes to an End Point.
- The second condition is the default Else, which leads to the action plan, an escalation script for example. For this test, it just writes a note stating that the playbook passed through it.

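import datetime
t = datetime.datetime.now()  # time at which the script runs, after the timer has elapsed
text = "Timer went off at {} with the result: {}".format(t, playbook.functions.results.timer)
task.addNote(text)  # record the timer result as a note on the task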


The result, from 2 minutes, was written to the task notes:
