IBM Security QRadar SOAR

  • 1.  Schedule a workflow

    Posted Thu December 09, 2021 01:38 AM
    Hello Guys,

    I have a question regarding making a workflow run at a scheduled time.

    For example, I want to run this workflow each hour. Is this applicable?

    ------------------------------
    Omar Darweesh
    ------------------------------


  • 2.  RE: Schedule a workflow

    Posted Fri December 10, 2021 09:29 AM
    It isn't possible out of the box currently, though this is on the roadmap.

    Take a look at the scheduler app:

    https://exchange.xforce.ibmcloud.com/hub/extension/4917b8a4bb53c46a7c63efa4e65238e4

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Schedule a workflow

    Posted Mon December 13, 2021 11:34 AM
    Edited by Leonardo Kenji Shikida Mon December 13, 2021 11:35 AM
    Hi Omar

    One thing you can do is

    1. create an incident type XYZ
    2. create a workflow ABC
    3. create a rule to trigger the workflow ABC when the incident of type XYZ is created
    4. schedule outside SOAR (e.g. using Linux cron or some scheduler app) a REST call to the SOAR API to create a new incident of type XYZ

    e.g. curl --basic -u <CREDENTIAL USERNAME>:<CREDENTIAL PASSWORD> -k -X POST https://resilient.localdomain/rest/orgs/201/incidents -H 'Content-Type: application/json' -d '{ "name":"Test", "discovered_date": 1633035861000, "incident_type_ids": [1011], "pii": { "data_compromised": false }}'

    Where 1011 is the incident type ID -- the number you'll get with https://resilient.localdomain/rest/orgs/201/incident_types
    ------------------------------


    Leonardo Kenji Shikida
    ------------------------------
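
The scheduled call from step 4, as an added example that is not part of the original posts and not IBM code: it computes discovered_date at run time, reads credentials from environment variables instead of the command line, and keeps certificate verification on. The environment variable names, the incident name and the crontab path are assumptions; the host, org ID 201 and type ID 1011 are the values used in the post.

```python
#!/usr/bin/env python3
"""Create the trigger incident from cron (added example, not IBM code).

Assumed crontab entry, hourly (the script path is a placeholder):
0 * * * * /opt/soar-trigger/create_incident.py
"""
import base64
import json
import os
import ssl
import time
import urllib.request

# Values from the post above; replace with your own host, org and type ID.
BASE_URL = "https://resilient.localdomain/rest/orgs/201"
INCIDENT_TYPE_ID = 1011


def build_request(user, password, now=None):
    """Build the POST that creates one incident of the trigger type."""
    now = time.time() if now is None else now
    stamp = time.strftime("%Y-%m-%d %H:%M", time.gmtime(now))
    payload = {
        "name": "Scheduled trigger " + stamp,  # assumed naming scheme
        "discovered_date": int(now * 1000),    # epoch milliseconds, as in the post
        "incident_type_ids": [INCIDENT_TYPE_ID],
        "pii": {"data_compromised": False},
    }
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        BASE_URL + "/incidents",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
    )


def tls_context(ca_file=None):
    """Verify the server certificate; pass a private CA file instead of using -k."""
    return ssl.create_default_context(cafile=ca_file)


if __name__ == "__main__":
    # SOAR_USER, SOAR_PASSWORD and SOAR_CA_FILE are assumed variable names.
    # Reading them here keeps the credentials out of the process argument list.
    req = build_request(os.environ["SOAR_USER"], os.environ["SOAR_PASSWORD"])
    ctx = tls_context(os.environ.get("SOAR_CA_FILE"))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        print(resp.status)
```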