IBM Security QRadar SOAR

I have almost 1,400 incidents with workflows that are in suspended state, mostly do to what I suspect is the artifact is as SOAR describes "Artifact  <Object Deleted>".
Thing is, the only way I know to terminate these suspended workflows is to go into each incident and manually close them which obviously going to take a long time.
Is there an automated way to do this?

Thanks in advance.

------------------------------
Tim Gray
------------------------------

Hello Tim,

I think, suspended workflows do not affect the system because there is a description in workflow section like below.

A Suspended workflow can occur when the incident closes before the workflow completes. Reopening an incident resumes the workflow. You can permanently terminate a workflow if it is suspended and you do not plan to reopen the incident.

But if you already want to terminate them all periodically, you could write a script which uses SOAR rest functions and could be scheduled in cron. You need to use below rest endpoints.

To get workflow instances

To terminate workflow instances


------------------------------
Burak Karaduman
------------------------------

Original Message:
Sent: Tue September 21, 2021 03:01 PM
From: Tim Gray
Subject: How to clean up suspended workflows?

I have almost 1,400 incidents with workflows that are in suspended state, mostly do to what I suspect is the artifact is as SOAR describes "Artifact  <Object Deleted>".
Thing is, the only way I know to terminate these suspended workflows is to go into each incident and manually close them which obviously going to take a long time.
Is there an automated way to do this?

Thanks in advance.

------------------------------
Tim Gray
------------------------------

To clean up suspended workflows, identify inactive or stalled processes within your system. Access the workflow management platform and review suspended tasks. Prioritize resolving issues causing suspension, such as errors or dependencies. Utilize built-in tools to terminate or restart suspended workflows. Document the resolution process for future reference. Regularly audit workflows to prevent future suspensions and maintain optimal system efficiency.

Brightleafcleaning

------------------------------
Jure Teo
------------------------------

Original Message:
Sent: Thu October 21, 2021 12:59 AM
From: Burak Karaduman
Subject: How to clean up suspended workflows?

Hello Tim,

I think, suspended workflows do not affect the system because there is a description in workflow section like below.

A Suspended workflow can occur when the incident closes before the workflow completes. Reopening an incident resumes the workflow. You can permanently terminate a workflow if it is suspended and you do not plan to reopen the incident.

But if you already want to terminate them all periodically, you could write a script which uses SOAR rest functions and could be scheduled in cron. You need to use below rest endpoints.

To get workflow instances

To terminate workflow instances


------------------------------
Burak Karaduman

Original Message:
Sent: Tue September 21, 2021 03:01 PM
From: Tim Gray
Subject: How to clean up suspended workflows?

I have almost 1,400 incidents with workflows that are in suspended state, mostly do to what I suspect is the artifact is as SOAR describes "Artifact  <Object Deleted>".
Thing is, the only way I know to terminate these suspended workflows is to go into each incident and manually close them which obviously going to take a long time.
Is there an automated way to do this?

Thanks in advance.

------------------------------
Tim Gray
------------------------------