IBM Security QRadar SOAR

 View Only
  • 1.  Restarting a playbook "in the middle"

    Posted 14 days ago
    Hi,
    In the playbook I am developing, there is at first some sequential tasks followed by a call to a function and then a condition point after which different tasks are added depending on the condition met.
    For some reason, if the function fails, is it possible to restart the playbook?
    In my use case, the playbook is started after the incident is created from QRadar offense escalation.  Is it possible to "resubmit" the offense?

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Restarting a playbook "in the middle"

    Posted 13 days ago
    Hello,

    Unfortunately, there is no option to restart failed playbooks if it is an automatic playbook. 

    --------------------
    Ram Badvelu
    --------------------

    ------------------------------
    Ram Badvelu
    ------------------------------



  • 3.  RE: Restarting a playbook "in the middle"

    Posted 9 days ago
    OK, thanks Ram, your answer is pretty clear.

    But what if I add an incident field called "Restart" and I change the condition on my automatic playbook from "When incident is created" to "Incident is cretaed or Restart field is changed"?
    When I change the value of the new "Restart" field, the playbook will be executed again.
    Will this duplicate the system tasks that the playbook is designed to create?
    If a task is already marked complete by the previous execution, will it be skipped or will the playbook wait for it to be closed again?

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 4.  RE: Restarting a playbook "in the middle"

    Posted 9 days ago
    Edited by Ram Badvelu 9 days ago
    That's correct. New instance of the playbook is created and executed if the condition is true upon updating the incident field.
    It will not create duplicate system tasks again.
    It will skip all completed tasks by the previous playbook execution.

    ------------------------------
    Ram Badvelu
    ------------------------------