IBM Security QRadar SOAR

Hi.

I've taken a working artifact manually activated playbook and am trying to make it fire automatically when a certain type of incident with an IP Artifact is created in QRadar.
However, making the playbook type Artifact and automatic didn't seem to help.
Is there a way to see why it failed to match, or did I create a totally wrong type of automatic playbook?

Thank you.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

If you can post a screenshot of the activation conditions it may shed light on what the issue could be.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Mon April 25, 2022 06:04 AM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

I've taken a working artifact manually activated playbook and am trying to make it fire automatically when a certain type of incident with an IP Artifact is created in QRadar.
However, making the playbook type Artifact and automatic didn't seem to help.
Is there a way to see why it failed to match, or did I create a totally wrong type of automatic playbook?

Thank you.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

Hi.

Screenshot requested.


------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

Original Message:
Sent: Tue April 26, 2022 09:06 AM
From: Ben Lurie
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

If you can post a screenshot of the activation conditions it may shed light on what the issue could be.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Mon April 25, 2022 06:04 AM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

I've taken a working artifact manually activated playbook and am trying to make it fire automatically when a certain type of incident with an IP Artifact is created in QRadar.
However, making the playbook type Artifact and automatic didn't seem to help.
Is there a way to see why it failed to match, or did I create a totally wrong type of automatic playbook?

Thank you.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

This looks good. When you create an artifact that matches these conditions, the playbook is not started? If not, make sure that the playbook is "enabled". There is a toggle at the top of the playbook.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Tue April 26, 2022 12:07 PM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

Screenshot requested.


------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC

Original Message:
Sent: Tue April 26, 2022 09:06 AM
From: Ben Lurie
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

If you can post a screenshot of the activation conditions it may shed light on what the issue could be.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Mon April 25, 2022 06:04 AM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

I've taken a working artifact manually activated playbook and am trying to make it fire automatically when a certain type of incident with an IP Artifact is created in QRadar.
However, making the playbook type Artifact and automatic didn't seem to help.
Is there a way to see why it failed to match, or did I create a totally wrong type of automatic playbook?

Thank you.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

That's correct, the playbook isn't started and the playbook is enabled.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

Original Message:
Sent: Tue April 26, 2022 12:36 PM
From: Ben Lurie
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

This looks good. When you create an artifact that matches these conditions, the playbook is not started? If not, make sure that the playbook is "enabled". There is a toggle at the top of the playbook.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Tue April 26, 2022 12:07 PM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

Screenshot requested.


------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC

Original Message:
Sent: Tue April 26, 2022 09:06 AM
From: Ben Lurie
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

If you can post a screenshot of the activation conditions it may shed light on what the issue could be.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Mon April 25, 2022 06:04 AM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

I've taken a working artifact manually activated playbook and am trying to make it fire automatically when a certain type of incident with an IP Artifact is created in QRadar.
However, making the playbook type Artifact and automatic didn't seem to help.
Is there a way to see why it failed to match, or did I create a totally wrong type of automatic playbook?

Thank you.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

Is there a way to see 'debug' or trace logs for playbooks when an incident gets created?

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------

Original Message:
Sent: Fri April 29, 2022 12:22 PM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

That's correct, the playbook isn't started and the playbook is enabled.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC

Original Message:
Sent: Tue April 26, 2022 12:36 PM
From: Ben Lurie
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

This looks good. When you create an artifact that matches these conditions, the playbook is not started? If not, make sure that the playbook is "enabled". There is a toggle at the top of the playbook.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Tue April 26, 2022 12:07 PM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

Screenshot requested.


------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC

Original Message:
Sent: Tue April 26, 2022 09:06 AM
From: Ben Lurie
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

If you can post a screenshot of the activation conditions it may shed light on what the issue could be.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Mon April 25, 2022 06:04 AM
From: Pumynt Chooboonraj
Subject: Automatically trigger artifact playbook on Incident creation with Artifact

Hi.

I've taken a working artifact manually activated playbook and am trying to make it fire automatically when a certain type of incident with an IP Artifact is created in QRadar.
However, making the playbook type Artifact and automatic didn't seem to help.
Is there a way to see why it failed to match, or did I create a totally wrong type of automatic playbook?

Thank you.

------------------------------
Pumynt Chooboonraj
Solution Architect
Sphere Grouppe Pty Ltd
Melbourne VIC
------------------------------