IBM Security QRadar SOAR

 View Only
Expand all | Collapse all

Information regarding action order in Resilient?

  • 1.  Information regarding action order in Resilient?

    Posted Thu August 12, 2021 10:22 AM
    Hello, I didn't find any documentation for this, and I need the information, here is my problem:

    Vocal Notify Rule: We have an automatic rule that starts a workflow that sends an email to an address that calls one of our analyst if the incident has its priority field set to "P1". It's placed *last* in the order of the rules in resilient.

    Contextualization rules: We have other rules that start workflows who gather context and might deprioritize the incident. The order of those rules are smaller than the Vocal Notify rule (as in the order index is smaller).

    Thing is, when the priority is set to P1, both rules are triggered and both workflows are started and executed in parallel. You can obviously see here the problem: we want the vocal notify rule to trigger last, always, because automations that should run before it might lower the priority, and we do not want to send a vocal notify for a non-urgent incident.

    I hacked a very ugly patch that waits X seconds in the vocal notify workflow, and looks if the incident is still a P1. If so, it sends the email. This workaround has several flaws, the most obvious ones being that we have a race condition in our code and if the contextualization rules take too long, we still send a vocal notify. Also, delaying too much the vocal notify goes against the core idea, which is to alert an analyst as quickly as possible.

    So, I want to understand how the rule are triggered, more specifically regarding the order of said rule. My guess is that if the order of the rules are configurable, there must be a way for me to achieve what I want to do. Thanks :) 

    ------------------------------
    Émilio Gonzalez
    ------------------------------


  • 2.  RE: Information regarding action order in Resilient?

    Posted Fri August 13, 2021 09:56 AM
    The order of the rules is configured on the Rules page:


    Just drag them up and down.

    But I'm not really sure that addresses your use case if the Rules use workflows to determine case priority. Workflows that use Functions may not complete as a group. This is because Functions are asynchronously completed. 

    It may make sense to set a flag when the priority of the case is officially determined. And then run the other Rule when that flag is set to true.

    If the priority of a case is always determined by scripts it may be possible to implement the use case through the use of Rule priorities. 

    One thing to note is that Playbooks don't have the concept of priority so if you want to use the new features of Playbooks you'll probably have to use the "is priority set" flag anyway.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------