IBM Security QRadar SOAR

  • 1.  Resilient SOAR Configuration Push

    Posted Mon October 25, 2021 03:57 PM
    Edited by benlinux Mon October 25, 2021 06:53 PM
    Hello Experts,


    I am setting up a timer event (non-interrupting) on a particular task, Work1D, for a period of 15 minutes. The timer event is to trigger another task, Work1C, after 15 minutes if the task Work1D is not completed, and this should occur twice.

    Work1C is triggered only once, although it is meant to repeat twice after 15 mins. See the workflow and the incident setup below.



    Thank You
    ------------------------------
    benlinux
    ------------------------------


  • 2.  RE: Resilient SOAR Configuration Push

    Posted Tue October 26, 2021 11:52 AM
    I set up a similar type of workflow:



    This script just adds a note to the incident. It worked as expected and added two notes 15 minutes apart:


    My guess is that your workflow needs an end point after the task from the timer.

    That said, I'm not sure that flow really helps the use case you want. Adding a task twice is not going to cause it to show up twice for the analyst.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Resilient SOAR Configuration Push

    Posted Tue October 26, 2021 12:00 PM
    Hello Ben,

    Thanks a lot for your feedback. I am just testing the timer functionality in my lab environment.

    I will add the end tool to the task.

    Regards,

    ------------------------------
    benlinux
    ------------------------------



  • 4.  RE: Resilient SOAR Configuration Push

    Posted Wed October 27, 2021 05:40 AM
    Hello Ben,

    I have simulated it again in my lab environment using the addNote operator, and it worked.

    Thank You.

    ------------------------------
    benlinux
    ------------------------------