IBM Security QRadar SOAR

Hello all, I am playing with Scheduled tasks and I am a bit confuse. I need to run a function to carry out an actions (based on workflow) and after 15 minutes run another functions to undo the action before done. I put the timer in the second tasks without luck. Any idea about there is my fault?





Any help or idea?

Regards,

------------------------------
PABLO ROBERTO GARCIA
------------------------------

Pablo!

That is a great question. You have the right idea.

When using Timers, you want to stem the actions that are being governed by the Timer, from the Timer itself.

In your example above, once you complete the second Task Scheduled Whois command the Function Utilities: Shell Command is then run. As it is the next to be evaluated after the Task. The Timer is never used.

Try stringing the Function from the Task Timer (not the Task). See the example below:


For more information on Timers, the different types and best uses, see the Using Timer Events section of the Playbook Designer Guide here on the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSBRUQ_32.0.0/com.ibm.resilient.doc/playbook/resilient_playbook_configwrkflows_timers.htm

Give that a shot and let us know how it worked out!

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient
------------------------------

Original Message:
Sent: 03-04-2019 02:21 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello all, I am playing with Scheduled tasks and I am a bit confuse. I need to run a function to carry out an actions (based on workflow) and after 15 minutes run another functions to undo the action before done. I put the timer in the second tasks without luck. Any idea about there is my fault?





Any help or idea?

Regards,

------------------------------
PABLO ROBERTO GARCIA
------------------------------

I didnt realise that this was possible to join timers... :-)

POC Context:

The rule triggers the workflow based on the condition that Artifat = IP, as soon as I include a new IP a new task appears automatically, completing this task the first function is launched (seems to be working because this function includes to add a note).., I configured the timer to use "Elapse Time" to 15 minutes.

What I expected with that configuration is that after 15 minutes completing the frist task the second function will be launched and that workflow will end.


Am I right?. I am still a bit confused because the workflow ends but not second function is called.




------------------------------
PABLO ROBERTO GARCIA
------------------------------

Original Message:
Sent: 03-04-2019 09:39 AM
From: Brenden Glynn
Subject: Scheduled Tasks issue

Pablo!

That is a great question. You have the right idea.

When using Timers, you want to stem the actions that are being governed by the Timer, from the Timer itself.

In your example above, once you complete the second Task Scheduled Whois command the Function Utilities: Shell Command is then run. As it is the next to be evaluated after the Task. The Timer is never used.

Try stringing the Function from the Task Timer (not the Task). See the example below:


For more information on Timers, the different types and best uses, see the Using Timer Events section of the Playbook Designer Guide here on the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSBRUQ_32.0.0/com.ibm.resilient.doc/playbook/resilient_playbook_configwrkflows_timers.htm

Give that a shot and let us know how it worked out!

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient

Original Message:
Sent: 03-04-2019 02:21 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello all, I am playing with Scheduled tasks and I am a bit confuse. I need to run a function to carry out an actions (based on workflow) and after 15 minutes run another functions to undo the action before done. I put the timer in the second tasks without luck. Any idea about there is my fault?





Any help or idea?

Regards,

------------------------------
PABLO ROBERTO GARCIA
------------------------------

Hello again and sorry for the delay. I didnt know that is possible to add timers in functions, based on that I have simplified the workflow, the requirement is:

Carry out a manual action (tasks) and automatically 2 months later to carry out another function.


the result is confuse: As soon as I completed the "Whois DNS Name" tasks this runs the "Utilities Shell Command" and DOESNT WAIT the configure time range in the TIMER  and run "Utilities Shell Command".. I see that in Notes because both functions are configured to include specific note. 

Any idea what's wrong?


------------------------------
PABLO ROBERTO GARCIA
------------------------------

Original Message:
Sent: 03-06-2019 07:36 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

I didnt realise that this was possible to join timers... :-)

POC Context:

The rule triggers the workflow based on the condition that Artifat = IP, as soon as I include a new IP a new task appears automatically, completing this task the first function is launched (seems to be working because this function includes to add a note).., I configured the timer to use "Elapse Time" to 15 minutes.

What I expected with that configuration is that after 15 minutes completing the frist task the second function will be launched and that workflow will end.


Am I right?. I am still a bit confused because the workflow ends but not second function is called.




------------------------------
PABLO ROBERTO GARCIA

Original Message:
Sent: 03-04-2019 09:39 AM
From: Brenden Glynn
Subject: Scheduled Tasks issue

Pablo!

That is a great question. You have the right idea.

When using Timers, you want to stem the actions that are being governed by the Timer, from the Timer itself.

In your example above, once you complete the second Task Scheduled Whois command the Function Utilities: Shell Command is then run. As it is the next to be evaluated after the Task. The Timer is never used.

Try stringing the Function from the Task Timer (not the Task). See the example below:


For more information on Timers, the different types and best uses, see the Using Timer Events section of the Playbook Designer Guide here on the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSBRUQ_32.0.0/com.ibm.resilient.doc/playbook/resilient_playbook_configwrkflows_timers.htm

Give that a shot and let us know how it worked out!

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient

Original Message:
Sent: 03-04-2019 02:21 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello all, I am playing with Scheduled tasks and I am a bit confuse. I need to run a function to carry out an actions (based on workflow) and after 15 minutes run another functions to undo the action before done. I put the timer in the second tasks without luck. Any idea about there is my fault?





Any help or idea?

Regards,

------------------------------
PABLO ROBERTO GARCIA
------------------------------

Pablo,

Timers are triggered when they do not receive a response within the period of time that is set. So for example, if there is a 15 minute Timer on a manual Task, the timer will trigger (and run what stems from it) if that Task is not closed within 15 minutes.

For functions, if the Function does not receive an acknowledgement/data within the time specified, the Timer on it will then trigger whatever stems off of it (script, another function, etc.).

In your example above, the Timer is not run because the Function it is on does in fact run. The Workflow then progresses, and the next function is run immediately. There is no interrupt.

If you would like have the second Function run 2 months later, use the example in my first post.

1. Where the manual Task "Scheduled Whois Command" is added after the first Task is Closed/it's Function is run.
2. You would leave that manual Task open for at least the amount of time that the Timer that is on it is set for (2 months).
3. Once the Timer on that Task is breached (2+ months), it will then run the Function that stems from the Timer.
4. You can then close that Task.

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient
------------------------------

Original Message:
Sent: 03-11-2019 07:20 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello again and sorry for the delay. I didnt know that is possible to add timers in functions, based on that I have simplified the workflow, the requirement is:

Carry out a manual action (tasks) and automatically 2 months later to carry out another function.


the result is confuse: As soon as I completed the "Whois DNS Name" tasks this runs the "Utilities Shell Command" and DOESNT WAIT the configure time range in the TIMER  and run "Utilities Shell Command".. I see that in Notes because both functions are configured to include specific note. 

Any idea what's wrong?


------------------------------
PABLO ROBERTO GARCIA

Original Message:
Sent: 03-06-2019 07:36 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

I didnt realise that this was possible to join timers... :-)

POC Context:

The rule triggers the workflow based on the condition that Artifat = IP, as soon as I include a new IP a new task appears automatically, completing this task the first function is launched (seems to be working because this function includes to add a note).., I configured the timer to use "Elapse Time" to 15 minutes.

What I expected with that configuration is that after 15 minutes completing the frist task the second function will be launched and that workflow will end.


Am I right?. I am still a bit confused because the workflow ends but not second function is called.




------------------------------
PABLO ROBERTO GARCIA

Original Message:
Sent: 03-04-2019 09:39 AM
From: Brenden Glynn
Subject: Scheduled Tasks issue

Pablo!

That is a great question. You have the right idea.

When using Timers, you want to stem the actions that are being governed by the Timer, from the Timer itself.

In your example above, once you complete the second Task Scheduled Whois command the Function Utilities: Shell Command is then run. As it is the next to be evaluated after the Task. The Timer is never used.

Try stringing the Function from the Task Timer (not the Task). See the example below:


For more information on Timers, the different types and best uses, see the Using Timer Events section of the Playbook Designer Guide here on the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSBRUQ_32.0.0/com.ibm.resilient.doc/playbook/resilient_playbook_configwrkflows_timers.htm

Give that a shot and let us know how it worked out!

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient

Original Message:
Sent: 03-04-2019 02:21 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello all, I am playing with Scheduled tasks and I am a bit confuse. I need to run a function to carry out an actions (based on workflow) and after 15 minutes run another functions to undo the action before done. I put the timer in the second tasks without luck. Any idea about there is my fault?





Any help or idea?

Regards,

------------------------------
PABLO ROBERTO GARCIA
------------------------------

Thanks, more clear know.

------------------------------
PABLO ROBERTO GARCIA
------------------------------

Original Message:
Sent: 03-18-2019 12:06 PM
From: Brenden Glynn
Subject: Scheduled Tasks issue

Pablo,

Timers are triggered when they do not receive a response within the period of time that is set. So for example, if there is a 15 minute Timer on a manual Task, the timer will trigger (and run what stems from it) if that Task is not closed within 15 minutes.

For functions, if the Function does not receive an acknowledgement/data within the time specified, the Timer on it will then trigger whatever stems off of it (script, another function, etc.).

In your example above, the Timer is not run because the Function it is on does in fact run. The Workflow then progresses, and the next function is run immediately. There is no interrupt.

If you would like have the second Function run 2 months later, use the example in my first post.

1. Where the manual Task "Scheduled Whois Command" is added after the first Task is Closed/it's Function is run.
2. You would leave that manual Task open for at least the amount of time that the Timer that is on it is set for (2 months).
3. Once the Timer on that Task is breached (2+ months), it will then run the Function that stems from the Timer.
4. You can then close that Task.

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient

Original Message:
Sent: 03-11-2019 07:20 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello again and sorry for the delay. I didnt know that is possible to add timers in functions, based on that I have simplified the workflow, the requirement is:

Carry out a manual action (tasks) and automatically 2 months later to carry out another function.


the result is confuse: As soon as I completed the "Whois DNS Name" tasks this runs the "Utilities Shell Command" and DOESNT WAIT the configure time range in the TIMER  and run "Utilities Shell Command".. I see that in Notes because both functions are configured to include specific note. 

Any idea what's wrong?


------------------------------
PABLO ROBERTO GARCIA

Original Message:
Sent: 03-06-2019 07:36 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

I didnt realise that this was possible to join timers... :-)

POC Context:

The rule triggers the workflow based on the condition that Artifat = IP, as soon as I include a new IP a new task appears automatically, completing this task the first function is launched (seems to be working because this function includes to add a note).., I configured the timer to use "Elapse Time" to 15 minutes.

What I expected with that configuration is that after 15 minutes completing the frist task the second function will be launched and that workflow will end.


Am I right?. I am still a bit confused because the workflow ends but not second function is called.




------------------------------
PABLO ROBERTO GARCIA

Original Message:
Sent: 03-04-2019 09:39 AM
From: Brenden Glynn
Subject: Scheduled Tasks issue

Pablo!

That is a great question. You have the right idea.

When using Timers, you want to stem the actions that are being governed by the Timer, from the Timer itself.

In your example above, once you complete the second Task Scheduled Whois command the Function Utilities: Shell Command is then run. As it is the next to be evaluated after the Task. The Timer is never used.

Try stringing the Function from the Task Timer (not the Task). See the example below:


For more information on Timers, the different types and best uses, see the Using Timer Events section of the Playbook Designer Guide here on the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSBRUQ_32.0.0/com.ibm.resilient.doc/playbook/resilient_playbook_configwrkflows_timers.htm

Give that a shot and let us know how it worked out!

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient

Original Message:
Sent: 03-04-2019 02:21 AM
From: PABLO ROBERTO GARCIA
Subject: Scheduled Tasks issue

Hello all, I am playing with Scheduled tasks and I am a bit confuse. I need to run a function to carry out an actions (based on workflow) and after 15 minutes run another functions to undo the action before done. I put the timer in the second tasks without luck. Any idea about there is my fault?





Any help or idea?

Regards,

------------------------------
PABLO ROBERTO GARCIA
------------------------------