IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Changing a playbook activation type from manual to automatic

    Posted Thu March 24, 2022 01:53 PM
    Hi All,
    Being able to manually launch a playbook is a new feature in SOAR and it is particularly useful when developing new playbooks.

    But is there a way to just flip the activation type from manual to automatic? The UI doesn't seem to allow that.
    I also tried to export the playbook and then import it, hoping I would have the opportunity to change the activation type, but that didn't work either.

    Will I have to recreate the whole playbook in order to just change the activation type?

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Changing a playbook activation type from manual to automatic

    Posted Fri March 25, 2022 09:53 AM
    Unfortunately this isn't possible at the moment. The goal would be to provide a duplicate capability which would create a new playbook in draft state where the details could be changed. I'd suggest putting a suggestion in the Aha ideas portal.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Changing a playbook activation type from manual to automatic

    Posted Tue May 24, 2022 06:29 AM
    Edited by Shane Curtin Tue May 24, 2022 06:30 AM
    Hi Pierre,

    With our Python Libraries now released at v45, we now have a solution for this - you can make use of the resilient-sdk!

    Check out our change log for the resilient-sdk at: ibm.biz/soar-python-docs

    Specifically, you can make use of our clone command and clone the Playbook into a Draft state, allowing you to change the Activation Type: https://ibmresilient.github.io/resilient-python-api/pages/resilient-sdk/resilient-sdk.html#clone

    For example, you would run:
    $ resilient-sdk clone --playbook <playbook_to_be_cloned> <new_playbook_name> --draft-playbook

    Hope this helps!

    ------------------------------
    Shane Curtin
    Apps Engineer - IBM Security SOAR
    ------------------------------



  • 4.  RE: Changing a playbook activation type from manual to automatic

    Posted Tue May 24, 2022 09:13 AM
    Hi Shane,
    Thanks for the update.
    Unfortunately, we use a cloud platform so we don't have the console available to run resilient commands.
    I guess we could open a ticket if we really need it!

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 5.  RE: Changing a playbook activation type from manual to automatic

    Posted Tue May 24, 2022 10:04 AM
    Edited by Shane Curtin Tue May 24, 2022 10:06 AM
    Hi Pierre,

    So you can run the resilient-sdk on any machine that is external to SOAR - we do not run it directly on it.

    It is an Open Source Python Library hosted on PyPI: https://pypi.org/project/resilient-sdk/ and is simply installed with pip: https://ibmresilient.github.io/resilient-python-api/pages/resilient-sdk/resilient-sdk.html#installation

    And once installed you can configure it to connect to any SOAR instance.

    For ease you could create a simple .config file as specified in the docs and then run:

    $ resilient-sdk clone --playbook <playbook_to_be_cloned> <new_playbook_name> --draft-playbook -c <path_to_my_custom.config>


    ------------------------------
    Shane Curtin
    Apps Engineer - IBM Security SOAR
    ------------------------------



  • 6.  RE: Changing a playbook activation type from manual to automatic

    Posted Tue May 24, 2022 01:29 PM
    Hi Shane,
    This is very, very, very interesting.
    Can I push my luck by asking you if it could be installed on a server acting as an App Host?
    If yes, you would really make my day!

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 7.  RE: Changing a playbook activation type from manual to automatic

    Posted Wed May 25, 2022 10:44 AM
    Hi Pierre,

    Depends on the version of Python on it:
    $ python --version

    Ideally we want a version >= 3.6

    And we kinda do not recommend installing directly on the App Host as some dependencies are required and we are increasing the "attack surface area" of the App Host unnecessarily

    Python is easily installed on your laptop, whether it's Windows, Linux or macOS: https://www.python.org/downloads/ - get a 3.9 version if possible. We recommend installing a virtual Python environment with pyenv also (if possible): https://github.com/pyenv/pyenv - though not necessary - and then update the base packages and install the resilient-sdk with pip:

    $ pip install -U pip setuptools
    
    $ pip install resilient-sdk
    
    $ resilient-sdk -h
    usage: 
        $ resilient-sdk <subcommand> ...
        $ resilient-sdk -v <subcommand> ...
        $ resilient-sdk codegen -p <name_of_package> -m 'fn_custom_md' -c '/usr/custom_app.config'
        $ resilient-sdk -h
        
    
    Python SDK for developing IBM SOAR Apps that provides various subcommands to help with development
    
    optional arguments:
      -h, --help     show this help message and exit
      -v, --verbose  Set the log level to DEBUG
    
    subcommands:
      one of these subcommands must be provided
    
      
        validate     Tests the content of all files associated with the app, including code, before packaging it
        codegen      Generates boilerplate code used to begin developing an app.
        clone        Duplicate an existing Action related object (Function, Rule, Script, Message Destination, Workflow) or Playbook with a new
                     api or display name
        docgen       Generates boilerplate documentation for an app.
        extract      Extracts data needed to publish a .res file.
        package      Package your Python Package into a SOAR app format.
    
    For support, please visit ibm.biz/soarcommunity


    ------------------------------
    Shane Curtin
    Apps Engineer - IBM Security SOAR
    ------------------------------
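The procedure across the replies above (check the Python version, write a custom .config for the SDK, run the draft clone) as one added example; this is not code from the thread or from the resilient-sdk project. It assumes the `[resilient]` section key names (host, port, api_key_id, api_key_secret, org) used by the SOAR Python libraries' app.config, uses constructed placeholder values, and builds the clone command rather than executing it. The point a practitioner cares about is that the config file holds an API key secret, so it is created with mode 0600.

```python
"""Prepare a resilient-sdk clone run: version check, locked-down .config, command line."""
import configparser
import os
import re
import stat
import tempfile

MIN_PYTHON = (3, 6)  # minimum stated in the thread for the SDK

def python_version_ok(version_output, minimum=MIN_PYTHON):
    """Parse the output of `python --version`, e.g. 'Python 3.9.7', and compare."""
    m = re.search(r"(\d+)\.(\d+)", version_output)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= minimum

def write_sdk_config(path, host, api_key_id, api_key_secret, org, port=443):
    """Write a [resilient] section (assumed key names, as in the SOAR Python
    libraries' app.config) with mode 0600: the API key secret inside should be
    readable only by the user running the SDK."""
    cfg = configparser.ConfigParser()
    cfg["resilient"] = {"host": host, "port": str(port), "api_key_id": api_key_id,
                        "api_key_secret": api_key_secret, "org": org}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # tighten even if the file already existed with looser bits
    return path

def inspect_config(path):
    """Permission bits (expect 0o600) and the parsed [resilient] section."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return stat.S_IMODE(os.stat(path).st_mode), dict(cfg["resilient"])

def clone_playbook_command(playbook_to_clone, new_playbook_name, config_path):
    """argv for the draft clone shown in the thread, pointed at the custom config."""
    return ["resilient-sdk", "clone", "--playbook", playbook_to_clone,
            new_playbook_name, "--draft-playbook", "-c", str(config_path)]

def demo(workdir=None):
    """Run the steps with constructed placeholder values; returns the results."""
    workdir = workdir or tempfile.mkdtemp()
    path = write_sdk_config(os.path.join(workdir, "my_custom.config"),
                            "soar.example.invalid", "KEY_ID_PLACEHOLDER",
                            "SECRET_PLACEHOLDER", "Example Org")
    mode, conf = inspect_config(path)
    return {"version_ok": python_version_ok("Python 3.9.7"), "mode": mode,
            "config": conf,
            "cmd": clone_playbook_command("my_manual_playbook", "my_auto_playbook", path)}
```

Run `demo()` and hand the returned `cmd` list to `subprocess.run` once the placeholders are replaced with a real host and API key.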