IBM Security QRadar SOAR

  • 1.  Long Workflow execution

    Posted Thu July 02, 2020 08:11 AM
    Hi all,

    We have a question about how to implement a long-running workflow where, once the action is triggered and the workflow starts, we want to poll the ticket status in a third-party system periodically.

    SCENARIO: periodically detecting whether a ticket in a third-party platform has been closed after the ticket is created.

    NEED: run a periodic check (every 5 days) to see if the external ticket was closed.

    We already have a function for interacting with the third-party API to create tickets and fetch the status. This first function is called when the workflow starts.

    GOAL: once the ticket is created in the third-party system, we would like to retrieve the status after 5 days and, if it is closed, make changes to our Resilient ticket. If it is not closed, wait 5 more days and check again.

    Can you provide an example of how to achieve that?

    We've considered the approach of adding a manual task after the first function finishes, with a trigger attached to it, but it would mean having a workflow running for at least 5 days, and we are not sure it will not impact Resilient performance. Is it safe to do that? Do you know any tested alternatives?

    Regards,
    Dídac Cornet

    ------------------------------
    Didac Cornet
    ------------------------------


  • 2.  RE: Long Workflow execution

    Posted Thu July 02, 2020 02:14 PM
    Didac,

    You could make this a manual action associated with a task that directs the person to run the action after the 5 days. This manual action could trigger the same workflow as, or a similar one to, what you are doing in the automatic workflows. Since this task is a manual action (for example, "Check ticket system"), it would only run on the triggered action and would not be sitting constantly running or timing out in the system, as it would if you did this as an automatic workflow.

    You could also do this outside of Resilient by using the Resilient API and the API you have for the ticketing system. I have done this in the past: I get all the tickets that have an external ticketing system ID, look each one up in a script, and then write back through the Resilient API with the information you need from the external ticketing system.

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------



  • 3.  RE: Long Workflow execution

    Posted Fri July 03, 2020 09:31 AM
    Hello
    Instead of a long workflow execution, how about calling the rule related to the workflow you want to run from outside using "Scheduled for Resilient"? It acts like cron.
    The thread "Best way to poll status regularly" may help.

    ------------------------------
    Yohji Amano
    ------------------------------
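
    The following is an added example, not code from the original thread and not IBM's or the `resilient` package's own code. It shows the shape of the approach suggested in replies 2 and 3: a short, stateless reconciliation pass that runs from outside Resilient on a cron-like schedule, instead of a workflow that sleeps for 5 days. The state the pass needs (external ticket id, last check time) is assumed to live on the incident as custom fields, so every run is idempotent and a failed lookup on one ticket is simply retried on the next run. The field names `external_ticket_id`, `external_ticket_status` and `last_external_check`, the 5-day interval, the set of "closed" ticket states, the `fetch_status` callable and the `apply_with_resilient` wiring are all assumptions; the sample incidents and the fake ticketing API are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

CHECK_INTERVAL = timedelta(days=5)          # assumed, from the question
CLOSED_STATES = {"closed", "resolved"}      # assumed vocabulary of the ticketing system


@dataclass
class Incident:
    """Subset of a SOAR incident; the custom field names are assumptions."""
    id: int
    external_ticket_id: Optional[str]
    external_ticket_status: Optional[str] = None
    last_external_check: Optional[datetime] = None
    plan_status: str = "A"                  # Resilient convention: "A" active, "C" closed


@dataclass
class Update:
    """What one scheduled pass decided to write back for one incident."""
    incident_id: int
    external_ticket_status: str
    last_external_check: datetime
    close_incident: bool


def due_for_check(inc: Incident, now: datetime) -> bool:
    """Only active incidents with an external ticket, not checked within the interval."""
    if inc.plan_status != "A" or not inc.external_ticket_id:
        return False
    if inc.last_external_check is None:
        return True
    return now - inc.last_external_check >= CHECK_INTERVAL


def reconcile(incidents: List[Incident], fetch_status: Callable[[str], str],
              now: datetime) -> Tuple[List[Update], Dict[int, str]]:
    """One cron-style pass. An error on one ticket is recorded, not fatal to the run,
    and because last_external_check is not advanced, that ticket is retried next run."""
    updates: List[Update] = []
    errors: Dict[int, str] = {}
    for inc in incidents:
        if not due_for_check(inc, now):
            continue
        try:
            status = fetch_status(inc.external_ticket_id)
        except Exception as exc:            # timeouts, 5xx, auth failures from the ticket API
            errors[inc.id] = f"{type(exc).__name__}: {exc}"
            continue
        normalized = (status or "").strip().lower()
        updates.append(Update(
            incident_id=inc.id,
            external_ticket_status=normalized or "unknown",
            last_external_check=now,
            close_incident=normalized in CLOSED_STATES,
        ))
    return updates, errors


def apply_with_resilient(client, upd: Update) -> None:
    """Assumed wiring to the `resilient` package (not exercised offline): SimpleClient.get_put
    re-reads the incident and applies the patch, so concurrent edits are not clobbered.
    Custom fields live under "properties"; Resilient stores dates as epoch milliseconds."""
    def patch(incident):
        props = incident.setdefault("properties", {})
        props["external_ticket_status"] = upd.external_ticket_status
        props["last_external_check"] = int(upd.last_external_check.timestamp() * 1000)
        if upd.close_incident:
            incident["plan_status"] = "C"   # any fields your org requires on close go here too
        return incident
    client.get_put(f"/incidents/{upd.incident_id}", patch)


# Constructed sample data: a run on 2020-07-10 against incidents in various states.
SAMPLE_INCIDENTS = [
    Incident(1, "TCK-1", "in progress", datetime(2020, 7, 3, tzinfo=timezone.utc)),   # due, will close
    Incident(2, "TCK-2", "in progress", datetime(2020, 7, 8, tzinfo=timezone.utc)),   # checked 2 days ago
    Incident(3, None),                                                                  # no external ticket
    Incident(4, "TCK-4"),                                                               # never checked, API fails
    Incident(5, "TCK-5", "closed", None, plan_status="C"),                              # already closed in SOAR
    Incident(6, "TCK-6"),                                                               # never checked, still open
]


def demo() -> Tuple[List[Update], Dict[int, str]]:
    """Run one pass against a fake ticketing API that fails for one ticket."""
    now = datetime(2020, 7, 10, tzinfo=timezone.utc)
    fake_ticket_api = {"TCK-1": "Closed", "TCK-6": "In Progress"}

    def fetch_status(ticket_id: str) -> str:
        if ticket_id == "TCK-4":
            raise ConnectionError("503 from ticketing API")
        return fake_ticket_api[ticket_id]

    return reconcile(SAMPLE_INCIDENTS, fetch_status, now)


if __name__ == "__main__":
    updates, errors = demo()
    for u in updates:
        print(f"incident {u.incident_id}: {u.external_ticket_status}, close={u.close_incident}")
    print("retry next run:", errors)
```

    Scheduled this way (with "Scheduled for Resilient", a plain cron entry, or any job runner), each invocation finishes in seconds and holds no state between runs, so there is no multi-day workflow instance to worry about. The script only needs an API key with the minimum permissions to read and update incidents, and because the 5-day gate is computed from the incident's own last-check timestamp, running the job more often (for example daily) changes nothing except how quickly a missed check is retried.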