IBM Security QRadar SOAR

  • 1.  Automatic Rules doesn't Fire Issue

    Posted Mon July 13, 2020 05:44 AM
    Hi,
    I have rule as below:


    This rule doesn't fire on existing incidents. Is there any way to fire a new rule on existing incidents?

    Thanks


    ------------------------------
    Jasmine
    ------------------------------


  • 2.  RE: Automatic Rules doesn't Fire Issue

    Posted Mon July 13, 2020 06:38 AM
    Is there any solution for this topic?

    ------------------------------
    Jasmine
    ------------------------------



  • 3.  RE: Automatic Rules doesn't Fire Issue

    Posted Tue July 14, 2020 03:53 AM
    Edited by Guido Janssens Tue July 14, 2020 03:53 AM
    Hi Jasmine, 
    As far as I know, rules are only triggered if something changes on the Object Type they are defined on. So this rule will fire on new incidents and on existing incidents where you change something on the Incident level. Rules are not evaluated against existing incidents until these are updated.
    I don't really have a shortcut to trigger this rule apart from changing something on the old incidents.

    ------------------------------
    Guido Janssens
    ------------------------------



  • 4.  RE: Automatic Rules doesn't Fire Issue

    Posted Tue July 14, 2020 04:27 AM

    Hi Jasmine,

    The easiest way to trigger an auto rule on the box is create a manual rule that adds a test note to the incident via a script:

    # Resilient in-product script (Python): adding a note counts as a change on the incident,
    # so an automatic rule scoped to "note is created" fires for it
    incident.addNote("This note triggers an auto rule")

    Manually running this on a batch of incidents as a manual rule will trigger your automatic rule, if you create it at the note level (when a note is created). You can prevent it running on all incidents by creating specific conditions on that auto rule that specify which incidents you wish to run your automation on. In your case this would be the description field. I would suggest testing your auto rule conditions via a manual rule test run on one incident, confirming that it matches your results before scaling to act on many incidents via the extended scheme. You can even specify a backward time scale to apply to, so that you don't act on historical incidents of no consequence.

    For new incidents, you can simply specify the condition: "When an incident is created", for the auto rule you created.

    Kind regards,



    ------------------------------
    Sean OGorman
    ------------------------------
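The same "add a note to the incidents you care about, let the note-level auto rule fire" approach can also be driven from outside the product through the REST API, which is handy when there are more incidents than you want to page through by hand. The script below is an added example and is not code from this thread or from IBM; it assumes the `resilient` Python package's SimpleClient (whose `.post(uri, payload)` is relative to `/rest/orgs/{org}`), the `/incidents/query` and `/incidents/{id}/comments` endpoints, and the field names `description` and `create_date`. The FakeClient and the sample incidents are constructed so the example runs offline; against a live org you would pass a real client and run with `dry_run=True` first.

```python
"""
Added example (not from the thread): backfill a trigger note onto existing
incidents through the Resilient/QRadar SOAR REST API.

Every incident matching the description condition and newer than a time
floor gets one note; an automatic rule defined on "Note is created", with
the same description condition, then fires for each. The filter and the
time floor are applied server side so untouched incidents receive nothing.

Assumptions (not taken from the page): resilient.SimpleClient's
.post(uri, payload) relative to /rest/orgs/{org}; the /incidents/query and
/incidents/{id}/comments endpoints; field names "description", "create_date".
"""


def build_query(description_contains, not_before_ms):
    """Server-side filter: description contains text AND created on/after floor."""
    return {
        "filters": [{
            "conditions": [
                {"field_name": "description", "method": "contains",
                 "value": description_contains},
                {"field_name": "create_date", "method": "gte",
                 "value": not_before_ms},
            ]
        }]
    }


def backfill_trigger_notes(client, description_contains, not_before_ms,
                           note_text="Backfill: triggering automatic rule",
                           dry_run=True):
    """Query matching incidents and add one note to each (unless dry_run).

    Returns the list of incident ids that were (or would be) touched.
    """
    incidents = client.post("/incidents/query",
                            build_query(description_contains, not_before_ms))
    touched = []
    for inc in incidents:
        inc_id = inc["id"]
        if not dry_run:
            client.post("/incidents/{}/comments".format(inc_id), {"text": note_text})
        touched.append(inc_id)
    return touched


def _match(incident, cond):
    """Minimal evaluator for the two condition methods the fake client supports."""
    value = incident.get(cond["field_name"])
    if cond["method"] == "contains":
        return value is not None and cond["value"] in value
    if cond["method"] == "gte":
        return value is not None and value >= cond["value"]
    raise ValueError("unsupported method in fake: " + cond["method"])


class FakeClient:
    """Constructed stand-in for resilient.SimpleClient so the example runs offline.
    It applies the query conditions to a canned incident list and records every post."""

    def __init__(self, incidents):
        self.incidents = incidents
        self.posted = []

    def post(self, uri, payload):
        self.posted.append((uri, payload))
        if uri == "/incidents/query":
            conds = payload["filters"][0]["conditions"]
            return [i for i in self.incidents if all(_match(i, c) for c in conds)]
        if uri.endswith("/comments"):
            return {"id": len(self.posted), "text": payload["text"]}
        raise ValueError("unexpected uri " + uri)


# Constructed sample incidents (epoch milliseconds, as the API returns them)
DAY_MS = 24 * 60 * 60 * 1000
NOW_MS = 1594000000000  # fixed "now" so the example is deterministic
SAMPLE_INCIDENTS = [
    {"id": 2001, "description": "Phishing report from user", "create_date": NOW_MS - 3 * DAY_MS},
    {"id": 2002, "description": "Malware on endpoint", "create_date": NOW_MS - 3 * DAY_MS},
    {"id": 2003, "description": "Phishing report from vendor", "create_date": NOW_MS - 60 * DAY_MS},
]


def demo(dry_run=True):
    """Run the backfill against the constructed data; returns (touched ids, posts made)."""
    client = FakeClient(SAMPLE_INCIDENTS)
    floor = NOW_MS - 30 * DAY_MS  # only incidents from the last 30 days
    touched = backfill_trigger_notes(client, "Phishing", floor, dry_run=dry_run)
    return touched, client.posted


if __name__ == "__main__":
    ids, posts = demo(dry_run=False)
    print("touched incidents:", ids)
    # Live org (assumed API of the resilient package, not from the thread):
    #   import resilient
    #   client = resilient.get_client(resilient.ArgumentParser().parse_args())
    # then call backfill_trigger_notes(client, "...", floor, dry_run=True) first.
```

Incident 2003 matches on description but is older than the 30-day floor, so it is left alone; that is the "backward time scale" Sean mentions, applied in the query rather than in the rule.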



  • 5.  RE: Automatic Rules doesn't Fire Issue

    Posted Tue July 14, 2020 01:23 PM
    Jasmine,

    As the others have identified, you're trying to update what appear to be older (possibly closed) Incidents, which are not currently being worked on.

    We have two Rule Types in Resilient:

    Automatic: Conditionally triggered when there is a change to the respective Incident Object (Incident, Task, Attachment...)
    Menu Item: Is triggered when a User selects the Action that is conditionally shown

    Your best solution here would be to:

    1. Create a Menu Item Rule with the same conditions/activities as in your screenshot above (but make sure it's a Menu Item Rule).
    2. From the Incidents screen, filter in, and select all of the Incidents you wish to update (500 max per page)
    3. From the Actions menu select the Action/Name of the Menu Item Rule you created in step 1
    4. Repeat if you have more than 500 incidents to update, on the next page
    5. Delete the Rule created in step 1

    The Rule (and its Activities) will run against only the Incidents which meet the Conditions set in the Menu Item Rule. You will get a prompt to let you know how many meet that criteria before it runs.

    If you go into an individual Incident, you will be able to see the Rule you created in step 1 if it meets the specified Conditions.



    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------