IBM Security QRadar SOAR

Hi everyone! I want SOAR to automatically notify me via email about tasks with due dates expired by 15 minutes. I know how to use outbound email app and already wrote workflow function that sends task details via email after checking its due_date with current date. I've already tried following things:

1. Tried to make this by automatic rule with conditions like "due_date -> past by". But timeframes are too long for my case
2. Tried to make this by sheduler app. But scheduler job does not triggers main function's rule

------------------------------
Magzhan Leskhan
------------------------------

It's be a bit messy, but you could run a workflow on every created task you want this to occur on (no conditions), and then have a custom function in that workflow that loops indefinitely checking the task status (and incident status), then return when that 15 minutes is up. On the return you'd have the email action run with the desired notification. I'm unsure how the system would perform as tasks (ant therefore actions) stack up.

This wouldn't be achievable via a script/preprocessor, because scripts have timeouts that prevent indefinite loops from being allowed.

------------------------------
Jared Fagel
Cyber Security Analyst
ALLETE Inc.
------------------------------

Original Message:
Sent: Thu October 07, 2021 02:41 AM
From: Magzhan Leskhan
Subject: Automatic notification case

Hi everyone! I want SOAR to automatically notify me via email about tasks with due dates expired by 15 minutes. I know how to use outbound email app and already wrote workflow function that sends task details via email after checking its due_date with current date. I've already tried following things:

1. Tried to make this by automatic rule with conditions like "due_date -> past by". But timeframes are too long for my case
2. Tried to make this by sheduler app. But scheduler job does not triggers main function's rule

------------------------------
Magzhan Leskhan
------------------------------

Thank you for reply! Yes, I have already tried to make workflow that loops indefinitely. It seems like SOAR automatically wipes out any loop operations from script. Could you elaborate on making custom function loop?
Also, I decided to use 'delta' istead of 'interval' in scheduler and created automatic rule 'A' for tasks that triggers workflow 'A-w' with following script:

import time

td = time.time()*1000
delt = (int(task.due_date)-int(td)+900000)/1000
inputs.scheduler_type = 'delta'
inputs.scheduler_type_value = '{}s'.format(delt)
inputs.scheduler_rule_name = 'B'
inputs.scheduler_label_prefix = 'B'
inputs.incident_id = incident.id
inputs.object_id = task.id​

The idea is to calculate delta in seconds and create a schedule that triggers rule 'B' witch triggers workflow that sends email notification. But the problem is that workflow 'A-w' is not triggering the rule 'B'. It is showing as 'waiting' in 'state of action' tab and it never 'done' even when expected time is up. Any suggestions on that?

------------------------------
Magzhan Leskhan
------------------------------

Original Message:
Sent: Tue October 12, 2021 05:52 PM
From: Jared Fagel
Subject: Automatic notification case

It's be a bit messy, but you could run a workflow on every created task you want this to occur on (no conditions), and then have a custom function in that workflow that loops indefinitely checking the task status (and incident status), then return when that 15 minutes is up. On the return you'd have the email action run with the desired notification. I'm unsure how the system would perform as tasks (ant therefore actions) stack up.

This wouldn't be achievable via a script/preprocessor, because scripts have timeouts that prevent indefinite loops from being allowed.

------------------------------
Jared Fagel
Cyber Security Analyst
ALLETE Inc.

Original Message:
Sent: Thu October 07, 2021 02:41 AM
From: Magzhan Leskhan
Subject: Automatic notification case

Hi everyone! I want SOAR to automatically notify me via email about tasks with due dates expired by 15 minutes. I know how to use outbound email app and already wrote workflow function that sends task details via email after checking its due_date with current date. I've already tried following things:

1. Tried to make this by automatic rule with conditions like "due_date -> past by". But timeframes are too long for my case
2. Tried to make this by sheduler app. But scheduler job does not triggers main function's rule

------------------------------
Magzhan Leskhan
------------------------------

I have solved this case! Here is the instructions if you are interested:

1. I have created automatic rule for tasks that triggers a workflow "A" when task has a value in "due_date" field
2. Workflow "A" starts with function "Utilities: Timer" which calculates time needed to sleep in seconds and takes this time as input
3. "Utilities: Timer" function then triggers a "Outbound email" function which checks if task expired by 15 minutes and sends or doesn't sends accordingly 

Here is structure of workflow:

Here is timer script:


------------------------------
Magzhan Leskhan
------------------------------

Original Message:
Sent: Thu October 07, 2021 02:41 AM
From: Magzhan Leskhan
Subject: Automatic notification case

Hi everyone! I want SOAR to automatically notify me via email about tasks with due dates expired by 15 minutes. I know how to use outbound email app and already wrote workflow function that sends task details via email after checking its due_date with current date. I've already tried following things:

1. Tried to make this by automatic rule with conditions like "due_date -> past by". But timeframes are too long for my case
2. Tried to make this by sheduler app. But scheduler job does not triggers main function's rule

------------------------------
Magzhan Leskhan
------------------------------