IBM Security QRadar SOAR

  • 1.  execute playbooks with SOAR REST API

    Posted Thu May 16, 2024 12:10 PM

    Hi everyone,

    I would like to execute a playbook for a set of incidents. The initial execution failed because of a playbook error, but now that it was corrected I need to run it again. I am able to query the relevant incidents using the IncidentREST endpoints and the relevant playbooks with the PlaybookExecutionREST endpoints. I couldn't however figure out how to execute them. Does anyone here know how to do it?

    Currently I use /rest/orgs/{org_id}/incidents/query_paged  and  /rest/orgs/{org_id}/playbooks/execution/query_paged.

    Best regards,



    ------------------------------
    Joao Joao Baptista Dias Moreira
    ------------------------------


  • 2.  RE: execute playbooks with SOAR REST API
    Best Answer

    Posted Tue May 21, 2024 10:30 AM

    Hi -

    There is not a way to trigger a Playbook directly via the API. This is because this is out of the normal use case for a playbook, which should be triggered manually by an analyst, or via automatic activation conditions on an incident.

    This second use case, however, allows us to get around the fact that we can't directly trigger a Playbook by designing a playbook which is triggered automatically on a field change (or something similar). That field change can in turn be done via the API, which would then trigger the Playbook to kick off.

    So I'm suggesting that you design your playbook to be automatic, and activated on some change in an incident. Then use the API to trigger that change, and you'll have triggered your playbook. If you want to do this without any visible change, create a custom field on all incidents that is used just for this exact purpose.



    ------------------------------
    Bo Bleckel
    ------------------------------
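    The workaround described in this answer, as an added example that is not part of the thread or of IBM's own tooling: page through incidents with the `query_paged` endpoint from the question, then PATCH a dedicated boolean custom field (assumed API name `replay_trigger`) on each one so the playbook's automatic activation condition fires. The `SoarClient` class, the query filter shape, the PATCH body (`changes` with `old_value`/`new_value` plus the incident `vers` as `version`), and the `success` key in the PATCH response are assumptions about the REST API, not taken from the page.

```python
import base64, json, urllib.request
class SoarClient:
    # Thin JSON client; API key id/secret sent as HTTP Basic auth (assumed).
    def __init__(self, base_url, key_id, key_secret):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    def _call(self, method, path, body):
        req = urllib.request.Request(self.base + path, data=json.dumps(body).encode(),
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    def post(self, path, body): return self._call("POST", path, body)
    def patch(self, path, body): return self._call("PATCH", path, body)

def query_body(field_name, value, start=0, length=50):
    # One filter group, one equals condition (assumed query_paged schema).
    return {"filters": [{"conditions": [
                {"field_name": field_name, "method": "equals", "value": value}]}],
            "start": start, "length": length}

def patch_body(incident, field_api_name, new_value):
    # old_value and 'version' (the incident's 'vers') make the PATCH fail on a
    # concurrent edit rather than silently overwrite it (assumed PatchDTO shape).
    old = incident.get("properties", {}).get(field_api_name)
    return {"changes": [{"field": {"name": f"properties.{field_api_name}"},
                         "old_value": {"boolean": old},
                         "new_value": {"boolean": new_value}}],
            "version": incident["vers"]}

def iter_incidents(client, org_id, field_name, value, page=50):
    # Walk query_paged until a page comes back short.
    start = 0
    while True:
        rows = client.post(f"/rest/orgs/{org_id}/incidents/query_paged",
                           query_body(field_name, value, start, page)).get("data", [])
        yield from rows
        if len(rows) < page:
            return
        start += page

def replay_playbook(client, org_id, select_field, select_value, trigger_field="replay_trigger"):
    # Flip the trigger field; the playbook's activation condition on it does the launch.
    touched = []
    for inc in iter_incidents(client, org_id, select_field, select_value):
        resp = client.patch(f"/rest/orgs/{org_id}/incidents/{inc['id']}",
                            patch_body(inc, trigger_field, True))
        if resp.get("success"):
            touched.append(inc["id"])
    return touched
```

Because the activation condition watches for a change, a second replay needs the field reset to `False` first (or an activation condition that fires on any change, not only on `True`).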



  • 3.  RE: execute playbooks with SOAR REST API

    Posted Wed May 22, 2024 06:39 AM

    Hi Bo Bleckel,

    What I ended up doing to execute the queue of incidents was indeed changing a field that triggers the automatic activation. 

    I will probably add that incident custom field, thanks for the suggestion.

    Best regards,



    ------------------------------
    Joao Joao Baptista Dias Moreira
    ------------------------------