IBM Security QRadar SOAR

Hi everyone,

my question is about working with sequencing in general but i have this one specific use case.
I have a Datatable, consisting of a Column for Attachment Name and one for the Base64 String. When the Incident gets created, the Datatable gets populated immediately together with it. There could be several rows being created at the same time. Now i have a Playbook that fires for every row that gets created in this Datatable. This Playbook takes the twoe Columns from the row and uses fn_utilities Base64 to Attachment function.
So basically when there are 4 rows of Attachment Data the Playbook runs 4 times parallel. This has often run into errors. IBM Support told me that it is not allowed to have multiple instances of the same function run at the same time, so it fails.
How would i go to either have the Playbooks firing one after the other or have the whole table converted in one Playbook and still make sure that the Table is completely filled when the Playbook fires? Depending on the size of the Attachments the Table could be slow to be filled.

And i can't use the Attachment API with the source System (Company Ticket System) since it only supports sending via Base64.

Thank you all in advance for your help!

------------------------------
Benjamin Walden
------------------------------

I just came up with a solution myself.
I added a new Column to my Datatable with a numerical value, "timer". For every row that gets populated, the value for the field timer gets incremented by 10. Now i have a table like this:

| file1.txt  | adhlaksjdhalskdh                        | 10
| file2.pdf | ghjasdjhgweurhlsjdfbsnvcblskc  | 20

and so on. I then use this timer value in an actual timer inside the playbook that fires for every row. Now the Playbooks start at the same time, but the functions run one after another.

------------------------------
Benjamin Walden
------------------------------

Original Message:
Sent: Wed November 30, 2022 01:26 AM
From: Benjamin Walden
Subject: Sequencing start of Base64 to Attachment

Hi everyone,

my question is about working with sequencing in general but i have this one specific use case.
I have a Datatable, consisting of a Column for Attachment Name and one for the Base64 String. When the Incident gets created, the Datatable gets populated immediately together with it. There could be several rows being created at the same time. Now i have a Playbook that fires for every row that gets created in this Datatable. This Playbook takes the twoe Columns from the row and uses fn_utilities Base64 to Attachment function.
So basically when there are 4 rows of Attachment Data the Playbook runs 4 times parallel. This has often run into errors. IBM Support told me that it is not allowed to have multiple instances of the same function run at the same time, so it fails.
How would i go to either have the Playbooks firing one after the other or have the whole table converted in one Playbook and still make sure that the Table is completely filled when the Playbook fires? Depending on the size of the Attachments the Table could be slow to be filled.

And i can't use the Attachment API with the source System (Company Ticket System) since it only supports sending via Base64.

Thank you all in advance for your help!

------------------------------
Benjamin Walden
------------------------------