IBM Security QRadar SOAR

I have issues with playbook process, i can't close playbook because i don't no when playbook automation with object assign artifact away run. I can't follow when all playbooks automation in an incident have done yet. Because i want close when all playbook automation with object assign artifact have done.

Hi Dũng,

This is possible via a couple of integrations. The app and function: fn_playbook_utils.pb_get_playbook_data will provide status on all playbooks run for an incident. From the list returned, it should be possible to confirm that all are in the 'completed' or 'error' state.

The fn_scheduler app can be used to periodically run a playbook to get this data and then close the incident when all are complete. Be sure to filter out the current scheduler playbook as that playbook will always be in the 'running' state.

I hope this helps. 

Regards,

------------------------------
Mark Scherfling

Original Message:
Sent: Fri June 14, 2024 05:31 AM
From: Dũng Đặng
Subject: Waiting for automation playbook

I have issues with playbook process, i can't close playbook because i don't no when playbook automation with object assign artifact away run. I can't follow when all playbooks automation in an incident have done yet. Because i want close when all playbook automation with object assign artifact have done.

------------------------------
Dũng Đặng
------------------------------

Hello Mark Scherfling,

Thank you for your quick answer !

Is there any other way that I can integrate in the playbook corresponding to the incident without needing the fn_scheduler app? My purpose is to monitor the playbook automation assigned to artifacts in the incident. After those playbook automations have finished running, I will close incident.

Regards

------------------------------
Dũng Đặng

Original Message:
Sent: Mon June 17, 2024 02:09 PM
From: Mark Scherfling
Subject: Waiting for automation playbook

Hi Dũng,

This is possible via a couple of integrations. The app and function: fn_playbook_utils.pb_get_playbook_data will provide status on all playbooks run for an incident. From the list returned, it should be possible to confirm that all are in the 'completed' or 'error' state.

The fn_scheduler app can be used to periodically run a playbook to get this data and then close the incident when all are complete. Be sure to filter out the current scheduler playbook as that playbook will always be in the 'running' state.

I hope this helps. 

Regards,

------------------------------
Mark Scherfling

Original Message:
Sent: Fri June 14, 2024 05:31 AM
From: Dũng Đặng
Subject: Waiting for automation playbook

I have issues with playbook process, i can't close playbook because i don't no when playbook automation with object assign artifact away run. I can't follow when all playbooks automation in an incident have done yet. Because i want close when all playbook automation with object assign artifact have done.

------------------------------
Dũng Đặng
------------------------------

Hi Dũng,

I'm not aware of another way to automate this at the moment. You can modify your playbook for artifact enrichment to check all other playbooks for completion. If none are active, you can close the incident. There is a race condition here. If a playbook hasn't yet triggered for a different artifact, the playbook could close the incident pre-maturely. 

Sorry for not having another solution.

Regards,

Mark

Hello Mark Scherfling,

Thank you for your quick answer !

Is there any other way that I can integrate in the playbook corresponding to the incident without needing the fn_scheduler app? My purpose is to monitor the playbook automation assigned to artifacts in the incident. After those playbook automations have finished running, I will close incident.

Regards

------------------------------
Dũng Đặng

Original Message:
Sent: Mon June 17, 2024 02:09 PM
From: Mark Scherfling
Subject: Waiting for automation playbook

Hi Dũng,

This is possible via a couple of integrations. The app and function: fn_playbook_utils.pb_get_playbook_data will provide status on all playbooks run for an incident. From the list returned, it should be possible to confirm that all are in the 'completed' or 'error' state.

The fn_scheduler app can be used to periodically run a playbook to get this data and then close the incident when all are complete. Be sure to filter out the current scheduler playbook as that playbook will always be in the 'running' state.

I hope this helps. 

Regards,

------------------------------
Mark Scherfling

Original Message:
Sent: Fri June 14, 2024 05:31 AM
From: Dũng Đặng
Subject: Waiting for automation playbook

I have issues with playbook process, i can't close playbook because i don't no when playbook automation with object assign artifact away run. I can't follow when all playbooks automation in an incident have done yet. Because i want close when all playbook automation with object assign artifact have done.

------------------------------
Dũng Đặng
------------------------------