IBM QRadar SOAR

IBM QRadar

  • 1.  In-rule actions on Set Field triggered only once?

    Posted Tue July 14, 2020 04:41 AM
    Edited by Guido Janssens Tue July 14, 2020 08:49 AM
    We have a rule that triggers on following conditions:
    ANY of ("Impact is changed", "Urgency is Changed", "Incident is created")

    The only activity of this rule is to run a script "Set Classification" that calculates a classification based upon the values in Urgency and Impact
    This rule runs for all incidents and runs correctly.

    We have another rule that triggers on a specific CASE TYPE (the only condition)
    The ordered activities are 
    - adding a number of tasks
    - setting a number of field values ....
    - setting Field value for Urgency to a value
    - setting Field value for Impact to a value

    However, when the CASE TYPE is such that this rule is triggered, the first rule does not trigger again, although the values for Urgency and Impact are changed by the second one.
    If I add the action "run script Set Classification" to the ordered activities, it calculates well.

    Does anyone have a clue why the first rule would not trigger again after the second one has updated the fields Urgency and Impact?

    ------------------------------
    Guido Janssens
    ------------------------------


  • 2.  RE: In-rule actions on Set Field triggered only once?

    Posted Wed July 15, 2020 08:12 AM
    Guido,

    What is the order of those two Rules?

    Ensure that the Rule that evaluates the Impact and/or Urgency of an Incident is ordered after the Rule/Script that potentially changes Impact/Urgency.

    Rules are run from top to bottom. So they must be strategically ordered if they influence each other.

    If reordering the Rule doesn't help, please post screenshots of the Rules.


    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------



  • 3.  RE: In-rule actions on Set Field triggered only once?

    Posted Thu July 16, 2020 06:29 AM

    Brenden,

    Indeed, the order is such that the "Set Classification" rule is before the CASE TYPE rule.

    Now, we have reasons not to change the order of this specific rule, but we solved it in another way:
    As the "Set Classification" rule just has one action, triggering a script, we have included the triggering of the script as the last action in the rule that triggers on CASE TYPE and sets the values for Impact & Urgency.

    (see also my answer to Ben)

    Things work well this way.

    Thanks



    ------------------------------
    Guido Janssens
    ------------------------------



  • 4.  RE: In-rule actions on Set Field triggered only once?

    Posted Wed July 15, 2020 09:11 AM
    A rule whose conditions evaluate to "true" is only ever run once. This is by design to prevent infinite loops and unexpected behavior. As Brenden mentioned below, if you need rules to run in a certain order, that is what the Rule ordering is for.

    Ben


    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: In-rule actions on Set Field triggered only once?

    Posted Thu July 16, 2020 06:34 AM
    Edited by Guido Janssens Thu July 16, 2020 07:44 AM
    Hi Ben,

    Basically, we figured that what is in the Playbook Designer Guide (Configure Rules, p 23) means that that rule would be triggered again anyway upon change of the value of one of the fields in the conditions:
    A rule is evaluated when there is a change to an instance of an object, which is of the type specified in the rule's object type. When a rule is evaluated, its conditions are checked, and if satisfied, the rule is invoked.
    Rules are re-evaluated and can be invoked again when a rule creates a new object or changes the state of an object. To guard against infinite loops, the Resilient platform limits the rule creation of new objects to 500 while processing rules.

    But as I understand it now, a rule that evaluates to "TRUE" is only evaluated once during a single "loop" triggered by an object change.
    Thanks for this clarification, it was not what we expected.
    Does this mean that a rule that evaluated to "FALSE" and is ordered before a second one that changes fields so the conditions of the first one would evaluate to "TRUE" will be re-evaluated?
    Or would it need a new object or change in the state of an existing object anyway?
    - and what is meant by change in state (created, deleted, row inserted, row deleted, .... OK) but what is "changed" ?

    Both the "single" evaluation and the aspect of the ordering of rules were not that clear from the documentation we used.
    ---------------------
    EDIT: I did find the text relating to order of rules ;) 

    Order. Automatic rules have numbers, which denotes the order in which the rules run when a condition invokes multiple rules. The ordering can be important especially when different rules affect the same fields, or changes made by one rule impact another rule. You can change the order by dragging the rules. Menu Item rules do not have numbers since they run only when a user invokes them.
    -------------------------


    We did solve our problem though (see my answer to Brenden)

    Thanks

    ------------------------------
    Guido Janssens
    ------------------------------
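A small simulation of the rule-engine behaviour discussed in this thread, added here as an illustration and not code from IBM or any of the posters. It models two assumptions taken from the replies and the quoted guide: field changes made by a rule's actions cause rules to be re-evaluated, but a rule whose conditions were already true is invoked only once while one object change is processed. The case type "Malware", the Low/High values and the classification table are constructed sample data.

```python
# Simplified model of ordered automatic rules in which a rule is invoked at most
# once while one object change is processed. Illustrative only, not the SOAR engine.
# Constructed lookup (urgency, impact) -> classification used by the script.
CLASSIFICATION = {("High", "High"): "P1", ("High", "Low"): "P2",
                  ("Low", "High"): "P2", ("Low", "Low"): "P3"}

def set_classification(incident):  # stand-in for the "Set Classification" script
    incident["classification"] = CLASSIFICATION[(incident["urgency"], incident["impact"])]

def set_field(name, value):  # stand-in for a "Set Field Value" ordered activity
    return lambda incident: incident.__setitem__(name, value)

class Rule:
    def __init__(self, name, condition, actions):
        self.name, self.condition, self.actions = name, condition, actions

def process(incident, rules, changed):
    """Evaluate ordered rules for one object change; return rule names invoked in order.
    Field changes re-trigger evaluation, but an already-invoked rule is skipped."""
    fired, pending = [], set(changed)
    while pending:
        pending = set()
        for rule in rules:  # numbered order, top to bottom
            if rule.name in fired or not rule.condition(incident, changed):
                continue
            fired.append(rule.name)
            for action in rule.actions:
                before = dict(incident)
                action(incident)
                delta = {k for k in incident if incident[k] != before.get(k)}
                changed |= delta
                pending |= delta
    return fired

# The two rules from the thread, with constructed field values.
SET_CLASS = Rule("Set Classification",
                 lambda inc, ch: bool(ch & {"created", "urgency", "impact"}),
                 [set_classification])
CASE_TYPE = Rule("Case Type", lambda inc, ch: inc["case_type"] == "Malware",
                 [set_field("urgency", "High"), set_field("impact", "High")])
# Workaround from the thread: run the script as the last ordered activity.
CASE_TYPE_WITH_SCRIPT = Rule("Case Type", CASE_TYPE.condition,
                             CASE_TYPE.actions + [set_classification])

def run(rules, case_type="Malware"):
    """Create a Low/Low incident, process the rules, return (classification, invoked)."""
    incident = {"case_type": case_type, "urgency": "Low", "impact": "Low",
                "classification": None}
    fired = process(incident, rules, {"created"})
    return incident["classification"], fired
```

With the original order `[SET_CLASS, CASE_TYPE]` the classification stays at the stale "P3" even though both rules ran; reordering or the workaround rule yields "P1".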