IBM QRadar SOAR

IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Is it possible to trigger playbooks automatically when the incident phase (incident.phase_id) changes in IBM SOAR?

  • 1.  Is it possible to trigger playbooks automatically when the incident phase (incident.phase_id) changes in IBM SOAR?

    Posted 6 days ago
    Edited by Rodrigo Hormazabal Rebolledo 6 days ago

    Hi community,

    I'm currently facing an issue with playbook orchestration that I'd like to discuss with you.

    I have two automated incident playbooks:

    • One focused on artifact enrichment,

    • And another for IoC containment (blocking, isolation, etc.).

    At the moment, both playbooks are configured to trigger automatically, but they run simultaneously upon incident creation. This creates a conflict because the containment playbook cannot determine whether an artifact has a bad reputation or not-at runtime, the enrichment process hasn't yet added any "hits" to the artifact.

    To address this, I'm considering separating the processes based on phases defined in the Incident Handling & Response (IH&R) framework.
    My idea is to:

    • Perform data collection and artifact enrichment during the Detect/Analyze phase (equivalent to Triage in IBM SOAR),

    • And move on to containment actions only when the incident enters the Respond phase.

    This approach of separating responsibilities according to IH&R phases is quite ideal for me, as it gives much more clarity and control over what should happen at each stage of the incident lifecycle. It even allows me to determine the most appropriate moment to send out the notification, typically during the Post-Incident phase.

    However, I've noticed that automatic playbook triggers do not support conditions based on the incident.phase_id field. Only task-based triggers seem to support phase conditions (via task.phase_id), which doesn't apply in this case

    Incident Type (PB)

    Task Type (PB)

    Is there any way to automatically trigger a playbook when the incident.phase_id field changes to a specific value, such as "Respond"?
    Alternatively, is there a recommended strategy for controlling playbook execution across IR phases?

    Any suggestions or workarounds would be greatly appreciated.

    Thanks in advance,
    Rodrigo Hormazabal
    SOAR Engineer



    ------------------------------
    Rodrigo Hormazabal Rebolledo
    ------------------------------



  • 2.  RE: Is it possible to trigger playbooks automatically when the incident phase (incident.phase_id) changes in IBM SOAR?

    Posted 5 days ago
    Edited by Jared Fagel 5 days ago

    I'm not aware of a way to do this off the top of my head. This was submitted twice in the Idea portal, however both were closed as "Not under consideration" due to alternative solutions for the submitter's requests. You could certainly try to submit it as an idea again, I do think it would be useful, we've had the same desire and just worked around it.

     

    I wanted to toss a couple other ideas out there...

    1. Have the Artifact Enrichment playbook kick off the IoC Containment playbook.

    2. Have the IoC Containment playbook loop and wait for the Artifact Enrichment playbook to complete. You could do this by setting a field value when Artifact Enrichment completes, and then have IoC Containment loop and wait for that value.

    3. Execute the IoC Containment using an 'Artifact Description is changed to' rule condition, and then key off something that the IoC Containment playbook sets that otherwise would not exist.

     

    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------

    Original Message


Related Content