IBM QRadar SOAR

I see now V41 introduce Playbook for designing incident response.
However, I did not find much information regarding comparison between playbook and traditional Rule/WorkFlow/Functions
Is there a whitepaer somewhere or a webex that gives some overview on:
- What is the major improvement?
-Best practice to migrate exsiting configuration to playbook
- Comparison between playbook and old way of design.


------------------------------
Qing Lan
------------------------------

I'm not sure if there is a whitepaper.

A Playbook is effectively a Rule+Workflow.
A Playbook doesn't have the same Add Task/Remove Task capabilities that a Rule has. For example, tasks added by a rule are removed when the Rule conditions no longer apply. Playbooks don't have that.
Playbooks don't yet have all the features that Workflows have: manually activation, timers, condition flows, advanced conditions for Playbook activiation. These things are actively being worked on.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Tue June 08, 2021 04:27 AM
From: Qing Lan
Subject: Resource for the new Playbook feature

I see now V41 introduce Playbook for designing incident response.
However, I did not find much information regarding comparison between playbook and traditional Rule/WorkFlow/Functions
Is there a whitepaer somewhere or a webex that gives some overview on:
- What is the major improvement?
-Best practice to migrate exsiting configuration to playbook
- Comparison between playbook and old way of design.


------------------------------
Qing Lan
------------------------------

Ben,

Do you know if the team is working on enabling playbooks to have the same add task / remove task capabilities that rules have? 

That's one thing that's stopping us from using playbook designer right now. We've found it's pretty common for an analyst to answer a field, close the task, do more work, come back to that task and change the answer to the field. It would be great if playbook conditions would be re-evaluated when a task before the condition is reopened, essentially stepping back in the playbook.

------------------------------
Liam Mahoney
------------------------------

Original Message:
Sent: Mon June 14, 2021 09:25 AM
From: Ben Lurie
Subject: Resource for the new Playbook feature

I'm not sure if there is a whitepaper.

A Playbook is effectively a Rule+Workflow.
A Playbook doesn't have the same Add Task/Remove Task capabilities that a Rule has. For example, tasks added by a rule are removed when the Rule conditions no longer apply. Playbooks don't have that.
Playbooks don't yet have all the features that Workflows have: manually activation, timers, condition flows, advanced conditions for Playbook activiation. These things are actively being worked on.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Tue June 08, 2021 04:27 AM
From: Qing Lan
Subject: Resource for the new Playbook feature

I see now V41 introduce Playbook for designing incident response.
However, I did not find much information regarding comparison between playbook and traditional Rule/WorkFlow/Functions
Is there a whitepaer somewhere or a webex that gives some overview on:
- What is the major improvement?
-Best practice to migrate exsiting configuration to playbook
- Comparison between playbook and old way of design.


------------------------------
Qing Lan
------------------------------

Yes, this is on the roadmap and being designed. The idea is to have "auto cancellation" capability for a Playbook as an option. If enabled, when the activation conditions don't apply any longer (or custom auto cancellation conditions) then the playbook is cancelled. Optionally, when the playbook is auto-cancelled the system can remove any uncompleted tasks or all tasks added by the playbook. This is effectively what Rules do.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Fri October 29, 2021 10:12 AM
From: Liam Mahoney
Subject: Resource for the new Playbook feature

Ben,

Do you know if the team is working on enabling playbooks to have the same add task / remove task capabilities that rules have? 

That's one thing that's stopping us from using playbook designer right now. We've found it's pretty common for an analyst to answer a field, close the task, do more work, come back to that task and change the answer to the field. It would be great if playbook conditions would be re-evaluated when a task before the condition is reopened, essentially stepping back in the playbook.

------------------------------
Liam Mahoney

Original Message:
Sent: Mon June 14, 2021 09:25 AM
From: Ben Lurie
Subject: Resource for the new Playbook feature

I'm not sure if there is a whitepaper.

A Playbook is effectively a Rule+Workflow.
A Playbook doesn't have the same Add Task/Remove Task capabilities that a Rule has. For example, tasks added by a rule are removed when the Rule conditions no longer apply. Playbooks don't have that.
Playbooks don't yet have all the features that Workflows have: manually activation, timers, condition flows, advanced conditions for Playbook activiation. These things are actively being worked on.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Tue June 08, 2021 04:27 AM
From: Qing Lan
Subject: Resource for the new Playbook feature

I see now V41 introduce Playbook for designing incident response.
However, I did not find much information regarding comparison between playbook and traditional Rule/WorkFlow/Functions
Is there a whitepaer somewhere or a webex that gives some overview on:
- What is the major improvement?
-Best practice to migrate exsiting configuration to playbook
- Comparison between playbook and old way of design.


------------------------------
Qing Lan
------------------------------