IBM QRadar SOAR

Hello,

I have been using a workflow with a timer on a specific task that executes a script on a weekly bases (repeatable forever while the task is open) to change a field value that triggers a notification to the incident owner reminding them that the task is still open. This was working until one of the recent Resilient version changes when someone noticed & reported that they were no longer getting their reminder . Here is some background: I have tested changing the field value manually in the incident and changing the value using an API and the notification is triggered/sent with both of these methods. However, if the field value is changed with the script (via the workflow) the the notification is not triggered. When the workflow/script is executed the incident 'Details History' shows that field value is changed (by the user 'System User') the notification is not triggered. Is there something specific with the user 'System User' that does not trigger notifications? Any suggestions on what may be happening?

------------------------------
Thanks
Paul
------------------------------

So your issue is that 'System User' changed fields no longer trigger notifications with condition of incident field "is changed" ... is this right?

If so, you'll want to report this via the IBM Support Cases Portal.

------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility
------------------------------

Original Message:
Sent: Thu November 21, 2019 09:00 AM
From: PAUL FORMOSA
Subject: Workflow Timer

Hello,

I have been using a workflow with a timer on a specific task that executes a script on a weekly bases (repeatable forever while the task is open) to change a field value that triggers a notification to the incident owner reminding them that the task is still open. This was working until one of the recent Resilient version changes when someone noticed & reported that they were no longer getting their reminder . Here is some background: I have tested changing the field value manually in the incident and changing the value using an API and the notification is triggered/sent with both of these methods. However, if the field value is changed with the script (via the workflow) the the notification is not triggered. When the workflow/script is executed the incident 'Details History' shows that field value is changed (by the user 'System User') the notification is not triggered. Is there something specific with the user 'System User' that does not trigger notifications? Any suggestions on what may be happening?

------------------------------
Thanks
Paul
------------------------------

Thanks.

------------------------------
PAUL FORMOSA
------------------------------

Original Message:
Sent: Thu November 21, 2019 06:42 PM
From: Jared Fagel
Subject: Workflow Timer

So your issue is that 'System User' changed fields no longer trigger notifications with condition of incident field "is changed" ... is this right?

If so, you'll want to report this via the IBM Support Cases Portal.

------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility

Original Message:
Sent: Thu November 21, 2019 09:00 AM
From: PAUL FORMOSA
Subject: Workflow Timer

Hello,

I have been using a workflow with a timer on a specific task that executes a script on a weekly bases (repeatable forever while the task is open) to change a field value that triggers a notification to the incident owner reminding them that the task is still open. This was working until one of the recent Resilient version changes when someone noticed & reported that they were no longer getting their reminder . Here is some background: I have tested changing the field value manually in the incident and changing the value using an API and the notification is triggered/sent with both of these methods. However, if the field value is changed with the script (via the workflow) the the notification is not triggered. When the workflow/script is executed the incident 'Details History' shows that field value is changed (by the user 'System User') the notification is not triggered. Is there something specific with the user 'System User' that does not trigger notifications? Any suggestions on what may be happening?

------------------------------
Thanks
Paul
------------------------------

Hello Paul

You may have change your integration server authentication from a "Technical User" (Type = User) to an API Key (Type = System User)
They do not have the same behavior.

------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Thu November 21, 2019 09:00 AM
From: PAUL FORMOSA
Subject: Workflow Timer

Hello,

I have been using a workflow with a timer on a specific task that executes a script on a weekly bases (repeatable forever while the task is open) to change a field value that triggers a notification to the incident owner reminding them that the task is still open. This was working until one of the recent Resilient version changes when someone noticed & reported that they were no longer getting their reminder . Here is some background: I have tested changing the field value manually in the incident and changing the value using an API and the notification is triggered/sent with both of these methods. However, if the field value is changed with the script (via the workflow) the the notification is not triggered. When the workflow/script is executed the incident 'Details History' shows that field value is changed (by the user 'System User') the notification is not triggered. Is there something specific with the user 'System User' that does not trigger notifications? Any suggestions on what may be happening?

------------------------------
Thanks
Paul
------------------------------

They should have the same behavior in this regards.

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Sun November 24, 2019 05:14 PM
From: BENOIT ROSTAGNI
Subject: Workflow Timer

Hello Paul

You may have change your integration server authentication from a "Technical User" (Type = User) to an API Key (Type = System User)
They do not have the same behavior.

------------------------------
BENOIT ROSTAGNI

Original Message:
Sent: Thu November 21, 2019 09:00 AM
From: PAUL FORMOSA
Subject: Workflow Timer

Hello,

I have been using a workflow with a timer on a specific task that executes a script on a weekly bases (repeatable forever while the task is open) to change a field value that triggers a notification to the incident owner reminding them that the task is still open. This was working until one of the recent Resilient version changes when someone noticed & reported that they were no longer getting their reminder . Here is some background: I have tested changing the field value manually in the incident and changing the value using an API and the notification is triggered/sent with both of these methods. However, if the field value is changed with the script (via the workflow) the the notification is not triggered. When the workflow/script is executed the incident 'Details History' shows that field value is changed (by the user 'System User') the notification is not triggered. Is there something specific with the user 'System User' that does not trigger notifications? Any suggestions on what may be happening?

------------------------------
Thanks
Paul
------------------------------