IBM Security QRadar SOAR

Hi,
In the playbook I am developing, there is at first some sequential tasks followed by a call to a function and then a condition point after which different tasks are added depending on the condition met.
For some reason, if the function fails, is it possible to restart the playbook?
In my use case, the playbook is started after the incident is created from QRadar offense escalation.  Is it possible to "resubmit" the offense?

------------------------------
Pierre Dufresne
------------------------------

Hello,

Unfortunately, there is no option to restart failed playbooks if it is an automatic playbook. 

--------------------
Ram Badvelu
--------------------

------------------------------
Ram Badvelu
------------------------------

Original Message:
Sent: Thu May 12, 2022 01:40 PM
From: Pierre Dufresne
Subject: Restarting a playbook "in the middle"

Hi,
In the playbook I am developing, there is at first some sequential tasks followed by a call to a function and then a condition point after which different tasks are added depending on the condition met.
For some reason, if the function fails, is it possible to restart the playbook?
In my use case, the playbook is started after the incident is created from QRadar offense escalation.  Is it possible to "resubmit" the offense?

------------------------------
Pierre Dufresne
------------------------------

OK, thanks Ram, your answer is pretty clear.

But what if I add an incident field called "Restart" and I change the condition on my automatic playbook from "When incident is created" to "Incident is cretaed or Restart field is changed"?
When I change the value of the new "Restart" field, the playbook will be executed again.
Will this duplicate the system tasks that the playbook is designed to create?
If a task is already marked complete by the previous execution, will it be skipped or will the playbook wait for it to be closed again?

------------------------------
Pierre Dufresne
------------------------------

Original Message:
Sent: Thu May 12, 2022 03:31 PM
From: Ram Badvelu
Subject: Restarting a playbook "in the middle"

Hello,

Unfortunately, there is no option to restart failed playbooks if it is an automatic playbook. 

--------------------
Ram Badvelu
--------------------

------------------------------
Ram Badvelu

Original Message:
Sent: Thu May 12, 2022 01:40 PM
From: Pierre Dufresne
Subject: Restarting a playbook "in the middle"

Hi,
In the playbook I am developing, there is at first some sequential tasks followed by a call to a function and then a condition point after which different tasks are added depending on the condition met.
For some reason, if the function fails, is it possible to restart the playbook?
In my use case, the playbook is started after the incident is created from QRadar offense escalation.  Is it possible to "resubmit" the offense?

------------------------------
Pierre Dufresne
------------------------------

That's correct. New instance of the playbook is created and executed if the condition is true upon updating the incident field.
It will not create duplicate system tasks again.
It will skip all completed tasks by the previous playbook execution.

------------------------------
Ram Badvelu
------------------------------

Original Message:
Sent: Tue May 17, 2022 10:54 AM
From: Pierre Dufresne
Subject: Restarting a playbook "in the middle"

OK, thanks Ram, your answer is pretty clear.

But what if I add an incident field called "Restart" and I change the condition on my automatic playbook from "When incident is created" to "Incident is cretaed or Restart field is changed"?
When I change the value of the new "Restart" field, the playbook will be executed again.
Will this duplicate the system tasks that the playbook is designed to create?
If a task is already marked complete by the previous execution, will it be skipped or will the playbook wait for it to be closed again?

------------------------------
Pierre Dufresne

Original Message:
Sent: Thu May 12, 2022 03:31 PM
From: Ram Badvelu
Subject: Restarting a playbook "in the middle"

Hello,

Unfortunately, there is no option to restart failed playbooks if it is an automatic playbook. 

--------------------
Ram Badvelu
--------------------

------------------------------
Ram Badvelu

Original Message:
Sent: Thu May 12, 2022 01:40 PM
From: Pierre Dufresne
Subject: Restarting a playbook "in the middle"

Hi,
In the playbook I am developing, there is at first some sequential tasks followed by a call to a function and then a condition point after which different tasks are added depending on the condition met.
For some reason, if the function fails, is it possible to restart the playbook?
In my use case, the playbook is started after the incident is created from QRadar offense escalation.  Is it possible to "resubmit" the offense?

------------------------------
Pierre Dufresne
------------------------------