IBM Security QRadar SOAR

  • 1.  Generate Incident Report from Playbook

    Posted Tue August 09, 2022 03:08 AM
    Hello Everyone,

    Is it possible to generate an incident report like explained here via playbook? We need to provide a report for every incident to our customers, preferably as a PDF file.

    Thanks for your help

    ------------------------------
    Benjamin Walden
    ------------------------------


  • 2.  RE: Generate Incident Report from Playbook

    Posted Thu August 11, 2022 02:55 AM

    Hi Benjamin,

    To my knowledge this isn't currently possible, so short answer, no.

    The reason is that, for generating the report, the web application is using the browser's rendering capabilities to do the layout and saving as a PDF.

    We have been using two "work-arounds" for generating reports.

    1. Using the data-feeder app to ingest BI data into another platform like Splunk, and from here leverage some dashboard automation to create the reports.

    2. Leveraging a headless browser to visit the incidents and generate a PDF report (this can be wrapped as an integration, but again, requires custom code, isn't pretty nor super stable)



    ------------------------------
    Kevin Kragh
    ------------------------------



  • 3.  RE: Generate Incident Report from Playbook

    Posted Thu August 11, 2022 03:14 AM
    Hi Kevin,

    Thanks for your answer!
    Both work-arounds are not really usable in my environment. But knowing why it isn't possible helps a lot in understanding SOAR more. Thanks.

    It would be great if this feature could be implemented in the future, if possible.

    I decided to build the reports out of API calls now. It's not as pretty as the generated Reports but it works.

    ------------------------------
    Benjamin Walden
    ------------------------------
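
Added example (not part of the original thread, and not code from either poster or from IBM): one way to build a customer-facing report from incident data returned by API calls, as post 3 describes. The incident and note dictionaries are constructed and their field names are assumptions; because incident fields often carry attacker-supplied text such as a phishing subject line, every value is HTML-escaped before it is rendered.

```python
import html
from datetime import datetime, timezone

# Constructed sample data. The field names are assumptions for this example;
# map them to whatever your own API calls return.
SAMPLE_INCIDENT = {
    "id": 2095,
    "name": "Phishing: <script>alert(1)</script> invoice",
    "severity": "High",
    "create_date": 1660201680000,  # epoch milliseconds (assumed)
    "description": 'User reported a mail with subject "Invoice & reminder".',
}
SAMPLE_NOTES = [
    {"author": "analyst1", "create_date": 1660205280000,
     "text": "Sender domain blocked at the gateway."},
]

def fmt_ts(ms):
    """Convert epoch milliseconds to a UTC timestamp string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")

def esc(value):
    """Escape a field so untrusted incident text cannot inject markup into the report."""
    return html.escape("" if value is None else str(value), quote=True)

def render_incident_report(incident, notes):
    """Build a standalone HTML report; every incident field is treated as untrusted."""
    rows = "".join(
        f"<tr><th>{esc(label)}</th><td>{esc(value)}</td></tr>"
        for label, value in [
            ("Incident ID", incident.get("id")),
            ("Severity", incident.get("severity")),
            ("Created", fmt_ts(incident["create_date"])),
        ]
    )
    note_items = "".join(
        f"<li><b>{esc(n.get('author'))}</b> ({fmt_ts(n['create_date'])}): {esc(n.get('text'))}</li>"
        for n in sorted(notes, key=lambda n: n["create_date"])  # oldest note first
    )
    return (
        "<!DOCTYPE html><html><head><meta charset='utf-8'>"
        f"<title>{esc(incident.get('name'))}</title></head><body>"
        f"<h1>{esc(incident.get('name'))}</h1><table>{rows}</table>"
        f"<h2>Description</h2><p>{esc(incident.get('description'))}</p>"
        f"<h2>Notes</h2><ul>{note_items or '<li>No notes</li>'}</ul>"
        "</body></html>"
    )

if __name__ == "__main__":
    print(render_incident_report(SAMPLE_INCIDENT, SAMPLE_NOTES))
```

The resulting HTML file can be handed to any HTML-to-PDF converter you already trust; the escaping matters most at that step, since the converter renders the markup.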



  • 4.  RE: Generate Incident Report from Playbook

    Posted Thu August 11, 2022 03:49 AM

    No problem! Just know that I'm not IBM, just had my fair share of time with IBM SOAR.

    I also have a feature request for having such a feature.

    You can go down that path, I decided it would be too clunky and as you say, likely not pretty but more stable and somewhat operational.



    ------------------------------
    Kevin Kragh
    ------------------------------