IBM Security QRadar SOAR

Hi,

Since it is not possible to execute the same App on two AppHost at the same time, we are considering duplicating the App that would be needed in two AppHosts installed on two separate networks.

To do this, we would use the code located at github[.]com/ibmresilient/resilient-community-apps, duplicate it, rename it and repackage it.  Of course, in SOAR, we would create a new function name and a new destination.

We are aware that if the App would be upgraded, our new App would not be.

Has anybody ever done this?  Can it be considered a viable solution?

Hi Pierre,

We are aware of this need to deploy the same App to multiple App Hosts, for both load balancing purposes and to integrate with different datasources. There is an active discussion within IBM to support this in future releases.

Until we can offer this, your approach is the correct, but will several caveats. The most important is the use of UUIDs to uniquely define apps, functions, function input fields, etc.  Renaming an app or function alone without also changing the associated UUID will fail to load or worse, overwrite the existing function.

An alternative is to use the 'resilient-sdk clone' capability. It will take functions, workflows, rules, playbooks, etc. and give you the ability to duplicate them (with new UUIDs). This is the syntax for duplicating a function:

resilient-sdk clone -f <old_function_name> <new_function_name>

If you have many functions, this can be a tedious activity. You'll still need to assign a new message destination to each cloned function. But at least you have an easier way to start the duplication process.

Hope this helps.