IBM Security QRadar SOAR

Issues With `resilient-sdk extract` and Playbooks - Upgrading Playbooks

    IBM Champion
    Posted Mon January 16, 2023 05:59 PM
    Edited by Liam Mahoney Mon January 16, 2023 06:11 PM
    All,

    In the past I used the `resilient-sdk extract ...` command to create export packages from our test instance of IBM SOAR that I then use to import into our production instance. It was great and made moving objects between our instances a breeze. However, this changed with playbooks being introduced.

    I am able to generate the export packages just fine, but when the export package contains a playbook I have run into a few issues when importing into our production instance:

    • Errors about a sub-playbook that doesn't exist in the production instance. I would think that if the sub-playbook is referenced by the playbook in the export package, it would be included. Also, there doesn't seem to be a sub-playbook option in the resilient-sdk extract command, so including it in my export package isn't possible. This happens when a playbook is included in the export package that doesn't exist in prod (being pushed to prod for the first time). It happened to me for the first time today while trying to push, but I failed to grab a screenshot of the exact error. This doesn't seem to happen every time.
    • Errors about conflicts with tags and/or a playbook name already existing. This happens to me whenever a playbook is included in the export package that already exists in the production instance, i.e. not the first time importing the playbook into production. I've opened a support ticket about this issue in the past and ultimately didn't get anywhere other than them recommending the manual process of exporting/importing playbooks. It seems to happen every time I include a playbook in the export package that's already in production.

    So now I typically manually export the playbook from test and upload it into production. However, I still run into issues with tag conflicts / name conflicts:



    So I'm not sure how to properly update a playbook. Having to rename / delete the old version from production before importing the new version doesn't really seem like an upgrade process to me.

    My manual 'upgrade' process is currently:
    1. find the playbook in the production instance and copy the API name
    2. make a clone of the playbook in test (via CLI command for now; I see there's an option in the GUI in the newest version), making sure that the name of the clone is different from the name copied in step 1
    3. export the cloned playbook from test
    4. import the cloned playbook into prod
    5. delete the existing playbook in prod
    6. rename the clone to match the old playbook's display name
    7. enable the cloned playbook in prod
    8. delete the cloned playbook in the test instance

    Add to this whole situation that the import/export process is painfully slow on our instances, and my bi-weekly push from our test to production instance has easily become my least favorite thing about IBM SOAR.

    (.venv) [csdev@COR-CSDev00 transfer]$ time resilient-sdk clone -pb artifact_enrichment_ip_address
    ...
    ERROR: Did not receive the right amount of object names. Only expect 2 and 1 were given. Only specify the original action object name and a new object name

    real 3m31.534s

    3.5 minutes to tell me I entered a command wrong!

    (.venv) [csdev@COR-CSDev00 transfer]$ time resilient-sdk clone -pb artifact_enrichment_ip_address artifact_enrichment_ip_address_2
    ...
    Imported configuration changes successfully to SOAR
    'clone' command finished in 282.489675 seconds

    4 minutes and 43 seconds to successfully clone a playbook.


    And then another minute and 20 seconds to import the playbook in production, sometimes longer:



    At the moment I have 5 playbooks that were updated and need to be manually pushed. If we use 5 minutes per playbook as a generous estimate of how long it would take that's 25 minutes of just export/import time. Let alone loading times between screens, etc.

    Am I doing something wrong? Please tell me there is a better way. I would greatly appreciate if including playbooks in the resilient-sdk extract command could be worked out so I could revert to my old process.

    This has left a sour taste in my mouth and I can't help but feel playbooks aren't fully implemented into the product even though they've been out for a long time.

    We're currently on version 45.1.42.

    Let me know, I hope I'm doing something wrong.

    ------------------------------
    Liam Mahoney
    ------------------------------
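The two import failures described in the post (a name or tag that already exists in production, and a sub-playbook the package references but does not carry) only surface after minutes of waiting on the import. A practitioner would want to catch them before uploading. The following is an added example written for this page; it is not part of the original post and is not code from resilient-sdk or IBM. It assumes a simplified export JSON shape (a top-level `playbooks` list whose entries carry `name`, `display_name`, `tags` as `[{"tag_handle": ...}]`, and an assumed `sub_playbooks` list of API names); the two sample exports are constructed, and the keys should be verified against a real `resilient-sdk extract` output before relying on the check.

```python
"""Pre-flight conflict check for a SOAR export package against the target org.

Added example for this page, not code from resilient-sdk or IBM. The export
structure below is an ASSUMPTION simplified for illustration: a top-level
"playbooks" list with "name", "display_name", "tags" ([{"tag_handle": ...}])
and an assumed "sub_playbooks" list of referenced playbook API names.
"""
import json

# Constructed sample: the package extracted from the TEST instance. The first
# API name is the one shown in the post; everything else is made up.
TEST_PACKAGE = json.loads("""
{
  "playbooks": [
    {"name": "artifact_enrichment_ip_address",
     "display_name": "Artifact Enrichment: IP Address",
     "tags": [{"tag_handle": "enrichment"}],
     "sub_playbooks": ["lookup_threat_intel"]},
    {"name": "lookup_threat_intel",
     "display_name": "Lookup Threat Intel",
     "tags": [{"tag_handle": "enrichment"}],
     "sub_playbooks": []},
    {"name": "notify_soc",
     "display_name": "Notify SOC",
     "tags": [{"tag_handle": "notification"}],
     "sub_playbooks": ["post_to_chat"]}
  ]
}
""")

# Constructed sample: a full export of what already exists in PRODUCTION.
PROD_EXPORT = json.loads("""
{
  "playbooks": [
    {"name": "artifact_enrichment_ip_address",
     "display_name": "Artifact Enrichment: IP Address",
     "tags": [{"tag_handle": "enrichment"}],
     "sub_playbooks": ["lookup_threat_intel"]},
    {"name": "lookup_threat_intel",
     "display_name": "Lookup Threat Intel",
     "tags": [{"tag_handle": "enrichment"}],
     "sub_playbooks": []},
    {"name": "old_notifier",
     "display_name": "Notify SOC",
     "tags": [],
     "sub_playbooks": []}
  ]
}
""")


def index_playbooks(export):
    """Map playbook API name -> playbook object (assumed "playbooks" key)."""
    return {pb["name"]: pb for pb in export.get("playbooks", [])}


def tag_handles(export):
    """Set of tag handles used by any playbook in the export (assumed key)."""
    return {t["tag_handle"] for pb in export.get("playbooks", [])
            for t in pb.get("tags", [])}


def check_package(package, prod):
    """Compare a package against the target org and return the findings.

    name_conflicts:          API names already present in prod (re-import case)
    display_name_conflicts:  (package name, prod name) pairs sharing a display name
    missing_sub_playbooks:   (parent, sub) pairs where the sub-playbook is neither
                             in the package nor already in prod
    tag_conflicts:           tag handles in the package that prod already has
    """
    pkg = index_playbooks(package)
    prd = index_playbooks(prod)
    prod_by_display = {pb["display_name"]: name for name, pb in prd.items()}
    findings = {"name_conflicts": [], "display_name_conflicts": [],
                "missing_sub_playbooks": [], "tag_conflicts": []}
    for name, pb in pkg.items():
        if name in prd:
            findings["name_conflicts"].append(name)
        elif pb["display_name"] in prod_by_display:
            findings["display_name_conflicts"].append(
                (name, prod_by_display[pb["display_name"]]))
        for sub in pb.get("sub_playbooks", []):
            if sub not in pkg and sub not in prd:
                findings["missing_sub_playbooks"].append((name, sub))
    findings["tag_conflicts"] = sorted(tag_handles(package) & tag_handles(prod))
    return findings


def safe_to_import(findings):
    """True only when no finding would make the import fail or rename objects."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_package(TEST_PACKAGE, PROD_EXPORT)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("safe to import:", safe_to_import(result))
```

Run it against a real pair of exports by replacing the two constructed dicts with `json.load()` of the extracted package and of a full export of the production org; a non-empty `name_conflicts` list is the signal to follow the clone-and-rename path from the post rather than a straight import.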