IBM Security QRadar SOAR

Hi IBM community,

I have a question regarding the playbook, which are of the following:

• Usually if you build the current playbook solutions (as opposed to the rule/workflow method) where does it run, whether its on the old integrations server or the apphost
• Is there any configuration/settings page to see where does it run
• If the playbook is deployed on Apphost, can it also run on the integration server and vice versa

I am assuming by default, any playbook implementation will run on the Apphost as opposed to the integration server


------------------------------
Luqman Nur
Techlab
------------------------------

Hi Luqman, the playbook itself runs on the QRadar SOAR server itself  (just like the rules/workflows, in a similar way) I don't have the details of which components are used by the playbooks,  but it uses the resources of the SOAR Server

What you need to understand it's that the playbooks (the logic) it all on the SOAR Server and when the SOAR Server needs to communicate with something outsitde (application, SO, rest servers, etc) the SOAR Server  calls a particular "function" (that can be a synonymous of integrations/apps/functions) by sending an message to the function message destination. Basically on the workflow itself you "send a message to a function".

The function can live (run) within an integration server (Resilient circuits Server) or an Apphost (a kubernates environment that can run several independent resilient circuits servers). 

So depending how you configure the App itself it's  where it's going to run AppHost or Integration Server. This it's done during the setup phase of the App/function

I hope it's a little bit clear now 

------------------------------
Juan Paulo
IBM
Santiago
------------------------------

Original Message:
Sent: Sun January 29, 2023 10:02 PM
From: Luqman Nur
Subject: Playbook deployment location

Hi IBM community,

I have a question regarding the playbook, which are of the following:

• Usually if you build the current playbook solutions (as opposed to the rule/workflow method) where does it run, whether its on the old integrations server or the apphost
• Is there any configuration/settings page to see where does it run
• If the playbook is deployed on Apphost, can it also run on the integration server and vice versa

I am assuming by default, any playbook implementation will run on the Apphost as opposed to the integration server


------------------------------
Luqman Nur
Techlab
------------------------------

Hi @Juan Paulo,

I understand from your answer that playbook and functions live on separate environment where one is on the SOAR server and the other depends on the function version (Apphost or Integrations Server). However, I am tagging you because I seem to have problem with creating new discussion thread.

I have an old implementation of function that utilises rule and workflow. The rule is a menu item which accepts the user input on an artifact. The workflow use "rule.properties" which I understand is the input from the menu item.

​due to the inability to group multiple artifact for running a menu item action, I am creating the new playbook solution that automatically run when receive a new artifact type. Is there any way for the new playbook implementation to accept user input before it is executed (assuming that it is automatic playbook). Thanks for your time taken to answer the previous question. I hope you dont  mind me putting different question under one discussion thread.

Best regards,



------------------------------
Luqman Nur
Techlab
------------------------------

Original Message:
Sent: Mon January 30, 2023 10:18 PM
From: Juan Paulo
Subject: Playbook deployment location

Hi Luqman, the playbook itself runs on the QRadar SOAR server itself  (just like the rules/workflows, in a similar way) I don't have the details of which components are used by the playbooks,  but it uses the resources of the SOAR Server

What you need to understand it's that the playbooks (the logic) it all on the SOAR Server and when the SOAR Server needs to communicate with something outsitde (application, SO, rest servers, etc) the SOAR Server  calls a particular "function" (that can be a synonymous of integrations/apps/functions) by sending an message to the function message destination. Basically on the workflow itself you "send a message to a function".

The function can live (run) within an integration server (Resilient circuits Server) or an Apphost (a kubernates environment that can run several independent resilient circuits servers). 

So depending how you configure the App itself it's  where it's going to run AppHost or Integration Server. This it's done during the setup phase of the App/function

I hope it's a little bit clear now 

------------------------------
Juan Paulo
IBM
Santiago

Original Message:
Sent: Sun January 29, 2023 10:02 PM
From: Luqman Nur
Subject: Playbook deployment location

Hi IBM community,

I have a question regarding the playbook, which are of the following:

• Usually if you build the current playbook solutions (as opposed to the rule/workflow method) where does it run, whether its on the old integrations server or the apphost
• Is there any configuration/settings page to see where does it run
• If the playbook is deployed on Apphost, can it also run on the integration server and vice versa

I am assuming by default, any playbook implementation will run on the Apphost as opposed to the integration server


------------------------------
Luqman Nur
Techlab
------------------------------