IBM QRadar SOAR

  • 1.  Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Wed April 12, 2023 08:11 AM

    Hi Community Members,

    I am porting over my existing workflow (using pre-process-script for function Call Rest API) into a playbook.

    I am currently facing an issue with the below, highlighted in red.

    I can see that "Task" (Node #9) is being added to my case incident id. However, when it reaches the function for Call Rest API (Node #15), it does not seem to be running/executing.

    My function input is selected as Script which is the same as my pre-process script using workflows (it is tested to be working).

    My playbook status seems to be in "Running" infinitely (waited for 1.5 hours and still the same) and I suspect it is somehow stuck at Node 15.

    Anyone faced the same issue?

    Regards,
    Samson



    ------------------------------
    Samson G
    ------------------------------


  • 2.  RE: Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Thu April 13, 2023 09:10 AM

    Hi Samson,

    I note there are 2 scripts in the playbook. It's possible that the scripts may be failing but are failing silently. Can you enclose the script code in a try/except block?

    E.g.

    try:
      # script code goes here
      pass
    except Exception as ex:
      # surface the failure as an incident note instead of failing silently
      incident.addNote("An error occurred while trying to run the script: " + str(ex))


    This way if there is an error in the script node then it will be added as a note to the incident - this may prove useful for debugging.
    We have recently observed that playbooks may appear to run indefinitely if script nodes fail silently - we are looking into this.
    In the meantime the above workaround should help I hope.

    Walter Higgins
    IBM QRadar SOAR



    ------------------------------
    WALTER HIGGINS
    ------------------------------



  • 3.  RE: Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Mon April 17, 2023 04:31 AM
    Edited by Samson G Mon April 17, 2023 04:38 AM

    Hi Walter,

    I have removed all other possible tasks/script and added an end point right after Node 15.

    It seems that the playbook is still running indefinitely and stuck at Node 15. I have also checked that my API wasn't accessed when using Playbooks. However, it works using Workflows (same exact pre-process script).

    I am using "Script" in Function inputs. I enclosed the try/except block but it seems like nothing appeared in incident notes.

    Regards,
    Samson



    ------------------------------
    Samson G
    ------------------------------



  • 4.  RE: Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Tue April 18, 2023 05:29 AM

    Hi Samson,

    If you have admin privileges and access to the SOAR server I recommend taking a look at the log file (/usr/share/co3/log/client.log file). The log file may be able to provide more information on the status of the running playbook (look for Error messages).



    ------------------------------
    WALTER HIGGINS
    ------------------------------