IBM Security QRadar SOAR


Query regarding Conditional point in playbook

  • 1.  Query regarding Conditional point in playbook

    Posted Thu December 15, 2022 03:23 AM
    Hi All, 

    We are working on building a playbook where we will be enriching the artifact "Username" and checking if it is present in 3rd party tools or not. 

    We are trying to build a condition: if the Username is found in 4 or more 3rd party tools, then the if branch will be executed; otherwise the else branch will be executed. 

    How can we align our playbook and put these conditions accordingly in the condition point? If a script is required for this, then please share a sample script.

    ------------------------------
    Shubham Agarwal
    ------------------------------


  • 2.  RE: Query regarding Conditional point in playbook

    Posted Thu December 15, 2022 10:33 AM

    Sample condition script:

    # Variable `playbook.functions.results.tools_found_user` would be a list returned from a function that would contain the tools that found the username
    num_tools_found_user = len(playbook.functions.results.tools_found_user)
    if num_tools_found_user > 3:
      result = True
    else:
      result = False


    A function would return a list of tools that the username was found in. If you are running many functions that each look for the username in a specific tool, then you could have the results of those functions go to the script. The script would then take all the results and see how many of the tools the username was found in.



    ------------------------------
    Richard Swierk
    ------------------------------
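
The per-tool variant described in the reply above, as an added example that is not part of the original post or IBM's code: each lookup function's result is classified as found, not found, or failed, so that a tool that errored is not silently counted as "username absent". The result shape (`success`, `content`, `user_found`), the tool names and the helper names are assumptions for illustration.

```python
# Added example. The payload shape ({"success": ..., "content": {"user_found": ...}})
# is an assumption for illustration, not a documented SOAR schema.
THRESHOLD = 4  # "found in 4 or more tools", from the question

def classify(per_tool_results):
    """Split tool names into (found, not_found, failed).

    per_tool_results maps a tool name to that lookup function's result,
    or None when the function produced no output.
    """
    found, not_found, failed = [], [], []
    for tool, res in sorted(per_tool_results.items()):
        if not res or not res.get("success"):
            failed.append(tool)          # lookup error: not evidence of absence
        elif (res.get("content") or {}).get("user_found") is True:
            found.append(tool)
        else:
            not_found.append(tool)
    return found, not_found, failed

def take_if_branch(per_tool_results, threshold=THRESHOLD):
    """True when the username was found in at least `threshold` tools."""
    found, _, _ = classify(per_tool_results)
    return len(found) >= threshold

def decision_is_reliable(per_tool_results, threshold=THRESHOLD):
    """False when the failed lookups could have changed the branch taken."""
    found, _, failed = classify(per_tool_results)
    return not (len(found) < threshold <= len(found) + len(failed))

# Constructed sample: five hypothetical tools, one lookup failed.
SAMPLE = {
    "tool_a": {"success": True, "content": {"user_found": True}},
    "tool_b": {"success": True, "content": {"user_found": True}},
    "tool_c": {"success": True, "content": {"user_found": True}},
    "tool_d": {"success": False, "content": None},
    "tool_e": {"success": True, "content": {"user_found": False}},
}

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(take_if_branch(SAMPLE), decision_is_reliable(SAMPLE))
```

In a condition script the boolean from `take_if_branch` would be assigned to `result`, as in the sample condition script above.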



  • 3.  RE: Query regarding Conditional point in playbook

    Posted Fri December 16, 2022 01:07 AM
    Hi Richard, 

    Thanks for your reply. I am working on building this script. 

    If the result is found in 2 or fewer sources, then we will add a task where we will ask the Analyst to select the if or else branch.  

    How can we implement this so that, on the basis of the Analyst's response, the respective branch in the playbook will be automatically triggered?

    Thanks...

    ------------------------------
    Shubham Agarwal
    ------------------------------