How to run playbook on scheduled interval for all XSOAR Incidents?


L0 Member

Hello team, I have a use case where I need to fetch related events for a particular incident periodically.

For that, I've prepared a playbook which will pull the events related to each XSOAR incident and link that data in the Context of that particular XSOAR incident. This needs to be applied to all incidents of a selected custom incident type, and I want my playbook to run on all the XSOAR incidents on some cron schedule. I've tried to run it using time-triggered jobs, but it does not seem to be working properly, as it triggers my playbook once instead of on a schedule.

Is there anything additional we need to add in the playbook to trigger it on a cron job?

Is there any way to achieve this use case?

 

Cortex XSOAR

4 REPLIES 4

L3 Networker

Hi Shadfa, when creating a time triggered job there is a section at the very bottom for queue handling. By default, the job will not run again until the first incident is closed. There is an option in the queue handling section to allow the job to run concurrently so even if the first incident is not closed, a new one will be created that uses your playbook.

L0 Member

This will not resolve my case, as this will create a new incident and run the playbook job there, whereas I want to run the same playbook on the same incident in a scheduled manner.

L2 Linker

What you could potentially do is, in the main playbook of the incident, use a scheduled command that queries the remote system periodically and updates the incident if there are new entries from the remote. And upon incident close, run a post-processing script to close the scheduled command task using !taskComplete.
https://xsoar.pan.dev/docs/integrations/scheduled-commands

So the polling is handled in the playbook of the incident itself, and the playbook does not complete until the incident is closed.

L6 Presenter

Also, maybe test getting the time, as it will always be different, so it is a nice way to trigger the playbook each time.

https://xsoar.pan.dev/docs/reference/scripts/get-time
