07-02-2025 02:44 AM
Hi all,
In XSOAR 6.8 I created a custom incident type to automatically handle the closure of unclassified incidents. In 'Incidents Classification Editor' I set this type to 'Direct unclassified events to:'. The type is correctly associated with the unclassified incidents and also the playbook, but the playbook is not automatically executed and the incident remains in Active state. Why? How can I solve it? The problem involves an overload of active workers and consequently the blocking of the management of all incidents.
07-02-2025 04:50 AM
Hello @CMarletta Livi,
Firstly, it is recommended to work with a more recent version of XSOAR; 6.8 is pretty legacy. In regards to your question:
On the Incident Type settings you can mark the "Run Playbook Automatically" checkbox and for all new incidents created the playbook will run automatically.
See the picture below for the checkbox. Ensure you have a playbook attached to this type and that the incidents are being opened as expected. If this setting is not checked the incidents are opened in a "pending" status (white/grey clickable incident ID on the Incidents Page). I didn't fully understand what you meant by "The problem involves an overload of active workers and consequently the blocking of the management of all incidents.". Perhaps you are creating too many incidents too quickly. There is an operational limit regarding this.
Let me know if this helps.
Many thanks,
MichaelSysec