05-08-2025 03:20 AM
Hello everyone, I noticed that when a task in a playbook has an error or requires some sort of input, said task appears in the tab "Playbook Tasks" (attached an image for reference). I was wondering how XSOAR gets that specific information in that tab, I tried checking in the context data but haven't found anything that might relate to that tab information, does anyone know? Would appreciate the help!
Best regards,
Ricardo Mateus
05-08-2025 05:52 AM
Hey there,
not sure I fully understand, so let me try this
If a task (playbook) expects an input which is not given it turns into a "manual task" these tasks which are normally handled by an analyst. So, based on that the "incident tasks" is an overview of the current tasks waiting to be manually handled. Same goes for errors as the require manual intervention or task completion.
To make it more confusing, practical the "incidents task" will always show the current task handled by the playbook, but automated tasks are too fast to get noticed 🙂
05-08-2025 05:58 AM
So only the tasks that required some kind of manual intervention show up in that tab, but the information for them to appear in that tab must be stored somewhere right? I was wondering where that information might be stored or how XSOAR knows when a task is waiting for manual input/intervention
05-08-2025 09:02 AM
I don't now the exact answer but I use an integration called "Integrations & Incidents Health Check", it has playbooks that searches for error tasks in playbooks of incidents and executes the Test in every integration. I have a job that runs it everyday to check for errores. Take a look maybe it is what you are looking for.
Best regards
05-08-2025 11:50 PM
Well, that is the case somehow, but it is more in the runStatus of an incident, as it is set to error or waiting for example. There are also some fields related to tasks in error
The incident task will always be the "current task"
so basically if you keep the task viewer open (not really advised) you will see all tasks of the playbook popping up there, But most of them pop up, turn green and the next appears.
If they are red, the next one will not be executed (only true if you did not use on error or something) and manual tasks will turn orange and also stop the playbook, thats why you see it (longer) in the list
hope that made sense somehow
05-09-2025 12:29 AM
Yeah, I wanted to know this in order to do do the following -> whenever an incident has an error I want to run a job. My approach has been to associate an automation with runStatus, meaning it runs whenever runStatus changes value. The automation then checks if said status was an error and if it is, the automation runs the job. I wanted to see if there was a better approach to this
05-12-2025 12:02 AM
Hm, I guess it would be more intuitive to
for the doing (NOT SURE IF THAT MAKES SENSE)
If it happens too often it could make sense to just add an onError path
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
