Generic Polling playbook enables you to periodically poll the status of a process on a remote host.
When working with third-party products (such as detonation, scan, search, and other third-party products) you may need to wait for a process to finish on the remote host before continuing. In these cases, the playbook should stop and wait for the process to complete on the third-party product, and continue when it is done. Integrations or automations may not be able to do this due to hardware limitations.
Generally, polling is used in the following scenarios:
File detonation in a sandbox
URL detonation
Queries that take a long time to complete
To use polling, Cortex XSOAR comes out-of-the-box with the GenericPolling playbook, which periodically polls the status of a process being executed on a remote host, and when the host returns that the process execution is done, the playbook finishes execution. For more information about using this playbook, see Generic Polling.
The GenericPolling playbook is used as a sub-playbook to block the execution of the main playbook until the remote action is complete. There are a number of playbooks that use the GenericPolling playbook that come out-of-the-box or installed from a content pack, such as:
Contex Polling - Generic: Polls a context key to check if a specific value exists.
Field Polling - Generic: Polls a field to check if a specific value exists.
QRadarFullSearch: Runs a QRadar query and return its results to the context.
Scan Assets - Nexpose: Scans according to asset IP addresses or host names from Rapid7 Nexpose, and waits for the scan to finish by polling the scan status in pre-defined intervals.
Detonate File - JoeSecurity: Detonates one or more files using the Joe Security integration.
See this video for more information on how to use generic polling in Cortex XSOAR.
Danger
You need to use the GenericPolling playbook as a sub-playbook in a main playbook, such as Detonate File - JoeSecurity.
The main playbook should follow this structure:
Start Command: The task contains a command that fetches the initial state of the process and saves it to context. This command starts the process that should be polled. For example:
Detonation: Submits a sample for analysis (detonated as part of the analysis), using the
joe-analysis-submit-sample
command.Scan: Starts a scan for specified asset IP addresses and host names using the
nexpose-start-assets-scan
command.Search: Searches in QRadar using AQL using the
qradar-searches
command.Polling Command: The task contains the GenericPolling sub-playbook that polls for an answer. For example:
Detonation: After the file is submitted to Joe Security, the playbook polls for specific information for analysis, such as ID, status, comments, errors, SHA-256 hash details.
Scan: After the scan runs in Nexpose, using the playbook polls for scan information such as the scan type, the number of assets found, the scan ID, and other information.
Search: The playbook runs the
qradar-get-search
to poll for the search ID and status.
Results Task: Returns the results of the operation. The task contains the results that were polled, which are added to context. For example, after polling JoeSecurity, the results are added to context.
For information about the GenericPolling playbook inputs such as Ids, Interval, and dt, see Playbook inputs.
This generic polling example uses the Detonate File - JoeSecurity playbook from the Joe Security content pack.
The Detonate File - JoeSecurity playbook detonates one or more files using the Joe Security integration and returns relevant reports to the War Room and file reputations to the context data.
If you have not done so, go to Marketplace and download the Joe Security content pack.
Go to Playbooks and search for Detonate File - JoeSecurity.
Open the JoeSecurity Upload File task. This task uses the
joe-analysis-submit-sample
command, which starts a new analysis of a file in Joe Security. This is the Start command.Open the GenericPolling task. This is the Polling command.
Ids: Returns a list of
Joe.Analysis.ID
’s to poll.PollingCommandName: The
joe-analysis-info
command returns information for a specified analysis, such as status, MD5, SHA256, vendor.PollingCommandArgName: The
webid
argument name of the polling command.dt: The filter for polling. This is defined as
Joe.Analysis(val.Status!==’finished’).ID
.Joe.Analysis
: The object to return.(val.Status !==‘finished’).ID
Gets the object that has a status other than ‘finished’, and then gets its ID field. The polling is done only when the result isfinished
. When finished, thedt
filter returns an empty result, which triggers the playbook to stop running.You can change the
Status
to:starting
,running
, orfinished
.
Open the JoeSecurity Get Info task. The
joe-analysis-info
command returns details of the IDs that have finished polling. This is the Results task.Open the Set Context task. The context path to store the poll results is
Joe.Analysis
.
GenericPolling playbook limitations
The GenericPolling playbook has the following limitations.
Global context is not supported.
Global context outputs enable receiving information from multiple integrated products when executing playbooks and commands.
It does not run from the Playground.
It uses the ScheduleGenericPolling script, which must support a list argument.
Troubleshoot playbook polling
The following are common generic polling issues and the recommended ways to deal with them.
The playbook is “stuck” on
Waiting for polling to complete
.As generic polling schedules tasks are outside the context of the playbook (not visible in the playbook run), errors may appear only in the War Room. Go to the War Room for the incident and check for errors or warnings related to GenericPolling tasks.
The GenericPolling task completes but the status has still not "finished".
If the timeout is reached, the playbook successfully finishes even if there are items that did not complete. Try increasing the timeout value for the GenericPolling task.
The integration returns an ID not found error when running from the GenericPolling sub-playbook, but when running manually, it finishes successfully.
Some products cannot handle consecutive requests to query an action status right after the request to perform the action. After you initiate the action, try adding a Sleep task before calling the GenericPolling sub-playbook.