IBM QRadar SOAR

  • 1.  Closing Ticket Questions

    Posted Wed December 18, 2019 09:35 AM
    Hi there, 

    We are wondering if, based on the incident type, we can change the close incident layout?

    Also, we have tasks set to mandatory; however, a ticket can be closed without them being ticketed. Is there a way to not let someone close a ticket until a task has been completed?

    Thanks, 
    Adina

    ------------------------------
    Adina Bodkins
    ------------------------------


  • 2.  RE: Closing Ticket Questions

    Posted Wed December 18, 2019 04:52 PM
    I agree. This functionality does not currently exist.

    This idea was submitted here: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-610
    It was merged with this idea here: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-67

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 3.  RE: Closing Ticket Questions

    Posted Thu December 19, 2019 08:50 AM
    As has been pointed out, this capability isn't natively in the product today. However, it may be possible to achieve your goal regarding mandatory tasks in the following way:

    * Create a hidden incident field: num_mandatory_tasks_open: number. Don't put this on a layout, which makes it effectively "hidden".
    * Create a task rule: When a mandatory task is opened, increment the field by one (this can be done using a script).
    * Create a task rule: When a mandatory task is closed, decrement the field by one.
    * Create a rule: When an incident is closed, throw an error if the field is greater than zero (this can be done using a script with helper.fail()).

    Here is an example task script that decrements the count:

    # Custom number fields are reached through incident.properties; treat an
    # unset field as zero so the first mandatory task does not break the script.
    if incident.properties.num_mandatory_tasks_open is None:
        incident.properties.num_mandatory_tasks_open = 0

    # Decrement by one (the "task opened" rule uses the same code with + 1).
    val = int(incident.properties.num_mandatory_tasks_open)
    incident.properties.num_mandatory_tasks_open = val - 1


    I think this strategy could work.

    Ben



    ------------------------------
    Ben Lurie
    ------------------------------
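    The counter approach above, worked through end to end as an added, self-contained simulation (this is not code from the post, from IBM Resilient/QRadar SOAR, or from the product's own rule engine). It stands in for the script globals a rule script would see (`incident`, `task`, `helper`) with small constructed classes so it runs offline; the field name `num_mandatory_tasks_open`, the `task.required` flag, the `"O"`/`"C"` status codes and the `helper.fail()` call are assumptions about the platform's script API, and the three rule scripts are written as plain functions so the close-time check can be exercised against sample tasks.

```python
"""Simulation of the 'hidden counter + helper.fail()' pattern for enforcing
mandatory tasks before incident closure (constructed example, not product code)."""


class ScriptFailure(Exception):
    """Raised by the stand-in helper.fail(); in the product this aborts the rule action."""


class Helper:
    """Stand-in for the `helper` global available to SOAR rule scripts (assumed API)."""

    @staticmethod
    def fail(message):
        raise ScriptFailure(message)


class Properties:
    """Stand-in for incident.properties; a number field that was never set reads as None."""

    def __init__(self):
        self.num_mandatory_tasks_open = None


class Incident:
    def __init__(self):
        self.properties = Properties()
        self.plan_status = "A"  # assumed status codes: "A" active, "C" closed


class Task:
    def __init__(self, name, required):
        self.name = name
        self.required = required  # assumed attribute for a mandatory task
        self.status = "O"         # assumed status codes: "O" open, "C" closed


def _open_count(incident):
    """Read the hidden counter, treating an unset field as zero."""
    value = incident.properties.num_mandatory_tasks_open
    return 0 if value is None else int(value)


def on_task_opened(incident, task):
    """Task rule script: a mandatory task was created/opened, so bump the counter."""
    if not task.required:
        return
    incident.properties.num_mandatory_tasks_open = _open_count(incident) + 1


def on_task_closed(incident, task):
    """Task rule script: a mandatory task was completed, so decrement the counter.
    Clamp at zero so a rule that fires twice cannot drive the field negative."""
    if not task.required:
        return
    incident.properties.num_mandatory_tasks_open = max(0, _open_count(incident) - 1)


def on_incident_close(incident, helper):
    """Incident rule script on close: block the action while mandatory tasks remain open."""
    remaining = _open_count(incident)
    if remaining > 0:
        helper.fail("%d mandatory task(s) still open; complete them before closing." % remaining)
    incident.plan_status = "C"


def close_task(incident, task):
    """Analyst completes a task; the rule only fires on a real open->closed transition."""
    if task.status == "C":
        return
    task.status = "C"
    on_task_closed(incident, task)


def run_scenario():
    """Constructed scenario: two mandatory tasks and one optional task on a fresh incident.
    Returns (first close attempt blocked?, incident closed at the end?, final counter)."""
    inc = Incident()
    helper = Helper()
    tasks = [Task("Contain affected host", required=True),
             Task("Write executive summary", required=False),
             Task("Notify legal", required=True)]
    for t in tasks:
        on_task_opened(inc, t)          # counter becomes 2; the optional task is ignored
    close_task(inc, tasks[0])           # counter becomes 1
    close_task(inc, tasks[0])           # duplicate event: no change
    try:
        on_incident_close(inc, helper)  # one mandatory task still open -> helper.fail()
        blocked = False
    except ScriptFailure:
        blocked = True
    close_task(inc, tasks[2])           # counter becomes 0
    on_incident_close(inc, helper)      # now succeeds
    return blocked, inc.plan_status == "C", _open_count(inc)


if __name__ == "__main__":
    print(run_scenario())
```

    The clamp in `on_task_closed` and the open-to-closed check in `close_task` matter in practice: task rules can fire more than once (re-opened and re-closed tasks, bulk edits), and a counter that drifts below zero would let an incident close with mandatory work outstanding. A periodic reconciliation that recounts open required tasks is the usual safety net for that drift.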



  • 4.  RE: Closing Ticket Questions

    Posted Thu December 19, 2019 02:43 PM
    @Adina Bodkins take a look at my recent post for an answer to your second question, Mod Con: Enforce Completion of Mandatory Tasks before Incident Closure

    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------



  • 5.  RE: Closing Ticket Questions

    Posted Thu December 19, 2019 03:21 PM
    Thanks @Jared Fagel for the link for the idea, definitely upvoted that. Been a major ask from my team members for that functionality.

    Thank you @Ben Lurie and @Brenden Glynn for those suggestions! Your post @Brenden Glynn was very informative in understanding how tasks work.

    To add a layer of complexity now: if we have specific fields associated with tasks and we care that those fields are filled in/not default in order for a task to be considered complete, can we either, via a script, mark a task as complete when those fields are changed, or monitor whether these fields have been changed and then fail if they haven't been?

    Example: 
    Task: What is the status of the malware execution? 
    Field Associated with it: malware_execution; no default value 
    An analyst can also change the malware_execution field on a different layout.
    If they change it via another layout then they wouldn't necessarily come and close the task but essentially the task has been completed. 
    Can I follow the above suggestions and mark tasks as completed based on the changes of those values? 

    Thanks!

    ------------------------------
    Adina Bodkins
    ------------------------------