IBM QRadar SOAR


Email notification for the Incident nearing SLO breach

  • 1.  Email notification for the Incident nearing SLO breach

    Posted Tue February 19, 2019 02:09 AM

    This is the requirement. Please let me know any feasible solution that we can try out.

    When the incident is generated in Resilient, the incident status will be "New". The analyst will change the status to "In Triage".

    The time difference between status "New" and "In Triage" is calculated as TTA (Time to Triage).

    We need to send an email notification to the operation lead in case the analyst is delayed in changing the status to "In Triage" (notification for SLA nearing breach).

    I have tried with an in production script, but it will not execute continuously. Please help.



    ------------------------------
    Sajin MB
    ------------------------------


  • 2.  RE: Email notification for the Incident nearing SLO breach

    Posted Tue February 26, 2019 12:11 PM
    @Sajin MB If I am to understand this correctly, you want an email notification to be automatically sent out to the operation lead when any incident has been in the "New" status too long before an analyst has switched it to the status "In Triage". Is this correct?

    If so, what is the SLA, or how much time needs to pass in the "New" status before the email is sent out?

    ------------------------------
    Andrew Wadsworth
    ------------------------------



  • 3.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed February 27, 2019 03:47 AM
    Just an idea:
    1 - Create a field and add the value for "In Triage" - "New" (in minutes, as script documentation).
    2 - Put a cronjob and Python script on the action processor or the Resilient server itself, running every minute or two depending on your need. Just query for open incidents only against your alert-minutes value and, if past that limit, update a separate boolean field as true/false.
    3 - Put a system notification or rule to send an email at the time of an update on this boolean field (put a validation condition so this rule/notification only starts if this field is empty beforehand).
    This should work, I think.


    ------------------------------
    Can Topay
    ------------------------------
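    One way to implement step 2 of the idea above, added here as an example and not code from the poster or from IBM: it takes incidents in Resilient-like dict form (constructed sample data inline) and returns the patch bodies for the ones to flag, including the "only if not already flagged" guard from step 3. The three custom field names and the use of the `resilient` client to fetch and patch are assumptions.

```python
# Added example, not the thread's own code: the "query open incidents and
# flag the ones past the alert limit" step from post 3. Incidents are
# constructed dicts in Resilient-like shape; a real job would fetch them
# with the `resilient` client (assumed) and send each patch body back.

ALERT_MINUTES_FIELD = "tta_alert_minutes"   # hypothetical custom field: limit
BREACH_FLAG_FIELD = "tta_nearing_breach"    # hypothetical boolean the rule watches
STATUS_FIELD = "triage_status"              # hypothetical field: "New"/"In Triage"

def minutes_since_create(incident, now_ms):
    """Age in minutes; Resilient stores create_date as epoch milliseconds."""
    return (now_ms - incident["create_date"]) / 60000.0

def select_breaching(incidents, now_ms, default_alert_minutes=30):
    """Return {incident_id: patch_body} for incidents that need flagging.

    Qualifies when still open, still "New", past its limit and not yet
    flagged: the rule fires on the field update, so a later cron run must
    not flip the field again (post 3's "only if this field is empty").
    """
    updates = {}
    for inc in incidents:
        props = inc.get("properties", {})
        if inc.get("plan_status") != "A":        # "A" = active, "C" = closed
            continue
        if props.get(STATUS_FIELD) != "New":
            continue
        if props.get(BREACH_FLAG_FIELD):          # already notified once
            continue
        limit = props.get(ALERT_MINUTES_FIELD) or default_alert_minutes
        if minutes_since_create(inc, now_ms) >= limit:
            updates[inc["id"]] = {"properties": {BREACH_FLAG_FIELD: True}}
    return updates

# Constructed sample covering each branch; "now" is an arbitrary epoch-ms value.
NOW_MS, MIN = 1_551_260_000_000, 60_000

def _inc(iid, age_min, status="New", plan="A", **extra):
    props = {STATUS_FIELD: status, **extra}
    return {"id": iid, "plan_status": plan,
            "create_date": NOW_MS - age_min * MIN, "properties": props}

SAMPLE_INCIDENTS = [
    _inc(1001, 45, tta_alert_minutes=30),                            # flag
    _inc(1002, 10, tta_alert_minutes=30),                            # too young
    _inc(1003, 90, status="In Triage"),                              # triaged
    _inc(1004, 60, tta_alert_minutes=30, tta_nearing_breach=True),   # flagged
    _inc(1005, 120, plan="C"),                                       # closed
    _inc(1006, 35),                                                  # default 30
]
```

    Run from cron every minute or two, the job would call `select_breaching` on the fetched open incidents and patch only the returned ids, so each incident triggers the notification rule once.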



  • 4.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed February 27, 2019 09:40 AM
    @Can Topay I think this should work as well.

    Quick question to @Sajin MB: are you currently licensed to use Resilient's Action Module? There may be alternative solutions with added benefits if you are.

    If you do have the Action Module, do you have any integrations running?

    ------------------------------
    Andrew Wadsworth
    ------------------------------



  • 5.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed February 27, 2019 11:13 AM
    Hi
    Yes, we have the Action Module and we have some integrations running, like we can search from Resilient to Splunk, we have integrated Carbon Black with Resilient, etc. I just need to get an idea of how and where we need to configure this script to check all open incidents.

    Regards, 
    Sajin MB

    ------------------------------
    Sajin MB
    ------------------------------



  • 6.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed February 27, 2019 12:35 PM
    @Sajin MB Awesome! Just to confirm, are you running resilient-circuits somewhere so you can install functions that are available from our App Exchange (https://exchange.xforce.ibmcloud.com/hub/Resilient)?

    I'm working with another customer who developed a sleeper function that allows for more granular timers in workflows. (See attached screenshot.)

    This would be a more real time solution as opposed to relying on a cronjob and querying. You could set up the rule to trigger:

    Object Type: Incident
    Conditions:
    Incident created and Status is equal to "New"
    Activities:
    Run "Ten Minute Alert Workflow"

    I would also recommend potentially leveraging our Microsoft Exchange Functions (https://exchange.xforce.ibmcloud.com/hub/extension/26b8726f3320b1de10ad2c252930b0df).

    With this setup, you could send an email directly from inside the workflow without having to rely on the Resilient Notifications feature.

    You may also find some other uses for these functions moving forward!

    ------------------------------
    Andrew Wadsworth
    ------------------------------



  • 7.  RE: Email notification for the Incident nearing SLO breach

    Posted Fri March 08, 2019 05:54 AM
    @Andrew Wadsworth
    Thanks a lot for the help.
    We can't integrate the Exchange server with Resilient, so is there any other way to send email? Can you explain how you made the "sleeper" function? Can you please share that? Instead of sending email from the workflow we can set a variable, assign some value to the variable and send mail from Admin -> Notifications.
    But we still need the "Sleeper" function. Please help.

    ------------------------------
    Sajin MB
    ------------------------------



  • 8.  RE: Email notification for the Incident nearing SLO breach

    Posted Tue March 12, 2019 07:45 AM
    @Andrew Wadsworth We can't integrate Resilient with our Exchange server. Can you provide the "sleeper" function so that we can set the field value instead of sending email? Then we can send the notification from Admin -> Notifications.

    ------------------------------
    Sajin MB
    ------------------------------



  • 9.  RE: Email notification for the Incident nearing SLO breach

    Posted Tue March 12, 2019 12:30 PM
    Hello Sajin,

    I have attached the Utility Sleeper function as described above.

    You can install this and customize Resilient as you would any other function. This will allow you to set a specified number of seconds to "sleep" in any given workflow.

    Please let me know if you have any questions.

    ------------------------------
    Andrew Wadsworth
    ------------------------------




  • 10.  RE: Email notification for the Incident nearing SLO breach

    Posted Tue March 19, 2019 10:20 AM
    Hi @Andrew Wadsworth:
    Thanks a lot for your help. I have installed this package and it asks for time_in_seconds as input (e.g. 60 seconds).
    Is there any other configuration we need to do, since the workflow is not stopping even after 60 seconds?

    Please find the screenshot of the workflow I have created. After the 60 seconds sleep the workflow will invoke the script and then end.

    Regards,
    Sajin MB

    ------------------------------
    Sajin MB
    ------------------------------



  • 11.  RE: Email notification for the Incident nearing SLO breach

    Posted Tue March 19, 2019 01:23 PM
    Hi @Sajin MB

    The workflow looks good to me. There shouldn't be any additional configuration needed.

    Just make sure you are inputting the proper number of seconds (e.g. 10 minutes = 600 seconds).
    Then the script that is invoked afterwards checks the status and changes the hidden field that the Notification is based on.

    Is it working as expected? or do you have additional questions?

    ------------------------------
    Andrew Wadsworth
    ------------------------------



  • 12.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed March 20, 2019 07:58 AM
    Hi @Andrew Wadsworth

    I tried with a 10 minute sleep time (600 seconds) and even after the sleep time the workflow is still running. How do we troubleshoot this? We can't see any logs related to this workflow in the app.log file to troubleshoot.
    Please help.
    ------------------------------
    Sajin MB
    ------------------------------



  • 13.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed March 20, 2019 09:45 AM
    Hi Sajin,

    Does the script "TTA_Nearing" successfully execute after the sleep function, and does it give you the desired result?
    If so, are you saying the workflow is still running after the script executes?

    I just want to make sure I understand where the workflow is stuck.

    ------------------------------
    Andrew Wadsworth
    ------------------------------



  • 14.  RE: Email notification for the Incident nearing SLO breach

    Posted Wed March 20, 2019 09:58 AM
    Hi @Andrew Wadsworth
    Thanks for the quick response.
    I have removed the script from the workflow to understand where it got stuck. Now the workflow contains only the "sleep" function.
    I understood that the problem is with this function: the workflow keeps running when I check Actions -> Workflow Status, even after the sleep duration. Attaching the screenshot of the workflow.

    Regards,
    Sajin MB

    ------------------------------
    Sajin MB
    ------------------------------