IBM QRadar SOAR

  • 1.  incident merger functionality

    Posted Fri June 28, 2019 08:39 AM
    Hi everybody,

    I'm trying to work out how best to handle incidents that all relate to the same thing but were created based on different security controls, for example an AV alert, a related HIDS/IDS alert, a proxy alert and so on.
    If there were an option to select all of these and do something like merge, that would be awesome. The merge function would allow specifying whether the investigation should continue in one of the selected incidents (and auto-close the rest with a note) or whether it should create a new merged incident. In both cases, it could somehow add a note about the detections from the incidents being closed.

    I know in an ideal world we should correlate more before creating an incident in Resilient, but it's not easy every time.

    What is your approach to similar situations?

    Thank you

    -Jaro

    ------------------------------
    Jaroslav Brtan
    ------------------------------


  • 2.  RE: incident merger functionality

    Posted Sun June 30, 2019 09:20 AM
    Hi Jaroslav,

    I had posted something similar in here:
    https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=bdc98224-6899-4798-89ce-9014e1ddf200&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer#bmbdc98224-6899-4798-89ce-9014e1ddf200

    And I believe there is a function in app exchange that is capable of doing what you are asking.

    Kind regards,
    Zohra SMAIL

    ------------------------------
    Zohra SMAIL
    ------------------------------