IBM QRadar SOAR

Hello,

Recently I created new phase with some tasks for the incidents. I created a custom rule of incident type for those new task (phishing, intrusion, malware, DoS, others). And i disabled some rules for not interfere my rule. But when I create a new incident (intrusion system type), it appears with the same phases and task. My custom phases and task are not showing there. I can't find the problem, any ideas about that?

Thank you.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

It should work as you expect. I typically troubleshoot these types of issues by disabling other rules and only enabling the rules I want. If a rule is not creating tasks as you expect it means that the conditions of the rule did not match the incident data. Start with a basic rule condition and make sure it functions then add additional conditions and activities as you go. That way it is easier to find out which part of the rule is not functioning as expected.

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Thu December 19, 2019 12:32 PM
From: Aitor Vivanco Sata Cruz
Subject: Phase and Task creations

Hello,

Recently I created new phase with some tasks for the incidents. I created a custom rule of incident type for those new task (phishing, intrusion, malware, DoS, others). And i disabled some rules for not interfere my rule. But when I create a new incident (intrusion system type), it appears with the same phases and task. My custom phases and task are not showing there. I can't find the problem, any ideas about that?

Thank you.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Hello Ben, 

I connected my custom tasks and custome phases with "Cyber: General" rule and it worked perfectly. I copied the same conditions of that rule to my  general custom rule, but it doesn't work. Im thinking that the problem could be the name of the rule, but it seems unlogical.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Original Message:
Sent: Fri December 20, 2019 07:19 AM
From: Ben Lurie
Subject: Phase and Task creations

It should work as you expect. I typically troubleshoot these types of issues by disabling other rules and only enabling the rules I want. If a rule is not creating tasks as you expect it means that the conditions of the rule did not match the incident data. Start with a basic rule condition and make sure it functions then add additional conditions and activities as you go. That way it is easier to find out which part of the rule is not functioning as expected.

------------------------------
Ben Lurie

Original Message:
Sent: Thu December 19, 2019 12:32 PM
From: Aitor Vivanco Sata Cruz
Subject: Phase and Task creations

Hello,

Recently I created new phase with some tasks for the incidents. I created a custom rule of incident type for those new task (phishing, intrusion, malware, DoS, others). And i disabled some rules for not interfere my rule. But when I create a new incident (intrusion system type), it appears with the same phases and task. My custom phases and task are not showing there. I can't find the problem, any ideas about that?

Thank you.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

The name of the rule would not affect the behavior. If you can post a screenshot of the rule that works and the rule that does not work maybe I could see what the problem is.

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Fri December 20, 2019 08:42 AM
From: Aitor Vivanco Sata Cruz
Subject: Phase and Task creations

Hello Ben, 

I connected my custom tasks and custome phases with "Cyber: General" rule and it worked perfectly. I copied the same conditions of that rule to my  general custom rule, but it doesn't work. Im thinking that the problem could be the name of the rule, but it seems unlogical.

------------------------------
Aitor Vivanco Sata Cruz

Original Message:
Sent: Fri December 20, 2019 07:19 AM
From: Ben Lurie
Subject: Phase and Task creations

It should work as you expect. I typically troubleshoot these types of issues by disabling other rules and only enabling the rules I want. If a rule is not creating tasks as you expect it means that the conditions of the rule did not match the incident data. Start with a basic rule condition and make sure it functions then add additional conditions and activities as you go. That way it is easier to find out which part of the rule is not functioning as expected.

------------------------------
Ben Lurie

Original Message:
Sent: Thu December 19, 2019 12:32 PM
From: Aitor Vivanco Sata Cruz
Subject: Phase and Task creations

Hello,

Recently I created new phase with some tasks for the incidents. I created a custom rule of incident type for those new task (phishing, intrusion, malware, DoS, others). And i disabled some rules for not interfere my rule. But when I create a new incident (intrusion system type), it appears with the same phases and task. My custom phases and task are not showing there. I can't find the problem, any ideas about that?

Thank you.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------