Set "track change times" checkbox on the phase field.
This will then do the time tracking for you.
You can view the details on a single incident as follows.
https://www.ibm.com/docs/en/sqsp/51?topic=guide-incident-layouts#reference_wtl_c5d_mjb__title__1
You can also report on these times across all incidents in the analytics dashboard.
https://www.ibm.com/docs/en/sqsp/51?topic=team-creating-custom-incident-graphs#task_rk2_lsy_mjb__title__1
------------------------------
Martin Feeney
Product Manager, IBM Security QRadar SOAR
martin.feeney@ie.ibm.com------------------------------
Original Message:
Sent: Mon March 31, 2025 02:49 PM
From: Marsid Bicaku
Subject: Phase ID
Hello guys,
I am trying to track the time when the phases are change from Identification, to containment, eradication and so on....
I see that there is a default field in SOAR called Phase (phase_id), which changes when you close a phase and continue to another. I am trying to create a rule that it will trigger automatically when this field phase_id is change, but I cant find the field in the dropdown list of incident fields when I want to configure the triger condition.
This is the field:
This image shows that I cant find the "Phase" field in the rule condition.
Has anyone used this field before?
Best regards,
Marsid Bicaku
------------------------------
Marsid Bicaku
------------------------------