Amit,
Some questions to help me understand your goal.
1. Are the number of tasks for High (25), Medium (19), and Low (13) all unique to the specific Severity Level? Or are some of the Tasks shared between Severities/overlapped? For example, are some of the Tasks in Low also in Medium?
2. How often is the Severity changed? Is it a one-time event, or is it possible it will change many times through the life of the Incident? In either event, you'd want to track that the severity was changed. The Initial Severity and the Final Severity. This will help you track over time if Severities are changing on Incidents, and possibly uncover trends.
If the Severity is changed only once, you can set the conditions on the Medium Rule to (see attachment/screenshot)

This will allow an Incident that went from Med->Low and Low->Med to maintain the Medium Tasks. The moment both of them no longer = Medium though, the Medium tasks will disappear.
Note: The Rules engine will Add Tasks when the conditions evaluate to True. The point when that Rule that added the Tasks no longer evaluates to True, it will remove the added Tasks (as you've experienced).
3. 32 Tasks on an Incident is a lot of Tasks! I would recommend 15-20 at most if possible. I would consider consolidating some of those Tasks together.
@Pablo
All Rules will evaluate if the Rule type is triggered. It won't matter if you put a Rule at the top or bottom. They don't operate like ACLs. They don't stop when there is a match. You determine the order of the Rules based on the impact they will have to each based on their Activities.
------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient
------------------------------
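The rule behaviour described in the reply above, as a toy Python model added here; it is not part of the original thread and is not IBM Resilient code. Assumptions: task names are constructed and unique per severity (the reply's question 1), and `initial_or_current` is a guessed stand-in for the condition in the missing screenshot, inferred from the sentence that follows it.

```python
from dataclasses import dataclass, field

# Task counts come from the thread; the task names are constructed and
# assumed not to overlap between severities.
TASKS = {
    "High": {f"P1-{i}" for i in range(1, 26)},    # 25 tasks
    "Medium": {f"P2-{i}" for i in range(1, 20)},  # 19 tasks
    "Low": {f"P3-{i}" for i in range(1, 14)},     # 13 tasks
}

@dataclass
class Incident:
    severity: str
    initial_severity: str
    tasks: set = field(default_factory=set)

def current_only(level):
    """Condition on the current Severity only (the original three rules)."""
    return lambda inc: inc.severity == level

def initial_or_current(level):
    """Assumed condition: Initial Severity OR current Severity equals level."""
    return lambda inc: level in (inc.initial_severity, inc.severity)

def evaluate(incident, rules):
    """Evaluate every rule (no first-match stop, unlike an ACL). A rule that
    is true contributes its tasks; tasks of a rule that is no longer true
    drop out."""
    active = set()
    for condition, tasks in rules:
        if condition(incident):
            active |= tasks
    incident.tasks = active
    return len(active)

def run(path, make_condition):
    """Create an incident at path[0], apply each later severity change,
    and return the rule-added task count after every step."""
    rules = [(make_condition(level), tasks) for level, tasks in TASKS.items()]
    inc = Incident(severity=path[0], initial_severity=path[0])
    counts = [evaluate(inc, rules)]
    for severity in path[1:]:
        inc.severity = severity
        counts.append(evaluate(inc, rules))
    return counts

if __name__ == "__main__":
    print(run(["Low", "Medium"], current_only))
    print(run(["Low", "Medium"], initial_or_current))
    print(run(["Low", "Medium", "High"], initial_or_current))
```

In this model a downgrade under the assumed condition still adds tasks (High to Medium ends with 44), so the condition alone does not give "no change on downgrade".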
Original Message:
Sent: 03-26-2019 12:52 PM
From: Amit Kumar
Subject: Playbook Optimization
yes, existing rules are also triggering matching below criteria...
1) Customized Phishing-P1 > Total tasks = 25 ----Severity Selected is "High"
2) Customized Phishing-P2 > Total tasks = 19 ----Severity Selected is "Medium"
3) Customized Phishing-P3 > Total tasks = 13 ----Severity Selected is "Low"
Is there a way to achieve it?
------------------------------
Amit Kumar
Original Message:
Sent: 03-25-2019 11:51 AM
From: PABLO ROBERTO GARCIA
Subject: Playbook Optimization
Probably it is because it is matching another rule?... Make sure to put it at the top of the list.
Also, you have to make sure that the condition is met...
Regards,
------------------------------
PABLO ROBERTO GARCIA
Original Message:
Sent: 03-25-2019 11:39 AM
From: Amit Kumar
Subject: Playbook Optimization
Hi Pablo,
Thanks for your inputs.
>>
Low(13) to Medium(19)= Total tasks should be 32 tasks:
Rule 1: If is Low I will define 13
Rule 2: If is Medium I will define the 32 tasks...
>>
In this case, the rule for "Medium Priority" will add 32 tasks for a value of "Severity" selected "Medium" while creating an incident instead of 19 tasks.
------------------------------
Amit Kumar
Original Message:
Sent: 03-25-2019 04:05 AM
From: PABLO ROBERTO GARCIA
Subject: Playbook Optimization
Amit,
Based on your requirement, it is a bit complicated, but I will try...
Low(13) to Medium(19)= Total tasks should be 32 tasks:
Rule 1: If priority is Low I will define 13
Rule 2: If priority is Medium I will define the 32 tasks...
Low(13) to High(25) = Total tasks should be 38 tasks
Same as above...
Is it possible to create separate rules for that?...
Regards,
------------------------------
PABLO ROBERTO GARCIA
Original Message:
Sent: 03-22-2019 09:58 AM
From: Amit Kumar
Subject: Playbook Optimization
Hi Pablo,
Let me put it this way
Three separate rules created, which add a specific count of tasks for a value of "Severity" selected while creating an incident.
The count is as below mentioned
1) Customized Phishing-P1 > Total tasks = 25 ----Severity Selected is "High"
2) Customized Phishing-P2 > Total tasks = 19 ----Severity Selected is "Medium"
3) Customized Phishing-P3 > Total tasks = 13 ----Severity Selected is "Low"
Now expectation is
After creating incident and SOC works on it and decides to decrease or elevate the "severity" of the incident
Use case 1: Incident with "High" severity created (25 tasks added), when the user decreases the severity to "Medium" or "Low" no tasks should be removed
Use case 2: Incident with "Low" severity created (13 tasks added), when the user elevates the severity to "Medium" or "High" tasks should be appended
Results expected
Low(13) to Medium(19)= Total tasks should be 32 tasks
Low(13) to High(25) = Total tasks should be 38 tasks
------------------------------
Amit Kumar
Original Message:
Sent: 03-22-2019 04:30 AM
From: PABLO ROBERTO GARCIA
Subject: Playbook Optimization
I am not sure if I understand your request or which policies you have in place; I will create a rule such as:
Please confirm if that makes sense to you:

------------------------------
PABLO ROBERTO GARCIA
Original Message:
Sent: 03-21-2019 06:37 AM
From: Amit Kumar
Subject: Playbook Optimization
Hello All,
Currently, we have rules configured for playbooks based on the severity, wherein it's adding/removing tasks when the severity is changed.
Now the requirement is, tasks should not be added when severity changes from High to Med, High to Low or Med to Low.
And when moving from Low to High, Low to Med or Med to High, tasks should get added. Can you please check this? How can we achieve this?