IBM QRadar SOAR

  • 1.  Prevent to Close incident without any artifact

    Posted Wed December 02, 2020 06:26 AM
    Hi All,

    We would like to know if there's a way to prevent closing the Resilient incident if there's no artifact (IOC).

    Thanks

    ------------------------------
    Marc Lainez
    ------------------------------


  • 2.  RE: Prevent to Close incident without any artifact

    Posted Thu December 03, 2020 08:52 AM
    Probably the easiest way is to have an incident-level custom property that keeps track of whether there are any artifacts associated with it. A boolean value. It would get set when an artifact is created.

    Then you can create a script that uses helper.fail() on incident close if the incident boolean value is not "true".

    There would potentially be a problem with this approach when or if an artifact is removed.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
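
The two scripts described in the reply above, as an added example that is not part of the original thread or IBM's own code. The custom field name `has_artifact`, the stub classes and the sample incident are assumptions made so the logic runs outside the platform, where `incident` and `helper` are supplied to the script.

```python
from types import SimpleNamespace

FLAG = "has_artifact"  # hypothetical boolean custom field on the incident


class CloseBlocked(Exception):
    """Stand-in for the abort the platform performs when helper.fail() is called."""


class StubHelper:
    """Offline substitute for the `helper` object injected into scripts."""
    def fail(self, message):
        raise CloseBlocked(message)


def on_artifact_created(incident):
    """Body of the script attached to the artifact-created rule."""
    setattr(incident.properties, FLAG, True)


def on_incident_close(incident, helper):
    """Body of the script attached to the rule that fires on incident close."""
    # The field is empty (None) on incidents that predate it, so test for True explicitly
    if getattr(incident.properties, FLAG, None) is not True:
        helper.fail("Add at least one artifact (IOC) before closing this incident.")


def try_close(incident):
    """Return (allowed, message) for a simulated close attempt."""
    try:
        on_incident_close(incident, StubHelper())
        return True, ""
    except CloseBlocked as exc:
        return False, str(exc)


def new_incident():
    # Constructed sample incident: flag unset, no artifacts
    return SimpleNamespace(properties=SimpleNamespace(**{FLAG: None}), artifacts=[])


if __name__ == "__main__":
    inc = new_incident()
    print(try_close(inc))                  # blocked: no artifact yet
    inc.artifacts.append("198.51.100.7")   # constructed sample IOC
    on_artifact_created(inc)
    print(try_close(inc))                  # allowed
    inc.artifacts.clear()                  # artifact removed, flag is now stale
    print(try_close(inc))                  # still allowed: the gap noted in the reply
```

Inside the platform the two function bodies reduce to `incident.properties.has_artifact = True` and the `helper.fail()` check; the last case in the demo shows why the flag alone cannot detect a removed artifact.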