IBM QRadar SOAR

  • 1.  Subject: Feature Request: Dynamic Incident Fields Based on User Lists

    Posted 3 hours ago

    Hi all,

    I'd like to propose a feature enhancement or, if a solution already exists, ask for guidance on how to implement it.

    Current Challenge:

    We utilize two custom incident fields, "Incident Handler" and "Incident Observer," which are both "select" (dropdown) fields. Currently, every time a new analyst joins our team, we have to manually edit these fields to add the new user to the list of available options. This process is manual, prone to being overlooked, and inefficient as our team grows.

    Desired Functionality:

    We would love the ability to have these fields dynamically populate their choices from the list of active IBM QRadar SOAR users. Ideally, we could have a custom field type that functions similarly to the built-in "Owner" or "Members" fields, which are always synchronized with the platform's user list. This would ensure that any new user is immediately available for selection as a handler or observer without administrative overhead.

    Question:

    Is there a way to achieve this dynamic population natively?

    If not, I've been exploring the REST API as a potential workaround. My goal would be to create a script that:

    1. Fetches the current list of users from the SOAR API.

    2. Updates the "values" for our custom "Incident Handler" and "Incident Observer" fields with this user list.

    However, I'm having trouble finding the specific API endpoint or method to modify the list of available choices for a "select" type field. I've looked through the documentation but haven't found a clear path for updating field definitions in this manner.

    Could someone point me in the right direction? Is it possible to update the values of a select-list via the API? Any examples or documentation references would be greatly appreciated. It seems like a common need for scaling a SOAR implementation, and automating this would be a significant quality-of-life improvement.

    Thanks in advance for your help.



    ------------------------------
    Dominik Siekierski
    ------------------------------
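
The reconciliation step of the two-step script outlined in the post above, as an added example that is not part of the original thread and not IBM's code. It makes no API calls: the dictionary keys (`value`, `label`, `enabled`, `display_name`, `email`, `active`) and the sample data are constructed assumptions, and disabling rather than deleting options for departed users is a design choice assumed here so that options existing incidents may reference are not removed.

```python
def option_label(user):
    """Label shown in the dropdown; the e-mail keeps it unique."""
    return f'{user["display_name"]} <{user["email"]}>'


def reconcile_options(existing, users):
    """Return (new_options, summary) without mutating the inputs."""
    active = {option_label(u) for u in users if u["active"]}
    if not active:
        # An empty result more likely means a failed or under-privileged
        # fetch than an empty team; refuse to disable every option.
        raise ValueError("no active users fetched; refusing to update")

    summary = {"added": [], "disabled": [], "re_enabled": []}
    new_options, seen = [], set()
    for opt in existing:
        opt = dict(opt)  # copy; keys such as the option id stay untouched
        seen.add(opt["label"])
        should_enable = opt["label"] in active
        if opt.get("enabled", True) != should_enable:
            key = "re_enabled" if should_enable else "disabled"
            summary[key].append(opt["label"])
            opt["enabled"] = should_enable
        new_options.append(opt)

    # New analysts get an option without an id (assumed to be assigned
    # by the server when the field definition is saved).
    for label in sorted(active - seen):
        new_options.append({"label": label, "enabled": True})
        summary["added"].append(label)
    return new_options, summary


# Constructed sample data, not taken from any real system.
SAMPLE_OPTIONS = [
    {"value": 101, "label": "Ana Ruiz <ana@example.com>", "enabled": True},
    {"value": 102, "label": "Bo Chen <bo@example.com>", "enabled": True},
    {"value": 103, "label": "Cy Dale <cy@example.com>", "enabled": False},
]
SAMPLE_USERS = [
    {"display_name": "Ana Ruiz", "email": "ana@example.com", "active": True},
    {"display_name": "Bo Chen", "email": "bo@example.com", "active": False},
    {"display_name": "Cy Dale", "email": "cy@example.com", "active": True},
    {"display_name": "Di Evans", "email": "di@example.com", "active": True},
]

if __name__ == "__main__":
    print(reconcile_options(SAMPLE_OPTIONS, SAMPLE_USERS)[1])
```

Running the same function for both custom fields keeps "Incident Handler" and "Incident Observer" in step, and the summary gives an audit trail of what each run changed.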


  • 2.  RE: Subject: Feature Request: Dynamic Incident Fields Based on User Lists

    Posted an hour ago

    Hi Dominik

    You can use IBM Ideas Portal to request new features: IBM's security products ideas portal



    ------------------------------
    Lucian Sipos
    ------------------------------