IBM QRadar SOAR

PLAYBOOK: Create a SLA alert system on incidents

By BENOIT ROSTAGNI posted Tue March 22, 2022 09:58 AM


Many times we have been asked for an SLA system in QRadar SOAR. There is none OOTB, but I have created a working example that can be a good starting point to adapt to your specific needs (speak to 5 customers and they will have 5 different ways to calculate and work with SLAs).

The solution given here is a self-packaged playbook that uses the OOTB integration Utility Functions for SOAR, specifically its Timer function, running on an App Host.

The Playbook is here:


The first script calculates all the elements and sets the SLA and alert times.
You can change the SLA value and the ALERT value there, or plug in your own SLA calculation based on severity, security level or service level:
sla = 30 # Time to solve the incident
alert = 10 # Time to send the alert - in this example, notification from a note
incident.properties.sla_in_minutes = sla
incident.properties.sla_alert_in_minutes = alert
# SLA Minutes Left Calculation

import time

# create_date is stored in epoch milliseconds, time.time() returns seconds
first_time = incident.create_date/1000
later_time = time.time()
difference = round((later_time - first_time)/60)  # minutes elapsed since the incident was created

# SLA ALERT in minutes
# This value could be calculated and set by other scripts if needed
sla = 30   # Time to solve the incident
alert = 10 # Time to send the alert - in this example, notification from a note
incident.properties.sla_in_minutes = sla
incident.properties.sla_alert_in_minutes = alert

# calculating pause time: wait half of what is left before the alert, never less than 1 minute
slatimer = round((sla - difference - alert)/2)
if slatimer < 1:
  slatimer = 1
incident.properties.sla_timer_in_minutes = slatimer

# We have plenty of time (fewer than `alert` minutes have elapsed)
if alert > difference:
  incident.properties.out_of_sla = False
  incident.properties.sla_minutes_left = sla - difference
# We are out of sla (sla_minutes_left is deliberately left at its last value here)
elif difference > sla:
  incident.properties.out_of_sla = True
else:
  incident.properties.out_of_sla = False
  incident.properties.sla_minutes_left = sla - difference

# all the following fields will be listed in the condition below to be taken in the export package
log.info(incident.properties.out_of_sla)
log.info(incident.properties.sla_minutes_left)
log.info(incident.properties.sla_timer_in_minutes)
log.info(incident.properties.sla_alert_in_minutes)
log.info(incident.properties.sla_in_minutes)

 
The Timer function input is a script, as I recalculate the wait time at each loop:

inputs.utilities_time = "{}m".format(incident.properties.sla_timer_in_minutes)


The Alert is a script, but you could replace it with a text message alert through the TWILIO integration, an email alert through the Outbound Email integration, or simply a Notification to the owner / members triggered by this note creation. I have also added a Milestone.

By default, I loop here every minute once the alert time is reached, but you can change that in the previous script:

# calculating pause time
slatimer = round((sla - difference - alert)/2)
if slatimer < 1:
  slatimer = 1
incident.properties.sla_timer_in_minutes = slatimer

import datetime
date = datetime.datetime.now()
# Sample alert on a notification
# Create a note for the notification; this could be replaced by any other script or function
incident.addNote("@BenoitRostagni (email:benoit.rostagni@ibm.com) We are almost Out Of SLA: {}".format(incident.properties.sla_minutes_left))
# Record the warning as a milestone on the incident timeline as well
incident.addMilestone("SLA Warning", "We are almost Out Of SLA: {}".format(incident.properties.sla_minutes_left), date)
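To check the arithmetic of the first script and the Timer loop without an App Host, here is an added example (not part of the playbook package) that reproduces the same calculation as a pure function and drives the loop on a virtual clock. It assumes, since the post does not spell it out, that the loop exits and the alert fires when sla_minutes_left drops to sla_alert_in_minutes or below, or as soon as out_of_sla is set.

```python
def sla_state(create_date_ms, now_s, sla=30, alert=10):
    """Mirror the playbook's first script as a pure function.

    create_date_ms: incident.create_date (epoch milliseconds, as SOAR stores it)
    now_s: the clock in epoch seconds (the playbook uses time.time())
    Returns the values the playbook writes into incident.properties.
    """
    difference = round((now_s - create_date_ms / 1000) / 60)  # minutes elapsed
    # Pause before the next check: half the time left before the alert, never < 1 min
    slatimer = max(1, round((sla - difference - alert) / 2))
    out_of_sla = difference > sla
    return {
        "sla_in_minutes": sla,
        "sla_alert_in_minutes": alert,
        "sla_timer_in_minutes": slatimer,
        "out_of_sla": out_of_sla,
        # The playbook does not touch sla_minutes_left once out of SLA, so that
        # field keeps its previous value there; None stands in for it here.
        "sla_minutes_left": None if out_of_sla else sla - difference,
    }


def simulate_wait_loop(sla=30, alert=10):
    """Drive the Timer loop on a virtual clock instead of real Timer waits.

    Assumed loop exit (not stated in the post): the alert fires when
    sla_minutes_left <= sla_alert_in_minutes, or as soon as out_of_sla is set.
    Returns (minutes at which each recalculation ran, state at exit).
    """
    create_ms = 0          # constructed: incident created at t = 0
    elapsed_min = 0
    checks = []
    while True:
        state = sla_state(create_ms, elapsed_min * 60, sla, alert)
        checks.append(elapsed_min)
        if state["out_of_sla"] or state["sla_minutes_left"] <= alert:
            return checks, state
        elapsed_min += state["sla_timer_in_minutes"]  # what the Timer would wait


if __name__ == "__main__":
    checks, final = simulate_wait_loop()
    print("recalculated at minutes:", checks)
    print("alert at minute", checks[-1], "with", final["sla_minutes_left"], "left")
```

With the post's defaults the checks land at minutes 0, 10, 15, 17, 19 and 20, so the halving schedule reaches the alert point exactly without polling every minute from the start.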
There is no message at the end when you are OUT OF SLA, but it is easy to add one just before the End Point!

You can download this package from my GitHub.
