IBM Security QRadar SOAR

 View Only
  • 1.  Make a field required for a specific incident type

    Posted Fri November 01, 2019 04:57 PM
    Hello,

    I was wondering if anyone knew of a way to make certain fields required for a specific incident type only. I see you can make the field required but it seems that when you set that it is required for all incident types.

    We want to have a person be able to close a task inside an incident and make sure that the "required" fields are filled out. 

    Otherwise if this isn't possible, how are other people making sure that the fields are properly getting done on incidents?

    Thanks,

    ------------------------------
    Richard Giesige
    ------------------------------


  • 2.  RE: Make a field required for a specific incident type

    Posted Mon November 04, 2019 09:01 AM
    This is not possible out of the box currently. However you can accomplish this by:

    1) Set up the "required on incident type" fields as optional.
    2) Set up a script that checks if the specific fields are "not empty or null". If they are empty or null the script can use  helper.fail("The field Y is required when the incident type is X"). This message is shown as an error message to the user when the incident is saved.
    3) Set up a rule that runs when the incident type is X.

    If you have different fields that are required for different incident types this might require multiple scripts. If you want only one script you could do that with an if/else statement in the script. You'll then have to set up the rule to always fire on the incident.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Make a field required for a specific incident type

    Posted Fri November 22, 2019 11:13 AM
    Thanks Ben Lurie, that worked for us after some testing.

    ------------------------------
    Richard Giesige
    ------------------------------