SOAR has very robust RBAC controls. Every user's access to an incident is controlled by the permissions they have. The permissions come from the roles they are assigned and the groups they are part of. In addition, the access can further be segregated by an incident Workspace. An incident workspace is typically used to partition the incident access either vertically (e.g. Tier 1, Tier 2, Tier 3 support) or horizontally (e.g. IT department, Security Department).
Take a look at the Administration|Users page for role and group assignment.
Take a look at the Administration|Roles page for setting up role permissions.
Take a look at the Administration|Groups page for group assignment.
Take a look at the Administration|Workspace page for managing Workspaces. Workspaces are assigned to incidents on the incident details edit page.
Ben
------------------------------
Ben Lurie
------------------------------
Original Message:
Sent: Wed January 05, 2022 01:33 PM
From: Nicholas Jelinek
Subject: Incident View Restriction
Due to legal privilege there are some incidents which cannot be in the SOAR. Is there a way to restrict who is able to access/view an incident?
------------------------------
Nicholas Jelinek
------------------------------