IBM Security QRadar SOAR

  • 1.  Incident View Restriction

    Posted Wed January 05, 2022 01:42 PM
    Due to legal privilege there are some incidents which cannot be in the SOAR. Is there a way to restrict who is able to access/view an incident?

    Nicholas Jelinek

  • 2.  RE: Incident View Restriction

    Posted Thu January 06, 2022 08:48 AM
    SOAR has very robust RBAC controls. Every user's access to an incident is controlled by the permissions they have. The permissions come from the roles they are assigned and the groups they are part of. In addition, the access can further be segregated by an incident Workspace. An incident workspace is typically used to partition the incident access either vertically (e.g. Tier 1, Tier 2, Tier 3 support) or horizontally (e.g. IT department, Security Department).

    Take a look at the Administration|Users page for role and group assignment. Take a look at the Administration|Roles page for setting up role permissions. Take a look at the Administration|Groups page for group assignment. Take a look at the Administration|Workspace page for managing Workspaces. Workspaces are assigned to incidents on the incident details edit page.


    Ben Lurie

  • 3.  RE: Incident View Restriction

    Posted Thu January 06, 2022 09:55 AM
    Just to follow up on Ben's comments and say that this is exactly how we do it at the company I work for.

    We have a similar thing where X users need to see cases/requests for this type of legal or HR request but the rest of the groups can't see it. So we have a group for them that assigns workspace roles and we put the required people into that group. Then we automate some of the request information with templates and such on the HR/Legal side so we can key off parts of the email and route to the right workspace and notify the right team members.

    Richard Giesige
    Security Engineer
    Oshkosh Corporation