IBM Security QRadar SOAR

  • 1.  Adding groups to tickets

    Posted Thu October 22, 2020 03:18 PM
    Hi Everyone,

    I'm sure I'm making this harder than it needs to be, but currently we have several "escalation" menu item rules that set the Incident:Members field.  Is there a way to add members instead of resetting the field? We've run into an issue where other groups are being removed as members from incidents due to the way "Set Field" works.

    Thanks!

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------


  • 2.  RE: Adding groups to tickets
    Best Answer

    IBM Champion
    Posted Thu October 22, 2020 08:18 PM
    Hi @Jason Jemmott,

    The "Set Field" will overwrite the field as you're experiencing. The solution is to instead use a script for more advanced field manipulation (like adding).

    incident.members is a simple list. It looks like:

    ['user1_email@domain.com', 'user2_email@domain.com', 'Group Name 1']

    So, this would work for you in the script:
    (incident.members).append('Group Name 2')


    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
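
An added example, not part of the original posts or IBM's own code: one way to keep the append safe when an escalation rule fires more than once or the Members field starts empty, so existing groups keep their access and no entry is duplicated. `FakeIncident` and `add_members` are hypothetical names; inside a SOAR script the platform supplies `incident`, and writing the merged list back by assignment is an assumption.

```python
# Stand-in for the `incident` object an in-product script receives.
# Constructed for this example; inside SOAR the platform supplies `incident`.
class FakeIncident(object):
    def __init__(self, members=None):
        self.members = members


def add_members(incident, new_members):
    """Merge new_members into incident.members without dropping or duplicating entries."""
    current = list(incident.members or [])  # assumption: an empty field may be None
    seen = set(current)
    for name in new_members:
        if name not in seen:                # skip members that are already present
            current.append(name)
            seen.add(name)
    incident.members = current              # assumption: assignment stores the list
    return current


def demo():
    # Constructed sample values, in the same shape as the list shown in the answer.
    inc = FakeIncident(['user1_email@domain.com', 'Group Name 1'])
    add_members(inc, ['Group Name 2'])
    add_members(inc, ['Group Name 2', 'Group Name 1'])  # same rule fired again
    return inc.members


if __name__ == "__main__":
    print(demo())
```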



  • 3.  RE: Adding groups to tickets

    Posted Fri October 23, 2020 11:46 AM
    Hi @Jared Fagel,

    This worked like a charm - so simple and elegant (and enlightening). Now knowing I can perform these types of manipulations from within the GUI-based scripts vs. overcomplicating it with the Integration server is a huge eye-opener.  Thanks again!

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------