IBM Security QRadar SOAR

  • 1.  Conditional Select Fields

    Posted Fri September 18, 2020 01:11 PM

    I know that this would likely have to be a change in the coding of the application, but I am wondering what others have done to create a conditional select or multiselect field.

    We are working on moving our system tracking from NIST to Mitre and want to be able to track things like the main category and subcategories, but based on the current abilities of the application I don't see a way to track sub abilities based on the main category.

    Any help on this would be appreciated. I will also go and check Ideas and see if this is already requested or request it myself.



    ------------------------------
    Nick Mumaw
    ------------------------------


  • 2.  RE: Conditional Select Fields

    Posted Mon September 28, 2020 02:24 PM
    It is not easy in Resilient and depends on where you will use those fields.
    I have a solution for "Tab" view:
    Show Select/Multi Select Fields incident.properties.my_category
    For each Category, use a section that will show the specific Sub Category Select/Multi Select field only if it matches the Category in reference.
    Section, Criteria incident.properties.my_category = Value A
         Show Select/Multi Select Fields incident.properties.my_category_a
    Section, Criteria incident.properties.my_category = Value B
         Show Select/Multi Select Fields incident.properties.my_category_b
    Section, Criteria incident.properties.my_category = Value C
         Show Select/Multi Select Fields incident.properties.my_category_c
    etc.

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 3.  RE: Conditional Select Fields

    Posted Tue September 29, 2020 05:00 PM
    So I was thinking that we could finish that off with 1 total subcategory and a script that, whenever one of the individual sub categories changes, updates the total subcategory for reporting purposes. This does seem overly complicated when trying to do something like the Mitre Attack framework, where I would have to have 12 subcategories. I appreciate your candor on this!

    ------------------------------
    Nick Mumaw
    ------------------------------



  • 4.  RE: Conditional Select Fields

    Posted Tue September 29, 2020 05:20 PM
    Maybe I did not get the full story of what you want to do.
    If it is for reporting, using Category and Sub Category existing in Mitre Attack model,
    you could have a script that
    - Takes this category from Mitre Attack and populates a Field "Category"
    - Takes this Sub Category from Mitre Attack and populates a Field "Sub Category"
     
    When doing the report, in the Dashboard Filter or Widget Filter, use the filter on "Category" and you will have just the Sub Category relevant to this category in your Widget.
     
    If you have the potential for multiple Categories and multiple Sub Categories on a single incident, they should be Multi Select Fields with predefined values, to allow multiple entries.
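
The roll-up script discussed in posts 3 and 4, as an added example that is not part of the original thread and not IBM's code. The field names `my_category` and `my_category_a` to `my_category_c` follow post 2; `my_subcategory_total`, the sample values, and the use of a plain dict in place of `incident.properties` are assumptions, as is the premise that a hidden section keeps its stored value.

```python
# Added example: combine the per-category sub-category fields into one
# reporting value. A plain dict stands in for incident.properties.

# Category value -> field shown by that category's conditional section (post 2).
SUBFIELD_BY_CATEGORY = {
    "Value A": "my_category_a",
    "Value B": "my_category_b",
    "Value C": "my_category_c",
}
TOTAL_FIELD = "my_subcategory_total"  # hypothetical field read by dashboards

# Constructed sample: category B was deselected but its sub-field still holds data.
SAMPLE = {
    "my_category": "Value A",
    "my_category_a": ["Sub A1", "Sub A2"],
    "my_category_b": ["Sub B1"],
}


def as_list(value):
    """Normalise a select (str), multi-select (list) or empty (None) value."""
    if value is None or value == "":
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def roll_up(props):
    """Return 'Category: Sub' labels for the currently selected categories only.

    Sub-fields whose category is not selected are skipped, so a stale value
    never appears in reporting under the wrong category.
    """
    total = []
    for category in as_list(props.get("my_category")):
        field = SUBFIELD_BY_CATEGORY.get(category)
        if field is None:
            continue  # category with no sub-field defined yet
        for sub in as_list(props.get(field)):
            label = "{}: {}".format(category, sub)
            if label not in total:
                total.append(label)
    return total


def apply_roll_up(props):
    """Store the roll-up and report whether the stored value changed."""
    new_value = roll_up(props)
    changed = as_list(props.get(TOTAL_FIELD)) != new_value
    props[TOTAL_FIELD] = new_value
    return changed
```

Adding a category then means adding one entry to `SUBFIELD_BY_CATEGORY` rather than a new rule per sub-field.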