IBM Security QRadar SOAR

 View Only
  • 1.  Visibility of tasks for different user groups

    Posted Mon November 25, 2019 08:42 AM
    Hi,

    I have a custom incident category. We have created custom phase and tasks for this category. I have created a rule for adding tasks to incident.

    But we have different user groups. For example tier2 might see only specific tasks. How can I do this from rule? 

    For example tier1 can see only 2 of tasks in below image. 

    Best
    Jasmine


    ------------------------------
    Jasmine
    ------------------------------


  • 2.  RE: Visibility of tasks for different user groups

    IBM Champion
    Posted Mon November 25, 2019 10:59 AM
    1.  Set all tasks to private by default ("Administrator Settings" > "Organization" > "General" > "Settings" > "Default Tasks" > "ON").

    2.  For roles that should only see their own tasks, go to the role settings ("Administrator Settings" > "Roles)
             and uncheck the settings for "View Private Tasks"

    3.  Via a rule, set the members of the tasks.
               Rule type: Task
               Rule conditions: 'Task is created' AND ('Task name is equal to abc' OR 'Task name is equal to def' OR ...)
               Activities: 'Set Field   Task: Members   role_name_here'


    From the Resilient User Guide v34:
    "When viewing an individual task, there are also tabs to view the source of the task, record notes, and upload attachments. In the Members tab of the task, you can mark a task as Private if you consider the task as sensitive and do not wish it to be viewed by the incident team in general. The owner of the incident and members of the task can view a private task."


    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 3.  RE: Visibility of tasks for different user groups

    Posted Wed November 27, 2019 03:30 AM
    I think that is isn't the correct way, because when we want to create a simulation, there is an error:



    ------------------------------
    Jasmine
    ------------------------------



  • 4.  RE: Visibility of tasks for different user groups

    Posted Mon December 02, 2019 10:44 AM
    Groups cannot be used as task owners.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: Visibility of tasks for different user groups

    IBM Champion
    Posted Mon December 02, 2019 11:32 AM
    Hey @Ben Lurie​​,

    I advised setting the task membership to the group (not ownership). Is this what you meant?

    Is setting a group as the members of a task also not possible? That would be a poor design, as this seems like an important use case.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 6.  RE: Visibility of tasks for different user groups

    Posted Wed November 27, 2019 04:33 AM
    Could you please provide a document or working example of this issue?

    ------------------------------
    Jasmine
    ------------------------------



  • 7.  RE: Visibility of tasks for different user groups

    IBM Champion
    Posted Wed November 27, 2019 10:00 AM
    Is the group listed as an incident member? I forgot to add that in the steps, sorry!

    Recall that tasks cannot be assigned to non-incident members.

    I do not have an example of this to provide, as we do not use this functionality to-date.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 8.  RE: Visibility of tasks for different user groups

    Posted Mon December 02, 2019 01:38 PM
    Groups can be assigned as task members.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 9.  RE: Visibility of tasks for different user groups

    Posted Tue December 03, 2019 06:16 PM
    We are currently evaluating methods of assigning Tasks to Groups, and with that how do we expose that to the Users in the Groups in the platform. Most likely under the My Tasks section under Dashboards.

    Assign tasks to a group

    https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-90

    Assign tasks to a group or person who isn't a member of an incident
    https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/RESI-I-10

    It is an interesting thought to control visibility of the Tasks now owned by Groups:

    1. Limit the exposure of the Tasks to the rest of the Members/Owner of the Incident. As mentioned below, can be done today using the Member/Private feature of a Task - with the caveat that the Task Owner will implicitly always have access to that Private Task.
    2. Limit the exposure of the Incident to the Group that has been assigned a Task. So allowing a Groups/it's Members access to only the Task assigned, but not the Incident (or its other Tasks). We would then have to use something like the My Tasks to show those Tasks, because the User(s) would not have access to the Incident.

    Please have at a look at those two RFEs/Ideas, vote, and leave comments/feedback so our Product team can include them in our design thinking.

    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------