IBM Security QRadar SOAR

  • 1.  Logging changes to incidents

    Posted Wed December 01, 2021 09:00 AM
    Hi everybody,
    When you look at the newsfeed associated with an incident, it can tell you that "User xxx modified the incident".
    Is there a log somewhere that can tell what was changed?

    Our use case here is that we have a custom field within a certain type of incident that can change over time and we would like to be able to trace the values it took over time.

    thanks for your time

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Logging changes to incidents

    Posted Thu December 02, 2021 01:05 PM
    I'm not sure there's an 'official' way to do this, but I have similar use cases, and have two different 'solutions':

    - Turn on time tracking for the field, which allows you to track the total time a field was in a given state. It's not a timeline (i.e., it won't show something changing from A to B and back to A) but if you're looking for aggregate data, it works.

    - To do what you're looking for, I have a custom field called 'Ticket metadata' which is basically a serialised representation of a JSON object. A rule fires when the field of interest changes, and a script will grab the contents of 'Ticket metadata', deserialise it, update those contents appropriately and re-serialise it back to the ticket field.
    If nothing else, doing it that way saves me from having to create 8 zillion tracking fields for things...

    ------------------------------
    J V
    ------------------------------
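The 'Ticket metadata' approach from the reply above, as an added example that is not code from the post or from QRadar SOAR itself: a plain Python sketch in which a dict stands in for the incident object a rule-triggered script receives, `ticket_metadata` is the assumed API name of the custom text field, and the acting user is passed in by the caller. It also shows the one thing time tracking cannot give you, an A -> B -> A timeline.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for the incident object a rule-triggered SOAR script sees;
# 'ticket_metadata' is the assumed name of the custom text field that holds the
# serialised JSON history (the post calls it 'Ticket metadata').
SAMPLE_INCIDENT = {
    "id": 2001,
    "properties": {"severity_code": "Low", "ticket_metadata": ""},
}

def load_metadata(raw):
    """Deserialise the metadata field. An empty or unparseable field starts a
    fresh history instead of failing the rule; bad text is kept under 'unparsed'."""
    if not raw:
        return {"history": {}}
    try:
        data = json.loads(raw)
    except ValueError:
        return {"history": {}, "unparsed": raw}
    if not isinstance(data, dict):
        return {"history": {}, "unparsed": raw}
    data.setdefault("history", {})
    return data

def record_change(incident, field, user, when=None):
    """Run after `field` changed: append {value, user, at} to that field's
    history and write the metadata back. `user` is supplied by the caller
    (assumption). Returns the field's history list."""
    when = when or datetime.now(timezone.utc).isoformat()
    new_value = incident["properties"].get(field)
    meta = load_metadata(incident["properties"].get("ticket_metadata"))
    entries = meta["history"].setdefault(field, [])
    # Ignore saves that did not actually change the value, so the timeline
    # only records real transitions (A -> B -> A is kept, A -> A is not).
    if entries and entries[-1]["value"] == new_value:
        return entries
    entries.append({"value": new_value, "user": user, "at": when})
    incident["properties"]["ticket_metadata"] = json.dumps(meta, sort_keys=True)
    return entries

def timeline(incident, field):
    """Ordered (timestamp, value) transitions reconstructed from the field."""
    meta = load_metadata(incident["properties"].get("ticket_metadata"))
    return [(e["at"], e["value"]) for e in meta["history"].get(field, [])]
```

Keep the metadata field as a plain text field so the report and export paths still show it, and treat `unparsed` entries as a signal that something outside the rule edited the field by hand.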



  • 3.  RE: Logging changes to incidents

    Posted Mon December 06, 2021 08:34 AM
    Edited by Brenden Glynn Mon December 06, 2021 08:40 AM
    If the provided suggestions don’t fit the bill, I recommend using the Generate Incident History Report feature in the lower right side of the Incident page. It generates a report of changes to Incident Fields over time by user.
  • 4.  RE: Logging changes to incidents

    Posted Thu December 02, 2021 04:55 PM
    Edited by Elizabeth Hecht Thu December 02, 2021 05:02 PM

    Hi Pierre,
    I would recommend using the time tracking feature; there is information on how to enable it here:
    https://www.ibm.com/docs/en/rsoa-and-rp/42?topic=layouts-displaying-time-tracking-information-in-tab#reference_wtl_c5d_mjb
    Then you can create graphs of how the field changes over time:

    https://www.ibm.com/docs/en/rsoa-and-rp/42?topic=tutorials-tutorial-creating-custom-graphs-over-time

    In addition, the incident history report will give you more details on the timeline of actions in the incident.
    https://www.ibm.com/docs/en/rsoa-and-rp/42?topic=analysis-generating-incident-report

    • Within an incident, click Download Incident History Report. This report provides a list of fields in the incident, the user who created or changed it, the date it occurred, and the old and current values.


    ------------------------------
    Elizabeth Hecht
    ------------------------------