IBM Security QRadar SOAR

  • 1.  Incident Details Page Edit option

    Posted Mon April 01, 2019 08:40 AM
    Hi Team,

    The Incident details tab allows analysts to modify the incident details (please refer to the attached screenshot). Usually analysts should not modify the incident details.

    We have tried with user roles and disabled the Edit Incidents role. But this will not allow the user to modify even Members, owner and status.

    We need the incident name and Description field (contains source IP, destination IP, hash value etc.) to not be modifiable by analysts, while the owner and status fields should be editable.

    Please refer to the attached screenshots for more clarity.


    Regards,
    Sajin MB

    ------------------------------
    Sajin MB

    ------------------------------


  • 2.  RE: Incident Details Page Edit option

    Posted Tue April 02, 2019 11:11 AM
    Edited by Brenden Glynn Tue April 02, 2019 11:12 AM
    Hello Sajin,

    This is currently not a feature in Resilient, creating "Read Only" Fields. The way Permissions work in Resilient is that you can Restrict the edit-ability to User/Owner as those are high impact Fields. Whereas, the majority of the time Analysts/Users will be interacting with the Alert and Investigation data (Incident Fields).

    There are some cases where Level 1 Analysts/Monitoring Analysts are to just make determinations on the information present, not to update that information, which sounds like your case. The Resilient Ideas (RFEs) listed below, should they be implemented, will support your need.

    Please review and vote for the existing Idea for this request here: 

    Read Only Tabs/Fields: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-402
    Read Only Data Tables: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-131

    In the interim, if you would like to restrict User edit of some Fields while allowing them to edit others (Member, Owner), you can:

    Place any Fields you do not want Users to be able to edit in the Incident Summary Layout. This will allow Users to review the information but not edit it (as there is no "Edit" feature of the Summary Layout).



    Now this will be visually unappealing for any Fields with large amounts of data (Text Areas, ex: "Description"). And you will not be able to place Data Tables in the Summary Layout (as they will not fit).

    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------



  • 3.  RE: Incident Details Page Edit option

    Posted Wed April 03, 2019 02:29 AM
    Hi  @Brenden Glynn,

    Thanks a lot for your suggestions.
    I have already voted for this RFE. As you said, showing read-only fields in the Summary section may not be appealing.


    ------------------------------
    Sajin MB
    ------------------------------



  • 4.  RE: Incident Details Page Edit option

    Posted Wed April 03, 2019 03:40 PM

    Another idea you may want to consider in the meantime:
    * Place the read-only fields on their own tab
    * Prevent editing those fields via script using `helper.fail("Do not change fields on XYZ tab")`

    It's not ideal, and certainly adding RBAC operations at the field level would probably meet your needs in a better way, but seems like another approach that you might decide is okay for you.



    ------------------------------
    Marty James
    ------------------------------



  • 5.  RE: Incident Details Page Edit option

    Posted Thu April 04, 2019 07:58 AM
    @Marty James    
    Thanks. Can you explain in detail?
    How can we prevent the field editing by using a script? Can you give me a sample script, please?

    ------------------------------
    Sajin MB
    ------------------------------



  • 6.  RE: Incident Details Page Edit option

    Posted Thu April 04, 2019 11:25 AM
    So, suppose your field is named "Don't Edit"...

    Create a rule that gets triggered on:

    Incident Field: Don't Edit is changed

    Then the activity for that rule is to run a script that prevents the save from happening:

    `helper.fail("Don't Edit field is not editable")`

    This might be a surprise for your end users, which is why I suggested combining it with some other treatment, e.g. putting these fields on a different tab; or maybe just updating the field prompt to read "My Field (Not editable)"

    It's certainly not ideal, but might be a usable workaround

    ------------------------------
    Marty James
    ------------------------------



  • 7.  RE: Incident Details Page Edit option

    Posted Thu April 04, 2019 02:53 PM
    Edited by Marty James Thu April 04, 2019 02:53 PM
    I should point out that this example will result in that rule always running... you'll need to call that `helper` method conditionally to allow API access to change that field. Conditioning on the api-user to allow it through seems like a good idea.

    Or you could update the conditions under which the rule is run, I suppose...

    Marty

    ------------------------------
    Marty James
    ------------------------------
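
    The conditional guard described in posts 6 and 7, as an added example that is not part of the original thread and not IBM's code. Only `helper.fail` comes from the thread; the `Principal` and `Helper` stand-ins, the `principal.name` attribute and the allowlisted account name are assumptions so the logic can run outside the platform.

```python
from collections import namedtuple

# Stand-in for the object describing who is saving the change (assumed shape).
Principal = namedtuple("Principal", ["name"])


class SaveRejected(Exception):
    """Raised by the stand-in helper.fail() to abort the save."""


class Helper(object):
    """Stand-in for the platform's script helper; only fail() is modelled."""

    def fail(self, message):
        raise SaveRejected(message)


# Constructed allowlist: integration accounts that may still update the field.
API_ACCOUNTS = frozenset(["integration-svc@example.com"])


def guard_protected_field(principal, helper, field_label, allowed=API_ACCOUNTS):
    """Body of the rule script: reject the save unless an allowlisted
    API account made the change. A missing or empty name fails closed."""
    actor = (getattr(principal, "name", None) or "").strip().lower()
    if actor not in allowed:
        helper.fail("%s is not editable (changed by %s)"
                    % (field_label, actor or "unknown"))


def try_save(principal, field_label="Don't Edit"):
    """Simulate the platform running the rule when the field changes."""
    try:
        guard_protected_field(principal, Helper(), field_label)
    except SaveRejected as exc:
        return ("blocked", str(exc))
    return ("saved", None)


if __name__ == "__main__":
    print(try_save(Principal("analyst1@example.com")))         # analyst edit
    print(try_save(Principal("Integration-SVC@example.com")))  # API account
    print(try_save(Principal("")))                             # no identity
```

    In the product, only the body of `guard_protected_field` would go into the rule's script; the names of the objects the platform provides there should be checked against the scripting documentation for your version.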



  • 8.  RE: Incident Details Page Edit option

    Posted Tue July 27, 2021 02:32 PM
    Hi Brenden,

    I found your response to Sajin from April 2019, but suspect that things may have changed with Resilient since that time.  Can you advise whether read-only access is still not an option, say for a client?

    Kind regards,
    Chris

    ------------------------------
    CHRISTOPHER Erdmann
    ------------------------------



  • 9.  RE: Incident Details Page Edit option

    Posted Wed July 28, 2021 04:05 AM
    Hi Chris,

    We have an idea (https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-97) that Product Management is tracking. You may want to vote/comment on it to receive updates on its status.

    ------------------------------
    BEN WILLIAMS
    ------------------------------