Background: Currently the attribute of Mandatory on a Task only governs the change of Phase in an Incident. For Phases to transition to the next, all Mandatory Tasks in that Phase must first be complete. Optional Tasks are not evaluated for Phase change.
Why: Tasks (detailed response actions and results!) that are prescribed by SOP/TTPs should be followed to completion as outlined. Tasks in a Playbook are a description of actions/resources for the user. When completed, they are an indication of work performed and a historical reference. As such, they are auditable and can be used as an indication of the effectiveness of response, for lessons learned/tuning activities.
How: The last Phase in every Incident is Complete. This is a system Phase that is not exposed or editable in Phases & Tasks. An Incident only ever reaches the Complete Phase when all Mandatory Tasks are complete! So the method shown below checks that the Incident is in the Complete Phase before it allows a user to Close an Incident, thus enforcing Mandatory Task Closure.
Method: An Incident Rule is triggered when a user attempts to change the Incident (Status Field) to Closed, which runs an Incident Script that evaluates the current Phase, and checks to see if the Incident is in the Complete Phase. If not, it throws an error to the User, informing them of their attempted premature Incident Closure.
Let me know what you think. This could be modified to allow for Conditionally Mandatory Tasks. For example on Incident Type, Group Member, Severity, etc. Any Incident Field Value!
Next I will post a Rule/Script Combo that allows a user to mark Mandatory Tasks as Optional/Not Applicable (use these two Mod Cons together wisely)!
Script:
# Runs from an Incident Rule on Status -> Closed. In a Resilient script,
# incident.phase_id resolves to the phase name, so compare it to the
# hidden system phase "Complete"; helper.fail() aborts the change and
# shows the message to the user.
if incident.phase_id != 'Complete':
    helper.fail("You must complete all Mandatory Tasks before closing the Incident.")
Screenshots: Incident Rule
------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient
------------------------------
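The following is an added, stand-alone model of the behaviour the post relies on, written for this discussion and not code from the post or from the Resilient product. It does not call the Resilient API: `Incident`, `Task` and `ScriptError` are stand-ins for the script objects and for `helper.fail()`, the phase and task data are constructed for the demonstration, and the `required_when` predicate is an assumed way to express the "Conditionally Mandatory Task" idea (here keyed on Severity). It shows the two rules working together: a phase only advances when its mandatory tasks are complete, and the close guard only passes once the Incident has reached the system Complete phase.

```python
"""Offline model of the Mandatory Task close guard (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, List, Optional

COMPLETE_PHASE = "Complete"   # hidden system phase at the end of every Incident


class ScriptError(Exception):
    """Stands in for helper.fail(): the change is rejected and the user sees the message."""


@dataclass
class Task:
    name: str
    phase: str
    required: bool = True                 # Resilient's Mandatory flag
    status: str = "O"                     # "O" open, "C" closed
    # Assumed extension: when set, the task is Mandatory only if this
    # predicate is true for the incident (e.g. Severity == High).
    required_when: Optional[Callable[[Incident], bool]] = None


@dataclass
class Incident:
    phases: List[str]                     # ordered; last entry is the system Complete phase
    tasks: List[Task]
    phase_id: str
    severity: str = "Low"
    plan_status: str = "A"                # "A" active, "C" closed


def is_mandatory(task: Task, incident: Incident) -> bool:
    if task.required_when is not None:
        return task.required_when(incident)
    return task.required


def open_mandatory_tasks(incident: Incident, phase: str) -> List[str]:
    """Names of mandatory tasks in `phase` that are not yet complete (optional tasks are ignored)."""
    return [t.name for t in incident.tasks
            if t.phase == phase and t.status != "C" and is_mandatory(t, incident)]


def complete_task(incident: Incident, name: str) -> None:
    for t in incident.tasks:
        if t.name == name:
            t.status = "C"
            return
    raise KeyError(name)


def advance_phase(incident: Incident) -> str:
    """Phase change: only allowed when the current phase has no open mandatory tasks."""
    blocking = open_mandatory_tasks(incident, incident.phase_id)
    if blocking:
        raise ScriptError(f"Cannot leave phase '{incident.phase_id}': open mandatory tasks {blocking}")
    idx = incident.phases.index(incident.phase_id)
    if idx == len(incident.phases) - 1:
        raise ScriptError("Incident is already in the Complete phase")
    incident.phase_id = incident.phases[idx + 1]
    return incident.phase_id


def close_incident(incident: Incident) -> str:
    """The post's Rule/Script: refuse Status=Closed unless the Incident is in the Complete phase."""
    if incident.phase_id != COMPLETE_PHASE:
        raise ScriptError("You must complete all Mandatory Tasks before closing the Incident.")
    incident.plan_status = "C"
    return incident.plan_status


def sample_incident() -> Incident:
    """Constructed Incident: two user phases plus the system Complete phase."""
    return Incident(
        phases=["Detect", "Respond", COMPLETE_PHASE],
        tasks=[
            Task("Identify affected hosts", "Detect"),
            Task("Collect memory image", "Detect", required=False),
            Task("Notify legal", "Respond", required_when=lambda i: i.severity == "High"),
            Task("Contain endpoints", "Respond"),
        ],
        phase_id="Detect",
    )


if __name__ == "__main__":
    inc = sample_incident()
    try:
        close_incident(inc)                      # premature close is rejected
    except ScriptError as e:
        print("Rejected:", e)
    complete_task(inc, "Identify affected hosts")
    print("Now in phase:", advance_phase(inc))   # optional memory image did not block it
    inc.severity = "High"
    print("Blocking Respond:", open_mandatory_tasks(inc, "Respond"))
    complete_task(inc, "Notify legal")
    complete_task(inc, "Contain endpoints")
    print("Now in phase:", advance_phase(inc))
    print("Closed, status:", close_incident(inc))
```

Walking the incident through the phases shows why the post's one-line check is sufficient: because the product itself refuses a phase change while mandatory tasks are open, "phase is Complete" is equivalent to "every mandatory task has been completed", and the close guard never has to enumerate tasks itself.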