IBM Security QRadar SOAR

Hi Team,

In IBM SOAR is it possible to create a task (part of incident --> Parent ) as new incident?

The newly created incident needs to mapped as child incident to the parent incident from where the new child incident got created.

Please let me know the steps to achieve the same.

Hi,

Although there isn't a straightforward method within the user interface (UI) to accomplish this, you have the option to utilize the application, SOAR Function Utilities for SOAR. By employing the Create Incident function from the SOAR Utilities, you can generate a child Incident from an existing parent Incident. Simply provide the necessary basic details as function inputs for the incident creation process. Upon successful creation, a URL will be provided, which can be saved as a note. For further guidance, please consult the accompanying documentation.

Hi Team,

In IBM SOAR is it possible to create a task (part of incident --> Parent ) as new incident?

The newly created incident needs to mapped as child incident to the parent incident from where the new child incident got created.

Please let me know the steps to achieve the same.

Hi Calvin,

Thanks for your response.

1. When particular task is completed we need to create a new incident(Child) from the existing incident (Parent), mapping between parent and child, also we need to assign specific tasks to the new child incident created.
2. Once the tasks are completed by the analyst/engineer (in child incident) the tasks in the parent incident should continue.
3. Now we are in parent incident, the analyst again he may assign tasks back to analyst in the child incident based on the investigation.

Please suggest how can we achieve this .

Hi,

Although there isn't a straightforward method within the user interface (UI) to accomplish this, you have the option to utilize the application, SOAR Function Utilities for SOAR. By employing the Create Incident function from the SOAR Utilities, you can generate a child Incident from an existing parent Incident. Simply provide the necessary basic details as function inputs for the incident creation process. Upon successful creation, a URL will be provided, which can be saved as a note. For further guidance, please consult the accompanying documentation.

Hi Team,

In IBM SOAR is it possible to create a task (part of incident --> Parent ) as new incident?

The newly created incident needs to mapped as child incident to the parent incident from where the new child incident got created.

Please let me know the steps to achieve the same.

Hi,

As mentioned before, you could create a playbook for the above mentioned requirements, using the SOAR Function Utilities for SOAR. I have created a sample playbook to do the same.

Notice activation set to Automatic and condition is set to trigger playbook on task close.






Notice the input field can be used to send information from the parent incident to the child incident. You are not just restricted to incident information, you can also send any task related information too. To know more about the input format, see end of message.

Output:




After closing task 1:



Note: parent description imported to child incident. You are not just restrected to description, you can specify most incident properties while its being created from the parent incident.


Note: Link to child incident in parent notes. You are not just restricted to the URL. A lot more details regarding the child incident created is returned. This can be accessed in the post-processing script of the playbook. Instead of notes, you could even create a data-table and add all incident related information to it.

Tasks can also be created in a similar fashion using the IBM SOAR Task Helper Functions application.

You can find details regarding the Incident datatype using the SOAR REST API reference section, built into QRadar Soar. 

- To know more about the properties that can be specified while creating a incident, navigate to SOAR REST API Refernce -> JSON -> FullIncidentDataDTO

- To know more about task related properties. navigate to SOAR REST API Refernce -> JSON -> FullTaskDataDTO

Hi Calvin,

Thanks for your response.

1. When particular task is completed we need to create a new incident(Child) from the existing incident (Parent), mapping between parent and child, also we need to assign specific tasks to the new child incident created.
2. Once the tasks are completed by the analyst/engineer (in child incident) the tasks in the parent incident should continue.
3. Now we are in parent incident, the analyst again he may assign tasks back to analyst in the child incident based on the investigation.

Please suggest how can we achieve this .

Hi,

Although there isn't a straightforward method within the user interface (UI) to accomplish this, you have the option to utilize the application, SOAR Function Utilities for SOAR. By employing the Create Incident function from the SOAR Utilities, you can generate a child Incident from an existing parent Incident. Simply provide the necessary basic details as function inputs for the incident creation process. Upon successful creation, a URL will be provided, which can be saved as a note. For further guidance, please consult the accompanying documentation.

Hi Team,

In IBM SOAR is it possible to create a task (part of incident --> Parent ) as new incident?

The newly created incident needs to mapped as child incident to the parent incident from where the new child incident got created.

Please let me know the steps to achieve the same.