IBM Security QRadar SOAR

  • 1.  Get Input From Task

    Posted 5 days ago

    Hello community
    I created a playbook to create workflows for the SOC team. I have set up tasks in the playbook for each appropriate person. I want to get input from the user processing a task and use it in a condition point to decide the next task to run. Initially, I thought I could use the task layout to edit the incident field and then use that field for the condition point, but to enter a value for that field, I had to edit the task layout and enter a value for the field. After I edit it and click on the Save button it doesn't work. I have found out that only Task Permissions such as Edit Task Header can perform the above action. Is there any way to handle the problem of getting input from the user to use for condition points?



    ------------------------------
    Dũng Đặng
    ------------------------------


  • 2.  RE: Get Input From Task

    Posted 5 days ago

    Hi Dung Dang -

    The user can enter the field value that you would use in a condition point later in the playbook. The user can enter that value either in a field that you have placed on the task or by entering the value elsewhere in the incident view (e.g. on the Details Tab), wherever you have placed the field.

    Here is an example playbook with conditions. The first condition checks that the user has actually entered the value in the task "Select Email Classification" by checking to see if the Select Field has a value. If there isn't a value then the playbook loops back to that task forcing the user to make a classification decision before the playbook moves forward. After the user enters the Email Classification the playbook moves to the next condition which follows a path based on the classification value.  I am showing First True in this example but you could also use a Multi-Select field and use an Any True condition to allow multiple paths to execute.

    Hope this helps. Let me know how it goes.

    Ken



    ------------------------------
    ken ching
    ------------------------------
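
Added example, not part of the thread or of IBM's product code: a plain-Python model of the two condition points described in the reply above (the has-a-value check that loops back to the task, then First True versus Any True routing). The classification values and path names are constructed, and treating an unmatched value as a loop-back is an assumption.

```python
# Model of the playbook logic only; it calls no IBM SOAR API.
LOOP_BACK = "Select Email Classification"  # task name taken from the post

# Ordered (condition, next path) pairs for the second condition point.
# Classification values and path names are constructed for this example.
ROUTES = [
    (lambda values: "Phishing" in values, "Phishing response tasks"),
    (lambda values: "Malware" in values, "Malware response tasks"),
    (lambda values: "Spam" in values, "Close as spam"),
]


def next_paths(selected, mode="first_true"):
    """Return the list of paths the playbook would follow.

    selected: None, a string (Select field) or a list (Multi-Select field).
    mode: "first_true" follows only the first matching route;
          "any_true" follows every matching route.
    """
    if mode not in ("first_true", "any_true"):
        raise ValueError("mode must be 'first_true' or 'any_true'")

    # Normalise the field value to a list of non-empty strings.
    if selected is None:
        values = []
    elif isinstance(selected, str):
        values = [selected] if selected.strip() else []
    else:
        values = [v for v in selected if v]

    # First condition point: no value entered, so return to the task.
    if not values:
        return [LOOP_BACK]

    matches = [path for condition, path in ROUTES if condition(values)]
    if not matches:
        # Assumption: an unknown value is treated like a missing one
        # instead of letting the playbook continue without a decision.
        return [LOOP_BACK]

    # Second condition point: one path or all matching paths.
    return matches[:1] if mode == "first_true" else matches
```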



  • 3.  RE: Get Input From Task

    Posted 5 days ago

    Hi Ken Ching,

    Thanks for the quick reply.

    With input on the Details tab, the user must edit, and I want users to enter input from tasks, not through the incident interface. Does IBM SOAR have a way to clearly divide user input through each task?



    ------------------------------
    Dũng Đặng
    ------------------------------



  • 4.  RE: Get Input From Task

    Posted 5 days ago

    Hi Dung Dang -

    Can you discuss in more detail what you mean by "clearly divide user input through each task" and in your original post "click on the Save button it doesn't work"?

    What isn't working exactly? 

    It appears you already know how to edit a task to place a field in the task which should allow users to input from the task such as in the attached picture.



    ------------------------------
    ken ching
    ------------------------------



  • 5.  RE: Get Input From Task

    Posted 4 days ago

    Guessing a little bit here, but if what you need help with is how to limit access to specific Tasks on an incident, here are some ideas on how to accomplish this.

    1. Create an Incident type Playbook or Rule that runs whenever the incident type is created, or for all incident types or is run manually by the Incident Owner when he/she wants to bring specific SOC members into the incident. Have the Playbook or Rule run a script that adds the user or group to the incident (I believe an entity has to be on an incident to be added to a task but admittedly have not tested extensively):
    # Add the SOC group to the incident's member list
    newmember = 'SOC-1stLevel'
    incident.members = list(incident.members) + [newmember]

    2. Create an Auto Task type Playbook or Rule that runs whenever a Task is created that assigns ownership, membership and other properties to the task. There is a dependency I believe on the owners/members being added to the incident. You can have one script for all Tasks but assign different properties based on Task Name with the IF block:

    from datetime import datetime, timedelta

    # Due date one hour after the task is created
    hour_from_now = datetime.now() + timedelta(hours=1)

    # Assign owner, members and due date based on the task name
    if task.name == "DEMO: Select Email Classification":
        task.owner_id = 'SOC-1stLevel'
        task.members = 'SOC-1stLevel'
        task.due_date = hour_from_now

    Some testing is needed to determine any flow-through access to the Task. I'm pretty sure the Incident Owner has access to all Tasks on the Incident for example.

    Let me know if this helps or provide some clarification on what problem you are looking to address.

    Good luck!

    Ken



    ------------------------------
    ken ching
    ------------------------------



  • 6.  RE: Get Input From Task

    Posted 3 days ago

    Hi ken ching,

    This is exactly what I was planning on doing. My goal is to create a process to handle an incident using playbook tasks, I will assign members corresponding to the tasks created when the incident occurs. I want each member to decide what to do by editing the value fields in "Layout Task" and depending on the input, the next tasks will be given to other members. I'm having a problem that I can't use the "Save" button to save the input value. If this approach is not correct, is there another way to achieve the original goal of "creating a process to handle an incident using playbook tasks?"



    ------------------------------
    Dũng Đặng
    ------------------------------



  • 7.  RE: Get Input From Task

    Posted 3 days ago

    It is a good approach. The operator will place the task in Edit mode, then select values in the Incident Fields, click Save, then click Complete and Close.

    You are getting an error when they click Save? Guessing that is a permissions issue.



    ------------------------------
    ken ching
    ------------------------------