IBM Security QRadar SOAR

  • 1.  IBM Resilient Escalation Rules

    Posted Mon January 23, 2023 07:08 AM
    I have a question. I currently have IBM Resilient SOAR version 43 deployed in a production environment. As you know, the offense tickets are sent to the designated team to resolve. The question at hand is: is there any mechanism in Resilient such that, if the concerned team does not close the ticket directed at them for, say, 10 days, we escalate the offense ticket by email to their respective manager or group head?

    ------------------------------
    Usman Saeed Raja
    ------------------------------


  • 2.  RE: IBM Resilient Escalation Rules

    Posted Mon January 23, 2023 09:37 AM
    Hi,
    You could create a task in your incident and mark it with a "due date". Then go to "Administration Settings" and Notifications. There you can create a new notification on the object type "Task" and give it a condition "Due date" is "Past by" the number of days you need. This will send a notification or an email to whomever you need.

    You could also install the "Timer function for SOAR"  and create a workflow or playbook calling the function followed by whatever task needs to be done when the delay parameter in the function is expired.

    HTH

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 3.  RE: IBM Resilient Escalation Rules

    Posted Fri January 27, 2023 01:28 AM

    Hi Pierre,

    Thank you for the response.

    Kindly assist in the following.

    We have around 10-12 different teams working in the organization, like Network, Automation, IT Support, System, etc.
    The customer requires that an escalation rule exist in which all the different team groups are given a ticket to close. Each ticket's response time is based on severity level, and the ticket is then emailed directly to their manager in case of no response.

    Scenario 1:

    A ticket is created for the IT Support team with severity 5, with a time period of 5 days for a response or closure. If they do not respond, then on the 6th day the ticket is escalated to their manager or higher upper management.

    Scenario 2:

    A ticket is created for the Automation team with severity 1, with a time period of 1 day or a few hours for a response or closure. If they do not respond, then the next minute the ticket is escalated to their manager or higher upper management.

    Looking forward to your response.



    ------------------------------
    Usman Saeed Raja
    ------------------------------



  • 4.  RE: IBM Resilient Escalation Rules

    Posted Mon January 30, 2023 10:11 AM
    Hi Usman,
    Please note I am just trying to help. I am no SOAR expert, just a user like you.
    Here is my suggestion, which is not guaranteed to work:

    First, I would install the app "Timer Function for SOAR".
    When an incident is created, you could launch an automatic playbook which would start with a call to the timer function. To set the function's parameters, use the script method. In the script you could set the parameter (time to wait) based on the group to which it is assigned and the severity.
    To send emails, you could install the app "fn_outbound_email". Also use the script method to specify the parameters.

    One more point: there should be a condition point before calling the fn_outbound_email app to check whether the incident is already closed (`incident.plan_status == 'C'`). Otherwise, an email will always be sent after the delay you have specified. This is because a playbook is not cancelled when an incident is closed by another playbook. Depending on the SOAR version you are using, this could also be achieved using the "automatic cancellation" feature for playbooks.

    Hope this helps


    ------------------------------
    Pierre Dufresne
    ------------------------------
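The escalation logic described in the two replies above (pick a timer delay from the owning team and severity, then after the timer fires send the manager an email only if the incident is still open), as an added stand-alone example that is not from the thread, from IBM, or from the Timer Function / fn_outbound_email apps. The field names `plan_status` and `severity_code` follow the thread and SOAR's incident object; the severity-to-window table, the `owner_team` field, the manager addresses and the `run_scenarios()` helper are constructed for illustration. In a real playbook the pre-timer script would compute the delay and the post-timer condition would apply the `plan_status` check before the email function runs.

```python
"""Escalation decision logic modelled on the thread (added example, not IBM code).

Two decisions are separated on purpose: the wait time is chosen once, when the
incident is created; whether to escalate is decided again when the timer fires,
because the incident may have been closed in the meantime.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: how long each severity is given before escalation.
# Severity 1 is the most urgent ("1 day or a few hours" in Scenario 2),
# severity 5 gets the 5 days from Scenario 1.
ESCALATION_WINDOWS = {
    1: timedelta(hours=4),
    2: timedelta(hours=12),
    3: timedelta(days=1),
    4: timedelta(days=3),
    5: timedelta(days=5),
}

# Constructed: escalation recipient per team, with a fallback for unknown teams.
TEAM_MANAGERS = {
    "IT Support": "it-support-manager@example.com",
    "Automation": "automation-lead@example.com",
    "Network": "network-manager@example.com",
}
FALLBACK_RECIPIENT = "soc-manager@example.com"


@dataclass
class Incident:
    id: int
    owner_team: str          # constructed field: team the ticket was assigned to
    severity_code: int       # 1 (highest) .. 5 (lowest)
    plan_status: str         # 'A' = active, 'C' = closed, as used in the thread
    create_date: datetime


def escalation_delay(incident: Incident) -> timedelta:
    """Wait time for the timer step, chosen from the incident's severity."""
    if incident.severity_code not in ESCALATION_WINDOWS:
        raise ValueError(f"no escalation window for severity {incident.severity_code}")
    return ESCALATION_WINDOWS[incident.severity_code]


def should_escalate(incident: Incident, now: datetime) -> bool:
    """Post-timer condition: escalate only if still open and the window has passed.

    The plan_status check is the guard the thread calls out; without it the
    email step runs after every delay even when the ticket was closed.
    """
    if incident.plan_status == "C":
        return False
    return now >= incident.create_date + escalation_delay(incident)


def escalation_email(incident: Incident, now: datetime):
    """Return (recipient, subject) for the email step, or None if nothing is due."""
    if not should_escalate(incident, now):
        return None
    recipient = TEAM_MANAGERS.get(incident.owner_team, FALLBACK_RECIPIENT)
    subject = (f"[Escalation] Incident {incident.id} severity {incident.severity_code} "
               f"unresolved by {incident.owner_team}")
    return recipient, subject


def run_scenarios() -> dict:
    """Replay the two scenarios from the thread plus a closed ticket; returns plain values."""
    t0 = datetime(2023, 1, 1, 9, 0)
    scenario1 = Incident(1001, "IT Support", 5, "A", t0)
    scenario2 = Incident(1002, "Automation", 1, "A", t0)
    closed = Incident(1003, "Network", 1, "C", t0)
    return {
        "s1_delay_days": escalation_delay(scenario1).days,
        "s1_day5_escalates": should_escalate(scenario1, t0 + timedelta(days=4)),
        "s1_day6_escalates": should_escalate(scenario1, t0 + timedelta(days=5)),
        "s1_recipient": escalation_email(scenario1, t0 + timedelta(days=5))[0],
        "s2_escalates_after_1h": should_escalate(scenario2, t0 + timedelta(hours=1)),
        "s2_escalates_after_4h": should_escalate(scenario2, t0 + timedelta(hours=4)),
        "closed_never_escalates": escalation_email(closed, t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The `closed_never_escalates` entry is the case the fourth reply warns about: a 30-day-old closed incident still produces no email because `plan_status` is checked when the timer fires, not when the playbook started.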



  • 5.  RE: IBM Resilient Escalation Rules

    Posted Tue January 31, 2023 04:42 AM
    How can we engage an IBM Specialist on Community?

    ------------------------------
    Usman Saeed Raja
    ------------------------------