IBM Security QRadar SOAR

  • 1.  Incident Assignment Notification

    Posted Fri May 24, 2024 03:48 AM

    When an offense is sent from SIEM to SOAR and an incident is created, I want to send an email to the concerned user informing them that the incident has been assigned to them. Is there any way or workaround to achieve this?

    Ahmad Hassan Tariq

  • 2.  RE: Incident Assignment Notification

    Posted Sat May 25, 2024 02:20 AM
    Edited by karan kisnani Sat May 25, 2024 02:23 AM

    To achieve this, you need to configure the "Outbound Email App" in your SOAR platform. Once configured, you can utilize prebuilt playbooks from the application to send emails to users. Additionally, you can customize these playbooks to meet your specific needs. For instance, you can hardcode a particular email ID or set up automatic triggers based on specific incident types. This way, an email notification can be sent automatically whenever a new incident is created.

    Another option is to assign the incident to an existing SOAR user from the incident details tab. When an incident is assigned this way, the user will receive a notificatio

    karan kisnani

  • 3.  RE: Incident Assignment Notification

    Posted Tue May 28, 2024 06:38 AM

    If you go to administrator settings -> notifications you should see different notification templates. There is an "Assigned Incident" template (screenshot below); make sure it's enabled and that all users have it enabled in My settings -> notifications. You can check if the notifications work by assigning an incident to yourself and seeing if you get an email.

    When incidents are created, how are they assigned to users? If they aren't and it says default group, then you need to make a rule that would assign them to someone.

    Maria Czapkowska

  • 4.  RE: Incident Assignment Notification

    Posted Wed May 29, 2024 05:24 AM

    Hello Maria,  

    Thank you for the information provided earlier; it indeed proved to be a prompt solution.

    Nevertheless, in a scenario like this, if an incident is generated in SOAR for a specific user and their user ID is recorded as their email ID as an artifact, it is worth considering whether it is feasible to send an email notification to the user regarding the incident that has taken place under their name.




    SOC Team