IBM Security QRadar SOAR

  • 1.  Incident Assignment Notification

    Posted 20 days ago

    When an offense is sent from SIEM to SOAR and an incident is created, I want to send an email to the concerned user informing them that the incident has been assigned to them. Is there any way or workaround to achieve this?



    ------------------------------
    Ahmad Hassan Tariq
    ------------------------------


  • 2.  RE: Incident Assignment Notification

    Posted 19 days ago
    Edited by karan kisnani 19 days ago

    To achieve this, you need to configure the "Outbound Email App" in your SOAR platform. Once configured, you can utilize prebuilt playbooks from the application to send emails to users. Additionally, you can customize these playbooks to meet your specific needs. For instance, you can hardcode a particular email ID or set up automatic triggers based on specific incident types. This way, an email notification can be sent automatically whenever a new incident is created.

    Another option is to assign the incident to an existing SOAR user from the incident details tab. When an incident is assigned this way, the user will receive a notificatio



    ------------------------------
    karan kisnani
    ------------------------------



  • 3.  RE: Incident Assignment Notification

    Posted 15 days ago

    If you go to administrator settings -> notifications, you should see different notification templates. There is an "Assigned Incident" template (screenshot below); make sure it's enabled and that all users have them enabled in My settings -> notifications. You can check if the notifications work by assigning an incident to yourself and seeing if you get an email.

    When incidents are created, how are they assigned to users? If they aren't and it says default group, then you need to make a rule that would assign them to someone.



    ------------------------------
    Maria Czapkowska
    ------------------------------



  • 4.  RE: Incident Assignment Notification

    Posted 14 days ago

    Hello Maria,  

    Thank you for the information provided earlier, it indeed proved to be a prompt solution.

    Nevertheless, in a scenario like this, if an incident is generated in SOAR for a specific user and their user ID is recorded as their email ID as an artifact, it is worth considering whether it is feasible to send an email notification to the user regarding the incident that has taken place under their name.

    --------------------

    SOC

    --------------------



    ------------------------------
    SOC Team
    ------------------------------
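
For the case raised in the last post (notifying the user whose email address is stored as an artifact), the recipient comes from offense data and should be validated before any mail is sent. The following is an added example, not code from this thread or from IBM: it only selects and validates recipients and builds the message, and the artifact type name "Email Recipient", the dictionary layout, the allowed domain and the sender address are all assumptions.

```python
import re
from email.message import EmailMessage

# Assumptions (not from the thread): allowed recipient domains, sender address,
# and the artifact "type"/"value" keys used in the constructed incident below.
ALLOWED_DOMAINS = {"example.com"}
SENDER = "soar-notify@example.com"
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def notification_recipients(incident):
    """Return validated, de-duplicated recipient addresses from email artifacts."""
    seen, out = set(), []
    for art in incident.get("artifacts", []):
        if art.get("type") != "Email Recipient":
            continue
        value = art.get("value", "").strip().lower()
        m = ADDR_RE.fullmatch(value)
        # Reject malformed values (including embedded CR/LF) and external domains:
        # artifact values come from offense data and are not trusted.
        if m and m.group(1) in ALLOWED_DOMAINS and value not in seen:
            seen.add(value)
            out.append(value)
    return out

def build_notifications(incident):
    """Build one EmailMessage per validated recipient; nothing is sent here."""
    messages = []
    for rcpt in notification_recipients(incident):
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        # Subject uses only the incident id, never free text from the offense.
        msg["Subject"] = f"Security incident {int(incident['id'])} involves your account"
        msg.set_content(
            f"Incident {int(incident['id'])} was opened in SOAR and references your user ID.\n"
            "Contact the SOC through your usual channel for details."
        )
        messages.append(msg)
    return messages

# Constructed sample incident (not real data).
SAMPLE = {"id": 2101, "artifacts": [
    {"type": "Email Recipient", "value": "Alice@example.com"},
    {"type": "Email Recipient", "value": "alice@example.com"},
    {"type": "Email Recipient", "value": "bob@example.com\r\nBcc: x@evil.test"},
    {"type": "Email Recipient", "value": "mallory@external.test"},
    {"type": "IP Address", "value": "192.0.2.10"},
]}
```

The same checks (domain allowlist, no control characters, one message per recipient) apply whichever mechanism finally sends the mail.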