IBM Security QRadar SOAR

Hi,
I created a simple dashboard with a Customize Incident Widget to show the average time spent in each phase.
To configure the widget, I put "Time Tracker" in "Fields"  and then to configure the time tracker I used  Field-->Phase, Operation-->Sum and Calculation-->Average.
When the graph is displayed, it shows the average time for each phase.  What I am curious about is the time spent in the phase called "Complete".  There is no task in this phase.  How is the time spent in this phase calculated?
When it is displayed in the graph, it can be filtered out by clicking on it.  Is it possible to filter it out permanently?  without the user having to filter it out every time it is displayed?

thanks

------------------------------
Pierre Dufresne
------------------------------

The phase an incident is in is controlled by which tasks are visible and open at any given time and whether they're mandatory or not.

For example, if you have a mandatory task still open in a 'Mitigation' phase then your ticket will be in the 'Mitigation' phase. Once you close that mandatory task, the workflow will 'drop through' to the next mandatory task. If that task is in the 'Eradication' phase (say) then ticket will move to the 'Eradication' phase.

That doesn't apply to optional tasks - if you still have optional tasks open in the 'Mitigation' phase, the ticket will (generally, given the workflow) drop through to the phase of the next mandatory task that's visible.

(That's one of the tricky things about Mandatory/Optional - it's not that the task has to be completed if it's set mandatory, it's that the phase _cannot_ be closed until all the visible mandatory tasks in that phase are closed).

So, in this case, you'll be in the 'Complete' phase whenever there's no mandatory tasks open and visible. For example, if you're now in 'Eradication', have closed the mandatory task but still have open optional tasks, the ticket will "drop through" 'Eradication' to the 'Complete' phase. If, during the workflow, new mandatory tasks appear, the ticket can end up going backwards from 'Complete' to a prior phase. I've found there's some quite subtle interactions between the tasks, phases, workflows and the setting of mandatory/optional if you like your phases to happen in the right order...

In terms of the graph, you should be able to add a search filter to the widget which says 'Phase [does not have one of] "Complete"' to hide it entirely.

------------------------------
J V
------------------------------

Original Message:
Sent: Tue October 25, 2022 01:25 PM
From: Pierre Dufresne
Subject: Time spent in "Complete" phase

Hi,
I created a simple dashboard with a Customize Incident Widget to show the average time spent in each phase.
To configure the widget, I put "Time Tracker" in "Fields"  and then to configure the time tracker I used  Field-->Phase, Operation-->Sum and Calculation-->Average.
When the graph is displayed, it shows the average time for each phase.  What I am curious about is the time spent in the phase called "Complete".  There is no task in this phase.  How is the time spent in this phase calculated?
When it is displayed in the graph, it can be filtered out by clicking on it.  Is it possible to filter it out permanently?  without the user having to filter it out every time it is displayed?

thanks

------------------------------
Pierre Dufresne
------------------------------