IBM Security QRadar SOAR


Use conditional tab/section to better organize incident layouts

  • 1.  Use conditional tab/section to better organize incident layouts

    Posted Mon February 25, 2019 10:21 AM
    Sometimes Resilient customers need to create many custom data tables, and the layouts of an incident could become quite messy. If some of the tables only apply to certain types of incidents, it make sense to hide/show those data tables based on certain condition. A good example here is the QRadar Advisor integrations. Some of the data tables included in the package only apply to incidents escalated from QRadar offenses. Thus it makes sense to show these data table only when an incident is associated with a QRadar offense. This post shows you how to do that.

    First of all, you need to figure out what condition to use. For QRadar integration, there is a custom field called qradar_id. It contains the QRadar offense id, if an incident is associated with an offense. This is the condition we are going to use here.

    There are two similar approaches here. The first one is to put those data tables in a conditional tab. The second one is to add them into a conditional section.

    To add a conditional tab is straightforward. Go to Customization Settings, and click Incident Tabs -> Add a Tab.

    Select Conditional, and then click Add Condition. Find qradar_id and select "has a value". Click Add.
    Now a conditional tab has been created. You can drag the data tables into this tab. This tab will be visible only when qradar_id is set (for example, the Resilient plugin for QRadar sets qradar_id to the offense id when it escalates an offense). 

    The second approach is to use a conditional section within a tab. Again, go to Customization Settings, and from Incident Tabs select the tab in which you want to show the data tables. Scroll down to the bottom of the page and select Section from Blocks. Drag it into the tab. Once the section is added to the tab, click the following to edit its settings:

    Click Add Condition, and select the following:

    Now this section only appears in the Tab when qradar_id has a value. Drag data tables into this section.

    A similar idea works even without an app like the Resilient QRadar plugin. For example, an automatic rule can be added to respond to the creation of a new incident. You can then add logic in this rule to set a custom boolean field conditionally. Then the custom boolean field can be used to control whether to show the conditional tab/section.

    ------------------------------
    Yongjian Feng
    ------------------------------
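The following is an added example, not code from the original post or from the Resilient/QRadar integration. It shows the decision logic behind the rule-driven approach described in the post: a script attached to an automatic rule on incident creation decides whether the QRadar-specific tables are wanted and sets a custom boolean field that the conditional tab or section is keyed on. The custom boolean `show_qradar_tables` and the incident type id `1001` are hypothetical names chosen for illustration; `qradar_id` is the field the post relies on. Resilient scripts read and write custom fields through `incident.properties.<api_name>`, and `apply_flag` uses that attribute access so it can be reused inside a rule script; the `make_incident` stand-in only exists so the logic runs and can be tested outside the platform.

```python
"""Decide whether an incident should display the QRadar-specific data tables
and record the decision in a custom boolean field (added example, not the
original post's code)."""
from types import SimpleNamespace

# Hypothetical API name of the custom boolean field that the conditional
# tab/section is configured to test ("show_qradar_tables has a value").
FLAG_FIELD = "show_qradar_tables"

# Constructed example: incident type ids that should also get the tables even
# when no offense is attached. Type ids are org-specific; 1001 is made up.
TYPES_WANTING_QRADAR_TABLES = {1001}


def has_value(value):
    """Mirror the layout editor's 'has a value' test: None and blank strings
    count as unset, anything else (including 0) counts as set."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip() != ""
    return True


def wants_qradar_tables(qradar_id, incident_type_ids=()):
    """True when the incident is tied to a QRadar offense (qradar_id set, as the
    QRadar plugin does on escalation) or belongs to a type that wants the tables."""
    if has_value(qradar_id):
        return True
    return bool(TYPES_WANTING_QRADAR_TABLES.intersection(incident_type_ids or ()))


def apply_flag(incident):
    """Body of the automatic rule's script.

    Sets the custom boolean to True when the tables are wanted and clears it
    (None) otherwise. Clearing matters: a boolean set to False still satisfies
    a 'has a value' condition, so the tab would show for every incident.
    Returns the value written so the caller can check it.
    """
    wanted = wants_qradar_tables(incident.properties.qradar_id,
                                 incident.incident_type_ids)
    value = True if wanted else None
    setattr(incident.properties, FLAG_FIELD, value)
    return value


def make_incident(qradar_id=None, incident_type_ids=()):
    """Constructed stand-in for the `incident` object a rule script receives.
    This is not the Resilient API; it only mimics the attribute access used above."""
    return SimpleNamespace(
        incident_type_ids=list(incident_type_ids),
        properties=SimpleNamespace(qradar_id=qradar_id, show_qradar_tables=None),
    )


if __name__ == "__main__":
    samples = [
        make_incident(qradar_id=12345),            # escalated from an offense
        make_incident(),                           # manual incident, no offense
        make_incident(qradar_id=""),               # plugin ran but wrote a blank id
        make_incident(incident_type_ids=[1001]),   # type that wants the tables
    ]
    for inc in samples:
        print(repr(inc.properties.qradar_id), inc.incident_type_ids,
              "->", apply_flag(inc))
```

Two practical notes. First, an automatic rule on incident creation only fires for incidents created after the rule exists, so incidents that already existed keep the field unset and the tab hidden until something else populates it. Second, if the layout editor offers an explicit true/false condition for your boolean field, keying the tab on "is true" is more robust than "has a value", because then a script that writes False by mistake does not reveal the tab.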


  • 2.  RE: Use conditional tab/section to better organize incident layouts

    Posted Fri March 22, 2019 04:37 AM
    Thanks mate, great to know that there are two options available.
    A condition based on a tab or on a section is very flexible.

    ------------------------------
    PABLO ROBERTO GARCIA
    ------------------------------