IBM QRadar SOAR

  • 1.  Analytics Dashboard - Open Incidents By Phase

    Posted Fri February 04, 2022 07:26 AM

    I have a doubt about this widget.

    I have a workflow that goes like this


    In the incidents list, each incident shows the correct phase and status.

    However, in the dashboard, in the "open incidents by phase", all values are zero.

    Is it the expected behavior? I was expecting to have the same information I have in the incident list.

    I am using SOAR 42.2.41

    TIA

    Leo



    ------------------------------
    Leonardo Kenji Shikida
    ------------------------------


  • 2.  RE: Analytics Dashboard - Open Incidents By Phase

    Posted Mon February 07, 2022 04:52 AM
    Hi Leo,

    That wouldn't be expected. I'm assuming you have the same filter settings applied to the analytics dashboard as you have to the incident list?
    Some of the OOTB widgets come with built-in 30-day time ranges; not sure if this one does, but would that explain it too?

    ------------------------------
    Martin Feeney
    Product Manager, IBM Security SOAR
    martin.feeney@ie.ibm.com
    Ireland
    ------------------------------



  • 3.  RE: Analytics Dashboard - Open Incidents By Phase

    Posted Tue February 08, 2022 04:18 AM
    Hello Leo,

    Due to the revised layout in 42, we faced similar issues when switching from 41 to 42. The remedy was to go over the filters again: global dashboard filter vs. widget filter vs. incident board filter.

    Best
    Robert

    ------------------------------
    Robert Doerge
    ------------------------------



  • 4.  RE: Analytics Dashboard - Open Incidents By Phase

    Posted Tue February 08, 2022 07:11 AM
    Hi Robert

    I've removed all filters from the dashboard and it still shows only zeroes for all incidents x phases.

    The widget itself ("Open Incidents by Phase") does not have any parameter customization available.

    However, the "Phase" pie chart widget and the "Time in Phase by Incident Type" widgets are showing the correct data.

    My feeling is that the "Open Incidents by Phase" treats the phase info in a different way, which is, IMO, just broken.

    ------------------------------
    Leonardo Kenji Shikida
    ------------------------------



  • 5.  RE: Analytics Dashboard - Open Incidents By Phase

    Posted Thu February 10, 2022 09:24 AM
    Hello Leo,

    After some revision, I had something different in mind.

    You're referring to the default "open incidents by phase" widget, which cannot be adjusted. We have the same "error".

    It does, however, trigger when you adjust the default field, e.g. "was personal information or personal data involved", to yes -> in the breach section I do see a new case then. (I searched for similarities among the few cases which actually do show up out of all test cases; they all have "breach" in common.)

    Meaning this widget only works with certain default fields (stays true in v43).

    Hope this helps.

    Best
    Robert

    ------------------------------
    Robert Doerge
    ------------------------------



  • 6.  RE: Analytics Dashboard - Open Incidents By Phase

    Posted Thu February 10, 2022 10:16 AM
    Hi Robert

    This is a very interesting insight. If I can make it work just by enabling some attribute in the incident, it just solves my problem.

    I'll do some experimentation down here.

    Thanks!

    ------------------------------
    Leonardo Kenji Shikida
    ------------------------------