IBM QRadar SOAR

Request for Assistance: Ownership Assignment Management in QRadar & SOAR

    Posted 10 hours ago

    Hello IBM SOAR Community,

    I am writing to inquire about a specific functionality need within the IBM QRadar SOAR platform and to propose it as a potential feature enhancement for a future release.

    Use Case and Requirement:

    In our organization, we have a requirement to prevent analysts from performing bulk assignments of incidents to themselves or other users from the incident list view. We want to enforce a process where each incident is reviewed individually before an owner is assigned. This helps ensure proper incident triage and prevents accidental mass-assignment of incidents that an analyst may not have the capacity to handle.

    Currently, if a user has the permission to change the owner of an incident, they can select multiple incidents in the list view and use the "Assign to -> Me" or "Assign to -> Select owner" option to change the owner for all selected incidents at once.

    Our goal is to disable this bulk assignment capability while still allowing a user to change the owner of a single incident from within the incident's details page.

    Current Limitations:

    Based on my review of the current permissions in IBM QRadar SOAR, it appears that the permission to change an incident's owner is a general permission that applies to both single and bulk operations. I have not found a way to granularly control this and disable only the bulk assignment feature in the incident list view. The only workaround I see at the moment is to completely revoke the permission to change the owner, which is not our desired outcome as it would hinder the intended workflow for single incident assignment.

    Proposed Solution/Feature Request:

    It would be highly beneficial to have a more granular permission setting that separates the ability to assign a single incident from the ability to perform bulk assignments. This could be implemented in a few ways:

    • A new, specific permission in the role settings, such as "Allow bulk incident assignment," that could be enabled or disabled for each role.

    • A UI customization option to hide or disable the "Assign to" button in the incident list view when multiple incidents are selected.

    Question to the Community:

    1. Has anyone else encountered a similar need and found a viable workaround to prevent bulk incident assignment without completely removing the assignment permission?

    2. Is there a non-obvious configuration, custom script, or playbook logic that could be used to intercept and block such bulk actions?

    We believe that adding this granular control over incident assignment would be a valuable enhancement to the IBM QRadar SOAR platform, providing better control over incident management processes for many organizations.

    Thank you for your time and any insights you can provide.

    Best regards,

    Dominik Siekierski
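One compensating control worth considering while the permission model stays as described above is detective rather than preventive: a list-view bulk assign shows up as one actor setting the same owner on many incidents within a few seconds, while a single reassignment from the details page does not. The script below, added here as an example and not code from the original post or from IBM, scans ownership-change events for that pattern and reports bursts for review or reversal. The event records are constructed for illustration and are not the SOAR audit-log format; the window and threshold are assumed tuning values.

```python
"""Detect bulk owner assignments from a stream of ownership-change events.

Added example, not code from the original post or from IBM. The event
records are constructed for illustration and are NOT the SOAR audit-log
format; map your real export into the same four fields before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, incident_id, new_owner).
# alice and carol each perform a list-view style bulk assign; bob performs
# two unrelated single reassignments far apart in time.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", 1001, "alice"),
    ("2024-05-01T09:00:01", "alice", 1002, "alice"),
    ("2024-05-01T09:00:01", "alice", 1003, "alice"),
    ("2024-05-01T09:00:02", "alice", 1004, "alice"),
    ("2024-05-01T09:00:02", "alice", 1005, "alice"),
    ("2024-05-01T09:30:00", "bob", 1006, "carol"),
    ("2024-05-01T10:15:00", "bob", 1007, "bob"),
    ("2024-05-01T11:00:00", "carol", 1008, "dave"),
    ("2024-05-01T11:00:00", "carol", 1009, "dave"),
    ("2024-05-01T11:00:01", "carol", 1010, "dave"),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a parsed timestamp."""
    ts, actor, incident_id, new_owner = raw
    return {
        "ts": datetime.fromisoformat(ts),
        "actor": actor,
        "incident_id": incident_id,
        "new_owner": new_owner,
    }


def find_bulk_assignments(events, window=timedelta(seconds=10), threshold=3):
    """Return bursts of bulk assignment.

    A burst is one actor setting the same new owner on at least `threshold`
    distinct incidents, with every change inside `window` of the first
    change in the burst. Both values are assumed tuning parameters.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["actor"], e["new_owner"])].append(e)

    bursts = []
    for (actor, owner), evs in by_key.items():
        start = 0
        while start < len(evs):
            # Extend the burst while events stay within the window of its first event.
            end = start
            while end + 1 < len(evs) and evs[end + 1]["ts"] - evs[start]["ts"] <= window:
                end += 1
            ids = sorted({e["incident_id"] for e in evs[start:end + 1]})
            if len(ids) >= threshold:
                bursts.append({
                    "actor": actor,
                    "new_owner": owner,
                    "incident_ids": ids,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
            start = end + 1
    return bursts


def incident_ids_to_review(bursts):
    """Flatten the detected bursts into the set of incident IDs to re-triage."""
    return sorted({i for b in bursts for i in b["incident_ids"]})


if __name__ == "__main__":
    found = find_bulk_assignments([parse_event(r) for r in SAMPLE_EVENTS])
    for b in found:
        print(f"{b['actor']} assigned {len(b['incident_ids'])} incidents to "
              f"{b['new_owner']} between {b['first']} and {b['last']}: {b['incident_ids']}")
    print("review:", incident_ids_to_review(found))
```

The follow-up action (revert the owner to unassigned, notify the analyst, or open a task) is a policy decision; the detector only tells you which incidents were assigned as a batch so the single-incident review the post asks for can still happen after the fact.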