Original Message:
Sent: Mon July 03, 2023 07:23 PM
From: Nick Mumaw
Subject: Linking Child Incident to Parent Incident automatically
I am still thinking about how what you are talking about could be achieved. The trouble is that if I did this in a field you would have to have a new field for every task and every time it was moved. Then the next option would be a data table, but that might be complicated to do a calculation automatically for task tracking by team.
The other things that I am working on adding are pushing a task to a child incident and syncing the notes from the child back to the parent. I have a few things I am working on, so I don't have a timeline currently.
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Mon July 03, 2023 12:57 PM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
The one I was asking about is the below requirement, which you agreed to build in a future update of the app.
It really helps if you can consider it in your further release:
Parent Incident(Team A, and members of TeamA )
Child Incident (Team B and members of Team B),
Child Incident (Team C and members of Team C),
Child Incident (Team D and members of Team D), considering more teams which comes as more child incidents as escalating from Parent Incident...
Escalation from Team A to Team B:
While escalating from Parent Incident to Child Incident, the timer/clock in Parent Incident should be stopped because the Team A member is waiting for Team B member to complete the tasks on Child Incident.
Escalation from Team B to Team A:
While a Team B member is working on the Child Incident, he might require some additional information/inputs from Team A, so he should be able to send the request back to Team A; now the timer at the specific task should be stopped, as the Team B member is waiting for input from Team A.
So communication between the Parent and multiple Child Incidents should be vice versa/bi-directional.
If we are able to get the overall time spent by each Team member to complete each task and the overall Incident to show it in a report, it will be really helpful as a feature.
After you suggested the query_builder.equals() method last week, I tried it and it was working, but thanks again for the detailed post.
------------------------------
SOAR Engineer
Original Message:
Sent: Mon July 03, 2023 12:04 PM
From: Nick Mumaw
Subject: Linking Child Incident to Parent Incident automatically
I have no intentions of adding the first one as that is unique and specific to your use case and can be accomplished within the platform itself. As for the other one, it is something I will consider, but I also see the merits in being able to connect this to something previously thought to be closed and can be done within the platform as well. Below is how I would recommend doing what you mentioned.
Idea 1:
This will check to see if whatever you are wanting to compare already exists in a parent incident, meaning the first query_builder line is what you want to look for and the second and third lines verify it is already a parent incident and an active incident. Of course, if you don't care whether it is already a parent or not, feel free to remove those lines, and add as many lines as you want to the first section of the query builder below to get specific with your search. Keep in mind that to automate this you will need to set your playbook condition to fire whenever the value(s) you are searching for change, to verify it doesn't now relate.

```python
# Specify your search in the line(s) below.
query_builder.equals(fields.incident.description, incident.description)
# The lines below will need to exist to ensure you get an already established parent that is active.
query_builder.equals(fields.incident.properties.relations_level, 'Parent')
query_builder.equals(fields.incident.plan_status, 'A')
query = query_builder.build()
incidents = helper.findIncidents(query)
if len(incidents) == 0:
    helper.fail('No Available Parent Incidents')
elif len(incidents) >= 2:
    helper.fail('Too Many Parent Incidents Found, Please Refine Search.')
else:
    input.relations_parent_incident_id = incidents[0]['id']
    input.relations_child_incident_id = incident.id
```
Idea 2:
This will just check if the incident you are trying to associate it to is in a closed state. This one assumes the user provided the parent incident ID in the playbook input form, but you could reference the one above if you want this to be in a more automated fashion.
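```python
# Look up the parent incident by the ID supplied in the playbook input form.
query_builder.equals(fields.incident.id, playbook.inputs.relations_parent_incident)
query = query_builder.build()
incidents = helper.findIncidents(query)
if len(incidents) == 0:
    # Guard: the supplied ID matched no incident, so incidents[0] would raise.
    helper.fail('Parent Incident Not Found.')
elif incidents[0]['plan_status'] == 'C':
    # 'C' is the closed state; refuse to link to a closed parent.
    helper.fail('Parent Incident is Closed.')
else:
    input.relations_parent_incident_id = playbook.inputs.relations_parent_incident
    input.relations_child_incident_id = incident.id
```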
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Sat July 01, 2023 02:07 PM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Hi @Nick Mumaw,
Is there any update, or when can we expect the updated Function Relations app for the above requirement?
Thanks in advance.
------------------------------
SOAR Engineer
Original Message:
Sent: Fri June 16, 2023 10:58 AM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Hi Nick Mumaw,
Thanks for the suggestion, I will definitely try.
It really helps if you can consider it in your further release:
Parent Incident(Team A, and members of TeamA )
Child Incident (Team B and members of Team B),
Child Incident (Team C and members of Team C),
Child Incident (Team D and members of Team D), considering more teams which comes as more child incidents as escalating from Parent Incident...
Escalation from Team A to Team B:
While escalating from Parent Incident to Child Incident, the timer/clock in Parent Incident should be stopped because the Team A member is waiting for Team B member to complete the tasks on Child Incident.
Escalation from Team B to Team A:
While a Team B member is working on the Child Incident, he might require some additional information/inputs from Team A, so he should be able to send the request back to Team A; now the timer at the specific task should be stopped, as the Team B member is waiting for input from Team A.
So communication between the Parent and multiple Child Incidents should be vice versa/bi-directional.
If we are able to get the overall time spent by each Team member to complete each task and the overall Incident to show it in a report, it will be really helpful as a feature.
Thanks in advance.
------------------------------
SOAR Engineer
Original Message:
Sent: Thu June 15, 2023 03:15 PM
From: Nick Mumaw
Subject: Linking Child Incident to Parent Incident automatically
As for the schema, I am not sure how to do that off the top of my head, however, you can do reports off of this in a couple of ways. For individual reporting you can just add the Tab where the Timers Widget is to your report.
If you want to track across multiple incidents, we would want to use the analytics dashboard to create an Average report. To do that, add a new widget and select `Custom Incident Widget`. From here we would want to select how to display the information (I suggest either a Pie, Bar, or Column graph) then adding the Time Tracker to the bottom Fields section and the field you are comparing (such as owner) to the top Fields section. From there you can edit the Time Tracker view to specify which field you are tracking (such as Phase) and the time unit you want to use. Not sure if this gives the exact view you want, but that is how I would start to get the view I am looking for. Of course you can switch my recommendation with whatever fields you are turning on tracking for.
As for your other question about sending tasks from the parent to the children, I had never thought about that before. I have some enhancements that I plan on making like syncing artifacts between the child and the parent, but I am looking into the ability to push tasks to a child as well. Thanks for the idea!
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Thu June 15, 2023 09:35 AM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Hi Nick Mumaw,
Thanks for the inputs and prompt response.
We are looking to track the time spent on each task by the team members of Team A/Team B and the overall time taken to complete all tasks within the incident, to generate a report.
I think the timer widget is the one you are suggesting; can we show the data which is available with the timer widget as a report?
The timer widget is built out of a view from the postgres DB; is there a way to see the timer widget view schema?
Please suggest.
------------------------------
SOAR Engineer
Original Message:
Sent: Wed June 14, 2023 04:40 PM
From: Nick Mumaw
Subject: Linking Child Incident to Parent Incident automatically
Hey SOAR Engineer,
Currently the integration allows for the communication between incidents in the way of syncing notes, updating the parent when the status or name changes on the incident, or even closing incidents. As for communicating between and allowing incidents to share workflows, that is not possible even within the platform. If you are just looking at how to track information like How long Team A was working on something vs how long Team B was working on something that can be done outside of the integration if you are changing who is assigned to the incident or the workspace the incident is assigned to. You would just need to turn on the Track Change Times on the Workspace field or if using Owner it is already turned on and you can track the amount of time each person is assigned by checking your stats page under timers.
Hope this helps, or if I have not understood your question feel free to correct.
Thanks!
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Wed June 14, 2023 02:10 PM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Hi Richard/Team,
In IBM SOAR, is intercommunication possible between Parent - Child incidents?
For Example: Consider two teams Team A, Team B
Step 1: Team A in Parent Incident executing Task1, on completing the task1 need to create a New Child Incident to Team B.
Step 2: Now Team B is executing Child incident tasks, in between is it possible to navigate back to Parent Incident and complete some tasks and come back to Child incident…? and vice versa …
Is it possible to get the total time spent by Team A and Team B independently.
Please suggest, is this capability available/achievable ..
------------------------------
SOAR Engineer
Original Message:
Sent: Tue June 06, 2023 03:23 PM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Hi Richard,
I was able to achieve by using workflow.addProperty() method,
In Post-Processing script of Example: SOAR Utilities Create Incident:
props = {"parnt_inc_id": results.content['id']}
workflow.addProperty('parentOutput', props)
In Pre-Processing script of Relations:Assign Parent Workflow:
inputs.relations_child_incident_id = workflow.properties.parentOutput.parnt_inc_id
inputs.relations_parent_incident_id = incident.id
Once again thanks Richard.
------------------------------
SOAR Engineer
Original Message:
Sent: Tue June 06, 2023 08:30 AM
From: Richard Swierk
Subject: Linking Child Incident to Parent Incident automatically
playbook
------------------------------
Richard Swierk
Original Message:
Sent: Mon June 05, 2023 09:34 PM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Thanks Richard,
You are right it's Incident Relations app.
It's a manual app where we need to enter the Parent incident ID manually to map it to the Child incident.
Looking for a workflow where we can link/relate the Parent and Child incident automatically.
Is it possible to enable operational logs for workflows? Meaning, I want to print the logs from the pre/post processing scripts of workflows to client.log.
Can we share data between two different workflows? Meaning, from the Workflow A pre/post processing script to the Workflow B pre/post processing script.
Unfortunately we need to go with the workflow approach.
Can you please share the playbook? Hope it is not attached.
------------------------------
SOAR Engineer
Original Message:
Sent: Mon June 05, 2023 10:17 AM
From: Richard Swierk
Subject: Linking Child Incident to Parent Incident automatically
Here is a playbook I just created for your problem. This is a manual incident playbook that will create a child incident from a parent incident and then link the child incident to the parent incident.
------------------------------
Richard Swierk
Original Message:
Sent: Fri June 02, 2023 10:55 AM
From: SOAR Engineer
Subject: Linking Child Incident to Parent Incident automatically
Hi,
- I have created a Child incident from the Parent Incident using the SOAR Utilities Create Incident workflow -> Child Incident got created
- Now I want to relate/link the Child Incident with the Parent Incident automatically, using the Relations:Assign Parent Workflow of the fn_relations app.
Please suggest.
------------------------------
SOAR Engineer