IBM Security QRadar SOAR

Hello,

I have an issue and try to understand this is by design or this is a bug.
The Resilient has a lot of Regulation tasks enabled by default. Those tasks don't need to me and I manually disable all the tasks.
When I'm installed a new update - all Regulation tasks enabled again.
For me personally this is very inconvenience because they appear in my playbooks.
This is an issue or not?

------------------------------
Alexey Fedorov
------------------------------

Hey Alexey, 

we unfortunately have the same issue with this built-in feature.
Our solution was to shift all regulatory tasks into the phase obsolete and deactivate them by hand. This is an reoccurring task for any major release roll-out.
Luckily, the staged configs always contain the setting.

We have yet not identified all possibilities when these are triggered as the rules behind are hidden.

Best
Robert

------------------------------
Robert Doerge
------------------------------

Original Message:
Sent: Mon July 18, 2022 08:51 AM
From: Alexey Fedorov
Subject: Regulatory tasks

Hello,

I have an issue and try to understand this is by design or this is a bug.
The Resilient has a lot of Regulation tasks enabled by default. Those tasks don't need to me and I manually disable all the tasks.
When I'm installed a new update - all Regulation tasks enabled again.
For me personally this is very inconvenience because they appear in my playbooks.
This is an issue or not?

------------------------------
Alexey Fedorov
------------------------------

Hello Robert,

This is not works for me. It's very strange that Resilient has no feature to automatically disable default tasks. Sometimes I spend a lot of time twice a day to disable Regulatory tasks.

------------------------------
Alexey Fedorov
------------------------------

Original Message:
Sent: Tue July 19, 2022 03:28 AM
From: Robert Doerge
Subject: Regulatory tasks

Hey Alexey, 

we unfortunately have the same issue with this built-in feature.
Our solution was to shift all regulatory tasks into the phase obsolete and deactivate them by hand. This is an reoccurring task for any major release roll-out.
Luckily, the staged configs always contain the setting.

We have yet not identified all possibilities when these are triggered as the rules behind are hidden.

Best
Robert

------------------------------
Robert Doerge

Original Message:
Sent: Mon July 18, 2022 08:51 AM
From: Alexey Fedorov
Subject: Regulatory tasks

Hello,

I have an issue and try to understand this is by design or this is a bug.
The Resilient has a lot of Regulation tasks enabled by default. Those tasks don't need to me and I manually disable all the tasks.
When I'm installed a new update - all Regulation tasks enabled again.
For me personally this is very inconvenience because they appear in my playbooks.
This is an issue or not?

------------------------------
Alexey Fedorov
------------------------------

@Alexey Fedorov and @Robert Doerge can you please tell me why are you are each disabling the Regulatory (Privacy) Tasks​​?

The Regulatory Tasks will only appear on an Incident if both of the following are true:
- The Privacy Field Was personal information or personal data involved? in the New Incident Wizard and or the Breach Tab in the Incident is answered Unknown or Yes
- The follow on Privacy Fields in the New Incident Wizard and or the Incident Breach Tab are filled out

Regulatory Tasks are filtered out of the Phases & Tasks page in Customization Settings by default to reduce the number of Tasks shown and improve the page load time.

Regulatory Tasks are not shown in the Playbook Builder in the Task selector.

Regulatory Tasks are maintained and updated by IBM on each new update/fix release. The only time the content of the Tasks will not be up updated is if they are Disabled or modified in any way in that Organization, and they are then considered to be "Overridden". It's possible that on upgrade that the Regulatory Tasks will be Re-Enabled.

The only Regulatory Task that will always appear by default in an Incident is Investigate Exposure of Personal Information/Data if the Privacy Field Was personal information or personal data involved? is left to the default value of Unknown or if it is changed to Yes. This (and only this) Regulatory Task could be Disabled in the Phases & Tasks section of the Customization Settings if you choose to never care about the Field value.

My suggestion is not to modify the Regulatory Tasks in any way, to leave them as is.

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient
------------------------------

Original Message:
Sent: Mon July 18, 2022 08:51 AM
From: Alexey Fedorov
Subject: Regulatory tasks

Hello,

I have an issue and try to understand this is by design or this is a bug.
The Resilient has a lot of Regulation tasks enabled by default. Those tasks don't need to me and I manually disable all the tasks.
When I'm installed a new update - all Regulation tasks enabled again.
For me personally this is very inconvenience because they appear in my playbooks.
This is an issue or not?

------------------------------
Alexey Fedorov
------------------------------

Hello Brenden,

Thank you for the detailed answer. First of all I don't know about the privacy field Was personal information or personal data involved? and now I set the field to No for all my templates.

My issue is disabled regulatory tasks marked as Overriden are enabled again even without software update. This is happens when a new incident created by API or through script processing inbound email.


------------------------------
Alexey Fedorov
------------------------------

Original Message:
Sent: Wed July 27, 2022 03:31 PM
From: Brenden Glynn
Subject: Regulatory tasks

@Alexey Fedorov and @Robert Doerge can you please tell me why are you are each disabling the Regulatory (Privacy) Tasks​​?

The Regulatory Tasks will only appear on an Incident if both of the following are true:
- The Privacy Field Was personal information or personal data involved? in the New Incident Wizard and or the Breach Tab in the Incident is answered Unknown or Yes
- The follow on Privacy Fields in the New Incident Wizard and or the Incident Breach Tab are filled out

Regulatory Tasks are filtered out of the Phases & Tasks page in Customization Settings by default to reduce the number of Tasks shown and improve the page load time.

Regulatory Tasks are not shown in the Playbook Builder in the Task selector.

Regulatory Tasks are maintained and updated by IBM on each new update/fix release. The only time the content of the Tasks will not be up updated is if they are Disabled or modified in any way in that Organization, and they are then considered to be "Overridden". It's possible that on upgrade that the Regulatory Tasks will be Re-Enabled.

The only Regulatory Task that will always appear by default in an Incident is Investigate Exposure of Personal Information/Data if the Privacy Field Was personal information or personal data involved? is left to the default value of Unknown or if it is changed to Yes. This (and only this) Regulatory Task could be Disabled in the Phases & Tasks section of the Customization Settings if you choose to never care about the Field value.

My suggestion is not to modify the Regulatory Tasks in any way, to leave them as is.

------------------------------
Brenden Glynn
CISSP, GCIH
Incident Response Business Consultant
IBM Resilient

Original Message:
Sent: Mon July 18, 2022 08:51 AM
From: Alexey Fedorov
Subject: Regulatory tasks

Hello,

I have an issue and try to understand this is by design or this is a bug.
The Resilient has a lot of Regulation tasks enabled by default. Those tasks don't need to me and I manually disable all the tasks.
When I'm installed a new update - all Regulation tasks enabled again.
For me personally this is very inconvenience because they appear in my playbooks.
This is an issue or not?

------------------------------
Alexey Fedorov
------------------------------