Managing SOAR Platform groups

It is often useful to have groups of predefined users so that they can easily be added to incidents together. For example, you might have different teams who are added to an incident based on the incident type, location, or privacy breach component. You can create groups from the Groups tab.

To create a new group.
  1. From the Groups tab, click Create Group.
  2. Enter a name for the group.
  3. If you want to allow this group to own incidents, check the Allow Incident Ownership box.
  4. If you want the group that you are creating to be the default group for incidents that do not have an assigned owner, check the Default Incident Owner box.
  5. If you want to allow this group to be assigned tasks, check the Allow Task Ownership box.
  6. In the Global Role section, assign global roles to the group that you are creating, if needed.
  7. Add users to the group by searching for and selecting them from the Search: Users box under the Members section.
  8. In the Workspace section, assign any workspace roles to the group, as needed.
  9. When you finish, click Create.

You can modify an existing group by selecting it in the list, making your modifications and saving. You can also add users to existing groups from the Users tab.

The Default Incident Owner group is used by the SOAR Platform as the default owner of incidents that do not have an assigned owner during incident creation. This group is used to assign incidents that are created by apps or external scripts when the incident owner is not specified during incident creation.

You can choose another group as the default group by selecting Default Incident Owner when creating or editing the group. Only one group can be the default group. When you choose a default group, do not select a group that contains LDAP groups.

If you have LDAP enabled in the Organization tab, you can link a group to an LDAP group. For more information, see LDAP authentication for SOAR.