Incident management team

Members of the incident management team can hold a number of different roles.

You can be assigned one of various roles as a member of the incident management team. For example, an observer role can view incident data but not change it, while an incident creator role can enter and manage incidents. You can be granted access to all incidents or only to specific incidents. Your system administrator defines your role and provides your authentication credentials, so the permissions you see in the interface reflect what that administrator has granted, not what the team as a whole can do.

When you first log in, the Activity Dashboard shows a news feed of up-to-the-minute updates for the incidents of which you are a member. It also lists the tasks that are due within the next 7 days.

The following sections describe some of the actions that a team member can take.

Completing assigned tasks

A task is an instruction to carry out a specific action. Which tasks appear, and when, is determined by your response team's playbooks.

When you finish a task, mark it as completed so that the response plan can continue to the next set of tasks. You might also be able to add explanatory notes and relevant attachments to the task; doing so keeps the record of what was done, and why, with the incident rather than in a separate channel.

You can take the following actions on tasks:
  • You might be able to complete the instruction from the task screen by selecting an action from a menu. For example, you might be able to send the incident to a ticketing system.
  • You can view tasks that are due soon from the Activity Dashboard.
  • You can view all tasks that are assigned to you from Dashboard > My Tasks in the menu bar.
  • You can view the tasks that are assigned to a specific incident by clicking Incidents in the menu bar then selecting an incident.

Observing incidents and generating reports

If your role is to observe and report, you typically need to list incidents, view the data for specific incidents, and generate reports. You also need the Analytics Dashboard.

To view all incidents, click Incidents in the menu bar. Click an incident name to view the details of that incident. Each incident organizes data by various tabs, such as Tasks, Details, Notes, and Artifacts. On the Tasks page, you can see the current phase of the incident, which phases and tasks are completed and which still need to be done. Your playbook designer defines and customizes these tabs. Some tabs might be conditional and appear only when one or more given conditions occur.

You can generate a report on a single incident or multiple incidents by using a standard template or your own template. The template determines which information to include. You can save the report as an Excel spreadsheet or in a printable format, such as PDF.

The Analytics Dashboard displays charts and graphs for viewing statistical information. You can use a number of pre-defined widgets for various types of information, such as open tasks by owner, open incidents by severity, and incidents over time by type. You can also create your own widgets. You access this dashboard from Dashboard > Analytics Dashboard in the menu bar.

If you have the SOAR for MSSPs add-on, you can use the global dashboard to view and analyze incident data from all of the child organizations.

Creating an incident

The SOAR Platform can be integrated with other security systems so that an incident is generated automatically when a specific event occurs in one of those systems.

You can also create an incident manually. The SOAR Platform provides an incident wizard that guides you through entering the incident details and reviewing the recommended actions based on those specifics. It can also help you put together an incident response team. Your organization's playbook designer creates and customizes this wizard.

Managing an incident

How you manage an incident depends on your role, the nature of the incident, and the playbook in place. If you are an incident owner or a member, you might be able to add and assign tasks, and create custom tasks.

As the incident progresses, you might need to add or update incident details, notes, attachments, artifacts, and more, which you can do by editing the appropriate tabs in the incident.

You might also need to update information in data tables, which can appear in the various tabs of an incident. If the SOAR Platform is integrated with other security systems, you might be able to start an action in that system directly from a row of the data table. For example, when the platform is integrated with BigFix and you determine that a file listed in the data table must be deleted, you can select, from that row, the BigFix action that deletes the file from all computers. Because such actions change endpoints directly, check the scope of the action (which file, which computers) before you run it.

If you manage incidents that involve Personal Information or Personal Data, enter the information in the Breach or Incident Breach Information tab to determine any potential notification obligations. The SOAR Platform maintains a database of breach notification statutes, regulations, trade organization bulletins, and guidance documents, including penalties where applicable. Using the database, the platform can provide a summary of the reporting and notification requirements, automatically generate tasks, and update the incident.

Depending on your team's availability, you might need to reassign incidents and tasks. You can reassign them from the Members tab of an incident or task.

Automatically triaging email

The SOAR Platform can automatically process emails, such as messages received from a phishing threat service or user-reported phishing mailbox.

Playbook designers can design playbooks that process these emails and either generate new incidents from them or add them to existing incidents. The processed messages appear in the incident's Email tab.

Some emails might need to be manually processed. You can find those emails by clicking Inbox in the menu bar. You can then manually create or update an incident based on the information in the email.
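The create-or-update decision that such a playbook makes can be illustrated with a small triage routine. The following is an added example, not code from the SOAR Platform or from any of its playbooks: it parses a constructed phishing report with the Python standard library, extracts artifacts (sender address, URLs in the body, SHA-256 hashes of attachments), and then either attaches the report to an open incident that already shares one of those artifacts or opens a new incident. The incident store is a plain list of dicts standing in for the platform's incident records; the message contents, addresses and the `.invalid` domain are all constructed for the example.

```python
"""Triage a reported phishing email into a new or an existing incident.

Added example, not SOAR Platform code. The incident store is a hypothetical
list of dicts; the sample messages below are constructed, not real reports.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample: a forwarded lure with a URL in the body and a small
# HTML attachment (base64 of "<html></html>").
SAMPLE_EML = b"""\
From: "Payroll" <payroll@example.net>
To: reports@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your payslip is ready. Sign in at http://payroll-example.invalid/login
to view it.
--b1
Content-Type: application/octet-stream; name="payslip.html"
Content-Disposition: attachment; filename="payslip.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

# Constructed sample that shares no artifact with the one above.
UNRELATED_EML = b"""\
From: helpdesk@example.com
To: reports@example.org
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Reset your password at http://reset-example.invalid/ before Friday.
"""


def parse_report(raw: bytes) -> dict:
    """Extract the artifacts a playbook would record from a reported email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, hashes = set(), set()
    for part in msg.walk():
        if part.is_attachment():
            # Hash the decoded attachment so the same file matches regardless of name.
            hashes.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "sender": parseaddr(str(msg.get("From", "")))[1],
        "subject": str(msg.get("Subject", "")),
        "urls": sorted(urls),
        "attachment_hashes": sorted(hashes),
    }


def triage(report: dict, incidents: list) -> tuple:
    """Add the report to an open incident sharing an artifact, else create one.

    Returns ("update", incident) or ("create", incident). Artifacts are
    (type, value) pairs so that a URL and a hash never collide.
    """
    artifacts = {("email", report["sender"])}
    artifacts |= {("url", u) for u in report["urls"]}
    artifacts |= {("sha256", h) for h in report["attachment_hashes"]}
    for inc in incidents:
        if inc["status"] == "open" and artifacts & set(inc["artifacts"]):
            inc["artifacts"] = sorted(set(inc["artifacts"]) | artifacts)
            inc["emails"].append(report["subject"])
            return "update", inc
    new = {
        "id": max((i["id"] for i in incidents), default=0) + 1,
        "status": "open",
        "name": "Phishing: " + report["subject"],
        "artifacts": sorted(artifacts),
        "emails": [report["subject"]],
    }
    incidents.append(new)
    return "create", new


def demo() -> list:
    """Run three reports through triage: the lure, the lure again, an unrelated one."""
    incidents: list = []
    lure = parse_report(SAMPLE_EML)
    triage(lure, incidents)                      # creates incident 1
    triage(lure, incidents)                      # same campaign: update incident 1
    triage(parse_report(UNRELATED_EML), incidents)  # no shared artifact: incident 2
    return incidents


if __name__ == "__main__":
    for inc in demo():
        print(inc["id"], inc["name"], len(inc["emails"]), "email(s)", inc["artifacts"])
```

Matching on any shared artifact is deliberately broad: a second report of the same lure from a different sender still lands on the existing incident because the URL or attachment hash matches. In a real playbook you would tune which artifact types count as a match (a shared benign sender domain, for instance, should not merge unrelated reports) and close out incidents so that stale ones stop attracting new email.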

Communicating with wikis

The team can create wikis to add and share important information, guidelines, and reference material.

Wikis can be part of the incident response process because they serve as a central repository for content, references, and guidelines that support the users who work on incidents and tasks. Users can link to existing wiki pages from incident and task notes and from other wiki pages.

More information on incident management

The User Guide describes all of the incident response team features in detail, and more.

The User Guide is available under Incident management team.

If you are using the SOAR for MSSPs add-on, refer also to the SOAR for MSSPs User Guide for all the MSSP-specific incident response team features. The guide is available in SOAR for MSSPs.