Configure phases and tasks

Use the Phases & Tasks tab to define each stage of the incident response and the tasks that are associated with each stage.

The SOAR Platform defines distinct stages, called phases, for all incidents. Phases are useful for tracking progress. Each phase contains a number of tasks to complete before the incident can proceed to the next phase. Use the Phases & Tasks tab to define and order the phases, and define and order the tasks in each phase.

Managing and reordering phases

Phases are listed in the order of execution. The tasks within a phase are also listed in the order of execution.

You can manage phases in the Phases & Tasks tab as follows.

  • To create a phase, click Create Phase, specify a name, and save your changes.
  • You can edit the name of the phase by clicking the “pencil” icon next to the phase.
  • To delete a phase, first remove its tasks then click the Delete icon.
    Note: If you create a phase with the same name as a deleted phase, the deleted phase is reinstated.
  • You can reorder phases by clicking and dragging the icon next to the phase. You cannot move the first phase.
  • You can also reorder tasks within a phase by dragging them. You cannot drag a task from one phase to another.
  • Use the filters, such as Rules, Phase, and Name, at the beginning of the list of phases to show different views. Use More to select extra filters. You can deactivate a filter by clicking the x icon. To better visualize your playbook, select a rule in the Rules filter to show the tasks that are associated with the rule.

Manage incidents tasks

When you edit a task, the changes apply only to future instances of the task, not to existing incidents.

You can manage tasks as follows:
  • Tasks are ordered when assigned to a phase. When you assign a task to a phase, make sure that the tasks are in the order that you require.
  • Make sure that the task is enabled.
  • If a SLA (Service Level Agreement) is associated to that specific task, you can set the due date from the time the task is created on the incident.
  • You can provide instructions to users from within a task. Be as detailed as possible, using rich text, references to internal and external resources, hyperlinks, and embedded images when applicable.
  • You have the option of creating custom fields and data tables within the task creation. You can place these fields and data tables onto a task for ease of entry and information reference.
  • You can reference tasks in playbooks and workflows, which cause the tasks to be added to the associated incident’s task list when that playbook or workflow runs on the incident.
  • You can add a task to one or more rules, which causes the tasks to be added to the associated incident’s task list when that rule is run. You can also add and create new tasks when you create or edit a rule.
You can click the pencil icon in a task row to edit a task or click Create Task to create a new task. In either case, you can manage the following properties.
  • Task Name. Any text that you choose. For usability, make it descriptive of the task’s purpose.
  • Phase. Select the phase where the task is to appear.
  • Rules Using this Task. Lists the rules that run this task. It is the same set of rules that appears for the task in the Associated Rules column of the Phases & Tasks tab. To add the task to more rules, click in the field to list the available rules and then select the rules. The action is the equivalent of using the Add Tasks activity field when you create or edit a rule. To remove the task from a rule, click the x icon by the rule name.
  • Required. Select Mandatory if the task must be completed before the incident can enter the next phase; otherwise, select Optional.
  • Enabled. Disabled tasks are not displayed in the task library list when creating playbooks or workflows.
    Note: Changing the Enabled or Disabled status does not affect tasks being added to incidents by new playbook instances if the tasks are already included in playbooks.
  • Due Date. To impose a deadline, select Yes then enter the time as a number of days, hours, or minutes. The user must complete the task within that timeframe.
  • Instructions. Provide instructions to help users complete the task. You can insert links and images. The instructions appear when a user hovers over the task name in the Tasks tab of an incident.
  • Task layout. You can add fields, data tables, views, and blocks for users to enter information by dragging them to the layout section. This activity is the same as described in Fields, Data Tables, Views in incidents, and Blocks in incidents.

    For usability, the Artifacts view (incident level), Attachments view (task level), and Notes view (task level) contain the information in a Details tab of an incident's task. Any conditions in the Section block refer to incident properties. The views and blocks apply only to the Details tab on the incident task.

To delete a task, click the pencil icon in a task row then click the Delete icon.

Editing an instruction in a task in the Phases & Tasks tab updates new tasks only, not existing tasks. However, you can use the Incident Fields section to update both new and existing tasks.