Introduction to incident response
The IBM Security® QRadar® SOAR Platform is a purpose-built tool for the unique requirements of consistently and efficiently managing computer-related security incidents or breaches of personally identifiable information.
SOAR incidents and objects
An incident is an event in which data or a system might be compromised. The SOAR Platform allows these incidents to be entered by users or systems that are integrated with the SOAR Platform. You can then monitor the status from the start to the resolution of the incident.
- Task. A unit of work to be accomplished by a user, device, or process. The SOAR Platform handles some tasks automatically. You can be assigned tasks to accomplish manually and mark those tasks as done when you complete them. Incident owners can track the progress of the various tasks.
- Note. Text added to an incident or task for clarification or additional information.
- Attachment. A file that is uploaded and attached to an incident or task.
- Artifact. Data that supports or relates to the incident. The SOAR Platform organizes artifacts by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample. Artifacts with the same value but in different incidents can be shown as related.
In addition to objects, an incident can run one or more workflows. A workflow is a predefined set of activities that can run a complex set of instructions. With the proper permission, you can view the status of an incident’s workflows and, if necessary, stop a workflow.
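The artifact behaviour described above (artifacts with the same value in different incidents are shown as related) can be illustrated with a small model. This is an added example, not IBM's code or the SOAR Platform's API; the incident names, ids and artifact values are constructed sample data, and the normalization rules are assumptions chosen so that cosmetic differences (hash case, MAC separators) do not hide a match.

```python
"""Added example: correlate SOAR-style incidents by shared artifact value."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Artifact:
    type: str   # artifact type, e.g. "MD5 Hash", "MAC Address", "URL"
    value: str  # the observed value


@dataclass
class Incident:
    id: int
    name: str
    artifacts: list = field(default_factory=list)


def normalize(artifact):
    """Canonical (type, value) key. Rules are assumptions for this example."""
    atype = artifact.type.lower()
    value = artifact.value.strip()
    if "hash" in atype:
        value = value.lower()                      # hashes are case-insensitive
    elif "mac" in atype:
        value = value.lower().replace("-", ":")    # unify MAC separators
    elif atype == "url":
        value = value.lower().rstrip("/")          # ignore trailing slash
    return (atype, value)


def related_incidents(incidents):
    """Return {normalized artifact: set of incident ids} for artifacts that
    appear in more than one incident, i.e. the incidents a SOAR analyst would
    see flagged as related."""
    index = defaultdict(set)
    for inc in incidents:
        for art in inc.artifacts:
            index[normalize(art)].add(inc.id)
    return {key: ids for key, ids in index.items() if len(ids) > 1}


# Constructed sample incidents (ids, names and values are made up).
SAMPLE = [
    Incident(1001, "Phishing report", [Artifact("URL", "http://example.test/login/"),
                                       Artifact("MD5 Hash", "0123456789ABCDEF0123456789ABCDEF")]),
    Incident(1002, "Endpoint malware", [Artifact("MD5 Hash", "0123456789abcdef0123456789abcdef"),
                                        Artifact("MAC Address", "00-11-22-33-44-55")]),
    Incident(1003, "Rogue device", [Artifact("MAC Address", "00:11:22:33:44:55")]),
]

if __name__ == "__main__":
    for (atype, value), ids in related_incidents(SAMPLE).items():
        print(f"{atype} {value}: incidents {sorted(ids)}")
```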
Playbook
Your organization designs and implements the set of conditions, business logic, and tasks that are used to respond to an incident. This set is referred to as a playbook. These playbooks provide the SOAR Platform the means to update the response to an incident automatically as the input changes or the incident progresses.
The playbook determines which information is available to you, which tasks are assigned to you, and which actions you can take on any particular incident. As the incident changes, so can the assigned tasks and actions.
Workspaces and groups
A workspace is a container or partition for grouping different incidents. You can use workspaces to manage incidents more efficiently across multiple teams and within teams. Workspaces provide the flexibility to assign particular incidents to specific teams, restricting access and control to only the teams and users that need it. For example, you might have a workspace for the Security team and a second workspace for the IT Operations team. Within these two workspaces, each team manages its security or IT operations incidents separately and independently.
Your administrator creates and manages workspaces. If you have the create incident permission, you might be prompted to select a workspace when you create an incident. You might also have the permission to reassign incidents to a different workspace.
Simulating incidents in SOAR
Simulations are hypothetical circumstances that can help your team to understand the impact of data loss situations and rehearse the response process. You can use simulations to create incidents for test purposes to see how each component of your playbook responds.
The process of working with simulated items is identical to working with real incidents. The same actions that are available on incidents are available on simulations.
To create simulations, you must have the Create Simulations permission in your role. The Simulation menu item is available from Create incident in the menu bar. If you have the permission to create both incidents and simulations, click the arrow on Create incident and select Create simulation.
Your role in incident response
Your administrator defines your role, which determines how you interact with incidents. For example, an observer role can view incident information but not change it, while an incident creator can enter and manage incidents. You might be able to access all incidents or specific incidents only.
Depending on your role and the configuration of the SOAR Platform, you might not be able to access all the tabs and features. The actions you can take on an incident include the following:
- Create an incident.
- Generate reports on one or more incidents.
- Check the status of the incident.
- Edit incident information and monitor the tasks.
- Complete tasks as assigned.
- Close an incident.
- Delete an incident.
- Run other actions configured by your administrator. These actions are accessible through Actions in the incident page, or […] near an object.
Managed Security Service Providers add-on
The SOAR for MSSPs add-on option is for customers who want to manage multiple SOAR organizations from a single view.
The SOAR for MSSPs add-on consists of multiple child organizations, a single global dashboard, and a single configuration organization. Each child organization can be assigned to a different group, division, or company to meet their incident response requirements.
Security analysts use the global dashboard to analyze incident data from all the child organizations. For more information, see the SOAR for MSSPs User Guide.
Users in each child organization can use the information in this User Guide. The features and functions of the child organizations in an MSSP add-on deployment are the same as a non-MSSP deployment.