Managing your incidents

How you manage an incident depends on your role, the nature of the incident, and the playbook in place.

The following tasks are involved with managing an incident:
  • Add or update incident details.
  • Update breach information when Personal Information or Personal Data is involved.
  • Complete the tasks that are assigned to you.
  • Add, edit, or remove notes.
  • Add or remove attachments.
  • Add or remove artifacts.
  • View details of any playbook in progress for this incident. Cancel any running playbook for this incident.
  • Implement pre-defined actions and check their status.
  • Add information to data tables. If configured, interact with other security tools from data tables.

If you are an incident owner or a member, you might be able to add and assign tasks, and create custom tasks.

You can manage incidents individually by clicking Incidents in the menu bar to display all incidents then clicking an incident name to view its details. You can also complete specific management tasks on multiple incidents simultaneously in the Incidents page by clicking the check boxes next to those incidents then clicking Selected.

Note: Depending on your role and the configuration of the SOAR Platform, you might not be able to access all the tabs and features.

Updating incident details

As details about an incident emerge, you can update the information. Typically, you update the information in the incident’s Details tab.

For Personal Information or Personal Data, you update the information in the Breach tab. Depending on the playbook, the tabs might be absent, renamed, or in a different order than shown in the sample screen captures.

To modify information, go to the Details tab and click Edit then edit the various fields as needed. Changes might cause extra tasks to be added to the playbook.

If you change a value that affects Personal Information or Personal Data, review the Breach tab to enter any extra information. For example, if you change Exposure Type from Unknown to Yes, you must update the incident information under the Breach tab to determine any potential notification obligations.

The following is an example of the Details tab.

Modifying incident Breach information

The Breach tab displays the incident’s Personal Information or Personal Data, which you can update as needed.

Entering the Personal Information or Personal Data details allows the system to generate an assessment, which provides a summary of the reporting and notification requirements.

To modify breach information, go to the Breach tab, which is organized in various sections. To see the categories and fields in each section, click Edit. You can then edit the various fields as needed. Click Save to implement your changes.

The Regulators section organizes regulators by jurisdiction. You can select the regulators that apply to your company and are applicable to the incident. It is important to read each tooltip to determine applicability to the incident.

The Data Types section lists the default categories of data types. Choose the specific data types in each category that apply to the incident. If needed, click Edit Data Types to select extra or different data types.

The Number of Affected Individuals section lists the locations where individuals might reside. Document the number of affected individuals by residency. If needed, click Edit Location to select extra or different geographic areas.

The SOAR Platform maintains a database of breach notification statutes, regulations, trade organization bulletins, and guidance documents, including penalties where applicable. You can review the statutes in the Resource Library, which you access by selecting Wiki from the system menu. The Activity Dashboard also has a link to the Resource Library. Select the jurisdiction or regulator to view the relevant text of the document. Hyperlinks to the full source documents are also included. The Resource Library is organized into sections. Access to each section depends on your organization’s subscription.

Accessing incident tasks

You can access incident tasks from a number of locations in the application.

To access tasks:

  • The activity dashboard lists those tasks that are assigned to you that are due soon. Click a task to go to that task’s page.
  • Click Dashboards > My Tasks in the menu bar to see a list of all the tasks that are assigned to you, regardless of incident. Click a task to go to that task’s page.
  • Open an incident from the Incidents page then click the Tasks tab to see all the tasks for that incident. Click a task to go to that task’s page.

Reviewing incident tasks

Use the Tasks tab in an individual incident to view and manage all the tasks for the incident you selected.

The Tasks tab organizes the tasks by phase, which you can expand or collapse. The following screen capture is an example of the tasks table.

For each task, you can access the following information, from left to right:

  • Hover over the clipboard icon to see whether the task is generated by the system or added by a user.
  • If the circle and checkmark icon is green, the task is completed; otherwise, it is incomplete. You can click the icon to mark a task as completed.
  • Hover over the task name to see its instructions.
  • Owner column. Click the down arrow to select an owner, if unassigned, or reassign the task. The menu lists only those users who are members of the incident and groups who are members of the incident and are enabled to be task owners. When you save your changes, the assignees receive a notification.
  • Due Date column. Click the date to change or assign a due date.
  • Flags column, notes icon. Displays the number of notes added to the task. Click the icon to open the task and view or add notes.
  • Flags column, attachments icon. Displays the number of attachments added to the task. Click the icon to open the task and view or add attachments.
  • Actions column. Click […] to see the available actions for the task. Click the action to run it.

You can run an action on multiple tasks. Select the tasks then click Selected and choose the action. To select multiple tasks, click the clipboard icon of one task then hold the Shift or Ctrl key (Windows), or Command key (Mac) and click the clipboard icon of the other tasks.

You can create custom tasks, which are extra tasks beyond the ones that are generated by the playbook. Click Add Task, enter the appropriate information in the dialog, and click Create. The custom task is added to the playbook, where you can assign it to a user or group for completion.

Reviewing individual tasks

An individual task also has tabs that display the source of the task, record notes, and upload attachments.

In the Members tab, you can mark a task as Private if you consider the task as sensitive and do not want it to be viewed by the incident team. The owner of the incident and members of the task can view a private task.

If you have permissions, you can also mark the task as completed by clicking Complete and Close. Marking a task complete not only informs the incident owner that the task is done, but also allows the SOAR Platform to implement the next step in the playbook.

The following screen capture is an example of an individual task.

Adding incident notes

You can add a note or a comment to be shared with other members of the incident team.

To add a note or a comment to be shared with other members of the incident team, go to the Notes tab (at incident or task level). Type your comment in the text box. You can use the toolbar to add pictures, links, or a link to a SOAR Wiki page, or accent your text. Click Post to post the note on incident team members’ Activity Dashboard. With the appropriate permission, you can edit or delete notes by selecting the appropriate option on the Notes tab.

To direct a note to a specific incident member, place your cursor in the text box and type the “@” symbol, and a list of all the incident members appears. Select one or more appropriate members and continue entering the note. When complete, click Post and the members you selected receive a notification that directs them to log in and view it.

Adding attachments to incidents or tasks (changed in 51.0.4.0)

If the feature is available in your configuration, you can upload attachments that are related to the incident.

You can upload attachments to the incident or individual task. To attach a file, open the appropriate incident or task then select the Attachments tab. Click Upload File and select the file that you want to attach. The maximum file size is 25 MB. You can delete attachments from the incident or task by clicking Action > Delete next to the appropriate file.

The following example shows the attachments table on the Attachments tab. You can toggle to show task attachments.

Adding incident milestones

You can add milestones for important events.

The Timeline tab features a robust timeline display that can be set to display days, weeks, and months. Additionally, you can add milestones to call out important events within the timeline. To add a milestone, click New Milestone. You can add a date, title, and description of your milestone.

Managing and reviewing artifacts

An artifact is data such as an indicator of compromise that supports or relates to incidents. An artifact can also be stand-alone, where it is not attached to any incident.

The incident's Artifacts tab (see Managing incident artifacts) shows the artifacts that were added to a particular incident and organizes them by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample.

The Artifacts view (see Reviewing global artifacts) shows all artifacts across the organization, including all artifacts that are added to incidents and any stand-alone artifacts.

Note: Any IPv4 addresses encoded in an IPv6 format are displayed in the IPv4 format. True IPv6 addresses are displayed in IPv6 format.

Reviewing global artifacts

The Artifacts view shows all artifacts in the organization from a single page. You can see artifacts across all incidents and any stand-alone artifacts. It provides a clear picture of the frequency of any particular artifact, providing insight and visibility into the overall impact of any artifact in the organization.

Your role must include the View the global list of artifacts permission to access the artifacts view. To create, edit, or delete artifacts or artifact tags from the artifacts view, your role must include the Manage Artifacts permission.

To go to the artifacts view, select Artifacts from the menu bar. All of the artifacts in the organization are displayed, including all incident artifacts and stand-alone artifacts, but not any artifact of the Observed Data artifact type. Stand-alone artifacts are artifacts that are not added to an incident. The following graphic shows an example of the artifacts view.

Global Artifacts screenshot

The Related Incident Count column shows the number of incidents that this artifact is impacting.

You can complete the following actions:
  • Search through the artifacts list by value or summary. To search, click in the search box and enter your search criteria.
  • Sort by most columns. For example, you can sort by the Related Incident Count column to see the high frequency artifacts that are impacting the most incidents.
  • Customize the columns to show the information of most importance to you. To customize the columns, click the settings icon and select the columns that you want to view. You can rearrange the order of the columns by dragging the column names under columns selected. When done, click Apply.
  • Click Set timeframe and limit the view to artifacts updated, created, or seen within a specific time.
  • Limit the view to specific criteria. Click Filters to specify the tags or types that you want to view. You can also filter by the Relate incidents and Threat scan settings. For each selection, you can further refine the results; in the following example, the action menu for the URL artifact type is used to choose whether the list includes or excludes artifacts of that type.
    To remove filters, click Clear filters.

Note: Deleted artifact types are still shown, but with a strikethrough, such as testtesttest in the example.

Click an artifact ID or name to see the details of that artifact, as shown in the following graphic.

Click in Summary to edit inline. To add artifact tags, click in Tags and select an existing tag, if any exist, or enter a new tag. Tags are case-sensitive.

Use the Relate incidents toggle to view the incidents that have the same artifact. The incidents are shown in the Incidents with Related Artifacts section, where you can click the ID to go to the incident. Set Relate incidents to Off to reduce clutter for artifacts that appear in many incidents but where the relationship information is not useful.

Use the Threat scan toggle to send an artifact to a cyberthreat source to be scanned. This setting applies only to system provided artifact types that can be scanned by system provided threat sources.

Any Whois information that is loaded for a DNS artifact in the incident Artifacts tab is displayed in the Whois section.

The Geolocation section provides the geolocation data for IP address artifact types, if your organization has enabled this feature.

The Hits section provides a scan report for each hit. The scan report displays information that is provided by the threat source. You can filter the list by threat source.

The Artifact History section provides a newsfeed of the artifact history, including when the artifact was created, changed, added to or removed from an incident and any hits from a threat source. Use the filters to control what is shown in the history.

Note: If you are using the MSSP add-on, artifacts from child organizations are not shown in the global dashboard.

Creating a stand-alone artifact

You can create a stand-alone artifact that is not attached to an incident. However, you cannot create file-based or Observed Data stand-alone artifacts.

To create a stand-alone artifact:
  1. Go to the artifacts view by selecting Artifacts from the main menu.
  2. Click Create Artifact.
  3. Select an artifact type, enter a value for the artifact. If you want, you can add a summary and tags.
    Note: You can create an artifact with the same value as an existing artifact if the artifact type is different.
  4. Click Create.
The artifact is added to the list of artifacts on the artifacts view.

Demo

The following video is a demo of the artifacts view.
  • Moving from the list of incidents to the artifact view.
  • Sorting the list of artifacts by the Artifact Value column.
  • Selecting an artifact.
  • Clicking into Summary.
  • Clicking into Tags and selecting a tag.
  • Turning Threat scan off.
  • Saving the changes.

Managing incident artifacts (changed in 51.0.4.0)

The Artifacts tab for an incident lists all of the artifacts added to the selected incident. You can add, edit, and select actions on artifacts. You can also export incident artifacts.

Viewing incident artifacts

You add artifacts by clicking Add Artifact. Select the type of artifact and enter information such as the type, an attachment if prompted, and a description of the artifact, including how it relates to the incident. For some artifact types, you can enter multiple values, such as IP addresses. Make sure to separate new values with a newline, space, or comma, depending on the artifact type. See the tooltip by the artifact value to see the valid separators. After you add an artifact to the incident, it is also added to the organization-wide artifacts view, as described in Reviewing global artifacts.
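The two rules above about artifact values, that multi-value entries are split on a newline, space, or comma, and that IPv4 addresses encoded in IPv6 form are displayed as IPv4 while true IPv6 addresses stay IPv6, are easy to get wrong when you prepare artifact lists outside the platform (for example, when collecting indicators from a log before pasting them in). The following Python is an added example, not part of the SOAR Platform or IBM's code: it splits a raw multi-value entry, validates each token as an IP address, canonicalizes it the way the page describes, and drops duplicates so that `::ffff:192.0.2.10` and `192.0.2.10` become one artifact. The sample input and the function names are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Separators the page lists for multi-value artifact input: newline, space, or comma.
SEPARATORS = re.compile(r"[\s,]+")


def normalize_ip(value: str) -> Optional[str]:
    """Return the canonical artifact value for one IP address string, or None if it is not an IP.

    IPv4 addresses embedded in IPv6 form (::ffff:192.0.2.10 or ::ffff:c000:20a) come back
    as plain IPv4, matching the display rule on the page. Real IPv6 addresses stay IPv6,
    in the compressed form that ipaddress produces, so 2001:0db8::0001 becomes 2001:db8::1.
    """
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_ip_artifact_values(raw: str) -> Tuple[List[str], List[str]]:
    """Split a multi-value IP artifact entry, normalize each value, and drop duplicates.

    Returns (accepted canonical values in first-seen order, rejected tokens). Rejected
    tokens are kept so that the analyst can see what would not have been accepted as an
    IP Address artifact instead of silently losing it.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for token in SEPARATORS.split(raw):
        if not token:  # leading or trailing separators produce empty tokens
            continue
        canonical = normalize_ip(token)
        if canonical is None:
            rejected.append(token)
        elif canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected


# Constructed sample input: one host written three ways (dotted IPv4, IPv4-mapped IPv6 in
# dotted and hex notation), one uncompressed IPv6 address, and one token that is not an IP.
SAMPLE_INPUT = "192.0.2.10, ::ffff:192.0.2.10\n::ffff:c000:20a 2001:0db8::0001 not-an-ip"

if __name__ == "__main__":
    values, bad = parse_ip_artifact_values(SAMPLE_INPUT)
    print("artifact values:", values)   # ['192.0.2.10', '2001:db8::1']
    print("rejected tokens:", bad)      # ['not-an-ip']
```

The canonical form is what you want to key deduplication on: the platform treats an artifact of the same type and value as one artifact, so feeding it both spellings of a mapped address would otherwise look like two indicators.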

You can limit the table to specific artifacts. If the list is long, you can filter by artifact type. Click Filters to specify the criteria. For most selections, you can further filter the results. Additionally, you can click Set timeframe and limit the view to artifacts added or modified within a specific time.

You can export the incident artifacts to a .csv file to share indicators of compromise with third parties. To export the incident artifacts, click Export Artifacts and then click Download.

You can take actions on each artifact in the Artifacts tab by clicking the vertical ellipsis under Actions. The available actions depend on the type of artifact. For example, for an IP address artifact, you can click the menu and run a “Search LDAP” action to search your Active Directory for more information about the address.

In the list of artifacts, you can see any matches from threat intelligence feeds in the Hits column. The Value column shows the artifact value.

The setting for each artifact type determines whether to show or ignore relationships with other incidents. If you can view relationships, the Related Incident Count column displays the total number of incidents that have artifacts with the same value, regardless of artifact type. A dash in the Related Incident Count column indicates that the Relate incidents setting is not enabled for that artifact type.

You can customize the columns by clicking the icon in the upper right side of the table, as shown by the mouse pointer in the screen capture. Most columns are self-explanatory. The Flags column displays an icon when the Relate incidents or Threat scan setting is not enabled. In the image, Threat scan is not enabled for the first artifact and Relate incidents is not enabled for the second artifact. You can click the icon to display a tooltip about the setting. No icon in the Flags column indicates that both settings are enabled.

Individual artifact

Click the link in the Related Incident Count or Value column to see the details of the artifact.

  • From here you can see the incident artifact details, showing the details of this artifact as it relates to the incident, for example, when it was added to the incident. You can click in the Description to edit inline.
  • The Artifact Summary is an organization-wide view of the artifact, with the organization name displayed. The section shows the artifact details, such as when the artifact itself was created. You can do the following in the Artifact Summary:
    • Click in the Summary to edit inline, or click in Tags to add or remove artifact tags, where tags are case-sensitive.
    • Use Relate incidents to determine whether to show a relationship between incidents when they contain the same artifact.
    • Use Threat scan to determine whether an artifact of the artifact type is sent to a cyberthreat source to be scanned. This setting is available only to system provided artifact types that can be scanned by system provided threat sources.
    • Click the First seen link to go to the incident to which the artifact was first added. Click Last seen link to go to the incident to which the artifact was most recently added.
    • From the Hits section, you can view the hits information, which shows any hits from threat intelligence sources.
  • For DNS type artifacts, the Whois section shows Whois information for the DNS name when you click Load.
  • The Hits section provides a scan report for each hit. The scan report displays information that is provided by the threat source. You can filter the list by threat source.
  • The Geolocation section provides the geolocation data for IP address artifact types, if your organization has enabled this feature.
  • The Related Incidents section provides a list of any related incidents. You can click incidents for which you have permission to view. If you do not have permission, you can see the incident's ID and owner but you cannot access the incident.
  • The Artifact History section provides a newsfeed of the artifact history, showing when the artifact was created, changed, added to or removed from an incident and any hits from a threat source. You can add or remove filters to control what is shown in the history.

The following graphic shows an example of an artifact of type IP Address. Some of the sections are minimized. You can see a tag in the organization-wide view of the artifact.

Note: When you add an artifact that has the same type and value as an existing artifact, the existing artifact is updated and the new description is appended to it. This behavior does not apply to the Observed Data artifact type or to non-malware file samples such as log files and email attachments.
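The merge rule in the note above, together with the earlier statements that the same value may exist under a different artifact type and that the Related Incident Count counts incidents holding that value regardless of type, describes a small data model that is worth seeing in code. The following Python is an added example, not the SOAR Platform's implementation: an in-memory artifact store that merges on (type, value) and appends descriptions, keeps Observed Data artifacts separate, and computes the related-incident count per value across types, returning None where the page shows a dash because Relate incidents is off for the type. The class and method names, the newline used to join appended descriptions, and the set of types with Relate incidents enabled are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Artifact type that the page says is never merged with an existing artifact.
OBSERVED_DATA = "Observed Data"


@dataclass
class Artifact:
    artifact_type: str
    value: str
    description: str
    incident_ids: Set[str] = field(default_factory=set)


class ArtifactStore:
    """In-memory model of the incident artifact rules described on the page (example only)."""

    def __init__(self, relate_incidents_types: Set[str]) -> None:
        # Per-type "Relate incidents" setting: only these types show a related-incident count.
        self._relate_types = set(relate_incidents_types)
        self.artifacts: List[Artifact] = []
        # Index for mergeable types only; Observed Data is deliberately not indexed.
        self._index: Dict[Tuple[str, str], Artifact] = {}

    def add(self, incident_id: str, artifact_type: str, value: str, description: str) -> Artifact:
        """Add an artifact to an incident, merging with an existing one of the same type and value."""
        key = (artifact_type, value)
        if artifact_type != OBSERVED_DATA and key in self._index:
            existing = self._index[key]
            # Page rule: the artifact is updated and the description is appended (separator assumed).
            existing.description = f"{existing.description}\n{description}"
            existing.incident_ids.add(incident_id)
            return existing
        artifact = Artifact(artifact_type, value, description, {incident_id})
        self.artifacts.append(artifact)
        if artifact_type != OBSERVED_DATA:
            self._index[key] = artifact
        return artifact

    def related_incident_count(self, artifact_type: str, value: str) -> Optional[int]:
        """Number of incidents holding this value under any type, or None (shown as a dash)
        when Relate incidents is not enabled for the artifact's type."""
        if artifact_type not in self._relate_types:
            return None
        incidents: Set[str] = set()
        for artifact in self.artifacts:
            if artifact.value == value:
                incidents |= artifact.incident_ids
        return len(incidents)


def build_sample_store() -> ArtifactStore:
    """Constructed scenario: one IP seen in three incidents, once as a String artifact."""
    store = ArtifactStore(relate_incidents_types={"IP Address", "DNS Name"})
    store.add("INC-1", "IP Address", "192.0.2.10", "seen in proxy log")
    store.add("INC-2", "IP Address", "192.0.2.10", "beacon destination")   # merged into the first
    store.add("INC-3", "String", "192.0.2.10", "quoted in a user report")  # different type: separate
    store.add("INC-1", OBSERVED_DATA, "raw-capture", "first capture")      # never merged
    store.add("INC-1", OBSERVED_DATA, "raw-capture", "second capture")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(len(s.artifacts))                                   # 4
    print(s.related_incident_count("IP Address", "192.0.2.10"))  # 3
    print(s.related_incident_count("String", "192.0.2.10"))      # None, rendered as a dash
```

The count for the IP Address artifact is 3 even though that artifact itself belongs to only two incidents, because the String artifact in INC-3 carries the same value; that is the "regardless of artifact type" rule from the Related Incident Count description.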

Artifact graph display

You can change the artifacts view from a table to a graph to see a visual representation of the artifact.

By default, the artifacts are displayed in a table. You can display the artifacts visually as a graph by clicking the graph icon in the table header, as shown by the mouse pointer in the following screen capture.

The graph displays the incident as a circular node with each artifact as a block attached to the node.

You can take the following actions in the graph:

  • Drag the artifacts to rearrange them so that you can better show the relationship to each other.
  • Hover over the incident node or the artifact to display its details and the Actions menu.
  • The SOAR Platform examines supported file types for matches with threat intelligence feeds. If a match is found, the artifact is highlighted in red.
  • Click within the graph area then use the mouse wheel to resize the graph.
  • If any artifact is also associated with another incident, the graph shows that incident as a separate circular node. You can click each node to focus on that incident and its artifacts.
  • Use the timeline under the graph to limit the view to a specific length of time. If you have multiple incidents in the graph, a red horizontal line over the timeline represents each incident. Hover over each line to display the incident name.

The example graph contains multiple incidents. One artifact is associated with four incidents. All four are shown in the graph as circles and as red lines in the timeline.

Reviewing incident email

Your playbook designer and the playbook define how emails are automatically associated to incidents. In some cases, an incident might be generated from an incoming email, such as a phishing threat service. In other cases, an incoming email might be associated with an existing incident.

Your playbook designer can modify a template that is provided by IBM Security® to process incoming email and automatically create tasks, set the incident type and severity, and extract artifacts from the email. If the incoming email contains an attachment, the attachment can be added to the Attachments tab on the incident.

The following graphic shows an example of an incident that is automatically generated from an email. In this example, a phishing threat service sent a potential phishing email to the SOAR Platform, which generated an incident.

The email is added to the Email tab of the incident. From the Email tab, you can view the mailbox from which the email originated, the email sender, and the subject. If you have the necessary permissions, you can also download the email by hovering over the email then clicking the download icon.

On the Artifacts tab, URLs or IP addresses from the email are displayed.

Download a group of emails

You can select multiple emails and download them as a group. Each email is saved as a text file within a downloadable .zip file.
  • Select the emails that you want to download, and click the Download icon.
    • To download the file immediately, in the Download generation complete notification, click the Download link.

      When the download is complete, the file is immediately removed from the system. Closing this notification window without downloading the file also removes it from the system.

    • To download the file later, in the Generating download notification, click Email link.

      You can download the file from the Generated Downloads section of the Activity Dashboard. The link expires after a set number of days, according to the Download Link Expiry setting for the organization.

Viewing the progress of an incident playbook

The Playbook progress page shows which playbooks are running on an incident. You can view the overall status of the incident playbooks, or you can drill through to view the playbook progress and status of each node.

Procedure

To open the Playbook progress page, follow these steps:
  1. On the Incidents tab, click the name of the incident that you want to review.
  2. To view the list of incident playbooks, click Playbook progress.
    Click the arrow to expand the playbook row and view information about the playbook functions.
  3. To view the playbook progress, click the playbook name.
  4. To view the functions of the playbook, click the View full playbook activities icon.
  5. To cancel a running instance of the playbook, click the Cancel playbook icon.

Playbook progress visualization

The Playbook progress visualization shows the progress of a running incident playbook. Click each node on the canvas to view more information about it.

Figure 1. Playbook progress visualization page
Graphical representation that shows the status of each node in the playbook. To the right, the details pane shows information about the node that is selected.

Active nodes in the playbook are shown with a status indicator in the upper right. Inactive playbook nodes do not have an indicator and appear less bright on the canvas.

Table 1. Status indicators for activated playbook nodes (the indicator icons are images and are not reproduced here)
  • Completed
  • In progress
  • Suspended
  • Canceled
  • Error

Tip: The Playbook progress visualization is read-only. Use Playbook Designer to change a playbook.

Running actions on incidents or tasks

Your administrator and the playbook define the actions that you can run on an incident or task.

For multiple incidents, you can go to the Incidents page and click the check boxes for those incidents then click Selected and choose the action to take.

For an individual incident, you can click Actions on the incident’s page.

For a task, you can click […] in a Task page.

To view the status of actions from within the incident page, click Actions then select Action Status near the end of the menu.

Reviewing incident data tables

Data tables are used to organize information in a tabular format by using rows and columns, and can be found in the various tabs of the incident. Typically, you can add information to these tables.

The SOAR Platform can integrate with various Security Information and Event Management (SIEM) systems so that incident information can be escalated into the SOAR Platform and presented in a data table. Depending on the level of integration, you can run commands on the data, which is then acted on by the security system.

The following example shows a data table for the Exchange Online app. You can have the app create artifacts, delete messages and more from the data table.

Reviewing incident workflows

A SOAR workflow is a predefined set of activities that can run a complex set of instructions.

A workflow is started by an action. When started, it runs all its activities until it reaches its conclusion.

If you have permission, you can view the status of an incident’s workflows. From within the incident page, click Actions then select Workflow Status near the end of the menu. The Workflow Status window opens, as shown in the following example.

The status of a workflow can be Running, Completed, Suspended, or Terminated.

A Suspended workflow can occur when the incident closes before the workflow completes. Reopening an incident resumes the workflow. You can permanently terminate a workflow if it is suspended and you do not plan to reopen the incident. You can also terminate a workflow if you find that it does not complete in an expected amount of time and is preventing the completion of the incident. Normally, you do not terminate a workflow in an open incident.

You can add a reason when you terminate a workflow. This text displays when a user hovers over the workflow status.

Multiple objects in the same incident can start the same workflow, which causes multiple instances of the workflow to appear in the status table. To understand which object caused each workflow, hover over Object / Object Details in the workflow row for additional information, such as the specific row in a data table that started the workflow.

Managing the incident team

As an incident owner, you can add or remove members of an incident team.

To access the incident team, open the appropriate incident, click the Members tab then select Edit. Open the menu and select the username or group that you want to add. The user or group appears under the list of members. To remove a team member or group, click Remove next to the name.

Reassigning incidents to another workspace

If you have the permission, you can reassign incidents to a different workspace.

To reassign incidents to a different workspace:
  1. Go to the Incidents page.
  2. If needed, use the filters, including the workspace filter, to view the specific incidents to reassign.
  3. Multi-select all of the incidents.

    You can reassign incidents, both open and closed, from more than one workspace to a target workspace.

  4. Click Manage > Move.
  5. In Move to workspace, select a target workspace for the incidents.
  6. Click Move.

    A message displays if you do not have the permissions to reassign any of the selected incidents.

This process might take some time if you reassign several incidents.

Closing an incident

You can close an incident where the incident responders completed all tasks and required fields.

If you try to close an incident that has an incomplete required field, the platform prompts you to complete the field.

If you close multiple incidents simultaneously and the same required field is incomplete on a subset of the incidents, the value you enter applies to all the incomplete fields. It does not override the value in the completed fields.

To close an incident, click Actions then select Close Incident near the end of the menu.

To close one or more incidents from the Incidents page, select the incidents, click Manage then click Close.

Deleting an incident

If you have the permission, you can delete incidents. When you delete an incident, it is permanently deleted from the SOAR Platform.

Typically, you close an incident instead of deleting it.

The following actions occur when you delete one or more incidents:
  • The incident’s child objects, such as tasks, artifacts, and attachments, are deleted.
  • The audit data for the incident and child objects is deleted. However, the audit log contains a log of the deletion itself.
  • All references to the incident are removed from the news feed and any existing system notifications.
  • If you delete multiple incidents, the incidents are deleted serially and in the background. Incidents that are submitted for deletion remain visible until they are deleted.
  • If the incident deletion fails, the error is logged in client.log, but does not stop other incidents from being deleted.
  • The incident deletion includes deleting it from the database.
If you intend to delete many incidents, you can take the following actions to minimize disruptions:
  • Disable any rules or playbooks that are configured to run when an incident is deleted. If you do not have permission to access rules or playbooks, contact your system administrator.
  • In the Administrator Settings Notifications tab, disable any system or email notifications that are related to incident deletions, including the default Incident Deleted notification, which sends an email for each deleted incident while it is enabled. If you do not have access to the Notifications tab, contact your system administrator.

To delete an incident from the incident page, click Actions then select Delete Incident at the end of the menu.

To delete one or more incidents from the Incidents page, select the incidents, click Manage then select Delete.

You can verify that the incident is deleted by checking the Incidents page and verifying that the incident is no longer shown. With permission, you can check the audit log for deleted incidents.