Transitioning Events/Incidents Across Analysts

Mcballew — Wed, 29 May 2024 11:01:21 GMT

Does anyone mind sharing any resources or practical examples of how they're using XSOAR to transition events/incidents across multiple analysts or shifts?

Re: Transitioning Events/Incidents Across Analysts

jfernandes1 — Fri, 31 May 2024 04:53:21 GMT

Hi @Mcballew , I think this is a complicated question. It depends on the level of maturity of your automation journey.

- Simple: Modify incident owner to new analyst. You can also invite the analyst to join the incident by adding a warroom entry like "@user This is why the incident was assigned to you".

- Moderate: There are multiple choices available. The below steps will also add entries to the user My Task dashboard.

- Assign a workplan task to an analyst

- Create an ad-hoc task assigned to the new analyst

- If you've implemented a queuing system. You can choose to remove yourself as the incident owner. Change the incident role to the new analyst's role (ex "IR L2"). The incident will then show in their queue which will then be picked up by the next available analyst.

- We also have an automation called !AssignAnalystToIncident which can be used if the new analyst should be chosen based on some logic like online only, least workload or special SME (machine learning).

- Complex: We have a shift management pack that includes a more involved process of analysts creating shift handover incidents. The process is detailed here - https://xsoar.pan.dev/docs/reference/packs/Shift_management

Depending on your use case you might consider a combination of the above recommendations. I hope you find this helpful.

topic Re: Transitioning Events/Incidents Across Analysts in Cortex XSOAR Discussions

Transitioning Events/Incidents Across Analysts

Re: Transitioning Events/Incidents Across Analysts