How to access incidents a user is participant of

How to access incidents a user is participant of

L3 Networker

The Roles field is a good way to restrict access to incidents, but in my case I just want to assign a group of people to manage an incident and not restrict the incidents from other people. In order to do that I am adding users to the incident as team members. Team member is used mainly because team members can be added by tagging '@'.

Once these users are logged in to XSOAR, they want to see the incidents they are participants of. How can they find these incidents in the main account?

Accepted Solutions

L4 Transporter

The Team Members are stored in the investigation and can be accessed via investigation.users in the search screen.

For example, all open incidents where they are a participant and not the owner:

-status:closed -category:job investigation.users:{me} and -owner:{me}

This is from the My Incidents Dashboard in the Case Management Generic Pack.



L3 Networker

@MBeauchamp2 Thank you, this answers my question and raises another question 🙂 What is the difference between an investigation and an incident? An incident apparently doesn't hold an investigation field, so it's something different, like context I guess. I asked this question on the Slack channel but I was told it could be the old naming convention. I am a little confused now.

I ran into a similar issue today: I created an incident and tried to execute some commands through the API on the new incident, but I kept getting an 'investigation not found' error, so I had to make an API call to 'incident/investigate' to start the investigation. The incident exists but I am not allowed to run any commands because the investigation hasn't started.

 

L4 Transporter

An investigation is created when the incident is investigated, which happens automatically if a playbook is run automatically against it. It's not context; it's more metadata about the incident, and things like the users etc.

As you noted, you can't run commands against an incident that doesn't have an investigation.
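The two points made in this thread, that team members live on the investigation (so the accepted query addresses investigation.users) and that an incident with no investigation yet carries no such data, can be seen offline with a small evaluator. The following is an added example, not code from any post in this thread or from Palo Alto Networks: the incident records are constructed, the query grammar it accepts is a deliberate subset (field:value terms, a leading '-' for negation, the {me} placeholder, and AND), and it assumes {me} is expanded client-side before the query is sent to the REST endpoint POST /incidents/search.

```python
"""Evaluate the accepted answer's XSOAR search filter against sample incidents.

Added example (not from the forum post or from Palo Alto Networks).  Only a
small subset of the XSOAR query language is modelled here.
"""
import json
import re

# Constructed sample incidents.  Team members live on the investigation
# object, which is why the query addresses investigation.users.  Incident 5
# has no investigation yet (created but never investigated), as in the later
# reply about the 'investigation not found' error.
INCIDENTS = [
    {"id": "1", "status": "active", "category": "", "owner": "alice",
     "investigation": {"users": ["alice", "bob"]}},
    {"id": "2", "status": "closed", "category": "", "owner": "carol",
     "investigation": {"users": ["bob"]}},
    {"id": "3", "status": "active", "category": "job", "owner": "carol",
     "investigation": {"users": ["bob"]}},
    {"id": "4", "status": "active", "category": "", "owner": "carol",
     "investigation": {"users": ["bob", "dave"]}},
    {"id": "5", "status": "active", "category": "", "owner": "carol",
     "investigation": None},
]

# The query from the accepted answer, verbatim.
QUERY = "-status:closed -category:job investigation.users:{me} and -owner:{me}"

# One term: optional '-' (negate), dotted field name, ':' and a value.
TERM_RE = re.compile(r"^(-?)([\w.]+):(.+)$")


def parse_query(query, me):
    """Return a list of (negated, field, value) terms with {me} expanded."""
    terms = []
    for token in query.split():
        if token.lower() == "and":        # AND is already implicit between terms
            continue
        m = TERM_RE.match(token)
        if not m:
            raise ValueError(f"unsupported token: {token!r}")
        neg, field, value = m.groups()
        terms.append((neg == "-", field, value.replace("{me}", me)))
    return terms


def lookup(incident, dotted):
    """Resolve a dotted field such as investigation.users; None if absent."""
    cur = incident
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def term_matches(incident, field, value):
    """A list field matches when it contains the value, a scalar on equality."""
    actual = lookup(incident, field)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def matches(incident, terms):
    """All terms must hold; a negated term holds when its match fails."""
    return all(term_matches(incident, f, v) != neg for neg, f, v in terms)


def search(incidents, query, me):
    """IDs of the incidents the query selects for the user `me`."""
    terms = parse_query(query, me)
    return [inc["id"] for inc in incidents if matches(inc, terms)]


def search_payload(query, me, page=0, size=50):
    """JSON body for POST /incidents/search (assumption: {me} expanded here)."""
    return json.dumps({"filter": {"query": query.replace("{me}", me),
                                  "page": page, "size": size}})


if __name__ == "__main__":
    for user in ("bob", "alice", "dave"):
        print(user, "->", search(INCIDENTS, QUERY, user))
    print(search_payload(QUERY, "bob"))
```

Running it shows bob gets incidents 1 and 4 (participant but not owner), alice gets nothing because she owns the only incident she participates in, and incident 5 never matches anyone: with no investigation there is no users list to be found in, which is the same gap that makes commands fail until 'incident/investigate' has been called.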
