09-20-2023 12:11 AM
The Roles field is a good way to restrict access to incidents, but in my case I just want to assign a group of people to manage an incident and not restrict the incident from other people. In order to do that I am adding users to the incident as team members. Team member is used mainly because team members can be added by tagging with '@'.
Once these users are logged in to XSOAR, they want to see the incidents they are participants of. How can they find these incidents in the main account?
09-20-2023 07:45 AM
The Team Members are stored in the investigation and can be accessed via investigation.users in the search screen.
For example, all open incidents, where they are a participant and not the owner:
-status:closed -category:job investigation.users:{me} and -owner:{me}
This is from the My Incidents Dashboard in the Case Management Generic Pack.
09-21-2023 07:54 AM - edited 09-21-2023 07:54 AM
@MBeauchamp2 Thank you, this answers my question and raises another question 🙂 What is the difference between an investigation and an incident? The incident apparently doesn't hold an investigation field, so it's something different, like context I guess. I asked this question on the Slack channel but I was told it could be the old naming convention. I am a little confused now.
I ran into a similar issue today: I created an incident and tried to execute some commands through the API on the new incident, but I kept getting an "investigation not found" error, so I had to make an API call to 'incident/investigate' to start the investigation. The incident exists, but I am not allowed to run any commands because the investigation hasn't started.
09-21-2023 08:14 AM
An investigation is created when the Incident is investigated, which happens automatically if a playbook is run automatically against it. It's not context; it's more metadata about the incident, things like the users, etc.
As you noted, you can't run commands against an Incident that doesn't have an investigation.
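An added example (not code from this thread or from Palo Alto Networks) that puts the two answers above together: it runs the team-member search query from the first reply, and it starts the investigation via incident/investigate before executing a command, so the "investigation not found" error described above does not occur. Assumptions: the API key goes in the Authorization header, POST incidents/search and POST entry/execute/sync behave as in the public XSOAR REST API, incidents carry an investigationId field, and the investigation id equals the incident id.

```python
"""Investigate-before-command helper for the XSOAR REST API (added example, not
from this thread or Palo Alto Networks). Assumed: API key in the Authorization
header; POST incident/investigate (named in the thread); POST incidents/search and
POST entry/execute/sync as in the public REST API; incidents carry investigationId;
the investigation id equals the incident id."""
import json
import urllib.request
from typing import Any, Callable, Dict, List

# A transport is "POST path with JSON body, return the JSON reply"; injecting it
# keeps the logic testable without a live server.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

# Query from the My Incidents dashboard: open, non-job, caller is a team member, not owner.
PARTICIPANT_QUERY = "-status:closed -category:job investigation.users:{me} and -owner:{me}"

def http_transport(base_url: str, api_key: str) -> Transport:
    """Build a transport that talks to a real XSOAR server."""
    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path.lstrip('/')}",
            data=json.dumps(body).encode(),
            headers={"Authorization": api_key, "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return post

def search_participant_incidents(post: Transport, size: int = 50) -> List[Dict[str, Any]]:
    """Incidents the caller participates in but does not own (the thread's query)."""
    body = {"filter": {"query": PARTICIPANT_QUERY, "page": 0, "size": size}}
    return post("incidents/search", body).get("data") or []

def ensure_investigation(post: Transport, incident: Dict[str, Any]) -> str:
    """Return the investigation id, starting the investigation if the incident has none.
    A created-but-never-investigated incident makes commands fail with
    'investigation not found'; incident/investigate is the fix from the thread."""
    if not incident.get("investigationId"):
        started = post("incident/investigate", {"id": incident["id"]})
        incident["investigationId"] = started.get("id") or incident["id"]  # assumed equal
    return incident["investigationId"]

def run_command(post: Transport, incident: Dict[str, Any], command: str) -> Dict[str, Any]:
    """Run a war-room command against the incident, investigating it first if needed."""
    inv_id = ensure_investigation(post, incident)
    return post("entry/execute/sync", {"investigationId": inv_id, "data": command})
```

Pass `http_transport(url, key)` as `post` for a live server; the test below uses a recording fake so the call order can be checked offline.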