05-29-2024 04:01 AM
Does anyone mind sharing any resources or practical examples of how they're using XSOAR to transition events/incidents across multiple analysts or shifts?
05-30-2024 09:53 PM
Hi @Mcballew , I think this is a complicated question. It depends on the level of maturity of your automation journey.
- Simple: Modify incident owner to new analyst. You can also invite the analyst to join the incident by adding a warroom entry like "@user This is why the incident was assigned to you".
- Moderate: There are multiple choices available. The below steps will also add entries to the user My Task dashboard.
- Assign a workplan task to an analyst
- Create an ad-hoc task assigned to the new analyst
- If you've implemented a queuing system. You can choose to remove yourself as the incident owner. Change the incident role to the new analyst's role (ex "IR L2"). The incident will then show in their queue which will then be picked up by the next available analyst.
- We also have an automation called !AssignAnalystToIncident which can be used if the new analyst should be chosen based on some logic like online only, least workload or special SME (machine learning).
- Complex: We have a shift management pack that includes a more involved process of analysts creating shift handover incidents. The process is detailed here - https://xsoar.pan.dev/docs/reference/packs/Shift_management
Depending on your use case you might consider a combination of the above recommendations. I hope you find this helpful.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
