MuhammadFaruqi1
Visitor III
November 2, 2023
Solved

Queue Management and Shift handovers


FortiSOAR 

Hi Experts,

The idea is to create a shift handover using FortiSOAR.

 

Let's say, in the current shift, 05 alerts triggered; out of those, 3 were closed successfully and 02 were in progress/investigating. Let's say, during the investigation of those 2 alerts, the shift time is over. The current shift SOC analyst would initiate the shift handover and would hand over the "in progress/investigating" alerts to the next shift.

 

Need to create the above scenario in FortiSOAR. Please help! I shall be extremely grateful.

 

Regards,

MFaruqi 

Best answer by bbhaskar

Resolution provided -
1. Check the teams that were added in queue settings on edit queue - user assignment page - update record ownership.
2. Add these teams to the appliance 'Playbook'. Application Settings -  Appliance - Playbook - Check Teams Section.


Reason - The permission on the appliance 'Playbook' decides for which records both inclusion in and exclusion from the queue will work. When the record was first created, the record owner (teams) and the playbook appliance owner (teams) were the same, so the record was added to the queue successfully. But the queue was also updating the teams ownership of the record once it was added to the queue, and the appliance 'Playbook' was not part of these teams. Hence the exit queue function did not work on the record.
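The ownership behaviour described in this answer, as a simplified model; this is an added example, not FortiSOAR code or part of the original post. The team names, the `Record` class and the rule that the queue replaces the record's teams are assumptions made for illustration.

```python
# Simplified model of the ownership rule described in the answer above.
# Assumption: an actor (here the 'Playbook' appliance) can act on a record
# only if it shares at least one team with the record's owners.
from dataclasses import dataclass

@dataclass
class Record:
    status: str
    teams: set
    in_queue: bool = False

def can_act(actor_teams, record):
    """True when the actor shares a team with the record's owners."""
    return bool(set(actor_teams) & record.teams)

def enter_queue(appliance_teams, record, queue_teams):
    """Add the record to the queue, then apply 'update record ownership'."""
    if not can_act(appliance_teams, record):
        return False
    record.in_queue = True
    record.teams = set(queue_teams)  # assumption: ownership is replaced
    return True

def exit_queue(appliance_teams, record):
    """Apply the exit criteria (Status = Closed) if the appliance may act."""
    if record.status == "Closed" and can_act(appliance_teams, record):
        record.in_queue = False
        return True
    return False

def missing_teams(appliance_teams, queue_teams):
    """Teams to add to the 'Playbook' appliance so exit criteria can run."""
    return sorted(set(queue_teams) - set(appliance_teams))

def demo():
    appliance = {"SOC Team"}                  # constructed team names
    queue = {"Morning Shift", "Night Shift"}  # teams set in queue settings
    alert = Record(status="Open", teams={"SOC Team"})
    entered = enter_queue(appliance, alert, queue)
    alert.status = "Closed"
    before_fix = exit_queue(appliance, alert)  # fails: no shared team left
    gap = missing_teams(appliance, queue)
    appliance |= set(gap)                      # the resolution: add the teams
    after_fix = exit_queue(appliance, alert)
    return entered, before_fix, gap, after_fix

if __name__ == "__main__":
    print(demo())
```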

6 replies

New Contributor III
November 2, 2023

Please refer to this doc for more details https://docs.fortinet.com/document/fortisoar/7.4.2/user-guide/965289/queue-shift-and-leave-management

 

If any further assistance is required, please let us know, thanks!!

MuhammadFaruqi1
Visitor III
March 19, 2024

Hi Srivastavad,

 

First of all, apologies for the delayed response.

 

Thank you for your support on the topic. I have created the queue and it is automatically being populated with all the conditions that I set. 

 

I created a queue on the condition that when an alert is created and its status is open, it is assigned to the queue. But when it is closed, it is not being removed from the queue, although the automatic exit criteria says that when the status is changed to closed, it should be removed from the queue. Can you help me with auto-removal of the alert when its status is changed to closed?

I shall be extremely grateful.

Regards,

MFaruqi

bbhaskar
Staff
March 19, 2024

Can you please check if the automatic exit criteria is set correctly for the alerts? The Queue settings button is present on the right side of the Queue and Shift page.

1. The Queue Exit Criteria checkbox is enabled.
2. 'Select record fields to monitor for updates' is set to 'Status'.
3. Filter Condition is set as Status set to closed.

If it does not work, please attach a screenshot of the queue rule page and the queue exit criteria for further investigation.

MuhammadFaruqi1
Visitor III
May 2, 2024

Hi Experts!

 

There is a requirement for Shift Management. I create the shifts in FSR by manually entering all the shifts, like Morning, Afternoon and Night Shift, and providing the start time and duration of each shift. After that, the team members for each shift are updated manually.

 

Is there any way to generate the shifts by uploading a pdf or csv file of the monthly shift roster, so that the whole month's shifts are generated in FSR?

 

Kindly let me know if this is possible. I shall be extremely grateful.

 

@bbhaskar @Anonymous @jankit6 

MuhammadFaruqi1
Visitor III
May 5, 2024

Hi Experts!

 

Can we generate a report on the closed alerts of the last shift?

 

For example, when a morning shift has ended and a handover is given to the afternoon shift, can we generate a report of the closed alerts that were generated during the morning shift?

@bbhaskar @Anonymous  

New Contributor III
May 6, 2024

Thanks for reaching out MuhammadFaruqi1, our team will get back shortly!

 

~Deepti Srivastava

MuhammadFaruqi1
Visitor III
May 12, 2024

Hi Team,

 

Need support on two points that have already been mentioned earlier, but I am summarizing them here:

1- A report from the last shift: Let's say the shift duration is 8 hours. So in the last 8 hours, how many alerts were closed, and how many alerts are opened, investigating or pending.

2- Can we upload a csv or a pdf file from the duty roster to generate the shifts in FortiSOAR?

 

Regards,

Burhan

AmitJain
Staff
May 13, 2024

Hi @MuhammadFaruqi1  - 

1. For the last shift report - you can create a report in the format you want, enabling dynamic parameters in the report like Created Date is In Last X hours, and/or shift details if you need. Now, in a playbook, use the Reporting Connector and pass these dynamic values to the report from the playbook, and then your report will run automatically based on the dynamic values it gets every time.

2. For generating shifts using CSV - yes, it should be possible. Refer to this article in general for creating records from CSV and that should help. https://community.fortinet.com/t5/FortiSOAR-Discussions/Upload-CSV-and-update-FortiSOAR-Records/m-p/219994

MuhammadFaruqi1
Visitor III
May 14, 2024

Hi Amit,

Thanks for the response. I would like to add our SOC duty roster in csv format as per the attachment here. Would we be able to upload this CSV file and create our shifts using this CSV file?

AmitJain
Staff
May 23, 2024

Yes, as I said earlier - follow the article there for suggestions on how this can be done. https://community.fortinet.com/t5/FortiSOAR-Discussions/Upload-CSV-and-update-FortiSOAR-Records/m-p/219994