Hi Experts,
The idea is to create a shift handover using FortiSOAR.
Let's say in the current shift 5 alerts triggered; of those, 3 were closed successfully and 2 were in progress/investigating. Let's say that, during the investigation of those 2 alerts, shift time is over. The current-shift SOC analyst would initiate the shift handover and would hand over the "in progress/investigating" alerts to the next shift.
Need to create the above scenario in FortiSOAR. Please help! I shall be extremely grateful.
Regards,
MFaruqi
Created on 03-26-2024 03:39 AM Edited on 03-26-2024 03:42 AM
Resolution provided:
1. Check the teams that were added in queue settings on the Edit Queue - User Assignment page - Update Record Ownership.
2. Add these teams to the appliance 'Playbook': Application Settings - Appliance - Playbook - check the Teams section.
Reason: the permission on the appliance 'Playbook' decides for which records both inclusion in and exclusion from a queue will work. When the record was first created, the record owner (teams) and the Playbook appliance owner (teams) were the same, so the record was added to the queue successfully; but the queue was also updating the team ownership of the record once it was added to the queue, and the appliance 'Playbook' was not part of these teams. Hence the exit queue function did not work on the record.
Created on 11-02-2023 09:06 AM Edited on 11-02-2023 09:18 AM
Please refer to this doc for more details: https://docs.fortinet.com/document/fortisoar/7.4.2/user-guide/965289/queue-shift-and-leave-managemen...
If any further assistance is required, please let us know. Thanks!
Hi Srivastavad,
First of all, apologies for the delayed response.
Thank you for your support on the topic. I have created the queue, and it is automatically being populated according to all the conditions that I set.
I created a queue on the condition that when an alert is created and its status is Open, it is assigned to the queue. But when it is closed, it is not being removed from the queue, although the automatic exit criteria say that when the status is changed to Closed, it should be removed from the queue. Can you help me with auto-removal of the alert when its status is changed to Closed?
I shall be extremely grateful.
Regards,
MFaruqi
Can you please check whether the automatic exit criteria are set correctly for alerts? The Queue Settings button is on the right side of the Queue and Shift page.
1. The Queue Exit Criteria checkbox is enabled.
2. "Select record fields to monitor for updates" is set to 'Status'.
3. The filter condition is set to Status equals Closed.
If it does not work, please attach screenshots of the queue rule page and the queue exit criteria for further investigation.
Created on 03-20-2024 02:22 AM Edited on 03-20-2024 02:22 AM
This looks correct and is working as expected on my setup.
When you say the record is not removed from the queue, what does that mean? Is the record still present in the queue? You can check it in two ways:
1. There is a Queue column in the alert grid/table view on the Alerts page. You can select that column and it will be displayed in the grid. Check whether the Queue column becomes blank for that alert once it is closed.
2. On the Queue page itself there is a View button under the Actions column for every queue record. Click that and see whether the record is still present in the queue view.
If the record is still present, please try one scenario manually:
1. Create an alert and check whether it is actually added to the queue (see point 1 above).
2. Close the alert manually, check that the alert status is now Closed, and then see whether the record is removed from the queue.
Lastly, you can check the Audit Log tab in the alert record's detail view (it appears when you open any alert). The Audit Log tab lists all the activities related to the alert; if the queue is changed, it will be shown in the logs.
Answer to 1: The alert is seen in the queue that I created, and the column does not become blank when the status is changed to Closed.
Answer to 2: Yes, on the Queue page, when I click the View button in the top right corner, I can see the list of all the alerts in the queue. All alerts that are created with status Open are seen in this queue. But when the alert status is changed to Closed, the same alert remains in the queue.
I have tested the scenario by generating a test alert and the result is the same, i.e. the alert is not being removed from the queue.
A screenshot of the audit log for the alert is uploaded for reference.
Kindly help to resolve this issue.
TBH, as this is working as expected on my setup with the same settings, I could not figure out what exactly is wrong with your system. Can you try a few more things (just for testing; later you can revert the settings)?
1. Delete the queue and create a new one.
2. Change the exit criteria setting for alerts, e.g. Status equals Investigating; then, once you change the status of an alert in the queue to Investigating, it should be removed from the queue.
3. If it does not work, export the queue records and queue settings (Export - Modules, Administrative Settings -> System Views -> Queue Management Configuration) and see if you can share the exported file in this chat.
Please also tell us what version of FortiSOAR you are using.
Thanks, bbhaskar, for the support. I really appreciate the team's efforts!