Table of Contents
Below you'll find a table of contents for the Incident Manager journey.
Streamline incident response with SecOps SOAR Incident Manager. Keep your team organized and focused by managing critical incidents from start to finish in one central platform. Collaborate across departments, track tasks with clear timelines, and organize information chronologically for easy reference. Improve team efficiency and ensure everyone's on the same page with a clear picture of the situation, decisions made, and next steps. Turn incident response into a well-oiled machine with SecOps SOAR Incident Manager.
Prerequisites
- Entitlement for SecOps SOAR on the account and project
- Administrative permissions to Chronicle SOAR
Actions
Define Auditors
An auditor is an Incident Manager power user. Auditors are automatically added to every incident that is handled in the Incident Manager. They can also close and reopen incidents and view closed incidents. Platform administrators are automatically considered auditors.
Prerequisites
See the Relevant Links section for more documentation regarding the prerequisites.
- Administrative permissions to Chronicle SOAR
Steps
- Navigate to SOAR Settings > Incident Manager > Auditors.
- Click Add Auditors.
- Choose the required user. This list is populated from any users in the system.
- Choose the required department. This list is populated from the list of departments you previously created in SOAR Settings.
Relevant Links
Define Authorized Environments
Each customer can handle cases from only a limited number of environments. The number of environments is determined by your license. The default environment is automatically added here.
Prerequisites
See the Relevant Links section for more documentation regarding the prerequisites.
- Administrative permissions to Chronicle SOAR
Steps
- Navigate to SOAR Settings > Incident Manager > Authorized Environments. All the environments in your company appear on the page.
- Select the environments whose cases can be handled in the Incident Manager if the need arises. Once you have chosen the ones you need, you can hide all the other environments using the checkbox at the top of the page.
Relevant Links
Create Incident Reports
Generate clear reports to justify ROI to management, demonstrate transparency to stakeholders, and make data-driven decisions for future improvements. Turn incident data into actionable knowledge with reports in SecOps SOAR Incident Manager.
Prerequisites
See the Relevant Links section for more documentation regarding the prerequisites.
- Administrative permissions to Chronicle SOAR
Steps
- Click Menu on the Dashboard tab in the Incident Manager.
- Select Incident Report. A Microsoft Word document (.docx) is downloaded to your desktop containing all the incident details.
Relevant Links
Congratulations! Your Onboarding Journey for Chronicle SOAR is complete!