In addition to manually adding users to the post incident review assessment list for a
security incident, you can define assignment rules that add users to the list
automatically.
Before you begin
Role required: sn_si.admin, sn_si.manager, sn_si.analyst
Procedure
Navigate to All > Security Incident > Administration > Post Incident Review - Assessments Setup.
Drill down to the User Assignment Rules section.
Click Configure.
Click New.
Fill in the fields, as needed.
| Field | Description |
| --- | --- |
| Name | The name of this assignment rule. |
| Active | Select this check box to make the rule active. |
| Order | Enter a numerical value to specify where in the list of assignment rules this rule should appear. Lower numbers appear at the top of the list. Note: Only the first matching assignment rule is executed, and only the users defined in that rule are added to the assessment list. |
| Condition | Use the condition builder to define the conditions that must be met in the security incident for this rule to be executed. For more information, see the example below. |
| Assign to users | Click the lock icon to add users to the review list. After the field is unlocked, options are available for adding or removing multiple users, roles, or entering user email addresses. |
Click Submit.
Malicious code activity
In the post incident review assignment rule shown here, when a security incident with the
Category field set to Malicious code activity transitions to the Review state, the three
users identified (who happen to be experts in dealing with malicious code activity) are
added to the list of users who will receive the post incident review questionnaire for
this security incident.
Figure 1. Malicious code activity
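
Because only the first matching rule runs, a broad rule with a lower Order value can silently keep a more specific rule (such as the malicious code one above) from ever adding its users. The following is an added example, not ServiceNow code or part of the original page: a standalone JavaScript model of first-match evaluation with a check for shadowed rules. The rule names, user names, and the modelling of a condition as field=value equality tests are assumptions made for illustration.

```javascript
// Added illustration: a standalone model of first-match evaluation, not ServiceNow code.
// Rules and user names are constructed. A condition is modelled as a set of
// field=value tests that must all hold (an assumption; the condition builder
// supports more operators than equality).
const rules = [
  { name: "All reviews", active: true, order: 100,
    condition: { state: "Review" }, users: ["ir.manager"] },
  { name: "Malicious code experts", active: true, order: 200,
    condition: { state: "Review", category: "Malicious code activity" },
    users: ["malware.analyst1", "malware.analyst2", "malware.analyst3"] },
  { name: "Retired rule", active: false, order: 50,
    condition: { state: "Review" }, users: ["former.lead"] },
];

const matches = (condition, incident) =>
  Object.entries(condition).every(([field, value]) => incident[field] === value);

// Active rules in ascending Order; lower numbers are evaluated first.
const activeByOrder = (ruleList) =>
  ruleList.filter((r) => r.active).sort((a, b) => a.order - b.order);

// Only the first matching rule contributes users to the assessment list.
function usersForIncident(ruleList, incident) {
  const hit = activeByOrder(ruleList).find((r) => matches(r.condition, incident));
  return hit ? { rule: hit.name, users: hit.users } : { rule: null, users: [] };
}

// A rule is shadowed when an earlier active rule's tests are a subset of its own:
// every incident that satisfies the later rule also satisfies the earlier one.
function findShadowedRules(ruleList) {
  const ordered = activeByOrder(ruleList);
  const shadowed = [];
  ordered.forEach((later, i) => {
    const earlier = ordered.slice(0, i).find((e) =>
      Object.entries(e.condition).every(([f, v]) => later.condition[f] === v));
    if (earlier) shadowed.push({ rule: later.name, shadowedBy: earlier.name });
  });
  return shadowed;
}
```

With the constructed rules, a malicious code incident in the Review state is assigned only `ir.manager`; giving the specific rule a lower Order value than the broad one removes the shadowing.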