In addition to manually adding users to a Post Incident Review (PIR) assessment list for a security incident, you can define assignment rules that automatically add users or groups to the list.
Before you begin
Role required: sn_si.admin, sn_si.manager, sn_si.analyst
Procedure
1. Navigate to All > Security Incident > Administration > Post Incident Review - Assessments Setup.
2. Select the Configure button corresponding to the User Assignment Rules section.
3. On the Post Incident Review Assignment Rules page, select New.
4. Fill in the fields, as needed.

Field | Description
Name | The name of this assignment rule.
Active | Option to activate the rule.
Order | Controls the display order of this assignment rule. Assignment rules with lower sequence numbers appear first. Note: Only the first matching assignment rule is executed, and only the users defined in that rule are added to the assessment list.
Condition | Option to configure the condition builder to define the conditions that must be met in the security incident for this rule to be executed. For more information, see the example below.
Assign to users | Field to add users to the review list. After the field is unlocked, options are available for adding or removing multiple users, roles, or entering user email addresses.
Assignment Group | Option to add an assignment group. All the active users of this group with the sn_si.analyst role are added to the post incident review for a security incident.

5. Select Submit.
Malicious code activity
In the post incident review assignment rule shown here, when a security incident with the Category field set to Malicious code activity transitions to the Review state, the three users identified (who happen to be experts in dealing with malicious code activity) are added to the list of users who receive the post incident review questionnaire for this security incident.
Figure 1. Malicious code activity
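The first-match behavior described in the Order note means a broad rule with a lower order number can keep a more specific rule from ever running. The following added example is not ServiceNow code and calls no ServiceNow API; it is a plain JavaScript model of the documented semantics that shows the effect. The rule, user, and group names are constructed, conditions are simplified to field equality, and combining the Assign to users and Assignment Group fields as a union is an assumption.

```javascript
// Model of the documented semantics; no ServiceNow API is used.
// Conditions are simplified to field-equality maps (assumption).
function matches(rule, incident) {
  return Object.entries(rule.condition).every(([f, v]) => incident[f] === v);
}

// Active rules are evaluated in ascending Order; only the first match is executed.
function firstMatchingRule(rules, incident) {
  return rules
    .filter((r) => r.active)
    .sort((a, b) => a.order - b.order)
    .find((r) => matches(r, incident)) || null;
}

// Named users plus active group members who hold sn_si.analyst.
// Treating the two fields as a union is an assumption.
function reviewersFor(rule, groups) {
  const members = (groups[rule.group] || [])
    .filter((m) => m.active && m.roles.includes('sn_si.analyst'))
    .map((m) => m.user);
  return [...new Set([...rule.users, ...members])];
}

// Constructed sample data (hypothetical names).
const groups = {
  'Malware Response': [
    { user: 'analyst.d', active: true, roles: ['sn_si.analyst'] },
    { user: 'analyst.e', active: false, roles: ['sn_si.analyst'] }, // inactive: skipped
    { user: 'member.f', active: true, roles: [] },                  // lacks the role: skipped
  ],
};
const catchAll = { name: 'All incidents', active: true, order: 100,
  condition: {}, users: ['pir.manager'], group: null };
const malware = { name: 'Malicious code experts', active: true, order: 200,
  condition: { category: 'Malicious code activity' },
  users: ['expert.a', 'expert.b', 'expert.c'], group: 'Malware Response' };
const incident = { category: 'Malicious code activity', state: 'Review' };

// The catch-all has the lower Order, so it shadows the specific rule.
const shadowed = firstMatchingRule([catchAll, malware], incident);
// Moving the catch-all behind the specific rule lets the experts rule run.
const fixed = firstMatchingRule([{ ...catchAll, order: 300 }, malware], incident);

console.log(shadowed.name, reviewersFor(shadowed, groups));
console.log(fixed.name, reviewersFor(fixed, groups));
```

When you review a rule set, give the broadest conditions the highest order numbers so that category-specific rules are evaluated first.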