SIR Workspace Related Records
This section consists of the related lists items that are grouped into sections such as associated observables and configuration items.
The following related lists groups that are available as a part of the base system. You can modify these groups or create groups within the application and their respective actions.
| Related list | Grouped item |
|---|---|
| Business Impact |
|
| Threat Intel |
|
| Phishing |
|
| Related Security Incidents |
|
| SLA Records | Task SLAs |
| Source Events/Alerts | Source events or alerts are the SIEM integration enabled related list such as Source Email, LogRhythm Drill Down Logs, LogRhythm Events, Aggregated IBM QRadar Offense and so on. Note: This list is completely
dependent on the integration that you have in your instance. To view the relevant SIEM integration related list, you must install the latest version. |
| Sighting Search |
|
| Observable Enrichment |
|
| Endpoint Detection and Response (EDR) |
|
Configure Security Incident Related List
You can add new related lists or new related list groups, and modify existing groups or related lists that appear in the SIR Workspace.
Before you begin
The security incident related list are grouped and displayed as group related list items on the Related Records tab on the workspace.
Role required: sn_si.admin
Procedure
-
In the classic UI, navigate to .
-
Go to .
The Configuring related lists on Security Incident form is displayed.
-
Select the newly created view.
After you select the view, choose the required related list fields from the slush bucket.Note:If you want to modify anything, select the view and remove or add the items.
-
Select Security Incident Response Workspace.
The UX Application Security Incident Response Workspace page is displayed.
-
Go to UX Page Properties tab and select
relatedListLayoutConfig option in the list
view.
-
Add the newly created view name separated by a comma to an already existing
list of values in the Value text box under the
sn_si_incident.viewsUsedForGrouping field.
For example, if you had created a new view name as, Business Impact then in the Value text box you must specify it as business_impact (which is separated by underscore within the view name and separated by a comma after an existing value) under the sn_si_incident:groups field.Note:Below is an example view which shows the newly created views added.If you add the new view name under sn_si_incident.viewsUsedForGrouping field then the entry will be created in the Related Records tab of the workspace.
If you update the view name entry in si_other_records.viewsUsedForGrouping then the related list group will get added in the Other Records tab of the workspace.
Note:requiredRolesForGrouping contains comma separated sys_user_role record names. SIR Workspace user should have at least one of these roles, to use the grouped related lists. When a user does not have any of these roles then related lists view configured for the current user role using view rule configuration will be represented vertically without grouping. This property is ignored when isGrouped property is set to false. If this property is empty any user can access the grouped related lists.
Configure Response Task Related List
Use this section to configure response tasks new related lists that appears on the Security Incident Response application.
Procedure
-
Navigate to .
-
Go to View name and select sirw
view.
-
Select the desired related list fields from the slush bucket.
For example, Affected Locations.
-
Navigate to .
The configured related lists (For example, Affected Users as selected) is listed within the Related Records list.