Set Owner To Escalated Incident
LAST UPDATED: AUG 04 2024
Assigns a user to serve as the incident owner.
READER NOTE
This utility command is for D3 vSOC versions 16.8 and above.
This command is only applicable within an event playbook, after either the Create Incident or Create Incident With Conditions commands have run.
The command filters eligible users from a global list based on their expertise. It further narrows down candidates by assessing their availability and site assignment. The user list is then refined according to the incident type, followed by consideration of each user's current workload (if Least Incidents is set to Yes). If online status filtering is set to Yes, the system limits the selection to users who are currently online. In cases where multiple users meet the criteria, a random selection is made if randomization is set to Yes – otherwise the top user from the database is selected.
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT OWNER |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
User Global List | Optional | A global list formatted according to D3’s structure, specifying personnel availability and expertise type. See the Required Global List section. If neither the User Global List nor Expertise Fields parameters are provided, the command will filter users based on the other parameters. If the User Global List parameter is provided, the Expertise Fields parameter must also be included. | "Sample Global List" See the Required Global List section. |
Expertise Fields | Optional | The areas of user expertise sought. If neither the User Global List nor Expertise Fields parameters are provided, the command will filter users based on the other parameters. If the Expertise Fields parameter is provided, the User Global List parameter must also be included. | JSON |
Online User | Optional | If set to Yes, only online users will be considered. If set to No, both online and offline users will be considered. By default, the value is set to No. | Yes |
Least Incidents | Optional | If set to Yes, users with the fewest incidents assigned will be prioritized. If set to No, users will be selected regardless of their current incident load. By default, the value is set to No. | Yes |
Randomize | Optional | If set to Yes, and multiple eligible users are found, one user will be randomly selected from the eligible candidates. If set to No, the user who was created first will be selected. By default, the value is set to Yes. | No |
Default Assigned Owner | Required | The default user to assign as the owner if no eligible users are found from the global list. Define this user using their D3 username. If this parameter is not provided and no users meet the filtering criteria, the assignee of the escalated incident will remain unchanged. | admin |
Required Global List
REQUIRED LIST STRUCTURE
```json
{
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "UserName": {
        "type": "string",
        "description": "Name of the user"
      },
      "Expertise": {
        "type": "array",
        "items": {
          "type": "string"
        },
        "description": "List of expertise tags related to cybersecurity"
      },
      "Availability": {
        "type": "object",
        "properties": {
          "Timezone": {
            "type": "string",
            "description": "Timezone of the user, specified using the UTC offset (e.g., 'UTC+07:00')"
          },
          "WorkShift": {
            "type": "object",
            "properties": {
              "Days": {
                "type": "array",
                "items": {
                  "type": "string",
                  "enum": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
                },
                "description": "Days of the week the user is working"
              },
              "Time": {
                "type": "object",
                "properties": {
                  "Start": {
                    "type": "string",
                    "format": "time",
                    "description": "Start time of the work shift in HH:MM:SS format, in the user's timezone"
                  },
                  "End": {
                    "type": "string",
                    "format": "time",
                    "description": "End time of the work shift in HH:MM:SS format, in the user's timezone"
                  }
                },
                "required": ["Start", "End"],
                "description": "Time range of the user's work shift"
              }
            },
            "required": ["Days", "Time"],
            "description": "User's work shift schedule"
          },
          "DaysOff": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "Start": {
                  "type": "string",
                  "format": "date-time",
                  "description": "Start of the off time (leave/day off) in ISO 8601 format with timezone"
                },
                "End": {
                  "type": "string",
                  "format": "date-time",
                  "description": "End of the off time (leave/day off) in ISO 8601 format with timezone"
                }
              },
              "required": ["Start", "End"],
              "description": "Date-time range during which the user is off duty, with timezone information"
            },
            "description": "List of specific time ranges the user is unavailable"
          }
        },
        "required": ["Timezone", "WorkShift", "DaysOff"],
        "description": "Details about the user's availability, work schedule, and timezone"
      }
    },
    "required": ["UserId", "UserName", "Expertise", "Availability"],
    "description": "User object containing information about expertise and availability"
  }
}
```
SAMPLE GLOBAL LIST
```json
[
  {
    "UserName": "jdoe",
    "Expertise": [
      "Phishing Email Analysis",
      "Malware Detection",
      "Network Security"
    ],
    "Availability": {
      "Timezone": "UTC+00:00",
      "WorkShift": {
        "Days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"],
        "Time": {
          "Start": "09:00:00",
          "End": "17:00:00"
        }
      },
      "DaysOff": [
        {
          "Start": "2024-10-07T00:00:00",
          "End": "2024-10-08T00:00:00"
        },
        {
          "Start": "2024-10-06T12:00:00",
          "End": "2024-10-06T17:00:00"
        }
      ]
    }
  },
  {
    "UserName": "jsmith",
    "Expertise": [
      "Incident Response",
      "Cyber Threat Intelligence",
      "Vulnerability Assessment"
    ],
    "Availability": {
      "Timezone": "UTC+00:00",
      "WorkShift": {
        "Days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"],
        "Time": {
          "Start": "10:00:00",
          "End": "18:00:00"
        }
      },
      "DaysOff": [
        {
          "Start": "2024-10-06T00:00:00",
          "End": "2024-10-07T00:00:00"
        }
      ]
    }
  },
  {
    "UserName": "ejohnson",
    "Expertise": [
      "Penetration Testing",
      "Web Application Security",
      "Social Engineering Defense"
    ],
    "Availability": {
      "Timezone": "UTC+00:00",
      "WorkShift": {
        "Days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"],
        "Time": {
          "Start": "08:00:00",
          "End": "16:00:00"
        }
      },
      "DaysOff": [
        {
          "Start": "2024-10-05T00:00:00",
          "End": "2024-10-06T00:00:00"
        }
      ]
    }
  }
]
```
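The expertise and availability filtering described at the top of this page can be checked offline before a list is uploaded, so that incidents do not silently fall through to the Default Assigned Owner. The following is an added example, not D3's implementation: the function names, the `analyst_a`/`analyst_b` entries, the "any matching tag" rule, and the use of list order in place of user creation order are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# Constructed entries in the page's global list structure (not real personnel).
USERS = [
    {"UserName": "analyst_a", "Expertise": ["Phishing Email Analysis", "Malware Detection"],
     "Availability": {"Timezone": "UTC+00:00",
                      "WorkShift": {"Days": DAYS[:5], "Time": {"Start": "09:00:00", "End": "17:00:00"}},
                      "DaysOff": [{"Start": "2024-10-07T00:00:00", "End": "2024-10-08T00:00:00"}]}},
    {"UserName": "analyst_b", "Expertise": ["Incident Response", "Malware Detection"],
     "Availability": {"Timezone": "UTC+07:00",
                      "WorkShift": {"Days": DAYS[:5], "Time": {"Start": "09:00:00", "End": "17:00:00"}},
                      "DaysOff": []}},
]

def parse_offset(tz):
    """Convert a 'UTC+07:00' style Timezone value into a tzinfo object."""
    m = re.fullmatch(r"UTC([+-])(\d{2}):(\d{2})", tz)
    if not m:
        raise ValueError(f"Timezone must be a UTC offset such as 'UTC+07:00', got {tz!r}")
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))

def is_available(user, now_utc):
    """True if now_utc is inside the user's work shift and outside every DaysOff range."""
    av = user["Availability"]
    tz = parse_offset(av["Timezone"])
    local = now_utc.astimezone(tz)  # WorkShift times are in the user's timezone
    shift = av["WorkShift"]
    if DAYS[local.weekday()] not in shift["Days"]:
        return False
    # Assumption: a shift does not cross midnight, so HH:MM:SS strings compare directly.
    if not shift["Time"]["Start"] <= local.strftime("%H:%M:%S") < shift["Time"]["End"]:
        return False
    for off in av["DaysOff"]:
        # Assumption: a DaysOff value without an offset is in the user's timezone.
        start, end = (datetime.fromisoformat(off[k]) for k in ("Start", "End"))
        start = start if start.tzinfo else start.replace(tzinfo=tz)
        end = end if end.tzinfo else end.replace(tzinfo=tz)
        if start <= local < end:
            return False
    return True

def eligible_owners(users, expertise_fields, now_utc):
    """Usernames with at least one requested expertise tag (assumed rule) who are on shift."""
    wanted = set(expertise_fields)
    return [u["UserName"] for u in users
            if wanted & set(u["Expertise"]) and is_available(u, now_utc)]

def pick_owner(users, expertise_fields, now_utc, default_owner):
    """First eligible user in list order, else the Default Assigned Owner."""
    names = eligible_owners(users, expertise_fields, now_utc)
    return names[0] if names else default_owner
```

Running `eligible_owners` across a week of timestamps shows the hours in which no listed user covers a given expertise tag.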