Adding data to a QRadar reference set

You can configure the IBM® QRadar® SOAR Plug-in app so that you can add data to QRadar reference sets directly from SOAR.

You can use reference sets to track QRadar offense data that is not valuable to SOAR, such as the IP addresses of internal systems. Used with the Ignored Artifacts capability, reference sets keep unwanted artifacts out of SOAR cases.

If Multiple Organization Support is enabled, you cannot use this feature.

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  3. On the Preferences tab, click the Enable Adding Reference Entries From SOAR checkbox.
  4. Select the reference sets that you want to make available to SOAR.

    The QRadar reference sets appear in the Reference Sets list.

  5. On the Escalation tab, under Ignored Artifacts, specify which reference sets to use to suppress artifact creation.

Results

The reference sets are configured for use in SOAR.

What to do next

In SOAR, open a case. On the Artifacts tab, under the Actions menu, select the reference set to add the information to.

Image shows the case Artifact tab in SOAR, with the Actions menu expanded to show the option to add to a reference set.

Choose the reference set to add the data to.

Image shows SOAR window with drop-down list of QRadar reference sets.

As a QRadar administrator, you can see the values that are added to the reference set.
  1. On the Admin tab, in the System Configuration section, click Reference Set Management.
  2. Select the reference set and click View contents.

    The reference set values appear in the Content list.

    Image shows the values of a reference set in QRadar.
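Because every value in a reference set that is used under Ignored Artifacts suppresses artifact creation, it is worth reviewing what has been added. The following is an added example, not part of the product documentation: it audits an exported copy of a reference set and flags values that are not internal addresses. It assumes the contents were exported as JSON with a `data` list whose entries carry `value` and `source` fields, and that "internal" means the private ranges listed in `INTERNAL_NETS`; the set name and sample entries are constructed.

```python
import ipaddress
import json

# Assumption: the organization's internal ranges; adjust to your own network plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample export; the field layout is an assumption, not from the page.
SAMPLE_EXPORT = """
{
  "name": "Internal Systems (constructed)",
  "data": [
    {"value": "10.20.30.40",  "source": "constructed-analyst-a"},
    {"value": "192.168.1.15", "source": "constructed-analyst-a"},
    {"value": "203.0.113.77", "source": "constructed-analyst-b"},
    {"value": "fd00::12",     "source": "constructed-analyst-b"},
    {"value": "not-an-ip",    "source": "constructed-analyst-c"}
  ]
}
"""

def audit_ignored_set(export_json):
    """Sort reference set values into internal, external and invalid.

    Values in an ignored reference set never become SOAR artifacts, so any
    entry that is not an internal address should be reviewed.
    """
    report = {"internal": [], "external": [], "invalid": []}
    for entry in json.loads(export_json).get("data", []):
        value = str(entry.get("value", "")).strip()
        source = entry.get("source", "unknown")
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            report["invalid"].append((value, source))
            continue
        # Membership is False when the address and network versions differ.
        internal = any(addr in net for net in INTERNAL_NETS)
        report["internal" if internal else "external"].append((value, source))
    return report

if __name__ == "__main__":
    result = audit_ignored_set(SAMPLE_EXPORT)
    for bucket in ("external", "invalid"):
        for value, source in result[bucket]:
            print(f"REVIEW {bucket}: {value!r} (source: {source})")
```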