QRadar SOAR Plug-in app

The IBM® QRadar SOAR Plug-in app simplifies and streamlines the process of escalating and managing cases by providing bidirectional transfer of information between IBM QRadar and SOAR.

The app is installed on the QRadar Console. It sends offense information to SOAR and keeps notes and closing information synchronized on both systems.

The app also includes extra features and workflows that extend the SOAR capabilities. From within a case, you can use the QRadar Ariel Query Language (AQL) to search QRadar data, and you can add case data to QRadar reference sets.

Throughout the entire workflow, SOAR reports case investigation notes back to the QRadar offense. You can also configure the app to close the QRadar offense when the SOAR case is closed.

SOAR organizations

In a standard configuration, a single organization is used for all cases. You can also configure SOAR with multiple organizations. For example, you might configure one organization for each business division within your company. Or, you might configure one organization for development and testing, and another for production. In a standard configuration that has multiple organizations, each organization is managed separately.

MSSP deployments

The SOAR for Managed Security Service Providers (MSSP) deployment option allows for multiple SOAR child organizations to be managed from a single configuration organization. Security analysts and other users can monitor cases in multiple child organizations.

If you are connecting to a SOAR for MSSP deployment, you must configure the QRadar SOAR Plug-in to enable Multiple Organization Support and map the app to the SOAR configuration organization. When you make changes in the configuration organization, a SOAR administrator must push the changes to the child organizations.