You can escalate offenses automatically or you can escalate them manually from within IBM® QRadar®.
Before you begin
Automatic escalations run against new and existing open offenses in QRadar when the application is first installed.
Important: If you do not want to create a case for all open offenses that match the escalation criteria, close any open offenses that match the escalation criteria before you enable automatic escalation.
About this task
The Escalation tab has settings for configuring how offenses are sent to SOAR.
Procedure
- On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
- On the Escalations tab, configure the settings.
- In the Template Files section, choose the template to use. The template specifies how the fields from the QRadar offense map to the SOAR case fields. For more information, see Template mapping.
- In the Ignored Artifacts section, specify the reference sets that contain IP addresses that you do not want to use for creating artifacts. For example, you might add all IP addresses of internal systems to a reference set, and then use that reference set to build an ignore list for artifact creation.
- In the Escalations section, select an artifact limit. The artifact limit is the maximum number of source and destination IP address artifacts that are created when the offense's IP address IDs are converted to addresses. The default limit is 20, and it applies individually to source and destination addresses.
- In the Automatic Escalation Conditions section, add an escalation rule by specifying the rule conditions and the template to use. For offense fields that have integer values, such as severity, magnitude, credibility, and device count, the rule is matched on the exact value that you provide in the Value Match Expression field. For more information about the way that automatic escalations work, see Automatic escalations.
- In the Additional Escalation Options section, select Allow offense updates to create SOAR cases. With this option, any offense update message that does not find a matched SOAR case in the QRadar Offense is seen as a case_create request.
- In the Manual Escalation mode section, select the method of creating cases.
  Important: If Multiple Organization Support is enabled, this setting applies to all QRadar domains.
  - Choose Create incidents immediately upon escalation to send the offense directly to SOAR.
  - Choose Review incidents prior to escalation to review the case details before the offense is escalated to SOAR. With this option, IP address IDs are not converted as artifacts during the case creation process. Instead, in the following update cycle, if there are IP addresses to convert from IDs, they are mapped as artifacts up to the user-specified limit.
  With either option, the case is created and you can edit it in SOAR.
- Click Save. You must save the configuration to add the escalation rules to QRadar.
- Click Verify and Configure.
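As an added example (not the plugin's own code), the following Python model shows how the settings from the steps above interact when an offense is escalated: a rule's integer conditions (severity, magnitude, credibility, device count) match only on the exact value, addresses found in an ignored reference set are never turned into artifacts, and the artifact limit of 20 is applied separately to source and destination addresses. The class, function and field names, the first-match rule ordering, and the string comparison of non-integer fields are assumptions of this example, not the plugin's API; the reference set and the offense are constructed sample data.

```python
from dataclasses import dataclass

DEFAULT_ARTIFACT_LIMIT = 20          # plugin default; applies per direction
# Offense fields the documentation lists as integer-valued (exact match only).
INTEGER_FIELDS = {"severity", "magnitude", "credibility", "device_count"}


@dataclass
class EscalationRule:
    conditions: dict   # offense field -> value match expression (assumed shape)
    template: str      # template file that maps offense fields to case fields


def rule_matches(rule, offense):
    """Integer fields match only on the exact value; other fields are
    compared as strings (an assumption of this example)."""
    for name, expected in rule.conditions.items():
        if name not in offense:
            return False
        actual = offense[name]
        if name in INTEGER_FIELDS:
            if int(actual) != int(expected):
                return False
        elif str(actual) != str(expected):
            return False
    return True


def select_template(rules, offense):
    """First matching rule wins (rule ordering is an assumption of this model)."""
    for rule in rules:
        if rule_matches(rule, offense):
            return rule.template
    return None


def build_artifacts(offense, ignored_reference_sets, limit=DEFAULT_ARTIFACT_LIMIT):
    """Drop addresses present in any ignored reference set, then cap each
    direction separately at the artifact limit."""
    ignore = set()
    for ref_set in ignored_reference_sets:
        ignore.update(ref_set)
    artifacts = {}
    for direction in ("source", "destination"):
        candidates = offense.get(direction + "_ips", [])
        kept = [ip for ip in candidates if ip not in ignore]
        artifacts[direction] = kept[:limit]
    return artifacts


def escalate(offense, rules, ignored_reference_sets, limit=DEFAULT_ARTIFACT_LIMIT):
    """Return the case that would be created, or None if no rule matches."""
    template = select_template(rules, offense)
    if template is None:
        return None
    return {
        "offense_id": offense["id"],
        "template": template,
        "artifacts": build_artifacts(offense, ignored_reference_sets, limit),
    }


# Constructed sample configuration and offense (not real QRadar data).
INTERNAL_HOSTS = {"10.0.0.5", "10.0.0.6"}   # stands in for an ignored reference set
RULES = [
    EscalationRule({"severity": 8}, "high_severity_template.json"),
    EscalationRule({"magnitude": 5, "offense_type": "Source IP"}, "default_template.json"),
]
SAMPLE_OFFENSE = {
    "id": 1234,
    "severity": 8,
    "magnitude": 6,
    "offense_type": "Source IP",
    "source_ips": ["10.0.0.5", "198.51.100.7"],
    # 25 external destinations plus one internal host: the internal host is
    # ignored and the remaining 25 are capped at the limit of 20.
    "destination_ips": ["203.0.113.%d" % n for n in range(1, 26)] + ["10.0.0.6"],
}

if __name__ == "__main__":
    case = escalate(SAMPLE_OFFENSE, RULES, [INTERNAL_HOSTS])
    print(case["template"],
          len(case["artifacts"]["source"]),
          len(case["artifacts"]["destination"]))
```

Note that an offense with severity 7 does not match the first rule even though it is "close" to 8; integer conditions are exact, so a rule that should cover a range needs one condition per value or a different field.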
What to do next
Configure the options on the Preferences tab. For more information, see Custom actions.