Configuring the escalation workflow

You can escalate offenses automatically or you can escalate them manually from within IBM® QRadar®.

Before you begin

Automatic escalations run against new and existing open offenses in QRadar when the application is first installed.

Important: If you do not want to create a case for all open offenses that match the escalation criteria, close any open offenses that match the escalation criteria before you enable automatic escalation.

About this task

The Escalation tab has settings for configuring how offenses are sent to SOAR.

Procedure

  1. On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  2. On the Escalations tab, configure the settings.
    1. In the Template Files section, choose the template to use.

      The template specifies how the fields from the QRadar offense map to the SOAR case fields.

      For more information, see Template mapping.

    2. In the Ignored Artifacts section, specify the reference sets that contain IP addresses that you do not want to use for creating artifacts.

      For example, you might add all IP addresses of internal systems to a reference set, and then use that reference set to build an ignore list for artifact creation.

      For more information about referencing ignored artifacts, see Case artifact mapping.

    3. In the Escalations section, select an Artifact Limit.

      Each time the case is created, or needs to be updated, the Artifact Limit applies a ceiling to the number of artifacts sent to SOAR. The limit applies separately to the source and destination IP Address artifacts. The default value is 20. Fewer than the limit might be sent if there is an overlap between the data in an update and the existing IP artifacts in SOAR.

    4. In the Escalations section, select Number of Artifact threads.

      This setting is the maximum number of simultaneous requests that the plugin makes to update a case in SOAR. If artifact playbooks are used to update the case object, set this value to 1.

    5. In the Escalations section, select Maximum Number Of Artifacts Per Payload.

      This setting is the maximum number of artifacts allowed in each case update payload.

      The plugin makes a series of requests to SOAR to add the artifacts to a case. Each request payload contains at most the number of artifacts set in Maximum Number Of Artifacts Per Payload. Smaller values are preferred.

    6. In the Automatic Escalation Conditions section, add an escalation rule by specifying the rule conditions and the template to use.

      For offense fields that have integer values, such as severity, magnitude, credibility, and device count, the rule is matched on the exact value that you provide in the Value Match Expression field.

      For more information about the way that automatic escalations work, see Automatic escalations.

    7. In the Additional Escalation Options section, select Allow offense updates to create SOAR cases.
      With this option, any offense update message for which no matching SOAR case is found for the QRadar offense is treated as a case_create request.
    8. In the Manual Escalation mode section, select the method of creating cases.
      Important: If Multiple Organization Support is enabled, this setting applies to all QRadar domains.
      • Choose Create incidents immediately upon escalation to send the offense directly to SOAR.
      • Choose Review incidents prior to escalation to review the case details before the offense is escalated to SOAR.

        With this option, IP address IDs are not converted as artifacts during the case creation process. Instead, in the following update cycle, if there are IP addresses to convert from IDs, they are mapped as artifacts up to the user-specified limit.

      With either option, the case is created and you can edit it in SOAR.

  3. Click Save.
    You must save the configuration to add the escalation rules to QRadar.
  4. Click Verify and Configure.
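Steps 2.2, 2.3, 2.5 and 2.6 describe how the plugin drops IP addresses found in the ignored reference sets, applies the Artifact Limit separately to source and destination IP Address artifacts, skips values already present in SOAR, splits the remaining artifacts into payloads of at most Maximum Number Of Artifacts Per Payload, and matches integer rule conditions on exact values. The following Python model is added here to illustrate those rules on a constructed offense; it is not code from the QRadar SOAR plugin. The function names, the reference-set contents, the sample offense, and the assumption that an IP already added as a source artifact is not added again as a destination artifact are all my own.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed reference set playing the role of an Ignored Artifacts entry:
# internal ranges whose addresses must never become SOAR artifacts.
INTERNAL_REFERENCE_SET = {"10.0.0.0/8", "192.168.0.0/16"}


def is_ignored(ip: str, ignore_set: Iterable[str]) -> bool:
    """True when ip falls inside any CIDR (or single address) in the ignore set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignore_set)


def select_artifacts(candidates: List[str], already_present: Set[str],
                     ignore_set: Iterable[str], limit: int) -> List[str]:
    """Apply the ignore list, skip values SOAR already holds, dedupe, and cap at limit.

    Order is preserved so the first addresses seen in the offense win the cap.
    """
    selected: List[str] = []
    seen = set(already_present)
    for ip in candidates:
        if ip in seen or is_ignored(ip, ignore_set):
            continue
        seen.add(ip)
        selected.append(ip)
        if len(selected) >= limit:
            break
    return selected


def build_case_update(source_ips: List[str], dest_ips: List[str],
                      existing_in_soar: Set[str], ignore_set: Iterable[str],
                      artifact_limit: int = 20, max_per_payload: int = 5) -> Dict:
    """Model of one case update cycle.

    The Artifact Limit is applied separately to source and destination IPs.
    Assumption (mine): an IP just selected as a source artifact counts as
    already present when destinations are selected, so it is not sent twice.
    """
    src = select_artifacts(source_ips, existing_in_soar, ignore_set, artifact_limit)
    dst = select_artifacts(dest_ips, existing_in_soar | set(src), ignore_set, artifact_limit)
    artifacts = (
        [{"type": "IP Address", "value": ip, "description": "Source IP"} for ip in src]
        + [{"type": "IP Address", "value": ip, "description": "Destination IP"} for ip in dst]
    )
    # One request per payload, each holding at most max_per_payload artifacts.
    payloads = [artifacts[i:i + max_per_payload] for i in range(0, len(artifacts), max_per_payload)]
    return {"source": src, "destination": dst, "payloads": payloads}


def rule_matches(offense: Dict, conditions: Dict) -> bool:
    """Automatic Escalation Condition check for integer fields: exact value match only."""
    return all(offense.get(field) == value for field, value in conditions.items())


if __name__ == "__main__":
    # Constructed offense: mixes public, internal, duplicate and already-escalated IPs.
    offense = {"severity": 7, "magnitude": 5,
               "source_ips": ["203.0.113.5", "10.1.2.3", "198.51.100.7", "203.0.113.5", "192.0.2.9"],
               "destination_ips": ["192.168.1.10", "198.51.100.200", "203.0.113.44"]}
    if rule_matches(offense, {"severity": 7}):
        update = build_case_update(offense["source_ips"], offense["destination_ips"],
                                   existing_in_soar={"198.51.100.7"},
                                   ignore_set=INTERNAL_REFERENCE_SET,
                                   artifact_limit=2, max_per_payload=2)
        for n, payload in enumerate(update["payloads"], 1):
            print(f"request {n}: {[a['value'] for a in payload]}")
```

With the constructed offense and a limit of 2, the internal 10.1.2.3 and 192.168.1.10 are dropped, 198.51.100.7 is skipped because SOAR already holds it, the duplicate 203.0.113.5 is sent once, and the four surviving artifacts go out in two requests of two. Raising the limit or the payload size changes only how many artifacts and requests result, not which addresses are eligible.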

What to do next

Configure the options on the Preferences tab. For more information, see Custom actions.