Configuring the escalation workflow

You can escalate offenses automatically or you can escalate them manually from within IBM® QRadar®.

Before you begin

Automatic escalations run against new and existing open offenses in QRadar when the application is first installed.

Important: If you do not to create a case for all open offenses that match the escalation criteria, close any open offenses that match the escalation criteria before you enable automatic escalation.

About this task

The Escalation tab has settings for configuring how offenses are sent to SOAR.

Procedure

  1. On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  2. On the Escalations tab, configure the settings.
    1. In the Template Files section, choose the template to use.

      The template specifies how the fields from the QRadar offense map to the SOAR case fields.

      For more information, see Template mapping.

    2. In the Ignored Artifacts section, specify the reference sets that contain IP addresses that you do not want to use for creating artifacts.

      For example, you might add all IP addresses of internal systems to a reference set, and then use that reference set to build an ignore list for artifact creation.

      For more information about referencing ignored artifacts, see Case artifact mapping.

    3. In the Escalations section, select an artifact limit.

      An artifact limit is the maximum number of source and destination IP address artifacts to be created from IDs to addresses. The default limit is 20, and applies individually to source and destination addresses.

    4. In the Automatic Escalation Conditions section, add an escalation rule by specifying the rule conditions and the template to use.

      For offense fields that have integer values, such as severity, magnitude, credibility, and device count, the rule is matched on the exact value that you provide in the Value Match Expression field.

      For more information about the way that automatic escalations work, see Automatic escalations.

    5. In the Additional Escalation Options section, select Allow offense updates to create SOAR cases.
      With this option, any offense update message that does not find a matched SOAR case in the QRadar Offense is seen as a case_create request.
    6. In the Manual Escalation mode section, select the method of creating cases.
      Important: If Multiple Organization Support is enabled, this setting applies to all QRadar domains.
      • Choose Create incidents immediately upon escalation to send the offense directly to SOAR.
      • Choose Review incidents prior to escalation to review the case details before the offense is escalated to SOAR.

        With this option, IP address IDs are not converted as artifacts during the case creation process. Instead, in the following update cycle, if there are IP addresses to convert from IDs, they are mapped as artifacts up to the user-specified limit.

      With either option, the case is created and you can edit it in SOAR.

  3. Click Save.
    You must save the configuration to add the escalation rules to QRadar.
  4. Click Verify and Configure.

What to do next

Configure the options on the Preferences tab. For more information, see Custom actions.