Configuring the escalation workflow
Before you begin
Automatic escalations run against new and existing open offenses in QRadar when the application is first installed.
About this task
The Escalation tab has settings for configuring how offenses are sent to SOAR.
- On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
- On the Escalations tab, configure the settings.
  - In the Template Files section, choose the template to use.
    The template specifies how the fields of the QRadar offense map to the SOAR case fields. For more information, see Template mapping in the IBM QRadar SOAR Plug-in app.
  - In the Ignored Artifacts section, specify the reference sets that contain IP addresses that you do not want to turn into artifacts.
    For example, you might add all IP addresses of internal systems to a reference set, and then use that reference set as an ignore list for artifact creation. For more information about ignored artifacts, see Case artifact mapping in QRadar SOAR Plug-in app.
  - In the Escalations section, select an artifact limit.
    The artifact limit is the maximum number of source and destination IP address artifacts that the plug-in creates when it resolves QRadar IP address IDs to addresses. The default limit is 20, and it applies separately to source addresses and to destination addresses.
  - In the Automatic Escalation Conditions section, add an escalation rule by specifying the rule conditions and the template to use.
    For offense fields that have integer values, such as severity, magnitude, credibility, and device count, the rule matches only on the exact value that you enter in the Value Match Expression field. For more information about the way that automatic escalations work, see Automatic escalations.
  - In the Manual Escalation mode section, select the method of creating
    Important: If Multiple Organization Support is enabled, this setting applies to all QRadar domains.
    - Choose Create incidents immediately upon escalation to send the offense directly to SOAR.
    - Choose Review incidents prior to escalation to review the case details before the offense is escalated to SOAR.
      With this option, IP address IDs are not converted to artifacts during case creation. Instead, in the next update cycle, any IP addresses that still need to be resolved from IDs are mapped to artifacts, up to the artifact limit that you set.
    With either option, the case is created in SOAR and you can edit it there.
- In the Template Files section, choose the template to use.
  The escalation rules are not added to QRadar until you save the configuration.
- Click Verify and Configure.
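The following model, added here as an example and not part of the plug-in's own code, shows how the three settings above interact: an ignore list built from a reference set of internal addresses, the per-direction artifact limit, and exact-value matching on integer offense fields. All rule names, offense IDs and IP addresses are constructed for the example. Two points are assumptions rather than documented behaviour and are labelled as such in the code: that when several rules match, the first one listed wins, and that ignored addresses are filtered out before the artifact limit is counted.

```python
"""Model of the QRadar SOAR Plug-in escalation settings (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Offense fields that the page says are matched on the exact value supplied.
INTEGER_FIELDS = {"severity", "magnitude", "credibility", "device_count"}


@dataclass
class EscalationRule:
    template: str                  # template file to use when the rule matches
    conditions: Dict[str, object]  # field name -> Value Match Expression


@dataclass
class Offense:
    id: int
    fields: Dict[str, object]
    source_ips: List[str]          # IP address IDs already resolved to addresses
    destination_ips: List[str]


def rule_matches(rule: EscalationRule, offense: Offense) -> bool:
    """True only if every condition holds; integer fields need an exact value."""
    for name, expected in rule.conditions.items():
        actual = offense.fields.get(name)
        if name in INTEGER_FIELDS:
            if actual != int(expected):   # severity 7 never satisfies "8"
                return False
        elif str(actual) != str(expected):  # assumption: other fields compare as strings
            return False
    return True


def first_matching_rule(rules: List[EscalationRule], offense: Offense) -> Optional[EscalationRule]:
    """Assumption: the first listed rule that matches decides the template."""
    return next((r for r in rules if rule_matches(r, offense)), None)


class IgnoreList:
    """Stand-in for the reference set(s) chosen under Ignored Artifacts."""

    def __init__(self, entries: List[str]):
        self.networks = [ip_network(e, strict=False) for e in entries]

    def contains(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in net for net in self.networks)


def build_artifacts(offense: Offense, ignore: IgnoreList, limit: int = 20) -> Tuple[List[Tuple[str, str]], int]:
    """Return (artifacts, count dropped by the limit).

    The limit applies separately to source and destination addresses.
    Assumption: ignored addresses are removed before the limit is applied.
    """
    artifacts, dropped = [], 0
    for direction, ips in (("source", offense.source_ips), ("destination", offense.destination_ips)):
        kept = [ip for ip in ips if not ignore.contains(ip)]
        artifacts.extend((direction, ip) for ip in kept[:limit])
        dropped += max(0, len(kept) - limit)
    return artifacts, dropped


def run_escalation(rules, offenses, ignore, limit=20) -> Dict[int, dict]:
    """Escalate every offense that matches a rule and attach its artifacts."""
    results = {}
    for off in offenses:
        rule = first_matching_rule(rules, off)
        if rule is None:
            continue  # no automatic escalation for this offense
        artifacts, dropped = build_artifacts(off, ignore, limit)
        results[off.id] = {"template": rule.template, "artifacts": artifacts, "dropped": dropped}
    return results


# Constructed sample data: an "internal systems" reference set, two rules, three offenses.
IGNORE = IgnoreList(["10.0.0.0/8", "192.168.0.0/16"])
RULES = [
    EscalationRule("critical_template.json", {"severity": 8}),
    EscalationRule("standard_template.json", {"magnitude": 5}),
]
OFFENSES = [
    Offense(1, {"severity": 8, "magnitude": 5}, ["10.0.0.5", "203.0.113.7"], ["192.168.1.1", "198.51.100.20"]),
    Offense(2, {"severity": 7, "magnitude": 3}, ["203.0.113.8"], []),
    Offense(3, {"severity": 4, "magnitude": 5}, ["203.0.113.9"], [f"198.51.100.{n}" for n in range(1, 26)]),
]


def example() -> Dict[int, dict]:
    return run_escalation(RULES, OFFENSES, IGNORE, limit=20)


if __name__ == "__main__":
    for oid, r in example().items():
        print(f"offense {oid}: {r['template']}, {len(r['artifacts'])} artifacts, {r['dropped']} dropped by limit")
```

Offense 2 is not escalated because severity 7 is not an exact match for the rule value 8; offense 1 loses its two internal addresses to the ignore list; offense 3 keeps 20 of its 25 external destination addresses because the limit is counted per direction.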
What to do next
Configure the options on the Preferences tab. For more information, see Custom actions.