Escalating a case manually

A security analyst can manually escalate an offense to SOAR from the Offenses tab on the QRadar® Console. You can also add IP address artifacts to existing SOAR cases.

Important:

To raise a case and add artifacts to a case, your user role must have the IBM® QRadar SOAR Plug-in permission. Without this permission, you cannot see the Send to SOAR button on the Offenses tab in QRadar.

Before you begin

Ensure that pop-up windows are enabled in your browser.

Procedure

  1. In the QRadar Console, click the Offenses tab.
  2. Select an offense in the offense table.
  3. In the toolbar, click Send to SOAR.

    The Select Case Template File pop-up window opens for you to select the mapping template that you want to use to create the case. For more information, see Template mapping in the IBM QRadar SOAR Plug-in app.

    Tip: If you are in the QRadar Offense Details window, the Send to SOAR button is on the Offense details toolbar.

    In QRadar Analyst Workflow, you can also send an offense to SOAR from the Actions menu.

  4. Select a template from the list and click OK.

    The case is created and the artifacts are added.

    If Multiple Organization Support is enabled, the domain information of the selected offense is used to find the mapped SOAR organization. If a mapped organization is found, the offense is escalated to that organization. If no mapped organization is found, an error message is shown.

Results

The QRadar offense is escalated and sent to SOAR.

On the Offense Summary page, you can use the SOAR Case URL to view the case in SOAR.

Tip:

If you log in to SOAR and cannot see the case, and the message Error: Unable to find object with ID <xxxxx> is displayed, you might be logged in to the wrong organization.

Verify that you are logged in to the same SOAR organization as the one that is configured in the QRadar SOAR Plug-in app.