Automatically closing cases

You can set the IBM® QRadar® SOAR Plug-in app to close a SOAR case automatically whenever the corresponding offense is closed.

About this task

When an offense is closed, rules that are included in the IBM QRadar SOAR Plug-in 5.x content pack content pack are used to post a close message in the message queue. When the app detects the close message, the corresponding SOAR case is closed.

To close cases automatically, you must configure the SOAR resolution fields in the app.

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  3. On the Preferences tab, select the Close Case when Offense closes checkbox.
  4. In the Map SOAR Fields Required on Closing section, map a value for each of the case fields that are required upon closing.
    Image showing the app configuration screen to map resolution values.

    The Resolution Summary can include text or offense fields, and some fields might be required to close. You must map those fields by using Jinja2 syntax.

    For example, the Resolution Summary might look like this: QRadar Offense Status: {{offense.status}}.

    For more information about Jinja2 syntax, see Filter expressions.