Automatically closing offenses

The IBM® QRadar® SOAR Plug-in app uses an automatic action to notify QRadar whenever a SOAR case is closed. You can configure the action to close the corresponding offense as well.

About this task

When the offense is closed, a closing reason is provided. If the resolution on the case matches a closing reason in QRadar, then that reason is used. If the resolution does not exist as a closing reason in QRadar, then the closing reason for the offense defaults to Policy Violation.

Ideally, the Custom Offense Closing Reasons in QRadar and the Resolution Values in SOAR match. For more information about configuring QRadar close reasons, see Custom offense close reasons.

When you configure the app, it warns you of any SOAR resolution values that do not have a corresponding QRadar closing reason.
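The fallback described above can be audited ahead of time. The following is an added example, not code from the app or from IBM: it lists which SOAR resolution values would close offenses as Policy Violation. The sample closing reasons, their `id`/`text`/`is_deleted` fields, the sample resolution values, and the exact, case-sensitive comparison that skips deleted reasons are all assumptions made for illustration.

```python
import json

# Constructed sample of QRadar closing reasons; the field names
# (id, text, is_deleted) are an assumed export shape, not taken from the page.
QRADAR_CLOSING_REASONS_JSON = """
[
  {"id": 1, "text": "Non-Issue", "is_deleted": false},
  {"id": 2, "text": "False-Positive, Tuned", "is_deleted": false},
  {"id": 3, "text": "Policy Violation", "is_deleted": false},
  {"id": 54, "text": "Duplicate", "is_deleted": false},
  {"id": 55, "text": "resolved", "is_deleted": false},
  {"id": 56, "text": "Not an Issue", "is_deleted": true}
]
"""

# Constructed sample of SOAR resolution values.
SOAR_RESOLUTIONS = ["Unresolved", "Duplicate", "Not an Issue", "Resolved"]
FALLBACK_REASON = "Policy Violation"  # default closing reason named on the page


def active_reasons(raw_json):
    """Return {text: id} for closing reasons that are not marked deleted."""
    return {r["text"].strip(): r["id"]
            for r in json.loads(raw_json) if not r.get("is_deleted")}


def closing_reason_for(resolution, reasons):
    """Reason applied to the offense: exact match (assumed), else fallback."""
    name = resolution.strip()
    return name if name in reasons else FALLBACK_REASON


def audit(resolutions, reasons):
    """Per resolution: reason applied, whether it matched, any near-miss."""
    by_folded = {text.casefold(): text for text in reasons}
    report = []
    for res in resolutions:
        name = res.strip()
        matched = name in reasons
        # A reason differing only by case is a likely typo worth fixing.
        near = None if matched else by_folded.get(name.casefold())
        report.append({"resolution": res, "matched": matched, "near_miss": near,
                       "applied": closing_reason_for(res, reasons)})
    return report


if __name__ == "__main__":
    for row in audit(SOAR_RESOLUTIONS, active_reasons(QRADAR_CLOSING_REASONS_JSON)):
        print(row)
```

Rows with `matched` set to false are the resolutions whose offenses would be recorded as Policy Violation, which distorts closing-reason reporting until a matching custom closing reason is created.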

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  3. On the Preferences tab, select the Close Offense when Case closes checkbox.
  4. Select the SOAR resolution fields that are required to close the case.

Results

When the offense is closed, a note is added to it that shows the SOAR user who closed the case, the resolution ID, and the resolution summary.