Automatic case updates

An offense in IBM® QRadar® continues to evolve over time, and new events and IP addresses can become associated with an offense after it is created.

These updates are automatically pushed to the corresponding case if both the case and the offense remain open. Because the same template that was used to create a case is used to update it, any changes to that template after a case is created affect how the case is updated. Similarly, deleting a template results in no further updates to the cases that were created with it.

Case fields that contain a mapping that uses the Jinja2 syntax are updated each time that the offense changes, unless the template marks the field as locked. For more information, see Case field mapping.

Depending on how the app is configured, updates to the QRadar offense can also trigger new artifacts to be created for the SOAR case. For information about customizing the template to include artifact creation, see Creating templates by using the Case Mapping tool.