Investigating offenses automatically

You can configure the QRadar® Advisor with Watson™ app to investigate offenses in QRadar automatically.

Before you begin

You must have QRadar administrator privileges to configure offenses for automatic investigation.

About this task

Every 60 minutes, the QRadar Advisor with Watson app gets the list of offenses from QRadar that meet your specified criteria and that have not yet been analyzed. The app then queues up to 10 of the matching offenses at a time, and each queued offense is investigated.
Important: An automatic investigation runs only if the offense has not yet been analyzed and all of the criteria you configure match the offense. Offenses that are more than seven days old are not analyzed. If an offense is updated after it was analyzed, it is not automatically sent for investigation again unless you select the Enable automatic reinvestigation checkbox in step 10.

Starting with V2.5.2, if you don’t want to specify the criteria for auto-investigation of offenses, you can select the option to Investigate offenses suggested by Watson. Watson considers events and rules that triggered the offense, as well as other offense metadata, to predict the offenses that will most benefit from a full Watson investigation. It also learns from previous offense investigations. New offenses are pre-ranked by Watson and the offenses that benefit from a full Watson investigation are selected for auto-investigation. If none of the new offenses are chosen, then the latest offenses are selected for auto-investigation.

Note: If you are using QRadar domains, you should not enable automatic investigation unless you want offenses from all of your domains to be investigated automatically.

Procedure

  1. On the navigation menu, click Admin.
  2. In the Apps section, under QRadar Advisor with Watson, click Configuration.
  3. Click Optional Settings to open the Optional Settings menu page.
  4. Click Automatic Investigation.
  5. Select the Enable automatic local investigation checkbox.
  6. Select from the following options:
    • Investigate offenses suggested by Watson
    • Investigate offenses that match configured criteria
  7. If you selected Investigate offenses that match configured criteria, configure the following criteria:
    Offense status: Specify the type of offense you want included for automatic investigation.
    • Open: Select to investigate all open offenses, whether active or inactive.
    • Active: Select to investigate only open and active offenses. Inactive and closed offenses are not included for automatic investigation.
    Magnitude range: Specify the magnitude range for an offense to be selected for automatic investigation. The offense magnitude must be within the defined range. For example, if the selected range is 8-10, offenses with magnitude 8, 9 and 10 match the criteria.
    Tip: If you want to limit the magnitude to a single integer, join the sliders so that they overlap.
    Offense start time: Specify the amount of time (1 minute - 24 hours) that must pass before an offense is investigated. For example, if you specify 20 minutes, the offense must be at least 20 minutes old before it is investigated.
    Tip: If Watson is not discovering many observables, consider increasing the start time so more events can be collected by the QRadar system. Waiting until additional offenses are collected can provide more evidence for Watson to analyze.
    Tip: To see the start date and time of an offense, view the Start Date column on the Offenses tab.
    Last event/flow: Specify the amount of time (0 minutes - 24 hours) that must pass after an offense was last updated with a new event before the offense is investigated. For example, if you specify 20 minutes, the offense's most recent event must be at least 20 minutes old before the offense is investigated.
    Tip: To see when the last event or flow of an offense occurred, view the Last Event/Flow column on the Offenses tab.
    Offense high-level categories: Specify the offense high-level category.
    • All offense high-level categories: Select to investigate all offense high-level category types.
    • Selected offense high-level categories: Select Available offense high-level categories from the list and then click the down arrow to add the category to the Selected offense high-level categories list.
      Note: You must select at least one offense high-level category from the list.
      Tip: You can see an offense high-level category and its associated low-level categories by completing the following steps.
      1. From the Offense Summary page on the Offenses tab, click Display > Categories to view the low-level categories for the offense.
      2. From the Offenses tab, click By Category. Offenses are grouped by high-level category. To view the low-level categories for a specific high-level category, click the arrow icon next to the high-level category name.
      For more information, click the help icon.
    Offense types: Specify an offense type.
    • All offense types: Select to investigate all offense types.
    • Selected offense types: Select Available offense types from the list and then click the down arrow to add the type to the Selected offense types list.
      Note: You must select at least one offense type from the list.
  8. Select the Enable Watson enriched investigation checkbox to send offenses that meet the automatic investigation criteria to Watson.
  9. Set the Maximum daily limit to allocate a maximum percentage of your daily limit to be used for automatic investigations. After the allocated percentage is used, the Watson enriched investigations stop for the day but the automatic local investigations will continue. Watson enriched investigations start again the following day when your daily quota is reset.
    Note: If you have an enterprise license, this option is not shown.
  10. Select the Enable automatic reinvestigation checkbox to automatically reinvestigate previously investigated offenses.

    When automatic reinvestigation is enabled, the QRadar Advisor with Watson app can reinvestigate previously investigated offenses that meet all of the following criteria:
    • They were automatically investigated one time and have not been reinvestigated.
    • They have accumulated more events and flows since the previous investigation.

  11. Click Submit.
    Automatic investigation screen
  12. Click Complete.
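To make the selection rules concrete, the following added example models how the criteria from step 7, the seven-day and not-yet-analyzed rules from "About this task", the 10-offense queue, and the reinvestigation conditions from step 10 combine in one 60-minute cycle. This is not the QRadar Advisor with Watson app's own code; the offense records, timestamps, category and type names are constructed sample data, and the decision that the step 7 criteria are not re-applied to reinvestigation candidates is an assumption the page does not settle.

```python
"""Model of the automatic-investigation selection rules (added example, not the
app's own code). All offenses, timestamps, category and type names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

MAX_OFFENSE_AGE = timedelta(days=7)   # offenses older than seven days are never analyzed
QUEUE_SIZE = 10                       # at most 10 offenses are queued per 60-minute cycle
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0)   # constructed "current time" for the sample


@dataclass
class Offense:
    id: int
    is_open: bool
    is_active: bool                   # an open offense is either active or inactive
    magnitude: int                    # 1-10
    start_time: datetime
    last_event_time: datetime         # time of the last event/flow that updated the offense
    high_level_category: str
    offense_type: str
    event_count: int = 0
    analyzed: bool = False
    auto_investigations: int = 0      # how many times the app has auto-investigated it
    events_at_last_investigation: int = 0


@dataclass
class Criteria:
    status: str = "open"                                  # "open" (active or inactive) or "active"
    magnitude_range: Tuple[int, int] = (8, 10)            # inclusive; (9, 9) pins a single value
    offense_start_time: timedelta = timedelta(minutes=20)  # minimum offense age
    last_event_flow: timedelta = timedelta(minutes=20)     # minimum quiet time after the last event
    categories: Optional[Set[str]] = None                 # None = all high-level categories
    offense_types: Optional[Set[str]] = None              # None = all offense types


def matches_criteria(o: Offense, c: Criteria, now: datetime) -> bool:
    """True only if the offense is not yet analyzed, is at most seven days old,
    and every configured criterion matches (all criteria must match)."""
    if o.analyzed or now - o.start_time > MAX_OFFENSE_AGE:
        return False
    if not o.is_open:                        # closed offenses are never selected
        return False
    if c.status == "active" and not o.is_active:
        return False
    low, high = c.magnitude_range
    if not low <= o.magnitude <= high:
        return False
    if now - o.start_time < c.offense_start_time:
        return False
    if now - o.last_event_time < c.last_event_flow:
        return False
    if c.categories is not None and o.high_level_category not in c.categories:
        return False
    if c.offense_types is not None and o.offense_type not in c.offense_types:
        return False
    return True


def eligible_for_reinvestigation(o: Offense) -> bool:
    """Step 10 conditions: auto-investigated exactly once, not reinvestigated since,
    and more events/flows accumulated since then. Assumption: the step 7 criteria
    are not re-applied here."""
    return (o.analyzed and o.auto_investigations == 1
            and o.event_count > o.events_at_last_investigation)


def select_for_investigation(offenses: List[Offense], criteria: Criteria,
                             now: datetime, reinvestigate: bool = False) -> List[int]:
    """One cycle: collect matching offenses (plus reinvestigation candidates when
    enabled) and queue at most QUEUE_SIZE of them; the rest wait for a later cycle."""
    chosen = [o for o in offenses if matches_criteria(o, criteria, now)]
    if reinvestigate:
        chosen += [o for o in offenses if eligible_for_reinvestigation(o)]
    return [o.id for o in chosen[:QUEUE_SIZE]]


def sample_offenses(now: datetime) -> List[Offense]:
    """Constructed offenses that each exercise one rule (sample data, not QRadar output)."""
    ago = lambda minutes: now - timedelta(minutes=minutes)
    base = dict(is_open=True, is_active=True, high_level_category="Exploit",
                offense_type="Source IP")
    return [
        Offense(1, magnitude=9, start_time=ago(120), last_event_time=ago(30), **base),    # matches
        Offense(2, magnitude=9, start_time=ago(120), last_event_time=ago(30),
                **{**base, "is_active": False}),                                          # inactive
        Offense(3, magnitude=7, start_time=ago(120), last_event_time=ago(30), **base),    # magnitude too low
        Offense(4, magnitude=10, start_time=ago(10), last_event_time=ago(5), **base),     # younger than 20 min
        Offense(5, magnitude=8, start_time=ago(60), last_event_time=ago(5), **base),      # last event too recent
        Offense(6, magnitude=8, start_time=now - timedelta(days=8),
                last_event_time=ago(60), **base),                                         # older than 7 days
        Offense(7, magnitude=10, start_time=ago(180), last_event_time=ago(60),
                **{**base, "high_level_category": "Malware"}),                            # category not selected
        Offense(8, magnitude=9, start_time=ago(600), last_event_time=ago(40), event_count=55,
                analyzed=True, auto_investigations=1, events_at_last_investigation=40,
                **base),                                                                  # reinvestigation candidate
        Offense(9, magnitude=9, start_time=ago(600), last_event_time=ago(400), event_count=40,
                analyzed=True, auto_investigations=1, events_at_last_investigation=40,
                **base),                                                                  # no new events since
        Offense(10, magnitude=8, start_time=ago(1440), last_event_time=ago(120), **base), # matches
    ]


if __name__ == "__main__":
    crit = Criteria(status="active", magnitude_range=(8, 10), categories={"Exploit"})
    print(select_for_investigation(sample_offenses(SAMPLE_NOW), crit, SAMPLE_NOW))
    print(select_for_investigation(sample_offenses(SAMPLE_NOW), crit, SAMPLE_NOW, reinvestigate=True))
```

Running the model with the "active" status, an 8-10 magnitude range and only the Exploit category selects offenses 1 and 10; switching status to "open" also admits the inactive offense 2, and enabling reinvestigation adds offense 8 but not offense 9, which has gained no events. The ordering of the queue and what happens to offenses beyond the tenth are not described on the page, so the model simply keeps the first 10 in input order.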

What to do next

Your configuration is complete. You can begin using the QRadar Advisor with Watson app.