Creating templates by using the Case Mapping tool

Use the Case Mapping Tool to create customized templates that tell the IBM® QRadar® SOAR Plug-in app how to map the QRadar offense fields to the SOAR case fields.

Before you begin

You must know how to write filter expressions by using the Jinja2 template language. To learn more, see Filter expressions.

Procedure

  1. On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  2. Click the Escalation tab, and click Build a New Template.

    The list of fields that you can use to build your template is automatically retrieved from SOAR.

  3. In the Template Name field, type a descriptive name for the template.
  4. For each field that you want to map, type the Jinja2 filter expression.

    A red asterisk next to a field indicates that the field is required.

    Tip: The refresh icon that appears next to the field indicates that the field is updated each time that the offense is updated. If you do not want the field to refresh, click the refresh icon to lock it.
  5. In the Generate Artifacts section, select the offense fields that you want to automatically create artifacts from.
    1. Select the checkbox for each type of offense field that you want to include.
    2. For each type of offense data, select the Apply Ignore List checkbox if you want to exclude specific addresses from creating artifacts.

      The addresses that you want to ignore must be part of a reference set.

      Tip: The name of the reference set to ignore is specified on the Escalation tab.
  6. In the Create Additional Artifacts section, add your own definitions for creating artifacts.

    Only normalized offense fields can be used to create artifacts.

  7. Click Test Template.
    1. Select Render Test Only to validate only the field mappings.
    2. Select Render and Submit Simulated Incident to validate the field mappings and submit a simulated case to the SOAR platform.
      Important: To create a simulated case, the SOAR user role or API key must have Simulation Permissions specified in the SOAR administration settings.
  8. Click Save Template.
    A template file is generated based on the template name and the field-mapping definitions that you specified.
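
Example

The following Python sketch is an added example, not code from IBM or the plug-in. It mimics the Render Test Only step offline with the stock jinja2 package, so that a misspelled offense field or an empty required field is caught before the template is saved. The offense values, the case field names, and the `render_test` helper are constructed for illustration, and none of the plug-in's own filters are used.

```python
from jinja2 import StrictUndefined, TemplateError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample offense; the field names are assumptions for illustration.
SAMPLE_OFFENSE = {
    "id": 1042,
    "description": "Multiple login failures followed by success",
    "severity": 7,
    "offense_source": "198.51.100.23",
}

# Hypothetical mapping: case field name -> Jinja2 expression.
MAPPING = {
    "name": "QRadar offense {{ offense.id }}: {{ offense.description }}",
    "severity_code": "{{ 'High' if offense.severity >= 7 else "
                     "'Medium' if offense.severity >= 4 else 'Low' }}",
    "description": "Source {{ offense.offense_source | default('unknown') }}",
}

# Hypothetical set of required case fields (the red-asterisk fields).
REQUIRED = frozenset({"name", "description"})


def render_test(mapping, offense, required=REQUIRED):
    """Render every expression and return (rendered, errors)."""
    # StrictUndefined turns a reference to a missing offense field into an
    # error instead of a silent empty string; the sandbox restricts what an
    # expression may access.
    env = SandboxedEnvironment(undefined=StrictUndefined)
    rendered, errors = {}, {}
    for field, expr in mapping.items():
        try:
            rendered[field] = env.from_string(expr).render(offense=offense).strip()
        except TemplateError as exc:
            errors[field] = f"{type(exc).__name__}: {exc}"
    # A required field must be mapped and must render to a non-empty value.
    for field in sorted(required):
        if field not in errors and not rendered.get(field):
            errors[field] = "required field is empty or unmapped"
    return rendered, errors


if __name__ == "__main__":
    values, problems = render_test(MAPPING, SAMPLE_OFFENSE)
    for field, value in values.items():
        print(f"{field}: {value}")
    print("errors:", problems)
```
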