Case creation and correlation

After correlating and enriching alerts, the QRadar platform escalates a case candidate to Case Management, where an automated analysis is completed to determine whether a new case is created or if it is merged with an existing case. A case candidate contains a case matching profile, case reference data, and a list of artifacts. This data provides Case Management with the ability to either match with an existing case or create a new case.

When Case Management receives a case candidate from the QRadar platform, it deduplicates by adding to an existing case, or it creates a new case.

Correlation: A case matching event is known as correlation. Case Management searches all of the existing open cases for matching case data. When it finds matching data, it merges the incoming case candidate into the oldest matching case. It also updates the News Feed tab for that case with a correlation event.
Note: Closed cases are not included as candidates for case merging, even when they contain case matching data.
Case creation: When the case candidate is unique and no matches are found in the list of existing cases, Case Management automatically creates a new case. Case Management adds a case creation event to the News Feed tab for the case.

Enrichment adds more information to the normalized alerts (findings) that come in from the separate tools to determine the severity of the alert. The IBM X-Force Threat Intelligence Service provides the severity score for the observables in an alert (files, IP addresses, URLs, domains). The enrichment rules from IBM Security look for specific observables in alerts that adjust the severity score.

Note: A new machine-learning service provides enrichments to alerts from all alert ingestion sources. Key parts of the enrichment include the confidence score of the machine-learning prediction, and key indicators (the attributes of the alert that led to the machine-learning prediction). Machine learning enrichment is in preview mode.

Correlation occurs after enrichment. The QRadar platform correlates similar findings that are collected from supported tools (data sources), and combines them into one case, with related alerts, for analysts to further investigate. If an alert matches a previous one based on the condition (properties), they are correlated together, based on cumulative severity score, into a case for the analyst to investigate.

As more insights are gained from user interactions and more enrichment services are added, improvements to creating case candidates that are based on alerts will occur over time.