Managing and configuring orchestration and automation

IBM® Security QRadar SOAR provides the tools and technology to automate and orchestrate your cybersecurity response. In this documentation, the terms cases and incidents are sometimes used interchangeably.

Overview

Your IBM Security QRadar SOAR administrator and playbook designer administer and customize the SOAR application to provide the full set of orchestration and automation capabilities to security analysts who are investigating and responding to cases. If you have apps that you want to use with IBM Security QRadar SOAR, an app developer can develop these apps.

SOAR administrators
IBM Security QRadar SOAR administrators can complete tasks such as setting up roles and permissions for IBM Security QRadar SOAR users, configuring inbound email connections, configuring notifications, and installing integration apps.
All of the administration tasks are described in System administrator.
Playbook designers
Playbook designers can create custom playbooks, which drive the orchestration and automation of cybersecurity response. Playbooks are essentially dynamic templates that automatically create case tasks and determine how cases are driven from creation to resolution. Playbook designers typically create different playbooks for different case types and according to their organization's processes and tools. Playbook designers can also customize the layout and content of the Case Management application that analysts use to respond to cases.
Playbooks and how to create them are described in detail in Playbook designer.
App developer
App developers can develop apps for the SOAR application to access and return external data, interact or integrate with other security systems, or work as a utility that performs a specific action.

Analysts in the case management team typically do not administer the IBM Security QRadar SOAR application or create playbooks and apps, although this depends on your organization. Security analysts are primarily concerned with responding to and managing cases.

IBM Security QRadar SOAR and Case Management

Users who do not have a license for IBM Security QRadar SOAR can access a basic version of Case Management. When you have an IBM Security QRadar SOAR license, you are entitled to an enhanced, full-feature version of Case Management. For example, the full-feature version contains a global view of artifacts, analytics-driven insights into your cases, and the ability to configure inbound email connections and your own playbooks to drive case response. An IBM Security QRadar SOAR administrator and playbook designer can customize the full-feature version of Case Management to suit your processes and requirements. With the full-feature version of Case Management, you can access additional features by clicking Menu > My applications > Case Management.