Incident management team

IBM Security® QRadar® SOAR is a central hub for incident response. It is customizable and can be tailored to meet the needs of your company or organization. Therefore, how you interact with IBM Security QRadar SOAR depends on these customizations.

A security analyst in an incident management team is responsible for monitoring and responding to cases, assigning and resolving tasks, and analyzing data. Security analysts use IBM Security QRadar SOAR to manage incidents, respond to tasks, perform statistical analysis, and more.

An incident is an event in which data or a system might be compromised. IBM Security QRadar SOAR allows these incidents to be entered by users or systems that are integrated with it. You can then monitor the status from the start to resolution.

An incident in IBM Security QRadar SOAR can contain the following objects:

  • Task: a unit of work to be accomplished by a user, device, or process. IBM Security QRadar SOAR handles some tasks automatically. You can be assigned tasks to do manually and mark those tasks as done when you complete them. Incident owners can track the progress of the various tasks.
  • Note: text added to an incident or task for clarification or additional information.
  • Attachment: a file that is uploaded and attached to an incident or task.
  • Artifact: data that supports or relates to the incident. Artifacts are organized by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample. Artifacts with the same value but in different incidents can be shown as related.
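The following Python sketch is an added example, not IBM's code and not the QRadar SOAR API; the object and artifact-type names are illustrative assumptions. It models the incident objects listed above and shows how artifacts with the same value can relate otherwise separate incidents, including the value normalisation (hash case, MAC address notation) a practitioner would want before comparing them:

```python
"""Toy model of incident objects (added example, not IBM QRadar SOAR code).
Artifact types and object names are illustrative, not the product's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import re

# Illustrative artifact type names chosen for this example.
HASH_TYPES = {"MD5 Hash", "SHA-1 Hash"}


def normalize_artifact_value(artifact_type: str, value: str) -> str:
    """Canonicalise a value so cosmetically different artifacts compare equal.

    Hashes are hex and case-insensitive; MAC addresses arrive in several
    notations; URLs keep their case because paths may be case-sensitive.
    """
    v = value.strip()
    if artifact_type in HASH_TYPES:
        return v.lower()
    if artifact_type == "MAC Address":
        hexdigits = re.sub(r"[^0-9a-fA-F]", "", v).lower()
        if len(hexdigits) != 12:
            raise ValueError(f"not a MAC address: {value!r}")
        return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return v


@dataclass(frozen=True)
class Artifact:
    type: str
    value: str
    attachment: Optional[str] = None  # e.g. file name of an attached sample


@dataclass
class Incident:
    id: int
    name: str
    artifacts: List[Artifact] = field(default_factory=list)
    tasks: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


Key = Tuple[str, str]


def build_artifact_index(incidents: List[Incident]) -> Dict[Key, Set[int]]:
    """Map (type, normalised value) -> ids of incidents containing that artifact."""
    index: Dict[Key, Set[int]] = {}
    for inc in incidents:
        for art in inc.artifacts:
            key = (art.type, normalize_artifact_value(art.type, art.value))
            index.setdefault(key, set()).add(inc.id)
    return index


def related_incidents(incident: Incident, index: Dict[Key, Set[int]]) -> Dict[int, List[Key]]:
    """Return {other incident id: [shared (type, value) keys]} for this incident."""
    related: Dict[int, List[Key]] = {}
    for art in incident.artifacts:
        key = (art.type, normalize_artifact_value(art.type, art.value))
        for other_id in sorted(index.get(key, ())):
            if other_id != incident.id:
                related.setdefault(other_id, []).append(key)
    return related


# Constructed sample incidents; the hash and MAC values are made up for the example.
SAMPLE_INCIDENTS = [
    Incident(1, "Phishing email", artifacts=[
        Artifact("MD5 Hash", "D41D8CD98F00B204E9800998ECF8427E", attachment="invoice.doc"),
        Artifact("URL", "https://example.invalid/login"),
    ]),
    Incident(2, "Malware on workstation", artifacts=[
        Artifact("MD5 Hash", "d41d8cd98f00b204e9800998ecf8427e"),
        Artifact("MAC Address", "00-1A-2B-3C-4D-5E"),
    ]),
    Incident(3, "Rogue device on network", artifacts=[
        Artifact("MAC Address", "00:1a:2b:3c:4d:5e"),
    ]),
]

if __name__ == "__main__":
    idx = build_artifact_index(SAMPLE_INCIDENTS)
    for inc in SAMPLE_INCIDENTS:
        print(inc.id, inc.name, related_incidents(inc, idx))
```

Without normalisation the two MD5 values above would not match (different case) and neither would the two MAC addresses (different separators), so the three incidents would appear unrelated even though they share indicators.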

In addition to objects, an incident can run one or more workflows. A workflow is a predefined set of activities that can run a complex set of instructions. If you have permission, you can view the status of an incident’s workflows and, if necessary, stop a workflow.

If you are using the SOAR for MSSPs add-on, see SOAR for MSSPs.