Individual cases

A summary of key case data is shown on the Overview tab.

The following graphic shows an example of a case with the Overview tab displayed. Click a section to view more details.

The Overview shows the following synopsis of the case:
Case details
The case details section shows a summarized view of the key case information from the Details tab, including the case owner, Automated severity as determined by QRadar platform alert enrichment, and current phase. Hover over the Automated severity to view the assigned score.
The Findings section shows enriched alerts, including enrichment from X-Force Threat Intelligence and rule-based enrichment.

The QRadar platform enriches artifacts and findings with context and other information, which helps to determine the severity of both the artifacts and the findings. Artifacts are used to determine the severity of findings. Multiple artifacts can be associated with one finding, so the severity of the individual artifacts has a cumulative effect on the overall severity of the finding. Also, each enrichment rule has its own severity, which impacts the severity of the finding that it triggers.

The severity of a finding is the total of the severities of each of the unique artifacts associated with the finding.

You can click a finding to view more details about it in a side view, or click View findings to go to the findings in the Evidence tab.

Tasks list
The Tasks list section shows tasks and the progress of completed tasks. The list of tasks is determined by the playbook, whether the case was created automatically by the QRadar platform or created manually. You can click View tasks to go to the Tasks tab and see the detailed task information and available actions.
The Investigation section shows the progress of any investigation by Threat Investigator.
Case artifacts, such as email, IP addresses, or file names, are shown in the Artifacts section. Artifacts are assigned a severity score between 0 and 10, where 10 is the highest possible severity. Hover over an artifact severity icon to view its score.
You can click an artifact to view the artifact details in a sidebar, as shown in the following graphic, or click View artifacts to go to the Evidence tab.
Playbook status
If a playbook is running, its status is shown in Playbook status.
Related cases
Shows details of cases that match the open case. The following graphic shows an example with four related cases with 16 matching artifacts.