List of cases

The Cases page displays the cases that you have permission to view. The Cases page provides an overview of cases; you choose which information is shown by selecting the columns to display.

Go to the list of cases page by selecting Menu > My applications > Case Management, as shown in the following graphic.

The surrounding text describes this graphic, which is a snapshot of the user interface.

To control the information that is displayed in the case list, click Customize columns on the right, and then check the columns that you want to view, and clear columns that you want to hide. You can also drag the columns to reorganize the information.

You can change the layout from a table view to a kanban card view by clicking the Switch view icon. Click the settings icon to change the columns shown on the card. You can also expand or collapse any lane and scroll down or across to see more cases. Expand or collapse the Extra information section on a case to view more details. From the actions menu, you can take actions on a case. Use the Filters menu to filter the list of cases.
Note: Changes that you make to columns or filters apply to both the table and kanban card view.

Automated severity

The QRadar platform automatically assigns a severity to cases, also known as case severity. The Automated severity is calculated based on correlation done by the QRadar platform correlation engine. Case severity is based on a sum of the severities of its enriched artifacts and findings. When determining a case severity, each unique artifact and finding is counted only once.

As artifacts or findings are enriched with context, their severity is calculated based on the information provided by enrichment and threat intelligence services. The results of enrichment and threat intelligence services are weighted, based on performance over time. This weighting helps to prioritize if there are different severities from different sources for the same artifact.

The Automated severity of a case is the total of the severities of each of its unique artifacts, where the artifacts are those that are associated with each of the findings in the case. A high number of findings can increase the severity of a case, even if the findings individually have low severities, because they could have different artifacts whose severity scores, when combined, reach the threshold for a higher severity.

The correlation process is completed at the same time as enrichment. Findings are correlated during the correlation process, and their cumulative severity is determined. A number between -1 and +1 is assigned to this severity, and if that number is greater than or equal to 0.6, the QRadar platform creates a case candidate and sends it to Case Management.

Together, these combined factors are used to determine the Automated severity of a case. The case severity can change if new alerts or findings are automatically correlated to the case, or if you run a new investigation.

Finding severity

The QRadar platform enriches artifacts and findings with context and other information, which helps to determine the severity of both the artifacts and the findings. Artifacts are used to determine the severity of findings. Multiple artifacts can be associated with one finding, so the severity of the individual artifacts has a cumulative effect on the overall severity of the finding. Also, enrichment rules have their own severity, which impacts the severity of the finding that it triggers.

The severity of a finding is the total of the severities of each of the unique artifacts associated with the finding.
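The following is an added, illustrative model of the severity aggregation described in the Automated severity and Finding severity sections; it is not IBM's code and does not reproduce the QRadar platform's actual algorithm. It implements the two rules the page states (a finding's severity is the sum of its unique artifacts' severities; a case's severity is the sum over all its findings' artifacts with each unique artifact counted once, and a correlation score of 0.6 or more creates a case candidate) and makes two assumptions the page does not spell out: per-source enrichment scores are combined as a weighted mean, and an enrichment rule's own severity is added to its finding. All artifact values, source names and weights are constructed.

```python
"""Illustrative model of how QRadar Case Management aggregates severity.

Added example for this page, not IBM's code. All artifact values, source
names and weights are constructed. Two combination rules are assumptions
the page does not state: per-source scores are combined as a weighted
mean, and an enrichment rule's own severity is added to its finding.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weights for enrichment / threat-intel sources. The page says sources
# are weighted by their performance over time; these numbers are invented.
SOURCE_WEIGHTS: Dict[str, float] = {
    "reputation_feed": 0.6,
    "sandbox": 0.8,
    "community_feed": 0.4,
}


@dataclass(frozen=True)
class Artifact:
    kind: str    # e.g. "ip", "hash", "domain"
    value: str
    # (source name, severity reported by that source) pairs
    source_scores: Tuple[Tuple[str, float], ...]

    def identity(self) -> Tuple[str, str]:
        """Artifacts with the same type and value count once, wherever they appear."""
        return (self.kind, self.value)


@dataclass(frozen=True)
class Finding:
    name: str
    rule_severity: float          # severity of the enrichment rule that raised it
    artifacts: Tuple[Artifact, ...]


def artifact_severity(art: Artifact) -> float:
    """Weighted mean of per-source scores (assumed rule); unknown sources get weight 0."""
    weighted = 0.0
    total_weight = 0.0
    for source, score in art.source_scores:
        w = SOURCE_WEIGHTS.get(source, 0.0)
        weighted += w * score
        total_weight += w
    return weighted / total_weight if total_weight else 0.0


def unique_artifacts(artifacts) -> List[Artifact]:
    """Deduplicate by (kind, value), keeping first-occurrence order."""
    seen = {}
    for art in artifacts:
        seen.setdefault(art.identity(), art)
    return list(seen.values())


def finding_severity(finding: Finding) -> float:
    """Sum of unique artifact severities plus the rule's own severity (assumed additive)."""
    total = sum(artifact_severity(a) for a in unique_artifacts(finding.artifacts))
    return total + finding.rule_severity


def case_severity(findings) -> float:
    """Sum over the artifacts of all findings, each unique artifact counted once."""
    all_artifacts = [a for f in findings for a in f.artifacts]
    return sum(artifact_severity(a) for a in unique_artifacts(all_artifacts))


def naive_case_severity(findings) -> float:
    """Plain sum of finding severities; shown only to expose double counting of shared artifacts."""
    return sum(finding_severity(f) for f in findings)


CASE_CANDIDATE_THRESHOLD = 0.6  # from the page: correlation score >= 0.6 creates a case candidate


def is_case_candidate(correlation_score: float) -> bool:
    """Correlation assigns a score in [-1, +1]; at or above the threshold a case candidate is created."""
    if not -1.0 <= correlation_score <= 1.0:
        raise ValueError(f"correlation score out of range: {correlation_score}")
    return correlation_score >= CASE_CANDIDATE_THRESHOLD


# Constructed sample data: one IP artifact is shared by two findings.
IP_ARTIFACT = Artifact("ip", "203.0.113.7",
                       (("reputation_feed", 0.9), ("community_feed", 0.5)))
HASH_ARTIFACT = Artifact("hash", "sha256:constructed-placeholder", (("sandbox", 0.7),))
DOMAIN_ARTIFACT = Artifact("domain", "malicious.example", (("reputation_feed", 0.2),))

FINDINGS = (
    Finding("beaconing", 0.1, (IP_ARTIFACT, HASH_ARTIFACT)),
    Finding("phishing-link", 0.05, (IP_ARTIFACT, DOMAIN_ARTIFACT)),
)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.name}: {finding_severity(f):.2f}")
    print(f"case (unique artifacts): {case_severity(FINDINGS):.2f}")
    print(f"naive sum of findings:   {naive_case_severity(FINDINGS):.2f}")
```

Running the block shows why the page stresses that each unique artifact is counted once: the shared IP artifact contributes to both findings, so the naive sum of finding severities (2.53) overstates the case severity that deduplication gives (1.64). The `naive_case_severity` function exists only for that comparison.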