Incident response process
Request a QRadar SOAR demo Watch a demo (2:58)
Pattern of overlapping divided circles
Defining your incident response process

When responding to an incident, time is critical. You need to make the right decisions, based on the right data, with the right decision makers, all in the right order. Having a well-defined and efficient process is critical. Automating as much of that process as possible reduces time and improves analyst effectiveness.  

A well-defined incident response (IR) requires planning, skills, coordination and automation to ensure a timely and accurate response. NIST (link resides outside and SANS (link resides outside have IR guidelines that have withstood the tests of time. NIST outlines a well-defined IR process as having these phases:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post-Incident Activity

IBM Security® QRadar® SOAR playbooks provide the ability to define an IR process based on a simple hierarchy of phases, tasks and actions. When a case gets created in QRadar SOAR, a playbook defines the phases, tasks and actions needed to respond.

How it works
Planning Create policies, IR process (sequence of tasks) actions, incident documentation, communication, team identification, tools, access to the tools, and training

QRadar SOAR Playbook Designer makes it easy to build a standard incident response process or set of tasks. Playbook tasks provide analysts guidance on how to complete each task and the order to perform the tasks. Decision points allows the process to be dynamic and branch to include additional tasks or skip unnecessary tasks. During an incident, additional tasks can be manually added by an analyst.

The Qradar SOAR Breach Response module provides analysts with breach-specific tasks, covering over 180 global privacy regulations, to help you meet reporting requirements and avoid hefty fines.

Tasks define actions, and actions can run automation—through integrations—with other tools to accelerate the response process. QRadar SOAR can integrate with more than 300 security solutions. You can simply start by defining the set of tasks and the order of task execution, then automate the most commonly executed actions first.

Discovery and identification  Identify alerts or incidents that need to be investigated further

Automated threat detection and threat hunting provides alerts that need to be reviewed by an analyst. Sending those alerts to QRadar SOAR creates a case and initiates the incident response (IR) process.

Tasks assist the security team to analyze the infected system and analyze network traffic for lateral movement.

Playbooks help create the right set of tasks, which may vary based on the type of incident or source. QRadar SOAR allows you to create playbooks for different types of attacks; the playbooks contain logic to trigger different tasks based on attributes of the attack.

The earlier a SOAR case gets created, the more the automation can help to save time. Tasks can guide new analysts and build case documentation. The archive function can help clean up old cases or false positives, keeping the system clean, but allowing a permanent record that you can always retrieve.

Enrichment and validation Collect details on the alert and validate alerts as true incidents

In this phase, an analyst needs to research and determine if the alert is real. Task guidance can use actions to automatically collect the details from multiple, connected tools, gathering all relevant information. The information is added to case data tables, and this starts the incident documentation process.

Enrichment can be as simple as going to an LDAP directory to add the laptop owner to the case or gather all the pertinent details from the alert source (for example, SIEM, EDR, cloud and more). By automating enrichment with playbook actions, analysts can focus on reviewing and confirming the incident or marking it as a false positive.

If any data was lost, completing the breach response questionnaire with the number of affected individuals and their geographies can help determine applicable regulations and the associated response times and reporting tasks.


Browse the IBM App Exchange for enrichment and validation integrations
Containment and remediation Contain the attack and prevent further damage

Time is of the essence during an attack, and automating actions saves time and reduces the learning curve for new analysts.  With over 300 integrations and support for open standards, automating containment actions is the first priority. Once an analyst confirms the incident, actions can run automatically or manually by an analyst. Actions in this phase can take a system offline or stop a process from executing.  Integrations with EDR tools, such as QRadar EDR or Cybereason, can also take an employee's laptop offline.

For IT systems, such as a payroll or human resources, automations can look up system IT and business owners in an asset management tool such as ServiceNow or SAP. Automations can send an email to the owners to tell them the system is infected, and add the owners to the case data table with comments that the owners were notified through email or Slack.

Playbooks can be dynamic, so in the event of a high valued target, such as an executive laptop, time may be critical and playbooks can execute containment actions while the analyst continues to work tasks during the Enrichment and Validate phase. After the details of the attack are confirmed, actions can automate updates to a firewall blocklist by using an EDR integration, which helps prevent lateral movement or reentry, saving analysts time.

Browse the IBM App Exchange for containment, response and recovery integrations
Recovery and communication Remove any malicious code or entry points and restore the affected systems, test and then bring affected systems back online

During this phase, security teams can facilitate the remaining recovery actions and communicate incident resolution across the team. Analysts can automate actions to create and track requests to IT to reimage machines or restore from backups.

Bidirectional integrations with tools such as ServiceNow allow analysts to create a ticket from QRadar SOAR and monitor progress. ServiceNow can update the case when the ServiceNow ticket is completed. You can also automate actions that request your EDR solution such as QRadar EDR, Carbon Black or SentinelOne, to bring the system back online.

Lessons learned
Reporting summarizes the documentation for each response and action taken. An incident report will summarize for the review to ensure all the proper documentation is part of the case. In the case of a data breach, a review of applicable regulations helps to keep organizations in compliance with the associated reporting timelines.

Analysts review the phases and document any issues that need to be updated to improve incident response in the future. This is when an analyst would document and recommend improvements such as changing the frequency of backups or review the manual tasks added to the case that should be added to the playbook for future incidents.

Reporting helps with understanding where the incident response process can be improved. Security teams can use the QRadar SOAR platform to “Generate Incident Report”. From here, analysts can generate a report on a single incident or on multiple incidents. They can use a standard template to format the report or customize it to meet specific needs.


Learn how to generate an incident report
Case studies Avoiding new cyberthreats with new approaches to security

“With IBM, we now have an accurate 24-hour view of the world in real time. We can see every endpoint, every system. And that’s made our cross-team collaboration much more efficient," says Robert Oh, Chief Operating Officer, DDI.

Keeping cyberthreats at bay 24x7 with automation and analytics

“For an SOC to be effective, the ability to prioritize our response to the most pressing security risks is nearly as important as detection. The QRadar solution... has made our team far more effective at addressing the threat landscape," says Umair Shakil, Head of Security Operations Center Unit, Askari Bank.

Powering an SOC that delivers trusted security services

“Our Netox Trust cybersecurity services provide visibility into [customers'] unknowns, and our playbooks help them respond when an attack happens," says Marita Harju, Senior Manager, Cyber Security, Netox Oy.

Take the next step

Schedule an in-depth demo with one of our experts or estimate your solution cost with our price calculator.

Request a demo of QRadar SOAR Estimate your QRadar SOAR cost