Automatic escalations

QRadar® administrators can configure a rule to automatically escalate offenses to SOAR. The escalation rules can be based on severity, offense type, or other criteria.

When a new offense is created in QRadar, a message is added to a QRadar SOAR inbound queue that indicates that a potential case candidate was identified.

When escalation rules are configured in the QRadar SOAR Plug-in, automated tasks run in the background to monitor the queue and escalate each incoming offense that matches the escalation conditions.

The following wildcards are supported in the match expression:

    Pattern   Meaning
    *         Matches everything.
    ?         Matches a single character.
    [seq]     Matches any character in seq.
    [!seq]    Matches any character not in seq.

If an offense matches more than one escalation rule, the first matched rule is used.
Figure 1. Example of automatic escalation conditions (image): the table in the product interface for defining automatic escalation conditions, where each row defines a rule that includes the offense field, the expression to match, and the mapping template to use.

When an offense meets the escalation criteria, the app searches SOAR for an open case that was previously escalated with the same offense ID. If none is found, it creates a new case. In this way, new offenses are automatically and continuously mapped to new SOAR cases.

Important: Automatic escalations occur only for QRadar offenses that are created after the QRadar SOAR Plug-in app is installed.

If Multiple Organization Support is enabled, automatic escalation rules apply to all mapped QRadar domains. The domain information of an offense is used to look for the mapped organization in SOAR. If a mapped organization is not found, the offense is not escalated even if an automatic escalation condition is met.

The field mapping between the offense and the case is defined by a mapping template. The template automatically determines the case type, the assigned groups, and any other case fields. Each case escalation rule can use a different template. For more information about using templates to map fields, see Template mapping.
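As an added illustration (not the plug-in's own code), the following Python models the escalation logic described above: first-match rule selection with the four documented wildcards, which are the same four that Python's fnmatch implements, the open-case lookup by offense ID, and the Multiple Organization Support check. The offense field names, template names, domain-to-organization mapping, case records and case-sensitive matching are all assumptions of the example.

```python
from fnmatch import fnmatchcase

# Constructed escalation rules, in the order an administrator defined them.
# Each rule names the offense field to inspect, the wildcard expression to
# match (* ? [seq] [!seq]) and the mapping template to apply.
# Field and template names are assumed for this example.
ESCALATION_RULES = [
    {"field": "offense_type", "match": "Malware*", "template": "malware"},
    {"field": "severity", "match": "[89]", "template": "high_severity"},
    {"field": "severity", "match": "10", "template": "high_severity"},
]

# Constructed domain -> SOAR organization mapping (Multiple Organization Support).
ORG_BY_DOMAIN = {"corp": "Corp Org", "dmz": "DMZ Org"}

# Constructed open cases that were escalated earlier, keyed by offense ID.
OPEN_CASES = [{"case_id": 2001, "offense_id": 41, "status": "open"}]


def first_matching_rule(offense, rules=ESCALATION_RULES):
    """Return the first rule whose expression matches the offense field.
    When several rules match, the first one wins, as the text states.
    Case-sensitive matching is an assumption of this example."""
    for rule in rules:
        if fnmatchcase(str(offense.get(rule["field"], "")), rule["match"]):
            return rule
    return None


def decide_escalation(offense, rules=ESCALATION_RULES, open_cases=OPEN_CASES,
                      org_by_domain=ORG_BY_DOMAIN):
    """Model the background task's decision for one queued offense.
    Returns (action, detail): ('ignore', reason), ('existing', case_id)
    or ('create', template). Pass org_by_domain=None to model a deployment
    without Multiple Organization Support."""
    rule = first_matching_rule(offense, rules)
    if rule is None:
        return ("ignore", "no escalation condition matched")
    # With multi-org enabled, an offense whose domain has no mapped SOAR
    # organization is not escalated even though a condition matched.
    if org_by_domain is not None and offense.get("domain") not in org_by_domain:
        return ("ignore", "no SOAR organization mapped for domain")
    # An open case previously escalated with the same offense ID is reused;
    # only when none exists is a new case created from the rule's template.
    for case in open_cases:
        if case["status"] == "open" and case["offense_id"] == offense["id"]:
            return ("existing", case["case_id"])
    return ("create", rule["template"])
```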