Configuring QRadar Use Case Manager

The Use Case Explorer uses QID records and DSM event-mapping information to help determine rule coverage by log source type. The Use Case Explorer loads automatically, but you can refresh the settings at any time. If required, configure a proxy connection, app performance related to offenses, and tuning findings.

Procedure

  1. On the Admin tab, click QRadar Use Case Manager > Configuration.
  2. To sync with the data in QRadar®, click Sync QID Records. This process might take approximately 30 minutes to complete. You can still use the app while the records are syncing, but the data you work with might not be accurate.
  3. To manually refresh event mappings, click Sync DSM event mappings.
    The app syncs automatically when you install it for the first time. If you upgrade to QRadar Use Case Manager 2.0.0 or later, you don't need to sync.
  4. To back up your MITRE mappings (custom and IBM default), click Export MITRE mappings. You can then import this backup file later on the Use Case Explorer page.
    Only the custom mappings are imported from the file.
  5. If you're upgrading to QRadar Use Case Manager 3.1.0 or later, you might see a section that is called Report on migration from MITRE v6.3 to vx.x. This report appears if the previous version of the app contained MITRE mappings that are now deprecated with the support for MITRE v8.1 or later. All custom mappings that were created in previous versions of the app are automatically migrated to the new version. Mappings to techniques that are now deprecated, or that don't exist under a particular tactic, are deleted and listed in the migration report. Consider creating new mappings for the affected rules.
    When you've noted the mappings that are affected, click Clear migration report to permanently remove the report notification. Nonadministrative users can see the migration report notification on the Use Case Explorer page.
  6. To configure a proxy server, expand the Proxy configuration section and enter the following information for your proxy server:
    • Protocol
    • Address or hostname
    • Port
    • Username
    • Password
  7. To configure offense contributions, expand the Performance configuration section, modify the following options, and then click Submit.
    Offense contribution
    The default is enabled. When this option is disabled, the following features are disabled:
    • Inactive reports in Use Case Explorer are disabled, including the access point to the 'Tune inactive rules' card on the Tuning home page.
    • Rule offense contribution trend on the Active Rules page is not visible.
    • Event count column on the Active Rules page report table is removed.
    Offense contribution in days
    The default is 90 days. This setting takes effect only when the Offense contribution option is enabled. The rule offense contribution trend and event count trend charts on the Active Rules page remain visible, but they show only the data for the configured number of past days. Data that is already stored in the database is not cleared when you change the number of days; only new data is affected by an update to this setting.
  8. If generating the tuning findings causes unexpected performance problems, such as QRadar Use Case Manager taking a long time to load or the app not responding, complete the following steps:
    1. Disable individual tuning findings in the Tuning findings configuration section.
    2. Set the reference set size threshold: a finding is triggered when the number of elements in a reference set exceeds this value. The default is 5000.
    3. Click Submit, and then refresh the Tuning Finding report or restart the app to apply the changes.
  9. Click Submit and then close the Settings page.
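The migration behaviour described in step 5 (custom mappings kept when the technique still exists under the tactic, otherwise deleted and listed in the migration report), shown as an added Python illustration. This is not QRadar Use Case Manager code; the mapping structure, the rule names and the technique-per-tactic matrix are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

Mapping = Tuple[str, str]  # (tactic, technique ID)

# Constructed: techniques the newer MITRE version lists under each tactic.
# This is a small hand-built matrix for the example, not an ATT&CK lookup.
NEW_MATRIX: Dict[str, Set[str]] = {
    "Initial Access": {"T1078", "T1190"},
    "Persistence": {"T1078", "T1136"},
}

# Constructed custom mappings: rule name -> list of (tactic, technique) pairs.
CUSTOM_MAPPINGS: Dict[str, List[Mapping]] = {
    "Login Failures Followed By Success": [("Initial Access", "T1078"),
                                           ("Persistence", "T1078")],
    # T1100 is not listed under Persistence in the constructed matrix
    "Web Shell Upload": [("Initial Access", "T1190"), ("Persistence", "T1100")],
    # the tactic itself is absent from the constructed matrix
    "Suspicious Service Install": [("Execution", "T1035")],
}


def migrate_mappings(mappings: Dict[str, List[Mapping]],
                     matrix: Dict[str, Set[str]]):
    """Return (migrated, report).

    migrated: rule -> mappings whose technique still exists under its tactic.
    report:   (rule, tactic, technique) triples that were deleted, i.e. the
              entries an administrator would see in the migration report.
    """
    migrated: Dict[str, List[Mapping]] = {}
    report: List[Tuple[str, str, str]] = []
    for rule, pairs in mappings.items():
        kept = [(t, tech) for t, tech in pairs if tech in matrix.get(t, set())]
        if kept:
            migrated[rule] = kept
        report.extend((rule, t, tech) for t, tech in pairs if (t, tech) not in kept)
    return migrated, report


def rules_to_remap(report) -> List[str]:
    """Rules that lost at least one mapping and should get new ones."""
    return sorted({rule for rule, _, _ in report})


if __name__ == "__main__":
    migrated, report = migrate_mappings(CUSTOM_MAPPINGS, NEW_MATRIX)
    for rule, tactic, tech in report:
        print(f"deleted: {rule} -> {tactic}/{tech}")
    print("remap:", rules_to_remap(report))
```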

What to do next

Assigning user permissions for QRadar Use Case Manager