Case field mapping

IBM® QRadar SOAR Plug-in uses a template to map the fields in an IBM QRadar offense to SOAR case fields.

The list of case fields that you can map is sourced directly from SOAR. The list is automatically updated every time that you access the Case Mapping Template page. Any changes to the case fields in SOAR, including custom fields, are automatically shown on the Case Mapping Template page.

The QRadar offense fields that you can map include all of the normalized offense fields, plus fields that store ID fields converted to text values. The syntax to map the offense field to a case field is {{offense.<fieldname>}}.

Tip: To view a complete list of offense fields that you can use, on the Escalation tab, click Build a New Template, and then click Show fields in the message box.

Before you define the mappings, you can use the QRadar interactive API to test the output of the offense fields. For more information about using the Interactive API for Developers, see the REST API documentation on IBM Docs.

On the template form, a red asterisk indicates a required field, for which you must specify a mapping. When you map a field, a refresh icon appears next to it to indicate that the field is updated anytime that the offense is updated. If you do not want the field to refresh, click the refresh icon to lock it. When a field is locked, it is updated only once when the case is created. The locked field is not updated when it changes in QRadar, but you can modify the locked field from within SOAR.
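The following added example (not IBM code, and not the plug-in's own renderer) models the {{offense.<fieldname>}} substitution and the refresh and lock behavior described above, so that a mapping can be checked for placeholders that would render empty. The case field names, the `locked` flag, and the offense records are constructed for illustration.

```python
import re

# Matches the page's placeholder syntax {{offense.<fieldname>}}.
PLACEHOLDER = re.compile(r"\{\{\s*offense\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

def render(template, offense):
    """Substitute placeholders; return (text, fields missing from the offense)."""
    missing = []
    def sub(match):
        name = match.group(1)
        if name not in offense:
            missing.append(name)
            return ""
        return str(offense[name])
    return PLACEHOLDER.sub(sub, template), missing

def create_case(mappings, offense):
    """Every mapped case field is populated once when the case is created."""
    case, unresolved = {}, {}
    for field, m in mappings.items():
        case[field], miss = render(m["template"], offense)
        if miss:
            unresolved[field] = miss
    return case, unresolved

def refresh_case(case, mappings, offense):
    """On an offense update, only unlocked fields are rendered again."""
    updated = dict(case)
    for field, m in mappings.items():
        if not m["locked"]:
            updated[field], _ = render(m["template"], offense)
    return updated

# Constructed sample data (assumption): illustrative case fields and offense values.
MAPPINGS = {
    "name": {"template": "QRadar offense {{offense.id}}: {{offense.description}}", "locked": True},
    "severity": {"template": "{{offense.severity}}", "locked": False},
    "owner": {"template": "{{offense.assigned_too}}", "locked": False},  # deliberate typo
}
OFFENSE_V1 = {"id": 1042, "description": "Multiple login failures", "severity": 4, "assigned_to": "analyst1"}
OFFENSE_V2 = {**OFFENSE_V1, "description": "Login failures followed by success", "severity": 8}

if __name__ == "__main__":
    case, unresolved = create_case(MAPPINGS, OFFENSE_V1)
    print(case, unresolved)
    print(refresh_case(case, MAPPINGS, OFFENSE_V2))
```

The locked `name` field keeps the description from case creation while `severity` follows the offense, and the misspelled placeholder is reported instead of silently producing an empty owner.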