Creating templates manually

In most cases, the templates that are generated by the Case Mapping Template are sufficient. However, you might want to use a more advanced template. You can use the Case Mapping Template to modify an existing template and get it close to what you want, and then download and modify it.

Before you begin

You must know how to write filter expressions that use the Jinja2 template language. To learn more, see Filter expressions.

About this task

The template is rendered as a JSON document. The document is either posted to the SOAR platform to create a new case, or it is converted to a URL with key-value parameters in the SOAR web URL format. For more information, see the Web URL Integration Guide.

Procedure

  1. On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  2. Click the Escalation tab.
  3. Optional: Use the Case Mapping Template to modify an existing template.
    1. Select a template from the list and click Modify.

      For more information about using the Case Mapping Template, see Creating templates by using the Case Mapping tool.

  4. To download an existing template and manually edit it, follow these steps:
    1. On the QRadar Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
    2. On the Escalation tab, in the Template Files section, select the template that you want to start with and click Download.
    3. Using a text editor application, open the JSON file that you downloaded and edit it.
  5. To create a new template from scratch, follow these steps:
    1. Using a text editor, create a new plain text file.
    2. Create the case-mapping template specification by using Jinja2 template language.

      Ensure that variable names and string assignments are enclosed in double quotation marks.

      In the following example, the template is modified to support mapping the Incident Type field to different values based on the offense description.

      {
      "name": "QRadar {{offense.offense_type_name}} - {{offense.offense_source}}, ID: {{offense.id}}",
      {# Set incident type from description #}
      {% if "malware" in offense.description %}
      "incident_type_ids": "Malware",
      {% else %}
      "incident_type_ids": "Other",
      {% endif %}
      "confirmed": 0,
      "description" : "{{offense.event_count}} events in {{offense.category_count}} categories: {{offense.description}}",
          "discovered_date": {{offense.start_time}},
          "start_date": {{offense.start_time}},
          "severity_code" : {{offense.severity | severity}},
      {# The opening of the artifacts list was lost in the source; the "artifacts" key and the loop over offense.events are reconstructed here #}
          "artifacts": [
          {% for e in offense.events %}
          { "type": "IP Address",
            "value": "{{e.sourceip|js}}",
            "description": "Source {{e.sourceip|js}}" } {% if not loop.last %},{% endif %}
          {% endfor %} ]
      }
      FROZEN="incident_type_ids","name","start_date","confirmed","discovered_date"
    3. Save the file with a .json extension.
  6. To upload the revised template back into the QRadar SOAR Plug-in app, follow these steps:
    1. On the Escalation tab, in the Template Files section, click Upload a template.
    2. Browse to the file and click Upload.
    3. To test the template, select it in the list, click Modify and then click Test Template.
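A hand-written template is easiest to check before it is uploaded. The following Python script is an added example, not part of the IBM documentation or the plug-in: it renders a constructed template modelled on the one above with Jinja2, replaces the plug-in's own `js` and `severity` filters with assumed stand-ins, and confirms that the result parses as JSON (an unescaped quote or newline in an offense description is the usual way a template breaks).

```python
import json
from jinja2 import Environment, StrictUndefined

def js_filter(value):  # stand-in for the plug-in's js filter: escape text for a JSON string
    return json.dumps(str(value))[1:-1]

def severity_filter(value):  # stand-in for the plug-in's severity filter (assumed mapping)
    value = int(value)
    return 6 if value >= 7 else 5 if value >= 4 else 4

def render_case(template_text, offense):
    """Render a case-mapping template and parse the result as JSON (raises if it is not JSON)."""
    env = Environment(undefined=StrictUndefined)  # a misspelled field raises instead of rendering ""
    env.filters["js"] = js_filter
    env.filters["severity"] = severity_filter
    return json.loads(env.from_string(template_text).render(offense=offense))

def renders_valid_json(template_text, offense):  # True when the template yields parseable JSON
    try:
        render_case(template_text, offense)
        return True
    except Exception:
        return False

# Constructed template modelled on the page's example; not a template shipped with the plug-in.
TEMPLATE = """{
"name": "QRadar {{offense.offense_type_name}} - {{offense.offense_source|js}}, ID: {{offense.id}}",
{% if "malware" in offense.description %}
"incident_type_ids": "Malware",
{% else %}
"incident_type_ids": "Other",
{% endif %}
"description": "{{offense.description|js}}",
"severity_code": {{offense.severity | severity}},
"artifacts": [
{% for e in offense.events %}
{ "type": "IP Address", "value": "{{e.sourceip|js}}" }{% if not loop.last %},{% endif %}
{% endfor %} ]
}"""

SAMPLE_OFFENSE = {  # constructed sample; the quote and newline in the description are deliberate
    "id": 42, "offense_type_name": "Source IP", "offense_source": "10.0.0.5",
    "description": 'Possible malware beacon "C2" seen\n', "severity": 8,
    "events": [{"sourceip": "10.0.0.5"}, {"sourceip": "10.0.0.6"}],
}

if __name__ == "__main__":
    print(json.dumps(render_case(TEMPLATE, SAMPLE_OFFENSE), indent=2))
```

Removing `|js` from the description line in `TEMPLATE` makes `renders_valid_json` return False for this sample, which is the failure the plug-in's Test Template button would surface after upload.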