List of cases

The Cases page displays the cases that you have permission to view. It provides an overview of those cases, and you decide which information is shown by selecting the columns to display.

Go to the list of cases page by selecting Menu > My applications > Case Management, as shown in the following graphic.

[Graphic: screenshot of the user interface showing the Menu > My applications > Case Management navigation described above.]

To control the information that is displayed in the case list, click Customize columns on the right, and then check the columns that you want to view, and clear columns that you want to hide. You can also drag the columns to reorganize the information.

You can change the layout from a table view to a kanban card view by clicking the Switch view icon. Click the settings icon to change the columns shown on each card. You can also expand or collapse any lane and scroll down or across to see more cases. Expand or collapse the Extra information section on a case to view more details. From the actions menu, you can take actions on a case. The Filters menu lets you filter which cases are shown.
Note: Changes that you make to columns or filters apply to both the table and kanban card view.

Automated severity

To help you prioritize the most critical cases, the QRadar platform automatically assigns a severity to cases, known as Automated severity. The Automated severity is calculated based on correlation done by the QRadar platform correlation engine.
Note: Cases created by external apps do not have an automated severity assigned because they do not go through the QRadar platform correlation engine.
The automated severity assigned to cases is one of Critical, High, Medium, Low, Benign. The following cases list shows examples of cases with automated severity assigned.
[Graphic: example of a cases list with automated severities assigned.]

Automated case severity is based on a sum of the severities of its enriched artifacts and findings. When determining a case severity, each unique artifact and finding is counted only once.

As artifacts or findings are enriched with context, their severity is calculated based on the information provided by enrichment and threat intelligence services. The results of enrichment and threat intelligence services are weighted, based on performance over time. This weighting helps to prioritize if there are different severities from different sources for the same artifact.

The automated severity of a case is the total of the severities of each of its unique artifacts, where the artifacts are those that are associated with each of the findings in the case. A high number of findings can increase the severity of a case, even if the findings individually have low severities, because they could have different artifacts whose severity scores, when combined, reach the threshold for a higher severity. The automated severity is based on a numeric score calculated from a range of -10 to 10 where:
  • 10 is Critical.
  • 7 to 9 is High.
  • 4 to 6 is Medium.
  • 1 to 3 is Low.
  • Any value from 0 to -10 is Benign.

The correlation process is completed at the same time as enrichment. Findings are correlated during the correlation process, and their cumulative severity is determined.

Together, these combined factors are used to determine the automated severity of a case. The automated case severity can change if new alerts or findings are automatically correlated to the case, or if you run a new investigation.

Finding severity

The QRadar platform enriches artifacts and findings with context and other information, which helps to determine the severity of both the artifacts and the findings. Artifacts are used to determine the severity of findings. Multiple artifacts can be associated with one finding, so the severity of the individual artifacts has a cumulative effect on the overall severity of the finding. Also, enrichment rules have their own severity that impacts the severity of the finding it triggers.

The severity of a finding is the total of the severities of each of the unique artifacts associated with the finding.
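The following Python script is an added illustration, not IBM's code, of the two rules stated in the Automated severity and Finding severity sections: a finding's score is the sum of the scores of its unique artifacts, a case's score is the sum over the unique artifacts across all of its findings (each artifact counted once even when several findings share it), and the numeric score maps to the Critical/High/Medium/Low/Benign bands. Everything else is an assumption made for the example: the weighted mean used to combine verdicts from several enrichment or threat intelligence sources, the clamp of the total to the -10 to 10 range, and all artifact values, source names and weights, which are constructed.

```python
"""Illustrative model of QRadar's case and finding severity rules (added example).

Confirmed by the page: severity bands, sum of unique artifact severities,
each unique artifact counted once per case.
ASSUMPTIONS: weighted-mean combination of per-source verdicts, clamp to [-10, 10],
and all sample data below (constructed, not real enrichment output).
"""
from typing import Dict, List, Tuple

Observation = Tuple[str, int]   # (enrichment/threat-intel source, severity from that source)
Finding = Dict[str, object]     # {"id": str, "artifacts": {artifact_id: [Observation, ...]}}


def clamp(score: int) -> int:
    """ASSUMPTION: totals outside the page's -10..10 range are clamped into it."""
    return max(-10, min(10, score))


def severity_band(score: int) -> str:
    """Map a numeric score to the band names listed on the page (ranges inclusive)."""
    if score >= 10:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    if score >= 1:
        return "Low"
    return "Benign"           # 0 down to -10


def artifact_score(observations: List[Observation], source_weights: Dict[str, float]) -> int:
    """Fold several sources' verdicts on one artifact into a single score.

    ASSUMPTION: weighted arithmetic mean, where the weight reflects the source's
    performance over time; the page says only that results are weighted.
    """
    total_weight = sum(source_weights.get(src, 1.0) for src, _ in observations)
    weighted_sum = sum(source_weights.get(src, 1.0) * sev for src, sev in observations)
    return clamp(round(weighted_sum / total_weight))


def unique_artifact_scores(findings: List[Finding], source_weights: Dict[str, float]) -> Dict[str, int]:
    """Score every artifact across the given findings, counting each unique artifact once."""
    scores: Dict[str, int] = {}
    for finding in findings:
        for artifact_id, observations in finding["artifacts"].items():
            if artifact_id not in scores:          # same artifact in two findings: counted once
                scores[artifact_id] = artifact_score(observations, source_weights)
    return scores


def finding_score(finding: Finding, source_weights: Dict[str, float]) -> int:
    """Finding severity: total of its unique artifacts' severities."""
    return clamp(sum(unique_artifact_scores([finding], source_weights).values()))


def case_score(findings: List[Finding], source_weights: Dict[str, float]) -> int:
    """Case severity: total over the unique artifacts of all findings in the case."""
    return clamp(sum(unique_artifact_scores(findings, source_weights).values()))


def sum_of_finding_scores(findings: List[Finding], source_weights: Dict[str, float]) -> int:
    """What you would get by adding finding scores instead of deduplicating artifacts.
    Shown only to make the 'counted once' rule visible; this is NOT how the page says it works."""
    return clamp(sum(finding_score(f, source_weights) for f in findings))


# Constructed sample: three findings in one case; the IP artifact appears in two of them.
SAMPLE_WEIGHTS: Dict[str, float] = {"ti-feed-a": 1.0, "ti-feed-b": 3.0, "sandbox": 2.0}
SAMPLE_FINDINGS: List[Finding] = [
    {"id": "F-1", "artifacts": {
        "198.51.100.7": [("ti-feed-a", 2), ("ti-feed-b", 5)],   # weighted mean 4.25 -> 4
        "bad-host.example": [("ti-feed-a", 2)]}},
    {"id": "F-2", "artifacts": {
        "198.51.100.7": [("ti-feed-a", 2), ("ti-feed-b", 5)],   # shared artifact, counted once
        "cdn.example": [("ti-feed-a", -1)]}},
    {"id": "F-3", "artifacts": {
        "hash-constructed-0001": [("sandbox", 4)]}},
]


def demo() -> Dict[str, object]:
    """Run the rules over the sample and return everything worth checking."""
    return {
        "findings": {f["id"]: finding_score(f, SAMPLE_WEIGHTS) for f in SAMPLE_FINDINGS},
        "case": case_score(SAMPLE_FINDINGS, SAMPLE_WEIGHTS),
        "naive": sum_of_finding_scores(SAMPLE_FINDINGS, SAMPLE_WEIGHTS),
    }


if __name__ == "__main__":
    result = demo()
    for fid, score in result["findings"].items():
        print(f"{fid}: {score} ({severity_band(score)})")
    print(f"case: {result['case']} ({severity_band(result['case'])})")
    print(f"without artifact dedup: {result['naive']} ({severity_band(result['naive'])})")
```

With the constructed data the three findings score 6 (Medium), 3 (Low) and 4 (Medium); the case scores 9 (High) because the shared IP artifact is counted once. Adding the finding scores instead would give 13, clamped to 10 (Critical), which is exactly the over-counting the "each unique artifact is counted only once" rule prevents. The sample also shows the other point the page makes: several low-to-medium findings with different artifacts push the case above any single finding's band.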