QRadar SOAR Features
Accelerate incident response and optimize your security operations center (SOC) with the QRadar SOAR platform
The QRadar SOAR Difference
IBM Security® QRadar® SOAR (security orchestration, automation and response) is built to accelerate and enhance your security operation teams’ incident response processes. Powered by the Unified Analyst Experience (UAX), QRadar SOAR uses automation and intelligence to empower analysts to take quick, decisive action against potential security incidents. With an award-winning Playbook Designer, 300+ integrations, and a powerful Breach Response Module, QRadar SOAR is built to help you scale and optimize your security team.

Unified Analyst Experience (UAX)

The Unified Analyst Experience (UAX) is a powerful technology designed to dramatically increase analyst speed and efficiency across the entire attack timeline. UAX reduces alerts, automates investigation, and unifies workflows. With the combined power of QRadar SOAR and UAX, security analysts can get immediate incident context through automated investigations, check root cause analysis and identify response recommendations. The software correlates, enriches and prioritizes the incident before analysts even begin an investigation.

  • UAX empowers analysts to better prioritize efforts and automatically triage alerts by using case severity. Case severity is calculated by using threat intelligence, system enrichment rules and machine learning enrichment. With consistent severity explainability and simple visualization, analysts can easily view and filter all associated findings and artifacts that contributed to the case severity score, and then prioritize where to spend their time. This empowers teams with confidence to use UAX’s automated alert triage capabilities.

  • Before a case is created in QRadar SOAR, the correlation and enrichment capabilities of UAX will analyze alert data across your configured data sources. This occurs before consolidating related alerts into a single case or creating a net-new case. These correlated alerts from your connected data sources are included in the case for your analyst to review, along with the option to investigate further through the federated search capability. In a single view, a security analyst can review all data sources that contributed to the case, as well as the associated indicators of compromise (IoCs) and artifacts, pre-enriched with an automated severity score.

Case management

QRadar SOAR’s sophisticated case management capabilities provide analysts with an accessible view of additional incident context to accelerate and improve their investigation process. Additionally, dashboard visualizations and case reporting help summarize and share key metrics and findings across teams, providing visibility across your organization.

  • QRadar SOAR provides analysts the ability to dive deeper in their investigation of a case through artifact visualization. The “Evidence” tab within each case provides relevant findings and artifacts attached to each incident, giving a centralized view of additional context. Analysts can also document additional findings and thoughts in the attachments and notes sections.
  • The QRadar SOAR analytics dashboard displays various charts and graphs for viewing statistical information, depending on your access and permission level. Users can customize the dashboard view based on a selection of predefined widgets, such as pivot tables and charts, to better understand MTTD, MTTR, open/closed cases by owner, by type, by duration, by severity, and more.
  • The ability to generate reports from directly within QRadar SOAR, on either a singular incident or multiple incidents, makes it easy to share information across teams and with leadership to improve visibility and clarity across the incident response process.

Playbooks and automation

Winner of the Red Dot Design Award, QRadar SOAR’s Playbook Designer is a powerful tool built to help your security teams accelerate incident response. With dynamic, low-code functionality, fully automated playbooks can be designed in minutes and without any coding.

  • Playbook Designer is an intuitive, graphical user interface, purpose-built for automation engineers to create and customize both manual and automatic responses. Playbook Designer provides a library of pre-built tasks, scripts, functions, sub-playbooks and condition points available for immediate use. The user experience offers click-and-drag functionality for adding nodes to the canvas, and the ability to connect those nodes in countless ways to execute your process with your desired logic.

  • Data Navigator, released in v49.0 of QRadar SOAR, is a low-code function configuration framework available in Playbook Designer. Data Navigator allows function inputs to be configured in seconds and with just a few clicks, without the need to write any code. In previous versions of QRadar SOAR, the method of defining inputs for functions and sub-playbooks required Python and scripting knowledge. With Data Navigator, Playbook Designer now provides dynamic and sub-playbook inputs in an intuitive Playbook Schema menu. For users who still prefer Python for scripting configurations, we still expose Data Navigator in both the fields tab and scripting tab experiences.

  • Playbook Go-Back, released in v51.0.1.0 of QRadar SOAR, is an enhancement to our looping functionality that enables playbook designers and automation engineers to design flexible, logical flows in which the process can jump to any other node based on defined conditions. The flow can then re-execute functions and tasks, while intuitively showing exactly what has been done and tracking related information in the audit trail.

  • Playbook Progress Visualization, released in v49.0 of QRadar SOAR, introduces a new way to view the progress of a playbook. Security analysts can more easily monitor a running playbook instance and see the status of each node as the playbook progresses, laid out as the SOC engineer designed it. This enables the analyst to make quicker and more reliable decisions about where intervention may be needed to move the case forward or debug an automation.

  • Playbook Instances, released in v51.0 of QRadar SOAR, provides a new tab to the Playbooks dashboard where playbook developers can see a holistic view of all running playbooks within their QRadar SOAR instance. Filtering by playbook status, activation type or object type, as well as more granular time and date filters, allows playbook developers to quickly and reliably determine where they need to intervene to resolve problems at either the case level or with the source playbook.

  • With native JSON support, released in v51.0.0.1, QRadar SOAR now supports native JSON data in cases. JSON no longer needs to be stored as a cumbersome and nearly unusable string. JSON input data can now be used to populate data tables, incident fields, playbook inputs and more. SOAR also makes it easier to consume JSON information by automatically formatting the data with clear indentation, color coding and collapsibility.

Integrations and SOAR apps

QRadar SOAR provides 300+ integrations to help streamline your incident response orchestration and automation processes.

  • The IBM App Exchange is a one-stop shop to browse, share and download integrations developed by IBM, third-party vendors and the broader security community. These integrations are designed to enhance and extend the capabilities of IBM Security solutions. To search across the 300+ QRadar SOAR integrations available, simply filter on the “QRadar SOAR” tab.

  • An emphasis on response content, available for immediate use, has continued to be a big focus for QRadar SOAR. Pre-built playbook content helps to expedite automation development and reduce design time. To support this, QRadar SOAR apps from the IBM App Exchange (both existing and net-new integrations) are being enhanced with sample playbooks within the SOAR integration itself. Today, you can filter on “Content Type” in the IBM App Exchange, and select “Playbooks” to see 60+ SOAR integrations that are outfitted with playbooks. Once the SOAR integration is configured in your system, the associated playbooks will be automatically added to the playbook library.

  • App Host (formerly known as Edge Gateway) is a Kubernetes-based container deployment environment that hosts app containers. After a SOAR integration is downloaded from the IBM App Exchange, the user will import it into their QRadar SOAR environment, configure the integration and deploy it on an App Host to enable the app for use.


Breach response

QRadar SOAR Breach Response is built to simplify compliance with data breach notification laws after a security incident occurs. It empowers your SOC analysts to take the right steps and collaborate with the right team members to respond to security breaches involving sensitive information, personal data, personally identifiable information (PII) and other types of data. With its integration of SOAR and data breach reporting, Breach Response provides organizations with support for over 200 privacy regulations worldwide, allowing information security teams to integrate privacy reporting tasks into their overall incident response playbooks.

  • At the heart of QRadar SOAR Breach Response is the global knowledge base. Updated regularly, this database includes data breach notification requirements across the world, such as GDPR and CCPA, as well as industry-specific regulations that have privacy breach reporting requirements, such as HIPAA. An internal team of data privacy professionals manages the global knowledge base and keeps it updated by communicating with regulators, government agencies, privacy professionals from the IBM customer base, and the wider privacy community.

  • SOAR Breach Response can accelerate response to data breaches by integrating privacy-specific tasks directly into the overall incident playbook. These privacy tasks detail the recommended steps that members of the security operations center (SOC) or privacy team should take to address the relevant reporting requirements.

  • The ability to generate reports from directly within QRadar SOAR, on either a singular incident or multiple incidents, makes it easy to share breach incident details across teams and with leadership to improve visibility and clarity across the incident response process.

IBM Security QRadar SOAR on Cloud

IBM Security QRadar SOAR on Cloud supports your cloud-centric strategy, allowing you to scale and deploy quickly without compromising security, privacy or risk levels. It meets the following industry and global compliance standards:

  • ISO 27001, 27017, 27018
  • Operating in IBM Cloud SOC2 Type 2 (SSAE 16)
Case studies

Doosan Digital Innovation (DDI)

DDI uses IBM Security QRadar SOAR to accelerate threat reactions and cut nearly 85% from response times.

Askari Bank

Askari Bank builds specific playbooks based on their business use cases to receive automated responses, empowering their analysts to focus their energy where it matters most.

Silverfern IT

Silverfern IT uses QRadar SOAR to manage the entire security incident lifecycle when a cyberthreat is detected and automate processes as the business aligns its response efforts with predefined use cases.

Related products

Explore other IBM products to enhance your company's security.

IBM Security® QRadar® SIEM (Cloud-Native SaaS)

QRadar SIEM (Cloud-Native SaaS) uses multiple layers of AI and automation to drastically improve the quality of alerts and the efficiency of security analysts.

IBM Security® QRadar® Suite

QRadar Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.

IBM Cloud Pak® for Security

Integrate security tools to gain insights into threats across hybrid, multicloud environments.

IBM Security® X-Force® Incident Response Services

Proactively manage your security threats with the expertise, skills and people of IBM Security Services.

IBM X-Force® Exchange

Speed your security investigations with actionable threat intelligence that integrates with your security tools.

IBM® Guardium® Data Protection

Safeguard sensitive data using automated discovery, classification, monitoring and cognitive analytics.
