Managing and tracking security incidents


With a subscription to , you can automatically create incidents in  from offenses generated in IBM QRadar SIEM. You can then manage these security incidents by filtering them and auto-assigning them to the security team from the Ticket Console in . You can also manually create security incidents through the Ticket Console and then manage and track them in the same way.

Scenario for automatic incident creation

Scenario

Calbro Services uses  and  () for creating and managing tickets. They also use QRadar SIEM to monitor security threats across their enterprise data in on-premises and cloud-based environments. The tenant administrator sets up  to integrate  with QRadar SIEM and also sets the trigger conditions under which incidents are created in . Additionally, the  administrator configures the settings for managing security incidents.

QRadar SIEM generates an offense whenever it detects a threat in the environments, servers, or networks it is monitoring, such as a malware injection. Whenever such an offense is generated,  automatically creates an incident in . Calbro Services can then manage and track these incidents as security incidents in .


[Figure: security incidents flow (Securityincidents_flow_final.png)]

Before you begin

If you want to manage security incidents that are automatically created from , make sure that your  administrator has installed  and integrated it with . For more information, see Incident creation from IBM QRadar offenses.

If you want to manage the security incidents that are manually created in the Ticket Console, make sure that your  administrator has performed the required configuration settings. For more information, see Configuring-settings-for-managing-security-incidents.

To manually create security incidents

You can manually create security incidents in . To do so, while creating an incident from the Ticket Console, select the Security Incident option from the Incident Type drop-down menu on the Incident Create window. For more information about creating security incidents, see Creating-an-incident-request.

To filter security incidents

You can filter the security incidents by using the My Security Incidents predefined filter. Additionally, the Security Tickets option on the console displays the number of security tickets in the Ticket Console; clicking Security Tickets applies the Security Incident filter. Whether you select the My Security Incidents predefined filter or click the Security Tickets option on the console, the Security Incident option is automatically selected under Filter > Incident Type. For more information, see Navigating-the-ticket-console.

To display the Security Tickets option on the console, the  administrator must configure the required settings. For more information, see Configuring-settings-for-managing-security-incidents.

Automatic assignment of security incidents

If the  administrator has performed the configuration settings and you have not selected an assignee while creating a security incident, the ticket is automatically assigned to the security team. For more information about ticket assignments, see Assigning tickets.


Instructions for classic interfaces (Mid Tier)

To manually create security incidents

From the  console, click Create and select the Security Incident option from the Incident Type menu.
For more information about creating security incidents, see Creating an incident request record by using a template and Creating an incident request record without a template.

To filter security incidents

Select Security Incident from the Incident Type menu.
This option is available on the Incident Basics and Assignment tab when you click More Filters on the  console to display the More Filter Criteria pop-up window. For more information, see Navigating-the-ticket-console.

Automatic assignment of security incidents

If the  administrator has performed the configuration settings and you have not selected an assignee while creating a security incident, the ticket is automatically assigned to the security team.

