Configure the ServiceNow Security Operations add-on for IBM QRadar

Configure the ServiceNow Security Operations add-on for IBM QRadar to set basic operations and to map ServiceNow incident and event fields to QRadar values. You can also configure proxy server support if needed.

Before you begin

Role required: sn_si.admin

Procedure

  1. Log in to your QRadar instance.
  2. Click the Admin tab.
  3. Navigate to Plug-ins > ServiceNow Integration > Configure ServiceNow Integration.
    Figure: QRadar instance configuration
  4. Fill in the fields.
    Table 1. Instance Configuration

    | Field | Description |
    | --- | --- |
    | ServiceNow Instance URL | The ServiceNow instance you want to send security incidents or events to. |
    | Username | Enter the name of the user who administers the application. This user must have the evt_mgmt_integration, import_transformer, and import_set_loader roles. |
    | Password | Enter a password, if needed. |
  5. Scroll to the Security Incident/Offense Mapping section.
    Figure: Security incident/offense mapping configuration options
  6. Map fields in the Security Incident [sn_si_incident] table to the associated QRadar values.
  7. To add new security incident field/value mappings, click Add New Mapping.
  8. Scroll to the Security Event/Offense Mapping section.
  9. Security event/offense mapping configuration options
  10. Map fields in the Event [em_event] table to the associated QRadar values.
  11. To add new security event field/value mappings, click Add New Mapping.
  12. Scroll to the Automatic Offense Transmission section.
    Figure: Automatic offense transmission configuration options
  13. Fill in the fields in the Automatic Offense Transmission section.
    Table 2. Automatic Offense Transmission

    | Field | Description |
    | --- | --- |
    | Automatically create incidents for matching offenses | Select this option to automatically create ServiceNow security incidents for offenses that match the value in the Incident filter field. |
    | Incident filter | If you selected the Automatically create incidents for matching offenses check box, enter a value that determines which QRadar offenses to use to create ServiceNow security incidents. For example, status = OPEN and severity > 5. |
    | Automatically create events for matching offenses | Select this option to automatically create ServiceNow events for offenses that match the value in the Incident filter field. |
    | Event filter | If you selected the Automatically create events for matching offenses check box, enter a value that determines which QRadar offenses to use to create ServiceNow events. For example, status = OPEN and severity <= 4. |
    | Authorized service token | Enter a valid QRadar service token to be used for automatic offense transmission. The service token must have been granted access to look up offenses via the REST API. |

    Note:

    The incident and event filters must be valid QRadar filters to the Offense API.

    If you defined the Automatic Offense Transmission options, all offenses that meet the defined criteria create the associated records and transmit them to the ServiceNow instance. If you did not define these configuration options, you can create security incidents and/or events manually.

  14. Scroll to the Proxy Configuration (Optional) section.
    Note: If you do not require proxy support, skip this step.
    Figure: Proxy configuration, if needed
  15. Fill in the fields in the Proxy Configuration section.
    Table 3. Proxy Configuration

    | Field | Description |
    | --- | --- |
    | Proxy URL | Enter the URL of the proxy server. The server must be an HTTP/HTTPS proxy. Requests to the instance are passed through this URL as a proxy. If a URL is not provided, requests are made directly to the instance. This field should also contain help text that shows the correct format of the URL and specifies that this is necessary only if QRadar sits behind a proxy server. |
    | Proxy username | If the proxy server requires authentication, enter a user name to be used for basic authentication. This field should also contain help text to describe the purpose of the field. |
    | Proxy password | If the proxy server requires authentication, enter a password to be used for basic authentication. |
  16. Click Save.
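
A pre-check for step 13, added here as an example and not part of the ServiceNow or IBM documentation: before saving, it sends each filter to the QRadar Offense API with the service token, which confirms both that the filter is valid and that the token can look up offenses. The console URL, the token, the QRADAR_* variable names, and the status-code mapping are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Filters taken from the examples in Table 2 of this page.
INCIDENT_FILTER = "status = OPEN and severity > 5"
EVENT_FILTER = "status = OPEN and severity <= 4"

def build_offense_request(console, token, offense_filter, sample=5):
    """Build GET /api/siem/offenses for one filter, limited to a few rows and fields."""
    if not console.lower().startswith("https://"):
        raise ValueError("use an https:// console URL so the token is not sent in clear text")
    query = urllib.parse.urlencode({"filter": offense_filter, "fields": "id,status,severity"})
    headers = {
        "SEC": token,                      # the authorized service token
        "Accept": "application/json",
        "Range": f"items=0-{sample - 1}",  # sample only; do not pull every offense
    }
    return urllib.request.Request(f"{console.rstrip('/')}/api/siem/offenses?{query}", headers=headers)

def classify(status):
    """Map an HTTP status to what must be fixed before saving (assumed mapping)."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "token rejected or lacks access to look up offenses"
    if status == 422:
        return "filter is not a valid Offense API filter"
    return f"unexpected status {status}"

def check_filter(console, token, offense_filter, opener=urllib.request.urlopen):
    """Return (verdict, sample offenses); TLS verification stays at the library default."""
    request = build_offense_request(console, token, offense_filter)
    try:
        with opener(request, timeout=15) as response:
            return classify(response.status), json.load(response)
    except urllib.error.HTTPError as err:
        return classify(err.code), []

if __name__ == "__main__":
    import os
    # QRADAR_CONSOLE and QRADAR_TOKEN are hypothetical variable names for this example.
    console, token = os.environ.get("QRADAR_CONSOLE"), os.environ.get("QRADAR_TOKEN")
    if console and token:
        for label, flt in (("incident", INCIDENT_FILTER), ("event", EVENT_FILTER)):
            verdict, sample = check_filter(console, token, flt)
            print(f"{label} filter {flt!r}: {verdict}; sample ids: {[o.get('id') for o in sample]}")
```

With the two example filters as written, an OPEN offense with severity 5 matches neither filter, so it creates no incident and no event automatically.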