Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.
  • Madrid
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store

Get started with the IBM QRadar - Incident Enrichment integration

Log in to subscribe to topics and get notified when content changes.

Get started with the IBM QRadar - Incident Enrichment integration

IBM QRadar is an enterprise security information and event management (SIEM) product that integrates easily with Security Operations. Before you can use the IBM QRadar - Incident Enrichment integration, you must activate the plugin and add the appropriate API Base URL and API Key.

Before you begin

Role required: admin
Important: If you have upgraded your instance from an earlier version, but prior to configuring the Splunk - Incident Enrichment integration, please contact ServiceNow support to manually activate the Core Automation API (com.snc.core.automation.api) plugin before attempting to configure this integration. The configuration will not function properly if this action is not taken.
Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method. If you activate the plugin using the traditional method, the IBM QRadar - Incident Enrichment integration recognizes the installation and the integration card displays the New button. Proceed to step 5.


  1. Access IBM QRadar and obtain the API Base URL and API Key under your IBM QRadar profile.
  2. Navigate to Security Operations > Integrations > Integration Configurations.
    The available security integrations appear as a series of cards.
    IBM QRadar - Incident Enrichment integration card
  3. In the IBM QRadar - Incident Enrichment card, click Install Plugin.
  4. In the Install IBM QRadar - Incident Enrichment dialog box, review the plugin details and click Activate.
  5. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the New button for the integration is available.
  6. Click New.
    IBM QRadar - Incident Enrichment Configuration
  7. Fill in the fields, as needed.
    Field Description
    Name The name of this configuration.
    QRadar API Base URL The base URL you acquired from the IBM QRadar site.
    Link URL [Optional] The Link URL that links to an IBM QRadar instance, when available.
    Version The IBM QRadar version; 5.0 is the default.
    API Key The API key you obtained from the IBM QRadar site.
    Max Rows The maximum number of rows you want to search.
    Earliest Result (days) The earliest results you want to see in number of days.
    Include raw data samples in search results Select this to include samples of raw data in your sightings search results. The amount of data returned depends on your setting in the number of rows of raw data property in Security Incident Response properties.
    MID Server Select Any to use any active MID Server, or select a specific MID Server name.
    Note: Configuring this integration activates workflows. To manage the workflows, navigate to the Workflow Editor.
  8. Click Submit.
    The integration configuration card displays.
  9. When viewing the new configuration card, you can click Configure or Delete to change or delete the configuration, respectively.
  10. To return to the original list of integration configuration cards, select No from the Show Configurations drop-down list.