Install and configure the ServiceNow application for the IBM QRadar offense ingestion integration
- Updated Aug 1, 2024
- Xanadu
- Security Incident Response integrations
Before you run the integration on your Now Platform® instance, complete these installation and configuration steps so the application properly integrates with the Security Incident Response and Security Operations products on your Now Platform instance.
Before you begin
Role required: sn_si.admin
Procedure
- If you have not installed the IBM QRadar application from the ServiceNow Store for the integration, see Install a Security Operations integration and follow the steps to install it.
- After you have successfully installed the application, navigate to Integrations > Integrations Configurations and locate the IBM QRadar tile.
- To configure the application, click New.
- Alternatively, if a Configure button is displayed on a tile, click it to edit an existing configuration.
- In the Offense Ingestions Configuration dialog that is displayed, fill in the fields.
Field: Description

Name: Name of the IBM QRadar console or the IBM QRadar instance used for the integration. Spaces are supported for names, but parentheses are not supported.

IBM QRadar API Base URL: Host URL for your IBM QRadar instance.
Note: You need to enter only the URL and the port number here. For example, https://ibm-qradar.com:8443. If the port number is 443, it need not be explicitly entered.

IBM QRadar Dashboard URL: The URL for the IBM QRadar dashboard or the console. This URL is used to automatically construct the hyperlinks for offenses in the IBM QRadar dashboard. Enter only the host URL, for example, https://qradar.com. Do not include the .jsp page in the URL; for example, https://qradar.com/console/qradar/jsp/QRadar.jsp is an invalid format.
Note: If the dashboard URL is not available, enter the IBM QRadar API Base URL here.

IBM QRadar API Version: Versions 10 and above are supported.

IBM QRadar API Authorized Service Token (on premises): The IBM QRadar authorized service token is used for authentication. The authorized service token must have the following minimum user roles: Offenses, Log Activity, and Network Activity, along with a user security profile that has no restrictions. To generate the authorized service token, follow these steps:
  - In the IBM QRadar console, navigate to the Admin tab and click Authorized Services.
  - If a valid authorized service token exists, check the expiry date and use this token.
If an authorized service token is not available, follow these steps:
  - In IBM QRadar, navigate to the Admin tab and click Authorized Service.
  - Click Add Authorized Service and create a token with the user role and security profile. Ensure that you specify an expiry date for a long validity period.

IBM QRadar API Authorized Service Token (for QRoC): If you are using IBM QRadar on Cloud (QRoC), use the self-service application to generate the authorized service token with the admin user role and admin security profile for authentication.

On Premises Deployment: Default is disabled. If this option is enabled, you must specify a MID Application Name. If you are using IBM QRadar on Cloud (QRoC), verify that the check box is cleared.

MID Application Name: Specify a MID Server Application that is set up in your environment. If you do not have a MID Server Application configured, you must create a new MID Server Application for this integration.
Note: The MID Server Application can be configured only by users with the system administrator role.
Figure 1. Minimum User Roles
To create a new MID Server Application, follow these steps:
  - Navigate to MID Server > Applications and click New.
  - Enter a name for the MID Server Application and select a MID Server to be used as the default.
  - Deselect the Included in application ALL check box and click Save.
  - Click Edit. In the Edit Members page, select all available MID Servers, move them to the MID Servers List, and click Save. Depending on the availability, one of the MID Servers configured with the MID Server Application will be used.
- Enter the configuration details and specify the MID Server Application you have created.
The source that you configure on the IBM QRadar Offense Ingestion Configuration form can be reused for multiple Now Platform profiles as long as each profile ingests offenses.
- Click Submit.
After it is successfully validated and submitted, each IBM QRadar server configuration is saved on the Security Integrations page as a tile. If your saved configuration tiles are not displayed on the Security Integrations page, on the top right corner of the page, from the Show Configurations choice list, click Yes.
Note: If you encounter some issues with the IBM QRadar domain segmentation feature, contact IBM QRadar Customer Support for assistance.
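The field rules in the configuration dialog can be checked before the values are entered. The following is an added example, not ServiceNow or IBM code; the dictionary keys (including `qroc`), the function names and the hostnames are hypothetical, and the https check is an added assumption rather than a rule from this page.

```python
from urllib.parse import urlsplit

def _url_problems(label, value):
    """Both URL fields accept scheme, host and optional port only."""
    try:
        u = urlsplit(value.strip())
        u.port  # raises ValueError on a malformed port
    except ValueError:
        return [f"{label}: malformed URL"]
    if not u.scheme or not u.hostname:
        return [f"{label}: scheme and host are required"]
    out = []
    if u.scheme != "https":
        # Added hardening assumption: the token travels with every API call.
        out.append(f"{label}: use https")
    if ".jsp" in u.path.lower():
        out.append(f"{label}: do not include the .jsp page")
    elif u.path not in ("", "/") or u.query or u.fragment:
        out.append(f"{label}: enter only host and port")
    return out

def validate_config(cfg):
    """Return a list of problems; an empty list means the values fit the rules."""
    problems = []
    name = cfg.get("name", "")
    if not name.strip():
        problems.append("Name: required")
    elif "(" in name or ")" in name:
        problems.append("Name: parentheses are not supported")
    problems += _url_problems("API Base URL", cfg.get("api_base_url", ""))
    # The page allows the API Base URL as the fallback dashboard URL.
    dashboard = cfg.get("dashboard_url") or cfg.get("api_base_url", "")
    problems += _url_problems("Dashboard URL", dashboard)
    try:
        if float(cfg.get("api_version", "")) < 10:
            problems.append("API Version: version 10 and above are supported")
    except (TypeError, ValueError):
        problems.append("API Version: not a number")
    if not cfg.get("token"):
        problems.append("Token: authorized service token is required")
    on_prem = bool(cfg.get("on_premises", False))  # page default: disabled
    if cfg.get("qroc") and on_prem:
        problems.append("On Premises Deployment: clear it for QRoC")
    if on_prem and not cfg.get("mid_application_name"):
        problems.append("MID Application Name: required when on premises")
    return problems

# Constructed sample values; the hostname and token are placeholders.
SAMPLE = {"name": "QRadar prod", "api_base_url": "https://qradar.example:8443",
          "api_version": "12.0", "token": "PLACEHOLDER", "on_premises": True}
```

`validate_config(SAMPLE)` reports the missing MID Application Name, because On Premises Deployment is enabled in the sample.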
What to do next
You have successfully installed and configured the application. The next step is to create the profile.