ServiceNow Security Operations Add-on For IBM QRadar


When QRadar is integrated with Security Incident Response, you can create security incidents and events from QRadar offenses. The application is configured and operated from within QRadar. Before you can use the ServiceNow Security Operations add-on for IBM QRadar, it must be downloaded from the IBM Security App Exchange and configured.

Download and install the ServiceNow Security Operations add-on for IBM QRadar

Download the IBM QRadar application from the IBM Security App Exchange and install the necessary extensions. The installation requires the ServiceNow Helsinki release or higher. You must also activate the following plugins prior to installation:
- Security Incident Response
- Event Management

1. Log in to the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub).
2. Download the ServiceNow Security Operations add-on for IBM QRadar application.
3. Log in to the QRadar console as an administrator.
4. Navigate to the Admin tab.
5. Click the Extensions Management icon.
6. Click Add in the Extensions Management window.
7. Select the file you downloaded in step 2 and select the Install immediately check box.
8. Click Submit.

The Extensions Management screen now shows a new ServiceNow record.

Configure the ServiceNow Security Operations add-on for IBM QRadar

Configure the ServiceNow Security Operations add-on for IBM QRadar to set basic operations and to map ServiceNow incident and event fields to QRadar values. You can also configure proxy server support if needed.

Role required: sn_si.admin

1. Log in to your QRadar instance.
2. Click the Admin tab.
3. Navigate to Plug-ins > ServiceNow Integration > Configure ServiceNow Integration.
4. Fill in the fields.

Table 1: Instance Configuration
  ServiceNow Instance URL: The ServiceNow instance you want to send security incidents or events to.
  Username: Enter the name of the user who administers the application. This user must have the evt_mgmt_integration, import_transformer, and import_set_loader roles.
  Password: Enter a password, if needed.

5. Scroll to the Security Incident/Offense Mapping section.
6. Map fields in the Security Incident [sn_si_incident] table to the associated QRadar values.
7. To add new security incident field/value mappings, click Add New Mapping.
8. Scroll to the Security Event/Offense Mapping section.
9. Map fields in the Event [em_event] table to the associated QRadar values.
10. To add new security event field/value mappings, click Add New Mapping.
11. Scroll to the Automatic Offense Transmission section.
12. Fill in the fields in the Automatic Offense Transmission section.

Table 2: Automatic Offense Transmission
  Automatically create incidents for matching offenses: Select this option to automatically create ServiceNow security incidents for offenses that match the value in the Incident filter field.
  Incident filter: If you selected the Automatically create incidents for matching offenses check box, enter a value that determines which QRadar offenses to use to create ServiceNow security incidents. For example, status OPEN and severity 5.
  Automatically create events for matching offenses: Select this option to automatically create ServiceNow events for offenses that match the value in the Incident filter field.
  Event filter: If you selected the Automatically create events for matching offenses check box, enter a value that determines which QRadar offenses to use to create ServiceNow events. For example, status OPEN and severity 4.
  Authorized service token: Enter a valid QRadar service token to be used for automatic offense transmission. The service token must have been granted access to look up offenses via the REST API.

Note: The incident and event filters must be valid QRadar filters to the Offense API.

If you defined the Automatic Offense Transmission options, all offenses that meet the defined criteria create the associated records and transmit them to the ServiceNow instance. If you did not define these configuration options, you can create security incidents and/or events manually.

13. Scroll to the Proxy Configuration (Optional) section.

Note: If you do not require proxy support, skip this step.

14. Fill in the fields in the Proxy Configuration section.

Table 3: Proxy Configuration
  Proxy URL: Enter the URL of the proxy server. The server must be an HTTP/HTTPS proxy. Requests to the instance are passed through this URL as a proxy. If a URL is not provided, requests are made directly to the instance. This field should also contain help text that shows the correct format of the URL and specifies that this is necessary only if QRadar sits behind a proxy server.
  Proxy username: If the proxy server requires authentication, enter a username to be used for basic authentication. This field should also contain help text to describe the purpose of the field.
  Proxy password: If the proxy server requires authentication, enter a password to be used for basic authentication.

15. Click Save.

Manually create security incidents and events from QRadar offenses

Role required: sn_si.admin

The Security Incident Response and Security Incident Response Event Management support plugins must be activated.

1. Log in to your QRadar instance.
2. Click the Offenses tab.
3. Locate and open the alert you want to convert.
4. Open the offense record you want to convert, then navigate to Plug-ins > ServiceNow Integration > Configure ServiceNow Integration.

5. Perform one of these procedures:
   - To convert the alert into a security incident and transmit it to ServiceNow, click Create ServiceNow Security Incident.
   - To convert the alert into a security event and transmit it to ServiceNow, click Create ServiceNow Security Event.
   A confirmation box appears.
6. Click OK.

The Notes section records that the offense was sent to ServiceNow as a security incident or an event.
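The following is an added example, not code from ServiceNow, IBM, or the add-on itself. It shows in plain Python the three pieces that the Configure procedure above wires together: the Offense API lookup driven by the Incident/Event filter and the authorized service token (Table 2), the Security Incident/Offense field mapping onto the sn_si_incident table, and the proxy-aware transmission to the ServiceNow instance (Tables 1 and 3). The sample offense, the mapping rows, the severity bucketing, the staging table name x_placeholder_qradar_offense, and the filter string written in the Offense API's filter syntax are all assumptions made for illustration; nothing is sent over the network.

```python
"""Added example: how an offense-to-security-incident transmission is shaped.
Not the add-on's own code; every name below that is not in the documentation
is an assumption made for illustration."""
import base64
from urllib.parse import quote, urlencode, urlparse

# Constructed sample offense, shaped like a QRadar Offense API record.
SAMPLE_OFFENSE = {
    "id": 42,
    "description": "Excessive Firewall Denies from a Single Source",
    "status": "OPEN",
    "severity": 7,
    "offense_source": "10.0.0.5",  # constructed sample address
}


def qradar_to_sn_severity(qradar_severity):
    """Assumed bucketing of QRadar's 0-10 severity onto the ServiceNow
    security incident severity values 1 (High), 2 (Medium), 3 (Low)."""
    if qradar_severity >= 8:
        return 1
    if qradar_severity >= 5:
        return 2
    return 3


# Illustrative Security Incident/Offense mapping: (sn_si_incident field,
# offense field, optional transform). The rows themselves are an assumption.
INCIDENT_MAPPING = [
    ("short_description", "description", None),
    ("severity", "severity", qradar_to_sn_severity),
    ("correlation_id", "id", str),
    ("source_ip", "offense_source", None),
]


def map_offense_to_incident(offense, mapping=INCIDENT_MAPPING):
    """Apply the field/value mappings to one offense. Offense fields that no
    mapping row names are dropped, so only mapped data reaches ServiceNow."""
    row = {}
    for sn_field, offense_field, transform in mapping:
        if offense_field in offense:
            value = offense[offense_field]
            row[sn_field] = transform(value) if transform else value
    return row


def build_offense_query(qradar_url, service_token, offense_filter):
    """Build the Offense API lookup behind automatic offense transmission.
    The SEC header carries the authorized service token. The filter string is
    passed through verbatim, which is why Table 2's note requires it to be a
    valid Offense API filter: the client cannot validate it locally."""
    query = urlencode({"filter": offense_filter,
                       "fields": "id,description,status,severity,offense_source"})
    url = qradar_url.rstrip("/") + "/api/siem/offenses?" + query
    headers = {"SEC": service_token, "Accept": "application/json"}
    return url, headers


def build_import_set_request(instance_url, staging_table, row, username, password,
                             proxy_url=None, proxy_user=None, proxy_password=None):
    """Shape the POST to the ServiceNow Import Set API, which is what the
    import_set_loader and import_transformer roles in Table 1 are for.
    Returns keyword arguments in the shape requests.post() accepts; nothing
    is sent here."""
    if urlparse(instance_url).scheme != "https":
        raise ValueError("ServiceNow instance URL must use https")
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = {
        "url": f"{instance_url.rstrip('/')}/api/now/import/{staging_table}",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/json"},
        "json": row,
    }
    if proxy_url:
        # Table 3: optional HTTP/HTTPS proxy, with basic auth if it needs it.
        parsed = urlparse(proxy_url)
        if parsed.scheme not in ("http", "https"):
            raise ValueError("proxy URL must be an HTTP or HTTPS proxy")
        if proxy_user:
            proxy_url = (f"{parsed.scheme}://{quote(proxy_user, safe='')}:"
                         f"{quote(proxy_password or '', safe='')}@{parsed.netloc}")
        request["proxies"] = {"https": proxy_url}
    return request


if __name__ == "__main__":
    print(build_offense_query("https://qradar.example", "<service-token>",
                              "status=OPEN and severity>=5"))
    incident = map_offense_to_incident(SAMPLE_OFFENSE)
    print(build_import_set_request("https://instance.example", "x_placeholder_qradar_offense",
                                   incident, "<username>", "<password>",
                                   proxy_url="http://proxy.example:3128"))
```

The instance URL check and the proxy scheme check mirror the constraints Table 1 and Table 3 state in prose; the mapping step is where unmapped offense fields are dropped, so the mapping rows define exactly what leaves QRadar.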
