This documentation supports the 23.3 and consecutive patch versions of BMC Helix Multi-Cloud Broker.

Creating incidents from IBM QRadar SIEM offenses via BMC Helix iPaaS, powered by Jitterbit

As an administrator, you can integrate BMC Helix ITSM with IBM QRadar Security Information and Event Management (SIEM) to create BMC Helix ITSM incidents from IBM QRadar offenses. The integration helps your agents to track and remediate security threats to your organization.

BMC Helix Multi-Cloud Broker along with BMC Helix iPaaS provides an out-of-the-box integration template to integrate BMC Helix ITSM and IBM QRadar SIEM. You configure the integration in BMC Helix Multi-Cloud Broker and deploy the template to your BMC Helix iPaaS environment.

The following image gives an overview of the capabilities that this integration supports:

This integration provides the following capabilities:

  • Create tickets
    IBM QRadar SIEM to BMC Helix ITSM: Creates an incident in BMC Helix ITSM from an offense generated in IBM QRadar.
    BMC Helix ITSM to IBM QRadar SIEM: Not applicable.
  • Synchronize statuses
    IBM QRadar SIEM to BMC Helix ITSM: Not applicable.
    BMC Helix ITSM to IBM QRadar SIEM: Closes an offense when the corresponding incident is closed.
  • Synchronize comments
    IBM QRadar SIEM to BMC Helix ITSM: Not applicable.
    BMC Helix ITSM to IBM QRadar SIEM: Shares an activity note from an incident to an offense.

IBM QRadar to BMC Helix ITSM data flow

The following image gives an overview of the data flow for creating a BMC Helix ITSM incident from an IBM QRadar offense:

BMC Helix ITSM to IBM QRadar data flow

The following image gives an overview of the data flow for updating an IBM QRadar offense from a BMC Helix ITSM incident:


Before you begin

You require the following items to successfully set up and use this integration: 

Required versions
  • BMC Helix ITSM version 20.08 and later
Authentication and permissions
  • Administrator access to the IBM QRadar account
  • Administrator access for BMC Helix Innovation Studio, BMC Helix Multi-Cloud Broker, and BMC Helix ITSM users to run this integration
Subscription
  • A valid BMC Helix iPaaS, powered by Jitterbit subscription

Task 1: To configure the integration

  1. Log in to BMC Helix Innovation Studio.
  2. On Workspace, click Multi-Cloud Broker.
  3. To launch BMC Helix Multi-Cloud Broker, click Visit Deployed Application.

    Tip

    You can access BMC Helix Multi-Cloud Broker directly by entering the URL https://hostName:portNumber/helix/index.html#/com.bmc.dsm.mcsm/login and logging in as a tenant administrator.

  4. Click Settings.
  5. Select Start Here > Quick Configuration Guide.
    The Quick Configuration Guide page is displayed.
  6. On the Step 1: Choose configuration tab, perform the following steps:

    Important

    In Choose configuration, Helix iPaaS (powered by Jitterbit) is selected by default. Do not change this value.

    1. Under Security, select IBM Qradar to ITSM Incident.
    2. Click Next.
  7. On the Step 2: Perform configurations tab, perform the following steps:
    1. Add an operating organization, if you have not already done so.
    2. Add IBM as the vendor organization, if you have not already done so.
    3. To add vendor metadata for IBM QRadar, click Map vendors, and perform the following steps:
      1. On the Map Vendors page, click Map Vendor.
      2. Complete the fields as described in the following table:

        Description: Enter a description for the IBM QRadar vendor metadata.
        Ticketing Technology Provider: From the list, select QRadar.
        (Optional) Instance Name: If you are using multiple instances of IBM QRadar, enter the instance name that you use to identify this one.
        Add Mapping: After you select the ticketing technology provider, click Add Mapping.
          BMC Helix Multi-Cloud Broker displays the default values in the Instance URL field and the Display Field Mapping section.
        Instance URL: If you have clicked Add Mapping, this field is auto-populated. Update the URL and replace the IBM QRadar server with the correct host name.
        Display Field Mapping: By default, the basic IBM QRadar fields are mapped in this section. If you want to map additional fields to display in the BMC Helix ITSM UI, add the relevant mappings in this section.
        Enable Local ITSM Communication: By default, this toggle key is enabled.
          If you want to use BMC Helix Integration Service as the underlying integration platform, disable this toggle key.
      3. Click Save.

    4. To fetch incidents from BMC Helix ITSM, click Define filter criteria to fetch records from ITSM to Helix Multi-Cloud Broker for incident, and perform the following steps:

      1. To select the filter criteria, click Advanced filter.

      2. Select the filters from the available fields, and click Next.
        The query filter expression is displayed. By default, the AND qualifier is applied when you select multiple filter criteria.

        Important

        Make sure that you add the Broker Vendor Name: QRadar filter, along with any other filters that you want to add.
      3. To change the qualifier for your filters, update the query, and then click Save.

        Important

        Make sure that you enter a valid query with available fields and values.

      4. Click Close.
        When an incident matches the operation and filter that you have selected, the system fetches that incident to BMC Helix Multi-Cloud Broker.

    5. In the Configure QRadar integration section, refer to the configuration steps listed and select the check boxes as you complete each step.

    6. Click Save.

Task 2: To download and import the integration template project file

  1. Download the Create BMC Helix ITSM incident from IBM QRadar offense 2022-10-01 file.
    This file contains the BMC Helix iPaaS Cloud Studio project Create BMC Helix ITSM incident from IBM QRadar offense.

    Important

    Your ability to access product pages on the EPD website is determined by the license your company purchased.

  2. Log in to BMC Helix iPaaS and navigate to Cloud Studio.
  3. Select your organization.
  4. On the projects page, click Import.
  5. Click Browse and then select the Create BMC Helix ITSM incident from IBM QRadar offense.json file you downloaded.
    The Project Name and Organization fields are automatically populated. The default project name is displayed. You can change the project name.

  6. From the Environment list, select the environment to which you want to import this integration template, and click Import.
    The project opens after the integration template is imported. 
  7. To open the project file at a later time, select the environment where the integration templates are available, select the project name, and click View/Edit.

Task 3: To update the project variables for the integration template

  1. Next to the project name (beside the Environment name), click the ellipsis ... and select Project Variables.
  2. Update the project variables as described in the following tables:
    • BMC Helix iPaaS variables:

      BHIP_API_NAME: Enter the name for the API that is created in the BMC Helix iPaaS API Manager to receive BMC Helix Multi-Cloud Broker or QRadar requests.

      BHIP_API_User_Roles: Enter comma-separated values of the organization roles assigned for the BMC Helix iPaaS API.
        Important: If you do not specify any value, all the organization roles get access to the new API.

      BHIP_MCB_API_Profile_User_Name: Enter the user name that should be used while creating the BASIC type of BMC Helix Multi-Cloud Broker API profile.

      BHIP_MCB_API_Profile_User_Password: Enter the password that should be used while creating the BASIC type of BMC Helix Multi-Cloud Broker API profile.
        The integration template creates an API in BMC Helix iPaaS to handle requests from BMC Helix Multi-Cloud Broker.

      BHIP_Vendor_API_Profile_Type, BHIP_Vendor_API_Profile_User_Name, BHIP_Vendor_API_Profile_User_Password, BHIP_Vendor_API_Profile_ApiKey_Name: Do not enter any value for these variables.

      BHIP_Host: Enter the BMC Helix iPaaS instance URL where you want to run this project.
        Important: Make sure that you do not enter any leading and trailing spaces in the URL.

      BHIP_User_Name: Enter the user name for the BMC Helix iPaaS instance.
        Important: BMC Helix iPaaS login credentials are required to create the API in BMC Helix iPaaS by using the REST API, because BMC Helix iPaaS does not expose information about the current login session to the project.

      BHIP_User_Password: Enter the password for the BMC Helix iPaaS instance.

      Enable_BMC_Helix_To_Vendor_Integration: Enables the creation of QRadar offenses from BMC Helix ITSM incidents, and the synchronization of updates and comments.
        By default, this variable is set to true. If you want to disable the synchronization of updates and comments between the incident and offense, set this variable to false.

      Enable_Vendor_To_BMC_Helix_Integration: Enables the creation of BMC Helix ITSM incidents from IBM QRadar offenses, the synchronization of activity notes between an incident and offense, and closing the offense from the incident.
        By default, this variable is set to true. If you want to disable the creation of BMC Helix ITSM incidents from IBM QRadar offenses, the sharing of activity notes between an incident and offense, and closing the offense from the incident, set this variable to false.

    • IBM QRadar project variables:

      QRadar_Host_Url: Enter the IBM QRadar instance URL in the following format:
        [http/https]://[host name]:[port]
        Important: Make sure that you do not enter any leading and trailing spaces.

      QRadar_User_Name: Enter the name of the administrator who has access to the IBM QRadar instance.

      QRadar_User_Password: Enter the password of the administrator user who has access to the IBM QRadar instance.

    • BMC Helix Multi-Cloud Broker project variables:

      MCB_Host: Enter the BMC Helix Multi-Cloud Broker host URL to which IBM QRadar offenses should be synchronized.
        Important: Make sure that you do not enter any leading and trailing spaces in the URL.

      MCB_User_Name: Enter the user name to access BMC Helix Multi-Cloud Broker.

      MCB_User_Password: Enter the password for the user name that you have entered.

      MCB_Vendor_Name: Enter the vendor name configured in the BMC Helix Multi-Cloud Broker application.

      The following variables are inputs from BMC Helix ITSM. Either enter values for these variables or map appropriate IBM QRadar fields if the data is available:

      ITSM_Company_Name: Enter the name of the company for which an incident should be created in BMC Helix ITSM; for example, Apex Global.

      ITSM_Customer_First_name: Enter the first name of the BMC Helix ITSM customer.

      ITSM_Customer_Last_Name: Enter the last name of the BMC Helix ITSM customer.

      ITSM_Incident_Type: Enter any of the following incident types for which a corresponding IBM QRadar offense should be created:
        • User Service Restoration
        • User Service Request
        • Infrastructure Restoration
        • Infrastructure Event
        • Security Incident
        The default value of this variable is User Service Restoration.
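Before deploying the project (Task 4), it is worth checking the variables above against the rules the tables state: required credentials present, the four BHIP_Vendor_API_Profile_* variables left empty, URLs in the [http/https]://[host name]:[port] form with no leading or trailing spaces, and ITSM_Incident_Type limited to the listed values. The following Python script is an added example of such a pre-deployment check; it is not code from BMC or from the integration template. It assumes the project variables have been exported as a plain name-to-string mapping (that export format is an assumption), and it goes slightly beyond the page by applying the no-leading-or-trailing-spaces rule to every value, not only the URLs, because a stray space in a user name or password fails authentication just as silently; it also flags a plain http URL as a warning, since the page permits http but the project carries administrator credentials.

```python
"""Pre-deployment check for the integration template's project variables (added example)."""
from urllib.parse import urlsplit

# Allowed values for ITSM_Incident_Type, as listed in the project variable table.
INCIDENT_TYPES = {
    "User Service Restoration",
    "User Service Request",
    "Infrastructure Restoration",
    "Infrastructure Event",
    "Security Incident",
}

# Variables the table says must be left empty for this template.
MUST_BE_EMPTY = (
    "BHIP_Vendor_API_Profile_Type",
    "BHIP_Vendor_API_Profile_User_Name",
    "BHIP_Vendor_API_Profile_User_Password",
    "BHIP_Vendor_API_Profile_ApiKey_Name",
)

# URL variables; the value says whether a port is mandatory (the page gives
# the explicit [http/https]://[host name]:[port] format only for QRadar_Host_Url).
URL_VARS = {"BHIP_Host": False, "QRadar_Host_Url": True, "MCB_Host": False}

# Credentials and names that must be non-empty for the template to work.
REQUIRED = (
    "BHIP_API_NAME", "BHIP_MCB_API_Profile_User_Name", "BHIP_MCB_API_Profile_User_Password",
    "BHIP_User_Name", "BHIP_User_Password", "QRadar_User_Name", "QRadar_User_Password",
    "MCB_User_Name", "MCB_User_Password", "MCB_Vendor_Name", "ITSM_Company_Name",
)

BOOL_VARS = ("Enable_BMC_Helix_To_Vendor_Integration", "Enable_Vendor_To_BMC_Helix_Integration")


def check_url(name, value, require_port):
    """Return findings for one URL variable (value is already stripped)."""
    findings = []
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        findings.append(f"{name}: scheme must be http or https, got {parts.scheme!r}")
        return findings
    if parts.scheme == "http":
        findings.append(f"{name}: warning, plain http sends this project's credentials unencrypted")
    if not parts.hostname:
        findings.append(f"{name}: missing host name")
    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        findings.append(f"{name}: port is not a number")
        return findings
    if require_port and port is None:
        findings.append(f"{name}: port is required ([http/https]://[host name]:[port])")
    return findings


def validate_project_variables(variables):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Generalization of the page's rule for URLs: whitespace breaks any value.
    for name, value in variables.items():
        if value != value.strip():
            findings.append(f"{name}: leading or trailing whitespace")
    for name in REQUIRED:
        if not variables.get(name, "").strip():
            findings.append(f"{name}: value is required")
    for name in MUST_BE_EMPTY:
        if variables.get(name, ""):
            findings.append(f"{name}: must be left empty for this template")
    for name, require_port in URL_VARS.items():
        value = variables.get(name, "").strip()
        if not value:
            findings.append(f"{name}: value is required")
            continue
        findings.extend(check_url(name, value, require_port))
    for name in BOOL_VARS:
        if variables.get(name, "true") not in ("true", "false"):
            findings.append(f"{name}: must be true or false")
    if not variables.get("BHIP_API_User_Roles", "").strip():
        findings.append("BHIP_API_User_Roles: warning, empty value grants every organization role access to the new API")
    incident_type = variables.get("ITSM_Incident_Type", "User Service Restoration")
    if incident_type not in INCIDENT_TYPES:
        findings.append(f"ITSM_Incident_Type: {incident_type!r} is not one of the allowed types")
    return findings


# Constructed sample values: placeholder hosts and credentials, not a real deployment.
SAMPLE_VARIABLES = {
    "BHIP_API_NAME": "MCB_QRadar_API",
    "BHIP_API_User_Roles": "Administrator,Integration",
    "BHIP_MCB_API_Profile_User_Name": "mcb-api-user",
    "BHIP_MCB_API_Profile_User_Password": "<placeholder>",
    "BHIP_Vendor_API_Profile_Type": "",
    "BHIP_Vendor_API_Profile_User_Name": "",
    "BHIP_Vendor_API_Profile_User_Password": "",
    "BHIP_Vendor_API_Profile_ApiKey_Name": "",
    "BHIP_Host": "https://ipaas.example.com",
    "BHIP_User_Name": "ipaas-admin",
    "BHIP_User_Password": "<placeholder>",
    "Enable_BMC_Helix_To_Vendor_Integration": "true",
    "Enable_Vendor_To_BMC_Helix_Integration": "true",
    "QRadar_Host_Url": "https://qradar.example.com:443",
    "QRadar_User_Name": "qradar-admin",
    "QRadar_User_Password": "<placeholder>",
    "MCB_Host": "https://helix.example.com",
    "MCB_User_Name": "mcb-admin",
    "MCB_User_Password": "<placeholder>",
    "MCB_Vendor_Name": "IBM",
    "ITSM_Company_Name": "Apex Global",
    "ITSM_Customer_First_name": "Jane",
    "ITSM_Customer_Last_Name": "Doe",
    "ITSM_Incident_Type": "Security Incident",
}

if __name__ == "__main__":
    for line in validate_project_variables(SAMPLE_VARIABLES) or ["all checks passed"]:
        print(line)
```

Run it against the exported variables before clicking Deploy Project; any line other than "all checks passed" points at the variable to correct in the Project Variables dialog.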

Task 4: To deploy and enable the project

Deployment is a one-time activity that initializes the integration configurations. The UI displays a message for the deployment status.

To deploy the project and then enable the integration:

  1. To deploy the project, next to the project name, click the ellipsis ..., and select Deploy Project.
  2. To enable the integration, next to the Enable Integrations operation, under 2.0 Integrations workflow, click the ellipsis ..., and select Run.

The following image shows the steps to deploy the project and enable it by deploying the workflow:

After you enable the integration, when an offense is generated in IBM QRadar, a corresponding incident is created in BMC Helix ITSM. Activity notes added to the BMC Helix ITSM incident are synced with the IBM QRadar offense. The offense is closed when the corresponding incident is closed.

(Optional) Task 5: To set the time for API debug mode

By default, the debug mode stays on for 2 hours after you run the integration, and debug logs are written for as long as the debug mode is set. To extend the debug mode period, perform the following steps:

  1. In BMC Helix iPaaS, select API Manager > My APIs.
  2. Open any of the following APIs:

    • BMC_Helix_ITSM_Incident_And_QRadar_Offense_MCB_To_Vendor: This API synchronizes comments and status updates between BMC Helix ITSM incidents and IBM QRadar offenses.

    • BMC_Helix_ITSM_Incident_And_QRadar_Offense_Vendor_To_MCB: This API creates BMC Helix ITSM incidents from IBM QRadar offenses.

  3. Select Enable Debug Mode Until: and set it for the required date and time.

  4. Save and publish the API.
