Reference for integration between BMC Helix ITSM and IBM QRadar by using BMC Helix Integration Service
List of connectors for integration with QRadar SIEM
You must configure the following connectors when setting up integration with QRadar SIEM. These connectors are integration points for the respective applications. For instance, to send the data from BMC Helix Multi-Cloud Broker to QRadar SIEM, you must configure a flow from the Multi-Cloud connector to the IBM QRadar connector.
ITSM
Configuration
If you are integrating BMC Helix Multi-Cloud Broker with an on-premises instance of BMC Helix ITSM, enter the following values:

| Field | Value |
| --- | --- |
| Site | Select the site that you created for Remedy. |
| AR server | Enter the name of your on-premises AR System server. |
| AR server port | Enter the port number for your on-premises AR System server. |

Account
Add a BMC Helix ITSM user account that has permission to view business service requests and to update incident, change, or problem requests.
Multi-Cloud
Configuration
While activating BMC Helix Multi-Cloud Broker, BMC configures the Multi-Cloud connector. Do not modify the default Multi-Cloud connector configuration.
Account
BMC sets up the account for the Multi-Cloud connector.
Click to re-authenticate after you have changed the password for your tenant administrator user account in BMC Helix Multi-Cloud Broker.
For information about changing the user password, see Creating or modifying People data.
IBM QRadar
Configuration

| Field | Value |
| --- | --- |
| Name | Enter a name for the connector configuration. |
| Description | Enter a description for the configuration. |
| Site | Select Cloud. |
| Number of instances | Keep the default value. |
| QRadar Server URL | Enter the URL of QRadar SIEM server. |

Account
Add the account of a QRadar SIEM user who can view and update offenses.
SMTP Email
Configuration
To send email notifications for errors, specify values for the following fields:

| Field | Value |
| --- | --- |
| Name | Enter a name for the connector configuration. |
| Site | Select the appropriate site for your email server. |
| Connection type | Select the type of connection for your email server. |

Account
Add an email account to be used for sending error notifications.
List of flows for integration with QRadar SIEM
When enabling the integration with QRadar SIEM, configure the flows that enable the functionality. For example, to create an incident in BMC Helix ITSM from QRadar SIEM, you must configure the Create Incident from IBM QRadar Offense flow.
Create Incident from IBM QRadar Offense
Trigger
Do not specify any trigger conditions.
Field Mapping

| BMC Helix Multi-Cloud Broker fields | QRadar SIEM fields |
| --- | --- |
| Summary | Description |
| Priority | Severity |
| Description | Description, Magnitude |
| Status. Important: The value of this field is set to New. | NA |
| Urgency | Severity |
| Impact | Severity |
| Incident Type. Important: The value of this field is set to Infrastructure Event. | NA |
| Vendor. Important: The value of this field is set to QRadar. | NA |
| Vendor Ticket Id | Offense Id |

Create Security Incident from IBM QRadar Offense
Trigger
Ensure that the status is set to open.
Field Mapping

| BMC Helix Multi-Cloud Broker fields | QRadar SIEM fields |
| --- | --- |
| Summary | Description |
| Priority | Severity |
| Description | Description |
| Status. Important: The value of this field is set to New. | NA |
| Urgency | Severity |
| Impact | Severity |
| Incident Type. Important: The value of this field is set to Security Incident. | NA |
| Reported Source. Important: The value of this field is set to Other. | NA |
| Vendor. Important: The value of this field is set to QRadar. | NA |
| Vendor Ticket Id | Offense Id |
| Webhook Condition Parameter. Important: The value of this field is set to Remedy. | NA |

Multi-Cloud Worklog to IBM QRadar Offense Note
Trigger
Do not change the out-of-the-box webhook trigger condition.
Field Mapping

| QRadar SIEM fields | BMC Helix Multi-Cloud Broker fields |
| --- | --- |
| Offense Id | associatedGUID |
| Note Text | CommentText |

Important: To change the Note text, you can add conditional mapping in the flow.
Sync IBM QRadar Offense
Trigger
Do not specify any trigger conditions.
Field Mapping

| BMC Helix Multi-Cloud Broker fields | QRadar SIEM fields |
| --- | --- |
| Status | Status |
| Vendor. Important: The value of this field is set to QRadar. | NA |
| Vendor Ticket Id | Offense Id |
| Vendor Ticket Properties. Important: Retain the out-of-the-box mappings. | NA |

Close IBM QRadar Offense
Trigger

| Field | Value |
| --- | --- |
| Condition is. Important: In this field, retain the webhook condition. | NA |
| Include All Fields is | True |
| Source ID contains | QRadar |

Field Mapping

| BMC Helix Multi-Cloud Broker fields | QRadar SIEM fields |
| --- | --- |
| Vendor Ticket Id | Offense ID |
| Not applicable | The status is set to Closed. |

Create Incident Activity Note
Trigger

| Field | Value |
| --- | --- |
| Shared with Vendor | True |

Field Mapping
Do not change the following out-of-the-box field mappings.

| Field | Value |
| --- | --- |
| post_type | comment#vendor |
| ticketNumber | Incident Number |
| Attachment Object 1.name | Attachment 1 filename |
| Attachment Object 1.content | Attachment 1 |
| Attachment Object 2.name | Attachment 2 filename |
| Attachment Object 2.content | Attachment 2 |
| Attachment Object 3.name | Attachment 3 filename |
| Attachment Object 3.content | Attachment 3 |

Create Incident Activity Note with Author (Remedy 9.1.06 or later)
Trigger

| Field | Value |
| --- | --- |
| Shared with Vendor | True |

Field Mapping
Do not change the following out-of-the-box field mappings.

| Field | Value |
| --- | --- |
| post_type | comment#vendor |
| ticketNumber | Incident Number |
| Author | Full name |
| Attachment Object 1.name | Attachment 1 filename |
| Attachment Object 1.content | Attachment 1 |
| Attachment Object 2.name | Attachment 2 filename |
| Attachment Object 2.content | Attachment 2 |
| Attachment Object 3.name | Attachment 3 filename |
| Attachment Object 3.content | Attachment 3 |

By default, the Create Incident Activity Note flow is used. Instead of the default flow, if you want to use the Create Incident Activity Note with Author flow, you must make changes to the flow.
For more information about using the flow, see Updating flows.
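The following is an added example, not BMC code: a drift check that compares a flow's trigger and field mapping against the out-of-the-box values documented for the two activity-note flows above. The dict layout, the function name `audit_flow`, and the sample flow are assumptions; the mapping is transcribed by hand because this page does not describe an export format for BMC Helix Integration Service.

```python
# Added example: audit a hand-transcribed flow definition against the
# out-of-the-box values documented for the two activity-note flows.
# The dict layout below is an assumption, not a BMC export format.

def _attachments():
    rows = {}
    for n in (1, 2, 3):
        rows[f"Attachment Object {n}.name"] = f"Attachment {n} filename"
        rows[f"Attachment Object {n}.content"] = f"Attachment {n}"
    return rows

BASELINE = {
    "trigger": {"Shared with Vendor": "True"},
    "mapping": {"post_type": "comment#vendor",
                "ticketNumber": "Incident Number",
                **_attachments()},
}

def audit_flow(flow, with_author=False):
    """Return (section, field, expected, actual) for every deviation."""
    expected = {s: dict(v) for s, v in BASELINE.items()}
    if with_author:  # extra row documented for the "with Author" flow
        expected["mapping"]["Author"] = "Full name"
    findings = []
    for section, rows in expected.items():
        actual = flow.get(section, {})
        # Union of keys catches changed, missing and undocumented fields.
        for field in sorted(set(rows) | set(actual)):
            if rows.get(field) != actual.get(field):
                findings.append(
                    (section, field, rows.get(field), actual.get(field)))
    return findings

# Constructed sample: post_type was edited, the attachment 3 content row
# was dropped, and an undocumented field ("Work Notes") was added.
SAMPLE = {
    "trigger": {"Shared with Vendor": "True"},
    "mapping": {**BASELINE["mapping"],
                "post_type": "comment", "Work Notes": "Notes"},
}
del SAMPLE["mapping"]["Attachment Object 3.content"]

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE):
        print(finding)
```

An empty result means the transcribed flow matches the documented defaults; pass `with_author=True` when auditing the Create Incident Activity Note with Author flow.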
Send Error Notification flow
Trigger

| Field | Value |
| --- | --- |
| Flow Target | Multi-Cloud |

Field Mapping

| Field | Value |
| --- | --- |
| To | Enter the email account that will receive the error notification. |
| Subject | Flow Title |
| From. Important: The value of this field is set to Integration Service. | NA |

List of connector targets for integration with QRadar SIEM
When a ticket is brokered from any vendor to BMC Helix ITSM, the ticket data first comes in BMC Helix Multi-Cloud Broker before being sent to BMC Helix ITSM. To send the data from BMC Helix Multi-Cloud Broker to BMC Helix ITSM, you must configure the BMC Helix Multi-Cloud Broker ITSM connector target and set it in the Connector Process ITSM.
MCSM ITSM
For the MCSM ITSM connector target, define the connection configuration and profile required by the connector process.