This documentation supports the 20.08 version of BMC Helix Multi-Cloud Service Management.


Enabling prebuilt integration with IBM QRadar

IBM QRadar Security Information and Event Management (SIEM) analyzes log events and network data, and generates alert information called offenses when it detects threats to a company's infrastructure. You can use BMC Helix Multi-Cloud Service Management to enable the prebuilt integration with QRadar SIEM to remediate and service these threats by using Remedy IT Service Management (ITSM) or BMC Helix IT Service Management (ITSM).

After you enable the integration, incidents are created in Remedy with Smart IT whenever QRadar SIEM offenses are triggered. You can create two types of incidents for QRadar offenses based on the flow you configure. 

  • Security incident
  • Infrastructure Event

However, you can configure the flow for only one of the incident types. For information about the flows, see List of flows and configuration values for integration with QRadar SIEM.

The following image displays the Smart IT incident that is created when an offense is triggered. You can view the details of the offense in the Smart IT interface, and also open the offense from the ticket details and activity notes section.


Before you begin

Complete all preconfiguration tasks before you configure QRadar SIEM integration.

To select the integration option for QRadar SIEM

  1. Launch BMC Helix Platform by using the URL provided in the email sent to you from BMC, and log in as an administrator.
  2. From the list of applications, select Workspace > Applications > Multi-Cloud Service Management.
  3. To launch BMC Helix Multi-Cloud Service Management, on the top-right corner of the page, click Visit Deployed Application.

    Tip

    You can access BMC Helix Multi-Cloud Service Management directly by entering the URL https://hostName:portNumber/innovationsuite/index.html#/com.bmc.dsm.mcsm and logging in as a tenant administrator.

  4. To open the configuration page, click Settings.
  5. Select Start Here > Quick Configuration Guide.
    BMC Helix Multi-Cloud Service Management lists the features available to you.

  6. Select IBM QRadar to Remedy Incident under Security, and click Done.

The Configuration Links page displays a list of the common configurations, connectors, flows, and connector targets and processes that you need to configure as described in the next tasks. 

To map QRadar SIEM vendor data to Remedy ITSM or Smart IT

Configuring vendor data includes setting up a vendor organization and defining vendor mappings for the technology provider. Vendor mapping ensures that your vendor is notified about changes to the Remedy ITSM fields by sending updates as a comment to the corresponding vendor ticket.

  1. If you have not already done so, to set up the vendor organizations, on the Configuration Links page, click Manage Vendor Organizations. For instructions, see Performing preconfiguration tasks.

  2. To add or update the vendor mapping, on the Configuration Links page, click Map Vendors.
  3. On the Map Vendors screen, click  to open the Map New Vendor page.

  4. Enter a Description that makes it easy for you to identify the vendor metadata configuration.

  5. Select the Ticketing Technology Provider.
    The Ticketing Technology Provider is the application the vendor uses to manage tickets.

    Vendor | Ticketing Technology Provider
    Amazon | AWS
    JIRA Software | JIRA
    Salesforce Service Cloud | Service Cloud
    CA Agile Central | Agile Central
    Remedy ITSM | Vendor Remedy ITSM
    JIRA Software Service Desk | JIRA Service Desk
    Microsoft Azure DevOps | Azure DevOps
    Azure Monitor | Azure Alerts
    IBM QRadar | QRadar
    BMC TrueSight Operations Management | TrueSight Ops Mgmt for PSR
  6. Click Add Mapping.
    By default, the Instance URL, Vendor Field Mapping and Display Field Mapping fields are displayed.

  7. Update the Instance URL with the ticketing technology provider server and port details.
  8. To add or delete mapped field values, click { } to open the JSON editor, and modify Display Field Mapping.
    Display field mapping defines how vendor ticket fields map to the fields on the Smart IT console.

  9. (Optional) If you do not want the Remedy ITSM ticket to be resolved automatically when your vendor closes the corresponding ticket, clear the Resolve Incident Ticket When Vendor Closes It toggle.
    By default, BMC Helix Multi-Cloud Service Management resolves the Remedy ITSM ticket when the vendor closes the corresponding ticket.

To configure connectors for integrating Remedy ITSM and QRadar SIEM with BMC Helix Multi-Cloud Service Management

For each feature you selected, complete the following procedure for the connectors listed on the Configuration Links page.

  1. To navigate to BMC Helix Integration Service, on the Configuration Links page, click Configure connectors in Integration Studio under Required Common Configurations.
    You must configure the connectors listed for each feature, in addition to the connectors listed under Required Common Configuration.

  2. To enter field values, select a connector, such as Remedy ITSM, and click Configuration.
    You might need to click the arrow on the ribbon in the lower section of the screen to open the Configuration pane.

  3. To update the configuration defaults, enter the appropriate field values by referring to the list of connectors at the end of this procedure.
  4. To add or update the user account that is used to access the vendor application, click Accounts.

List of connectors and configuration values for integration with QRadar SIEM

 ITSM

  • Configuration
    If you are integrating BMC Helix Multi-Cloud Service Management with an on-premises instance of Remedy ITSM, enter the following values:

    Field | Value
    Site | Select the site that you created for Remedy.
    AR server | Enter the name of your on-premises AR System server.
    AR server port | Enter the port number for your on-premises AR System server.
  • Account
    Add a Remedy ITSM user account that has permissions to view business service requests and permissions to update incidents, change, or problem requests.


 Multi-Cloud

  • Configuration
    While activating BMC Helix Multi-Cloud Service Management, BMC configures the Multi-Cloud connector. Do not modify the default Multi-Cloud connector configuration.
  • Account
    BMC sets up the account for the Multi-Cloud connector.
    Click to re-authenticate after you have changed the password for your tenant administrator user account in BMC Helix Innovation Studio.
    For information about changing the user password, see Creating or modifying Person data.


 IBM QRadar
  • Configuration

    Field | Value
    Name | Enter a name for the connector configuration.
    Description | Enter a description for the configuration.
    Site | Select Cloud.
    Number of instances | Keep the default value.
    QRadar Server URL | Enter the URL of the QRadar SIEM server.
  • Account
    Add the account of a QRadar SIEM user who can view and update offenses.


 SMTP Email

  • Configuration
    To send email notifications for errors, specify values for the following fields:

    Field | Value
    Name | Enter a name for the connector configuration.
    Site | Select the appropriate site for your email server.
    Connection type | Select the type of connection for your email server.
  • Account
    Add an email account to be used for sending error notifications.

To configure flow triggers and field mappings between Remedy ITSM, BMC Helix Multi-Cloud Service Management, and QRadar SIEM

For each feature you selected, complete this procedure for the flows listed on the Configuration Links page.

  1. To navigate to BMC Helix Integration Service, on the Configuration Links page, click Configure flows in Integration Studio under Required Common Configurations.

    You need to configure the flows listed for each feature, in addition to the flows listed under Required Common Configuration.

  2. To open the flow template page, on the Catalog tab in Integration Studio, click the flow you want to configure.

  3. To create a copy of the flow template, click .


  4. Select the appropriate accounts for the end-point connectors of the selected flow.
    You specify the connector accounts when configuring connectors.
  5. To update the name of the flow that you have copied from the flow template, select My Flow, open the flow that you copied, and update the title.
  6. Specify the trigger Conditions and Field mapping, and click OK.
    For more information about trigger conditions and field mappings, see the list of flows at the end of this procedure.

  7. Click My Flows and select the flow that you created from the flow template.
  8. To verify the target values for the trigger conditions and the field mappings, in the right pane, click Details.

List of flows and configuration values for integration with QRadar SIEM

Note

You can configure one of the following flows based on the incident type you want to create for IBM QRadar offenses:

  • Create Incident from IBM QRadar Offense—Creates an incident of type Infrastructure Event.

  • Create Security Incident from IBM QRadar Offense—Creates an incident of type Security. To use this flow, you must have Remedy ITSM and Smart IT version 20.02 or later and you must complete the following configurations in Remedy ITSM and Smart IT:

    • Configuring settings for managing security incidents in the Remedy IT Service Management (Remedy ITSM) documentation.

    • Configuring settings for managing security incidents in the Remedy with Smart IT documentation.


 Create Incident from IBM QRadar Offense

  • Trigger

    Do not specify any trigger conditions.

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field | QRadar SIEM field
    Summary | Description
    Priority | Severity
    Description | Description, Magnitude
    Status | NA (Note: the value of this field is set to New.)
    Urgency | Severity
    Impact | Severity
    Incident Type | NA (Note: the value of this field is set to Infrastructure Event.)
    Vendor | NA (Note: the value of this field is set to QRadar.)
    Vendor Ticket Id | Offense Id


 Create Security Incident from IBM QRadar Offense

  • Trigger

    Ensure that status is set to open.

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field | QRadar SIEM field
    Summary | Description
    Priority | Severity
    Description | Description
    Status | NA (Note: the value of this field is set to New.)
    Urgency | Severity
    Impact | Severity
    Incident Type | NA (Note: the value of this field is set to Security Incident.)
    Reported Source | NA (Note: the value of this field is set to Other.)
    Vendor | NA (Note: the value of this field is set to QRadar.)
    Vendor Ticket Id | Offense Id
    Webhook Condition Parameter | NA (Note: the value of this field is set to Remedy.)


 Multi-Cloud Worklog to IBM QRadar Offense Note

  • Trigger

    Do not change the out-of-the-box webhook trigger condition.

  • Field Mapping

    QRadar SIEM field | BMC Helix Multi-Cloud Service Management field
    Offense Id | associatedGUID
    Note Text | CommentText

    Note: To change the Note text, you can add conditional mapping in the flow.


 Sync IBM QRadar Offense

  • Trigger

    Do not specify any trigger conditions.

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field | QRadar SIEM field
    Status | Status
    Vendor | NA (Note: the value of this field is set to QRadar.)
    Vendor Ticket Id | Offense Id
    Vendor Ticket Properties | NA (Note: retain the out-of-the-box mappings.)


 Close IBM QRadar Offense

  • Trigger

    Field | Value
    Condition is | NA (Note: in this field, retain the webhook condition.)
    Include All Fields is | True
    Source ID contains | QRadar

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field | QRadar SIEM field
    Vendor Ticket Id | Offense ID
    Not applicable | The status is set to Closed.


 Create Incident Activity Note

  • Trigger

    Field | Value
    Shared with Vendor | True
  • Field Mapping

    Do not change the following out-of-the-box field mappings.

    Field | Value
    post_type | comment#vendor
    ticketNumber | Incident Number
    Attachment Object 1.name | Attachment 1 filename
    Attachment Object 1.content | Attachment 1
    Attachment Object 2.name | Attachment 2 filename
    Attachment Object 2.content | Attachment 2
    Attachment Object 3.name | Attachment 3 filename
    Attachment Object 3.content | Attachment 3

    Note

    You can change the out-of-the-box field mapping for the text field. Default value is set to Notes.

    However, BMC recommends that you retain the existing mapping.


 Create Incident Activity Note with Author (Remedy 9.1.06 or later)

  • Trigger

    Field | Value
    Shared with Vendor | True
  • Field Mapping

    Do not change the following out-of-the-box field mappings.

    Field | Value
    post_type | comment#vendor
    ticketNumber | Incident Number
    Author | Full name
    Attachment Object 1.name | Attachment 1 filename
    Attachment Object 1.content | Attachment 1
    Attachment Object 2.name | Attachment 2 filename
    Attachment Object 2.content | Attachment 2
    Attachment Object 3.name | Attachment 3 filename
    Attachment Object 3.content | Attachment 3

    Note

    You can change the out-of-the-box field mapping for the text field. Default value is set to Notes.

    However, BMC recommends that you retain the existing mapping.

By default, the Create Incident Activity Note flow is used. If you want to use the Create Incident Activity Note with Author flow instead of the default flow, you must make changes to the flow.

For more information about using the flow, see Updating flows.


 Send Error Notification flow

  • Trigger

    Field | Value
    Flow Target | Multi-Cloud
  • Field Mapping

    Field | Value
    To | Enter the email account that will receive the error notification.
    Subject | Flow Title
    From | NA (Note: the value of this field is set to Integration Service.)

    Note

    You can change the following out-of-the-box field mappings:

    • Subject
    • From

    However, BMC recommends that you retain the existing mappings.
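The following block is an added illustration, not code from BMC or IBM. It models the field mappings and trigger conditions of the Create Incident, Create Security Incident, Multi-Cloud Worklog to IBM QRadar Offense Note, and Close IBM QRadar Offense flows listed above as plain Python, so that the records a flow would produce from a sample offense or webhook event can be checked offline before the flows are wired to live systems. It assumes that the QRadar offense and the Remedy webhook event arrive as dictionaries keyed by the field names used in the tables; the page gives no value translation from QRadar Severity to ITSM Priority, Urgency, and Impact, so the thresholds in severity_to_level() are constructed placeholders, and the sample records are constructed too.

```python
# Added illustration (not BMC's or IBM's code): the flow field mappings and
# trigger conditions from the tables above, expressed as plain Python.
# Assumptions: offenses and webhook events are dicts keyed by the table's
# field names; the Severity -> Priority/Urgency/Impact thresholds are
# constructed because the page does not specify them.

INFRASTRUCTURE_EVENT = "Infrastructure Event"
SECURITY_INCIDENT = "Security Incident"


def severity_to_level(severity):
    """Assumed translation of a QRadar severity (0-10) to an ITSM level."""
    severity = int(severity)
    if severity >= 8:
        return "Critical"
    if severity >= 5:
        return "High"
    if severity >= 3:
        return "Medium"
    return "Low"


def build_incident(offense, incident_type):
    """Return the Multi-Cloud Service Management incident fields for one offense,
    following the Create Incident (Infrastructure Event) or the Create Security
    Incident mapping. Returns None when the flow's trigger condition is not met."""
    if incident_type not in (INFRASTRUCTURE_EVENT, SECURITY_INCIDENT):
        raise ValueError("unknown flow: %s" % incident_type)
    if incident_type == SECURITY_INCIDENT and str(offense.get("Status", "")).lower() != "open":
        # Security flow trigger: only offenses whose status is open are picked up
        return None

    level = severity_to_level(offense["Severity"])
    incident = {
        "Summary": offense["Description"],
        "Priority": level,            # mapped from Severity
        "Urgency": level,             # mapped from Severity
        "Impact": level,              # mapped from Severity
        "Status": "New",              # fixed value
        "Incident Type": incident_type,
        "Vendor": "QRadar",           # fixed value
        "Vendor Ticket Id": str(offense["Offense Id"]),
    }
    if incident_type == INFRASTRUCTURE_EVENT:
        # This flow maps both Description and Magnitude into Description
        incident["Description"] = "%s (Magnitude: %s)" % (offense["Description"], offense["Magnitude"])
    else:
        incident["Description"] = offense["Description"]
        incident["Reported Source"] = "Other"               # fixed value
        incident["Webhook Condition Parameter"] = "Remedy"  # fixed value
    return incident


def worklog_to_offense_note(worklog):
    """Multi-Cloud Worklog to IBM QRadar Offense Note mapping."""
    return {"Offense Id": worklog["associatedGUID"], "Note Text": worklog["CommentText"]}


def should_close_offense(webhook_event):
    """Close IBM QRadar Offense trigger: Include All Fields is True and Source ID contains QRadar."""
    return (webhook_event.get("Include All Fields") is True
            and "QRadar" in str(webhook_event.get("Source ID", "")))


def close_offense_update(webhook_event):
    """Offense update produced by the Close flow, or None if the trigger does not match."""
    if not should_close_offense(webhook_event):
        return None
    return {"Offense Id": str(webhook_event["Vendor Ticket Id"]), "Status": "Closed"}


# Constructed sample records (not real offenses or tickets)
SAMPLE_OFFENSE = {
    "Offense Id": 4711,
    "Description": "Multiple login failures for the same user",
    "Severity": 7,
    "Magnitude": 6,
    "Status": "OPEN",
}
SAMPLE_WORKLOG = {"associatedGUID": "4711", "CommentText": "Analyst reviewing the offense"}
SAMPLE_CLOSE_EVENT = {"Include All Fields": True, "Source ID": "QRadar", "Vendor Ticket Id": "4711"}

if __name__ == "__main__":
    print(build_incident(SAMPLE_OFFENSE, INFRASTRUCTURE_EVENT))
    print(build_incident(SAMPLE_OFFENSE, SECURITY_INCIDENT))
    print(worklog_to_offense_note(SAMPLE_WORKLOG))
    print(close_offense_update(SAMPLE_CLOSE_EVENT))
```

Running the script prints the two incident records (note that only one of the create flows is configured in practice), the offense note produced from a worklog, and the closing update; a closed offense fed to the security flow yields None, matching the "status is open" trigger in the table.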

To define connector targets for QRadar SIEM integration

BMC preconfigures the out-of-the-box connector targets for all BMC Helix Multi-Cloud Service Management features. If you want to update the connector configuration or account information, update the connector target for the feature.

Warning

Do not delete the out-of-the-box connector targets.

  1. To navigate to BMC Helix Platform, in the Configuration Links page, click Configure Connector Targets in Innovation Studio under Required Common Configurations.
    You need to configure the connector targets listed for each feature on the Configuration Links page, in addition to the ones listed under Required Common Configuration.
  2. Click the connector target you want to configure or click to configure a new connector target.
  3. Enter or update the following values and save the configuration.

    Field | Instructions
    Name | Enter a unique name for the configuration. The name is associated with the process that is related to the connector you are configuring.
    Connector Type | Select the connector type from the list of connectors available to you in BMC Helix Integration Service.
    Configuration | Select a configuration from the list. For example, if you select qradar as the Connector Type, all the configurations that you have made for qradar are displayed in the Configuration list.
    Profile | Select a profile. For example, if you select qradar as the Connector Type, all the profiles that you have created for qradar are displayed in the Configuration list.

List of connector targets for integration with QRadar SIEM

 MCSM Remedy ITSM

For the MCSM Remedy ITSM connector target, define the connection configuration and profile required by the connector process.


When you complete the configuration for all the components, verify that incidents are created in Remedy ITSM from QRadar SIEM.

Related topic

Configuring BMC Helix Multi-Cloud Service Management





Comments

  1. Andy Spiers
    Jun 19, 2020 05:59
    1. Anushree Chavan

      Hello Andy,

      Thank you, for pointing this out. We have fixed the link.

      Regards,

      Anushree

      Jun 30, 2020 03:08