This documentation supports the 20.08 version of BMC Helix Multi-Cloud Service Management.

To view the documentation for the previous version, select 20.02 from the Product version menu.

IBM QRadar Security Information and Event Management (SIEM) integration reference

BMC Helix Multi-Cloud Broker provides out-of-the-box mappings and application-level configurations so you can create incidents in ITSM from IBM QRadar Security Information and Event Management (SIEM) offenses. To establish integration with IBM QRadar SIEM, you configure the connectors, flows, and connector targets listed on this page. You must also set up tenant-level configurations.

After you complete the integration, your users can use features such as the creation of an incident in ITSM when a QRadar offense is created. Each flow in the list of flows is essentially a feature that you can use. Depending on your use case, you might have to configure multiple flows. BMC Helix Multi-Cloud Broker logically chains the flows and connector processes to complete the feature.

List of connectors for integration with QRadar SIEM

You must configure the following connectors when setting up integration with QRadar SIEM. These connectors are integration points for the respective applications. For instance, to send the data from BMC Helix Multi-Cloud Broker to QRadar SIEM, you must configure a flow from the Multi-Cloud connector to the IBM QRadar connector.

  • Configuration
    If you are integrating BMC Helix Multi-Cloud Broker with an on-premises instance of ITSM, enter the following values:

    Field             Value
    Site              Select the site that you created for Remedy.
    AR server         Enter the name of your on-premises AR System server.
    AR server port    Enter the port number for your on-premises AR System server.
  • Account
    Add an ITSM user account that has permissions to view business service requests and to update incident, change, or problem requests.


  • Configuration
    While activating BMC Helix Multi-Cloud Broker, BMC configures the Multi-Cloud connector. Do not modify the default Multi-Cloud connector configuration.
  • Account
    BMC sets up the account for the Multi-Cloud connector.
    Click to re-authenticate after you have changed the password for your tenant administrator user account in BMC Helix Innovation Studio.
    For information about changing the user password, see Creating or modifying Person data.


  • Configuration

    Field                  Value
    Name                   Enter a name for the connector configuration.
    Description            Enter a description for the configuration.
    Site                   Select Cloud.
    Number of instances    Keep the default value.
    QRadar Server URL      Enter the URL of the QRadar SIEM server.
  • Account
    Add the account of a QRadar SIEM user who can view and update offenses.


  • Configuration
    To send email notifications for errors, specify values for the following fields:

    Field              Value
    Name               Enter a name for the connector configuration.
    Site               Select the appropriate site for your email server.
    Connection type    Select the type of connection for your email server.
  • Account
    Add an email account to be used for sending error notifications.

List of flows for integration with QRadar SIEM

When enabling the integration with QRadar SIEM, configure the flows that enable the functionality you need. For example, to create an incident in ITSM from QRadar SIEM, you must configure the Create Incident from IBM QRadar Offense flow.

  • Trigger

    Do not specify any trigger conditions.

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field    QRadar SIEM field
    Summary                                           Description
    Priority                                          Severity
    Description                                       Description, Magnitude
    Status                                            NA
      Note: The value of this field is set to New.
    Urgency                                           Severity
    Impact                                            Severity
    Incident Type                                     NA
      Note: The value of this field is set to Infrastructure Event.
    Vendor                                            NA
      Note: The value of this field is set to QRadar.
    Vendor Ticket Id                                  Offense Id


  • Trigger

    Ensure that the status is set to Open.

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field    QRadar SIEM field
    Summary                                           Description
    Priority                                          Severity
    Description                                       Description
    Status                                            NA
      Note: The value of this field is set to New.
    Urgency                                           Severity
    Impact                                            Severity
    Incident Type                                     NA
      Note: The value of this field is set to Security Incident.
    Reported Source                                   NA
      Note: The value of this field is set to Other.
    Vendor                                            NA
      Note: The value of this field is set to QRadar.
    Vendor Ticket Id                                  Offense Id
    Webhook Condition Parameter                       NA
      Note: The value of this field is set to Remedy.


  • Trigger

    Do not change the out-of-the-box webhook trigger condition.

  • Field Mapping

    QRadar SIEM field    BMC Helix Multi-Cloud Service Management field
    Offense Id           associatedGUID
    Note Text            CommentText

    Note: To change the Note text, you can add conditional mapping in the flow.


  • Trigger

    Do not specify any trigger conditions.

  • Field Mapping

    BMC Helix Multi-Cloud Service Management field    QRadar SIEM field
    Status                                            Status
    Vendor                                            NA
      Note: The value of this field is set to QRadar.
    Vendor Ticket Id                                  Offense Id
    Vendor Ticket Properties                          NA
      Note: Retain the out-of-the-box mappings.


  • Trigger

    Field                     Value
    Condition is              NA
      Note: In this field, retain the webhook condition.
    Include All Fields is     True
    Source ID contains        QRadar

  • Field Mapping

    BMC Helix Multi-Cloud Broker field    QRadar SIEM field
    Vendor Ticket Id                      Offense ID
    Not applicable                        The status is set to Closed.
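The two create-incident mapping tables above and the close-offense trigger table are the parts of this page that a practitioner most often has to reason about when incidents and offenses fall out of sync. The following Python is an added worked example, not BMC's or IBM's code: it applies the page's field mappings to a constructed offense record and evaluates the close-flow trigger conditions. The record shape (`id`, `description`, `severity`, `magnitude`, `status`) and the trigger event keys are assumptions chosen to match the field names on this page, and the conversion of QRadar's numeric severity into an ITSM priority label is not specified on the page, so the severity value is passed through unchanged.

```python
"""Added example: apply this page's QRadar-to-ITSM field mappings and the
close-offense trigger conditions to constructed sample data.
Not BMC's or IBM's code; record layouts are assumptions."""

# Constructed sample offense. The key names are assumed; only the field
# names the page uses (Offense Id, Description, Severity, Magnitude, Status)
# are taken from the documentation.
SAMPLE_OFFENSE = {
    "id": 1042,
    "description": "Excessive failed logins followed by a success",
    "severity": 7,
    "magnitude": 5,
    "status": "OPEN",
}


def validate_offense(offense: dict) -> list:
    """Return the names of required keys that are missing.

    Vendor Ticket Id (mapped from Offense Id) is the only field that ties the
    incident back to the offense; without it the status-sync and close flows
    cannot correlate the incident, so it is treated as mandatory."""
    required = ("id", "description", "severity")
    return [key for key in required if offense.get(key) is None]


def offense_to_incident(offense: dict, incident_type: str = "Infrastructure Event") -> dict:
    """Build the ITSM incident fields for the create-incident flows.

    Follows the page's tables: Summary, Priority, Urgency and Impact take the
    offense values named there; Status, Vendor and Incident Type are constants.
    The first flow sets Incident Type to Infrastructure Event and includes
    Magnitude in the Description; the second flow uses Security Incident and
    maps Description only, which is selected with include_magnitude below."""
    missing = validate_offense(offense)
    if missing:
        raise ValueError(f"offense is missing required fields: {missing}")

    include_magnitude = incident_type == "Infrastructure Event"
    description = offense["description"]
    if include_magnitude:
        # The first table maps ITSM Description to both Description and Magnitude.
        description = f"{description}\nMagnitude: {offense.get('magnitude')}"

    incident = {
        "Summary": offense["description"],
        "Priority": offense["severity"],   # severity-to-priority scale not on the page
        "Description": description,
        "Status": "New",
        "Urgency": offense["severity"],
        "Impact": offense["severity"],
        "Incident Type": incident_type,
        "Vendor": "QRadar",
        "Vendor Ticket Id": str(offense["id"]),
    }
    if incident_type == "Security Incident":
        # Extra constants the second mapping table sets.
        incident["Reported Source"] = "Other"
        incident["Webhook Condition Parameter"] = "Remedy"
    return incident


def close_offense_trigger_matches(event: dict) -> bool:
    """Evaluate the close-offense flow's trigger table: Include All Fields must
    be True and Source ID must contain 'QRadar'. The webhook condition the page
    says to retain is assumed to be checked upstream of this function."""
    include_all = event.get("Include All Fields") is True
    source_ok = "QRadar" in str(event.get("Source ID", ""))
    return include_all and source_ok


def close_offense_payload(event: dict):
    """Apply the close flow's mapping: Vendor Ticket Id becomes the Offense ID
    and the offense status is set to Closed. Returns None when the trigger
    conditions are not met, so unrelated vendor events are never closed."""
    if not close_offense_trigger_matches(event):
        return None
    ticket_id = event.get("Vendor Ticket Id")
    if not ticket_id:
        return None  # nothing to correlate with; do not emit a blind close
    return {"Offense ID": str(ticket_id), "status": "Closed"}


if __name__ == "__main__":
    print(offense_to_incident(SAMPLE_OFFENSE))
    print(offense_to_incident(SAMPLE_OFFENSE, "Security Incident"))
    sample_event = {"Include All Fields": True, "Source ID": "QRadar", "Vendor Ticket Id": "1042"}
    print(close_offense_payload(sample_event))
```

The guard in `close_offense_payload` reflects the page's trigger table directly: a status change on an incident whose Source ID does not contain QRadar, or one delivered without all fields, must not result in an offense being closed.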


  • Trigger

    Field                 Value
    Shared with Vendor    True
  • Field Mapping

    Do not change the following out-of-the-box field mappings.

    Field                          Value
    post_type                      comment#vendor
    ticketNumber                   Incident Number
    Attachment Object 1.name       Attachment 1 filename
    Attachment Object 1.content    Attachment 1
    Attachment Object 2.name       Attachment 2 filename
    Attachment Object 2.content    Attachment 2
    Attachment Object 3.name       Attachment 3 filename
    Attachment Object 3.content    Attachment 3

    Note

    You can change the out-of-the-box field mapping for the text field. The default value is Notes. However, BMC recommends that you retain the existing mapping.


  • Trigger

    Field                 Value
    Shared with Vendor    True
  • Field Mapping

    Do not change the following out-of-the-box field mappings.

    Field                          Value
    post_type                      comment#vendor
    ticketNumber                   Incident Number
    Author                         Full name
    Attachment Object 1.name       Attachment 1 filename
    Attachment Object 1.content    Attachment 1
    Attachment Object 2.name       Attachment 2 filename
    Attachment Object 2.content    Attachment 2
    Attachment Object 3.name       Attachment 3 filename
    Attachment Object 3.content    Attachment 3

    Note

    You can change the out-of-the-box field mapping for the text field. The default value is Notes. However, BMC recommends that you retain the existing mapping.

By default, the Create Incident Activity Note flow is used. If you want to use the Create Incident Activity Note with Author flow instead of the default flow, you must make changes to the flow.

For more information about using the flow, see Updating flows.


  • Trigger

    Field          Value
    Flow Target    Multi-Cloud
  • Field Mapping

    Field      Value
    To         Enter the email account that will receive the error notification.
    Subject    Flow Title
    From       NA
      Note: The value of this field is set to Integration Service.

    Note

    You can change the following out-of-the-box field mappings:

    • Subject
    • From

    However, BMC recommends that you retain the existing mappings.


List of connector targets for integration with QRadar SIEM

When a ticket is brokered from any vendor to ITSM, the ticket data first arrives in BMC Helix Multi-Cloud Broker before being sent to ITSM. To send the data from BMC Helix Multi-Cloud Broker to ITSM, you must configure the MCSM ITSM connector target and set it in the Connector Process ITSM.

For the MCSM ITSM connector target, define the connection configuration and profile required by the connector process.

