Creating BMC Helix ITSM incidents from IBM QRadar SIEM offenses by using BMC Helix iPaaS
As an administrator, you can integrate BMC Helix ITSM with IBM QRadar Security Information and Event Management (SIEM) to create BMC Helix ITSM incidents from IBM QRadar offenses. The integration helps your agents to track and remediate security threats to your organization.
BMC Helix Multi-Cloud Broker, along with BMC Helix iPaaS, powered by Jitterbit, provides an out-of-the-box integration template that you use to integrate BMC Helix ITSM and IBM QRadar SIEM. You configure the integration in BMC Helix Multi-Cloud Broker and deploy the template to your BMC Helix iPaaS environment.
This integration provides the following capabilities:
Use case | Capabilities of the Security feature |
---|---|
Create a ticket | Create an incident in BMC Helix ITSM when an offense is generated in IBM QRadar. |
Share comments | Share an activity note from an incident to an offense. |
Update the ticket status | Close an offense when the corresponding incident is closed. |
The following image gives an overview of the capabilities that this integration supports:
Before you begin
Make sure that you have the following items:
- A valid subscription to BMC Helix iPaaS, powered by Jitterbit.
- Administrator access to the IBM QRadar account.
- Administrator permissions in BMC Helix Multi-Cloud Broker and BMC Helix ITSM for the users who run this integration.
- From the Electronic Product Distribution site, download the Create_BMC_Helix_ITSM_incident_from_IBM_QRadar_offense.json file to your system.
IBM QRadar to BMC Helix ITSM data flow
BMC Helix ITSM to IBM QRadar data sync flow
Task 1: To perform configurations in the Quick Configuration Guide
- Log in to BMC Helix Innovation Studio.
- On Workspace, click Multi-Cloud Broker.
To launch BMC Helix Multi-Cloud Broker, click Visit Deployed Application.
- Click Settings.
- Select Start Here > Quick Configuration Guide.
The Quick Configuration Guide page is displayed. On the Step 1: Choose configuration tab, perform the following steps:
- Under Security, select IBM Qradar to ITSM Incident.
- Click Next.
- On the Step 2: Perform configurations tab, perform the following steps:
- Add an operating organization, if you have not already done so.
- Add IBM as the vendor organization, if you have not already done so.
- To add vendor metadata for IBM QRadar, click Map vendors, and perform the following steps:
- On the Map Vendors page, click Map Vendor.
Complete the fields as described in the following table:
Field | Action |
---|---|
Description | Enter a description for the IBM QRadar vendor metadata. |
Ticketing Technology Provider | From the list, select QRadar. |
(Optional) Instance Name | If you use multiple instances of IBM QRadar, enter a name that identifies this instance. |
Add Mapping | After you select the ticketing technology provider, click Add Mapping. BMC Helix Multi-Cloud Broker fills in default values in the Instance URL field and the Display Field Mapping section. |
Instance URL | Auto-populated after you click Add Mapping. Update the URL and replace the placeholder IBM QRadar server with the correct host name. |
Display Field Mapping | By default, the basic IBM QRadar fields are mapped in this section. To display additional fields in the BMC Helix ITSM UI, add the relevant mappings in this section. |
Enable Local ITSM Communication | Enabled by default. Disable this toggle only if you want to use BMC Helix Integration Service as the underlying integration platform. |
- Click Save.
- To fetch incidents from BMC Helix ITSM, click Define filter criteria to fetch records from ITSM to Helix Multi-Cloud Broker for incident, and perform the following steps:
- From the Select trigger event for incident list, select the Updated operation.
- In the Warning dialog box as shown in the following image, click Yes:
- In Advanced filter, add the following filter: Broker Vendor Name: QRadar
- Click Save.
When an incident matches the operation and filter that you have selected, the system fetches that incident to BMC Helix Multi-Cloud Broker.
- In the Configure Service Cloud integration section, refer to the configuration steps listed and select the check box for each step as you complete it.
- Click Save.
Task 2: To download and import the integration template project file
- Log in to BMC Helix iPaaS and navigate to Cloud Studio.
- Select your organization.
- On the projects page, click Import.
- Click Browse to navigate to and select the JSON file that you downloaded from the Electronic Product Distribution site.
The Project Name and Organization fields are populated automatically with the default project name, which you can change.
- From the Environment list, select the environment to which you want to import this integration template, and click Import.
The project opens after the integration template is imported.
- To open the project file at a later time, select the environment where the integration templates are available, select the project name, and click View/Edit.
Task 3: To update the project variables for the integration template
- Click the ellipsis ... next to the project name and select Project Variables.
- Update the project variables as described in the following tables:
BMC Helix iPaaS variables
Project variable | Value |
---|---|
BHIP_API_NAME | The default value is BMCHelixITSMIncidentAndQRadarOffense. If required, you can change the name. |
BHIP_API_User_Roles | Specify the organization roles that should have access to the new API, as comma-separated values. Important: If you do not specify any value, all organization roles get access to the new API. |
BHIP_MCSM_API_Profile_Username | The integration template creates an API in BMC Helix iPaaS to handle requests from BMC Helix Multi-Cloud Broker. Enter the user name to use when creating the BASIC type of BMC Helix Multi-Cloud Broker API profile. |
BHIP_MCSM_API_Profile_Password | Enter the password to use when creating the BASIC type of BMC Helix Multi-Cloud Broker API profile. |
BHIP_Vendor_API_Profile_Type, BHIP_Vendor_API_Profile_Username, BHIP_Vendor_API_Profile_Password, BHIP_Vendor_API_Profile_ApiKey_Name | You do not need to enter any value for these variables. |
BHIP_Host | Enter the URL of the BMC Helix iPaaS instance where you want to run this project. |
BHIP_Username | Enter the user name for the BMC Helix iPaaS instance. |
BHIP_Password | Enter the password for the BMC Helix iPaaS instance. |
Enable_BMC_Helix_To_Vendor_Integration | By default, set to true. Important: This variable enables the synchronization of comments from the incident to the offense and updates the offense status to Closed when the incident is closed. |
Enable_Vendor_To_BMC_Helix_Integration | By default, set to true. Important: This variable enables the creation of BMC Helix ITSM incidents from IBM QRadar offenses, shares activity notes between an incident and an offense, and closes the offense from the incident. |
IBM QRadar project variables
Project variable | Value |
---|---|
QRadar_Host_Url | Enter the IBM QRadar instance URL in the format [http/https]://[host name]:[port]. |
QRadar_Username | Enter the name of an administrator who has access to the IBM QRadar instance. |
QRadar_Password | Enter the password of that administrator user. |
BMC Helix Multi-Cloud Broker project variables
Project variable | Value |
---|---|
MCSM_Host | Enter the BMC Helix Multi-Cloud Broker host URL to which IBM QRadar offenses should be synchronized. |
MCSM_Username | Enter the user name used to interact with BMC Helix Multi-Cloud Broker. |
MCSM_Password | Enter the password for that user name. |
MCSM_Vendor_Name | The default value is QRadar. Do not change this value. |
The following variables are inputs from BMC Helix ITSM. Either enter values for these variables or map appropriate IBM QRadar fields if the data is available:
Project variable | Value |
---|---|
ITSM_Company_Name | Enter the name of the company for which an incident should be created in BMC Helix ITSM. For example, Calbro Services. |
ITSM_Customer_First_name | Enter the first name of the BMC Helix ITSM customer. |
ITSM_Customer_Last_Name | Enter the last name of the BMC Helix ITSM customer. |
ITSM_Incident_Type | Enter the incident type to create: one of User Service Restoration, User Service Request, Infrastructure Restoration, Infrastructure Event, or Security Incident. |
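The project variable tables above carry three constraints that are easy to get wrong and that the template does not check for you: the QRadar_Host_Url format, the fixed MCSM_Vendor_Name, and the fact that an empty BHIP_API_User_Roles opens the new API to every organization role. The following pre-flight check is an added example, not code from BMC or from the integration template; it encodes only the rules stated on this page, uses the template's variable names, and runs on a constructed SAMPLE_VARIABLES dict whose values are placeholders.

```python
"""Pre-flight check for the project variables of the QRadar integration template.

Added example (not part of the BMC Helix iPaaS template). It encodes only the
constraints stated on this page so a bad value is caught before Task 4 deploys it.
"""
from urllib.parse import urlsplit

# Incident types the ITSM_Incident_Type variable accepts.
ALLOWED_INCIDENT_TYPES = {
    "User Service Restoration", "User Service Request",
    "Infrastructure Restoration", "Infrastructure Event", "Security Incident",
}

# Variables the tables describe as values you must enter.
REQUIRED = [
    "BHIP_MCSM_API_Profile_Username", "BHIP_MCSM_API_Profile_Password",
    "BHIP_Host", "BHIP_Username", "BHIP_Password",
    "QRadar_Host_Url", "QRadar_Username", "QRadar_Password",
    "MCSM_Host", "MCSM_Username", "MCSM_Password",
    "ITSM_Company_Name", "ITSM_Customer_First_name",
    "ITSM_Customer_Last_Name", "ITSM_Incident_Type",
]

BOOLEAN_FLAGS = (
    "Enable_BMC_Helix_To_Vendor_Integration",
    "Enable_Vendor_To_BMC_Helix_Integration",
)


def check_qradar_url(value):
    """Check QRadar_Host_Url against the documented [http/https]://[host name]:[port]
    form. Returns (errors, warnings)."""
    errors, warnings = [], []
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        errors.append(f"QRadar_Host_Url: expected [http/https]://[host name]:[port], got {value!r}")
        return errors, warnings
    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        errors.append(f"QRadar_Host_Url: port in {value!r} is not a number")
        return errors, warnings
    if port is None:
        warnings.append("QRadar_Host_Url: the documented format includes :[port]; none given")
    if parts.scheme == "http":
        warnings.append("QRadar_Host_Url: plain http sends QRadar_Password in clear text; use https")
    if parts.path not in ("", "/") or parts.query:
        warnings.append("QRadar_Host_Url: the documented format has no path or query string")
    return errors, warnings


def validate(variables):
    """Return (errors, warnings) for a dict of project variable values.
    Errors should block deployment; warnings are settings to confirm on purpose."""
    errors, warnings = [], []
    for name in REQUIRED:
        if not str(variables.get(name, "")).strip():
            errors.append(f"{name}: a value is required")

    url = str(variables.get("QRadar_Host_Url", ""))
    if url.strip():
        url_errors, url_warnings = check_qradar_url(url)
        errors.extend(url_errors)
        warnings.extend(url_warnings)

    # An empty BHIP_API_User_Roles means every organization role can call the API.
    roles = [r.strip() for r in str(variables.get("BHIP_API_User_Roles", "")).split(",") if r.strip()]
    if not roles:
        warnings.append("BHIP_API_User_Roles: empty, so all organization roles get access to the new API")

    if variables.get("MCSM_Vendor_Name") != "QRadar":
        errors.append("MCSM_Vendor_Name: must be left as QRadar")

    enabled = {}
    for name in BOOLEAN_FLAGS:
        raw = str(variables.get(name, "true")).strip().lower()
        if raw not in ("true", "false"):
            errors.append(f"{name}: expected true or false, got {raw!r}")
        enabled[name] = raw == "true"
    if not any(enabled.values()):
        warnings.append("both Enable_* flags are false, so neither direction of the integration runs")

    incident_type = str(variables.get("ITSM_Incident_Type", "")).strip()
    if incident_type and incident_type not in ALLOWED_INCIDENT_TYPES:
        errors.append(f"ITSM_Incident_Type: {incident_type!r} is not one of {sorted(ALLOWED_INCIDENT_TYPES)}")
    return errors, warnings


# Constructed sample values (placeholders, not real hosts or credentials).
# BHIP_API_User_Roles is left empty on purpose to show the open-access warning.
SAMPLE_VARIABLES = {
    "BHIP_API_NAME": "BMCHelixITSMIncidentAndQRadarOffense",
    "BHIP_API_User_Roles": "",
    "BHIP_MCSM_API_Profile_Username": "mcsm-api", "BHIP_MCSM_API_Profile_Password": "CHANGE-ME",
    "BHIP_Host": "https://ipaas.example.com", "BHIP_Username": "ipaas-admin", "BHIP_Password": "CHANGE-ME",
    "Enable_BMC_Helix_To_Vendor_Integration": "true", "Enable_Vendor_To_BMC_Helix_Integration": "true",
    "QRadar_Host_Url": "https://qradar.example.com:443", "QRadar_Username": "qradar-admin",
    "QRadar_Password": "CHANGE-ME",
    "MCSM_Host": "https://helix.example.com", "MCSM_Username": "mcsm-user", "MCSM_Password": "CHANGE-ME",
    "MCSM_Vendor_Name": "QRadar",
    "ITSM_Company_Name": "Calbro Services", "ITSM_Customer_First_name": "Security",
    "ITSM_Customer_Last_Name": "Analyst", "ITSM_Incident_Type": "Security Incident",
}

if __name__ == "__main__":
    errs, warns = validate(SAMPLE_VARIABLES)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    raise SystemExit(1 if errs else 0)
```

Run it with the values you intend to paste into Project Variables; a non-zero exit means at least one value contradicts the tables above. The roles warning is the one to read twice: leaving BHIP_API_User_Roles empty is the documented default, but it means the API that accepts Multi-Cloud Broker requests is reachable by every role in the organization.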
Task 4: To deploy and enable the project
- To deploy the integration after you update the project variables, on the project page, click the ellipsis ... and select Deploy Project.
Deployment is a one-time activity that initializes the integration configurations. The UI displays a message for the deployment status.
- After successfully deploying the integration, on the Workflows tab, select 2.0 Integrations > 2.0 Enable Integration.
- Click the ellipsis ... next to the Enable Integration element and select Deploy > Run.
(Optional) Task 5: To set the API debug mode
By default, debug mode stays on for 2 hours after you run the integration, and debug logs are written for that period. To keep debug mode on for longer, perform the following steps:
- In BMC Helix iPaaS, select API Manager > My APIs.
- Open either of the following APIs:
- BMC_Helix_ITSM_Incident_And_QRadar_Offense_MCSM_To_Vendor—This API synchronizes comments and status updates between the BMC Helix ITSM incidents and IBM QRadar offenses.
- BMC_Helix_ITSM_Incident_And_QRadar_Offense_Vendor_To_MCSM—This API creates BMC Helix ITSM incidents from IBM QRadar offenses.
- Select Enable Debug Mode Until: and set it for the required date and time.
- Save and publish the API.