BMC Helix Multi-Cloud Broker provides out-of-the-box mappings and application-level configurations so that you can create incidents in BMC Helix ITSM from IBM QRadar Security Information and Event Management (SIEM) to address security challenges. To establish integration with IBM QRadar SIEM, you configure the following connectors, flows, and connector targets. You must set up tenant-level configurations.
After you complete the integration, your users can use features such as the creation of incidents in BMC Helix ITSM when a QRadar offense is created. Each flow in the list of flows is essentially a feature that you can use. Depending on your use case, you might have to configure multiple flows. BMC Helix Multi-Cloud Broker logically chains the flows and connector processes to complete the feature.
List of connectors for integration with QRadar SIEM
You must configure the following connectors when setting up integration with QRadar SIEM. These connectors are integration points for the respective applications. For instance, to send the data from BMC Helix Multi-Cloud Broker to QRadar SIEM, you must configure a flow from the Multi-Cloud connector to the IBM QRadar connector.
ITSM
Configuration
If you are integrating BMC Helix Multi-Cloud Broker with an on-premises instance of ITSM, enter the following values:
| |
---|
| Select the site that you created for Remedy. |
| Enter the name of your on-premises AR System server. |
| Enter the port number for your on-premises AR System server. |
- Account
Add an ITSM user account that has permissions to view business service requests and permissions to update incidents, change, or problem requests.
Multi-Cloud
- Configuration
While activating BMC Helix Multi-Cloud Broker, BMC configures the Multi-Cloud connector. Do not modify the default Multi-Cloud connector configuration.
Account
BMC sets up the account for the Multi-Cloud connector.
Click
to re-authenticate after you have changed the password for your tenant administrator user account in BMC Helix Innovation Studio.
For information about changing the user password, see Creating or modifying People data.
IBM QRadar
Configuration
| |
---|
| Enter a name for the connector configuration. |
| Enter a description for the configuration. |
| |
| |
| Enter the URL of the QRadar SIEM server. |
- Account
Add the account of a QRadar SIEM user who can view and update offenses.
SMTP Email
Configuration
To send email notifications for errors, specify values for the following fields:
| |
---|
| Enter a name for the connector configuration. |
| Select the appropriate site for your email server. |
| Select the type of connection for your email server. |
- Account
Add an email account to be used for sending error notifications.
List of flows for integration with QRadar SIEM
When enabling the integration with QRadar SIEM, configure the flows that enable the functionality. For example, to create an incident in BMC Helix ITSM from QRadar SIEM, you must configure the Create Incident from IBM QRadar Offense flow.
Create Incident from IBM QRadar Offense
Trigger
Do not specify any trigger conditions.
Field Mapping
BMC Helix Multi-Cloud Broker fields | |
---|
| |
| |
| |
Status Note: The value of this field is set to New. | |
| |
| |
Incident Type Note: The value of this field is set to Infrastructure Event. | |
Vendor Note: The value of this field is set to QRadar. | |
| |
Create Security Incident from IBM QRadar Offense
Trigger
Ensure that status is set to open.
Field Mapping
BMC Helix Multi-Cloud Broker fields | |
---|
| |
| |
| |
Status Note: The value of this field is set to New. | |
| |
| |
Incident Type Note: The value of this field is set to Security Incident. | |
Reported Source Note: The value of this field is set to Other. | |
Vendor Note: The value of this field is set to QRadar. | |
| |
Webhook Condition Parameter Note: The value of this field is set to Remedy. | |
Multi-Cloud Worklog to IBM QRadar Offense Note
Trigger
Do not change the out-of-the-box webhook trigger condition.
Field Mapping
| BMC Helix Multi-Cloud Broker fields |
---|
| |
| CommentText Note: To change the Note text, you can add conditional mapping in the flow. |
Sync IBM QRadar Offense
Trigger
Do not specify any trigger conditions.
Field Mapping
BMC Helix Multi-Cloud Broker fields | |
---|
| |
Vendor Note: The value of this field is set to QRadar. | |
| |
Vendor Ticket Properties Note: Retain the out-of-the-box mappings. | |
Close IBM QRadar Offense
Trigger
| |
---|
Condition is Note: In this field, retain the webhook condition. | |
| |
| |
Field Mapping
BMC Helix Multi-Cloud Broker fields | |
---|
| |
| The status is set to Closed. |
Create Incident Activity Note
Trigger
Field | Value |
---|
Shared with Vendor | True |
Field Mapping
Do not change the following out-of-the-box field mappings.
Field | Value |
---|
post_type | comment#vendor |
ticketNumber | Incident Number |
Attachment Object 1.name | Attachment 1 filename |
Attachment Object 1.content | Attachment 1 |
Attachment Object 2.name | Attachment 2 filename |
Attachment Object 2.content | Attachment 2 |
Attachment Object 3.name | Attachment 3 filename |
Attachment Object 3.content | Attachment 3 |
Note
You can change the out-of-the-box field mapping for the text field. Default value is set to Notes.
However, BMC recommends that you retain the existing mapping.
Create Incident Activity Note with Author (Remedy 9.1.06 or later)
Field Mapping
Do not change the following out-of-the-box field mappings.
| |
---|
| |
| |
| |
| |
Attachment Object 1.content | |
| |
Attachment Object 2.content | |
| |
Attachment Object 3.content | |
Note
You can change the out-of-the-box field mapping for the text field. Default value is set to Notes.
However, BMC recommends that you retain the existing mapping.
By default, the Create Incident Activity Note flow is used. To use the Create Incident Activity Note with Author flow instead of the default flow, you must make changes to the flow.
For more information about using the flow, see Updating flows.
Send Error Notification flow
Field Mapping
| |
---|
| Enter the email account that will receive the error notification. |
| |
From Note: The value of this field is set to Integration Service. | |
Note
You can change the following out-of-the-box field mappings:
However, BMC recommends that you retain the existing mappings.
List of connector targets for integration with QRadar SIEM
When a ticket is brokered from any vendor to BMC Helix ITSM, the ticket data first arrives in BMC Helix Multi-Cloud Broker before being sent to BMC Helix ITSM. To send the data from BMC Helix Multi-Cloud Broker to BMC Helix ITSM, you must configure the BMC Helix Multi-Cloud Broker ITSM connector target and set it in the Connector Process ITSM.
MCSM ITSM
For the MCSM ITSM connector target, define the connection configuration and profile required by the connector process.