Enabling prebuilt integration with IBM QRadar
IBM QRadar Security Information and Event Management (SIEM) analyzes log events and network data, and generates alert information called offenses when it detects threats to a company's infrastructure. You can use BMC Helix Multi-Cloud Broker to enable the prebuilt integration with QRadar SIEM to remediate and service these threats by using Remedy IT Service Management Suite (Remedy ITSM Suite) or BMC Helix ITSM.
After you enable the integration, incidents are created in Smart IT whenever QRadar SIEM offenses are triggered. You can create two types of incidents for QRadar offenses based on the flow you configure.
- Security incident
- Infrastructure Event
However, you can only configure the flow for one of the incident types. For information about the flows, see List of flows and configuration values for integration with QRadar SIEM.
The following image displays the Smart IT incident that is created when an offense is triggered. You can view the details of the offense in the Smart IT interface, and also open the offense from the ticket details and activity notes section.
Before you begin
Complete all preconfiguration tasks before you configure QRadar SIEM integration.
To select the integration option for QRadar SIEM
- Launch BMC Helix Platform by using the URL provided in the email sent to you from BMC, and log in as an administrator.
- From the list of applications, select Workspace > Applications > Multi-Cloud Service Management.
- To launch BMC Helix Multi-Cloud Broker, on the top-right corner of the page, click Visit Deployed Application.
- To open the configuration page, click Settings.
- Select Start Here > Quick Configuration Guide.
BMC Helix Multi-Cloud Broker lists the features available to you.
- Select IBM QRadar to Remedy Incident under Security, and click Done.
The Configuration Links page displays a list of the common configurations, connectors, flows, and connector targets and processes that you need to configure as described in the next tasks.
To map QRadar SIEM vendor data to ITSM or Smart IT
Configuring vendor data includes setting up a vendor organization and defining vendor mappings for the technology provider. Vendor mapping ensures that your vendor is notified about changes to the ITSM fields by sending updates as a comment to the corresponding vendor ticket.
- If you have not already done so, to set up the vendor organizations, on the Configuration Links page, click Manage Vendor Organizations. For instructions, see Performing-preconfiguration-tasks.
- To add or update the vendor mapping, on the Configuration Links page, click Map Vendors.
- On the Map Vendors screen, click to open the Map New Vendor page.
- Enter a Description that makes it easy for you to identify the vendor metadata configuration.
- Select the Ticketing Technology Provider.
The Ticketing Technology Provider is the application the vendor uses to manage tickets.
Vendor | Ticketing Technology Provider
Amazon | AWS
JIRA Software | JIRA
Salesforce Service Cloud | Service Cloud
CA Agile Central | Agile Central
ITSM | Vendor ITSM
JIRA Software Service Desk | JIRA Service Desk
Microsoft Azure DevOps | Azure DevOps
Azure Monitor | Azure Alerts
IBM QRadar | QRadar
BMC TrueSight Operations Management | TrueSight Ops Mgmt for PSR
- Click Add Mapping.
By default, the Instance URL, Vendor Field Mapping and Display Field Mapping fields are displayed.
- Update the Instance URL with the ticketing technology provider server and port details.
- To add or delete mapped field values, click { } to open the JSON editor, and modify Display Field Mapping.
Display field mapping defines how vendor ticket fields map to the fields on the Smart IT console.
- (Optional) If you do not want the ITSM ticket to be automatically resolved when the corresponding ticket is closed by your vendor, clear the Resolve Incident Ticket When Vendor Closes It toggle key.
By default, BMC Helix Multi-Cloud Broker resolves the ITSM ticket when the corresponding ticket is closed by the vendor.
To configure connectors for integrating ITSM and QRadar SIEM with BMC Helix Multi-Cloud Broker
For each feature you selected, complete the following procedure for the connectors listed on the Configuration Links page.
- To navigate to BMC Helix Integration Service, on the Configuration Links page, click Configure connectors in Integration Studio under Required Common Configurations.
You must configure the connectors listed for each feature, in addition to the connectors listed under Required Common Configuration.
- To enter field values, select a connector, such as ITSM, and click Configuration.
You might need to click the arrow on the ribbon in the lower section of the screen to open the Configuration pane.
- To update the configuration defaults, enter the appropriate field values by referring to the list of connectors at the end of this procedure.
- To add or update the user account that is used to access the vendor application, click Accounts.
List of connectors and configuration values for integration with QRadar SIEM
To configure flow triggers and field mappings between ITSM, BMC Helix Multi-Cloud Broker, and QRadar SIEM
For each feature you selected, complete this procedure for the flows listed on the Configuration Links page.
- To navigate to BMC Helix Integration Service, on the Configuration Links page, click Configure flows in Integration Studio under Required Common Configurations.
You need to configure the flows listed for each feature, in addition to the flows listed under Required Common Configuration.
- To open the flow template page, on the Catalog tab in Integration Studio, click the flow you want to configure.
- To create a copy of the flow template, click
.
- Select the appropriate accounts for the end-point connectors of the selected flow.
You specify the connector accounts when configuring connectors.
- To update the name of the flow that you have copied from the flow template, select My Flow, open the flow that you copied, and update the title.
- Specify the trigger Conditions and Field mapping, and click OK.
For more information about trigger conditions and field mappings, see the list of flows at the end of this procedure.
- Click My Flows and select the flow that you created from the flow template.
- To verify the target values for the trigger conditions and the field mappings, in the right pane, click Details.
List of flows and configuration values for integration with QRadar SIEM
To define connector targets for QRadar SIEM integration
BMC preconfigures the out-of-the-box connector targets for all BMC Helix Multi-Cloud Broker features. If you want to update the connector configuration or account information, update the connector target for the feature.
- To navigate to BMC Helix Platform, in the Configuration Links page, click Configure Connector Targets in Innovation Studio under Required Common Configurations.
You need to configure the connector targets listed for each feature on the Configuration Links page, in addition to the ones listed under Required Common Configuration.
- Click the connector target you want to configure or click to configure a new connector target.
- Enter or update the following values and save the configuration.
Field | Instructions
Name | Enter a unique name for the configuration. The name is associated with the process that is related to the connector you are configuring.
Connector Type | Select the connector type from the list of connectors available to you in BMC Helix Integration Service.
Configuration | Select a configuration from the list. For example, if you select qradar as the Connector Type, all the configurations that you have made for qradar are displayed in the Configuration list.
Profile | Select a profile. For example, if you select qradar as the Connector Type, all the profiles that you have created for qradar are displayed in the Configuration list.
List of connector targets for integration with QRadar SIEM
When you complete the configuration for all the components, verify that incidents are created in ITSM from QRadar SIEM.
Related topic
Configuring-BMC-Helix-Multi-Cloud-Service-Management