IBM Support

QRadar: Configuring QRadar to generate ServiceNow tickets based on offenses

Question & Answer


Can offenses created by QRadar generate ServiceNow tickets?



If your ticketing system can generate tickets from emails or SNMP traps, it can be integrated with QRadar. The workflow for the integration is as follows:

Create an Authorized Services Token for your ticketing system for your QRadar Console. To do this, follow the instructions below:

  1. Log in to the QRadar Web User Interface.

  2. Go to the Admin tab > Authorized Services Icon > Add Authorized Service from the menu.

  3. Specify the Service Name (for example, ServiceNow).

  4. Select a User Role from the pull down menu.

  5. Select a Security Profile from the pull down menu.

  6. Enter an Expiration Date for the token.

    Note: By default, the User Role and Security Profile are set as Admin.

This will create an Authentication Token for the ticketing system. Copy the token to Notepad.

Configure an offense rule with an email or SNMP trap response.

To configure the email locale settings and the SNMP trap settings, go to the Admin tab in the QRadar Web User Interface, click the System Settings icon, and then either click SNMP Settings in the left menu or scroll down to SNMP Settings.

The email or SNMP trap will contain information such as the offense ID. Refer to the following tech note for more detailed instructions on how to configure SNMP traps.

SNMP trap configuration in QRadar

The ticketing system then receives the SNMP trap or email, parses it, and creates a ticket based on the information it contains, such as the offense ID.

Can ServiceNow close an offense in QRadar?

Offenses can be closed or dismissed using a query string.

Refer to the Managing authorized service section in the QRadar Administration Guide for detailed instructions.

QRadar Administration Guide
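
One way a ticketing integration could close an offense with the authorized service token, as an added example that is not from IBM's tech note. It assumes the QRadar REST API's `POST /api/siem/offenses/{offense_id}` endpoint with the token in the `SEC` header, which may differ from the query string the Administration Guide describes for this version; the host name, offense ID, closing reason ID and the `QRADAR_TOKEN` variable are constructed placeholders.

```python
import os
import re
import urllib.parse
import urllib.request

# Assumption: the console is addressed by a bare host name, optionally with a port.
_HOST = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")


def build_close_request(console, offense_id, closing_reason_id, token):
    """Build (but do not send) the request that closes one offense."""
    # The offense ID was parsed out of an e-mail or SNMP trap, so treat it as
    # untrusted: accept ASCII decimal digits only, nothing that could alter the path.
    oid = str(offense_id).strip()
    if not (oid.isascii() and oid.isdigit()):
        raise ValueError("offense ID must be a decimal integer")
    if not _HOST.fullmatch(console):
        raise ValueError("console must be a bare host name")
    # Reject empty tokens and anything that could split the header line.
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")

    # Closing reason IDs are defined per deployment; 1 below is a placeholder.
    query = urllib.parse.urlencode(
        {"status": "CLOSED", "closing_reason_id": int(closing_reason_id)}
    )
    url = f"https://{console}/api/siem/offenses/{oid}?{query}"
    req = urllib.request.Request(url, method="POST")
    # urllib stores this as "Sec"; HTTP header names are case-insensitive.
    req.add_header("SEC", token)
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Read the token from the environment instead of a file on an analyst's
    # desktop; QRADAR_TOKEN is a hypothetical variable name.
    token = os.environ.get("QRADAR_TOKEN", "constructed-token-0000")
    req = build_close_request("qradar.example.test", "1042", 1, token)
    print(req.get_method(), req.full_url)
    # To send: urllib.request.urlopen(req, timeout=10), which verifies the
    # console's TLS certificate by default. Leave that verification on.
```

Scoping the authorized service to a User Role and Security Profile that only cover the offenses the ticketing system handles limits what a leaked token can do.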

Where do you find more information?


Document Information

Modified date:
16 June 2018