QRadar Integration

utente
Giga Expert

Hi All,

I need to connect QRadar SIEM to ServiceNow using the MID Server.

Which ports do I need to open between QRadar and the MID Server?

Regards

Vincenzo

1 ACCEPTED SOLUTION

dravvyramlochun
ServiceNow Employee

Hello vingenzo



The MidServer communicates securely on port 443 to the instance and requires no inbound connections. In some cases, it might be necessary to allow this communication through the firewall if the MID Server fails to register on the instance. To determine if the application or a network security restriction is to blame for connection failure, attempt to telnet to the instance on port 443 from the server that is hosting the MID Server application. If this connection fails, then the problem could be a web proxy (since 443 is an HTTPS connection) or a Firewall rule preventing external TCP connections from that host. Contact network security personnel for the proxy information to add to the config.xml file, or request that the Firewall be configured to allow access using one of the following syntaxes:


  • <source IP> to <any>
  • <source IP> to <ServiceNow> any established
  • <source IP> to <instance_name.service-now.com> 443

Additionally, ensure the MID server can connect to install.service-now.com to download and install updates.



As the MID Server is configured in your network and QRadar is also in your network, you can communicate on any port you wish; even 443 is OK.


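The telnet check described in the accepted answer, as an added example (not part of the original post and not ServiceNow tooling): a script run on the MID Server host that attempts a direct outbound TCP connection to port 443 on the instance and on install.service-now.com and reports how each attempt ended. `instance_name.service-now.com` is the placeholder from the answer; the function names and the hint wording are assumptions.

```python
import socket
import sys

# Placeholder from the answer above; replace instance_name with your instance.
TARGETS = [("instance_name.service-now.com", 443),
           ("install.service-now.com", 443)]

# Heuristic reading of each outcome (assumption, not ServiceNow guidance).
HINTS = {
    "open": "direct TCP egress works; look at the MID Server config instead",
    "dns_failure": "name does not resolve here; check DNS or whether a proxy is expected",
    "refused": "connection actively rejected; check firewall rules for this host",
    "timeout": "no reply; firewall drop, or egress only allowed via a web proxy",
    "unreachable": "no route from this host; check routing and firewall rules",
}


def probe(host, port, timeout=5.0):
    """Attempt a direct outbound TCP connect, like `telnet host port`."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "unreachable"
    for family, socktype, proto, _name, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "open"
        except ConnectionRefusedError:
            result = "refused"
        except socket.timeout:
            result = "timeout"
        except OSError:
            result = "unreachable"
    return result


def check(targets, timeout=5.0):
    """Return {(host, port): outcome} for every target."""
    return {(h, p): probe(h, p, timeout) for h, p in targets}


if __name__ == "__main__":
    results = check(TARGETS)
    for (host, port), outcome in results.items():
        print(f"{host}:{port} -> {outcome}: {HINTS[outcome]}")
    # Non-zero exit if any target is not reachable directly.
    sys.exit(0 if all(o == "open" for o in results.values()) else 1)
```

This tests direct egress only and does not go through a web proxy, so a host that reaches the instance solely via the proxy set in config.xml will report a failure here.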

5 REPLIES 5


Uzzawal Agrawa1
Giga Contributor

Hi Experts,

I am integrating QRadar with ServiceNow, and there are the two use cases below:

- Create an incident manually in ServiceNow from an Offence by clicking a button

- Auto Incident and Events creation by providing the mapping and the trigger condition.

I have done all the configuration. I am able to create manual incidents by clicking the button from QRadar, but my second use case is not working. Any help, if I am missing any configuration?

Regards

Hi,

I am learning security operations integrations. I could see that there is a plugin available for IBM QRadar - Incident Enrichment; I have enabled the plugin in my personal instance. For configuring the integration, we need an API key and API base URL as well. I have got a trial instance for QRadar as well, but I couldn't find the details from the instance.

Could you please help.

We have also been able to implement the push button submission of offenses but not the auto generation of Security Incidents based on the Offense filter in the configuration.  Were you able to figure this out since you created this message?