Security Incident Response form after offense ingestion

  • Release version: Xanadu
  • Updated August 1, 2024

    After an IBM QRadar offense has been ingested, a security incident is created and the corresponding updates are made to the security incident record.

    Worknotes

    A worknote is posted with details of the offense that triggered the security incident.
    IBM QRadar: SIR: Worknote

    Click the offense link to navigate to the internal security incident record. The Click here hyperlink takes you to the IBM QRadar dashboard where you can view the offense details.

    If you selected the Log work note for new offense option in the Offense Aggregation Criteria (as described in Mapping IBM QRadar offense fields to security incident response fields), a worknote is also posted each time an offense is aggregated to the security incident.


    IBM QRadar: Internal Offense Record

    Aggregated offenses

    Click Related Lists > Aggregated IBM QRadar offenses to view the offenses aggregated to the security incident. Click the QRadar offense hyperlink to view the offense in the IBM QRadar dashboard.
    IBM QRadar Aggregated Offenses

    Create security incident: Select an offense from the list, click the Actions menu, and click Create security incident. This option creates a security incident for the offense and this offense is de-aggregated from the parent security incident.

    Delete offense record: Select an offense from the list, click the Actions menu, and click Delete. This option deletes the offense record.
    IBM QRadar Aggregated Offenses: Create and Delete

    IBM QRadar offense updates

    The offense updates list shows the standard and custom offense fields and tracks changes to the offense during every polling interval. This lets you review any offense updates directly in ServiceNow without navigating to the IBM QRadar dashboard. Any change to a value is displayed in the Previous value and Current value fields.

    To enable the offense updates feature, navigate to IBM QRadar Integration > IBM QRadar Integration Settings and enable the Set this property to activate the Offense Updates feature property. By default, this setting is disabled.


    IBM QRadar Offense Updates
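    The following is an added illustration (not ServiceNow or IBM code) of the offense updates behaviour described above: each polling interval delivers a fresh copy of every offense, and the tracker compares it with the copy from the previous interval to produce Previous value / Current value records for standard and custom fields alike. The offense ids, field names and values are constructed for the example, and the tracker's enabled flag mirrors the integration setting, which is disabled by default.

```python
# Added illustration (not ServiceNow or IBM product code): models the
# "offense updates" feature. Offense ids, field names and values below
# are constructed sample data.
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass(frozen=True)
class OffenseUpdate:
    offense_id: int
    field_name: str
    previous_value: Any   # value seen in the previous polling interval
    current_value: Any    # value seen in this polling interval
    poll: int             # polling interval in which the change was seen


@dataclass
class OffenseUpdateTracker:
    # Mirrors the integration setting: update tracking is disabled by default.
    enabled: bool = False
    _last_seen: Dict[int, Dict[str, Any]] = field(default_factory=dict)
    _poll: int = 0

    def poll(self, offenses: List[Dict[str, Any]]) -> List[OffenseUpdate]:
        """Ingest one polling interval's worth of offense records.

        Returns the updates detected since the previous interval. Standard
        and custom fields are treated alike: every key in the record except
        the id is compared. A field that appears for the first time is
        reported with previous_value None; a field that disappears is
        reported with current_value None.
        """
        self._poll += 1
        updates: List[OffenseUpdate] = []
        for record in offenses:
            offense_id = record["id"]
            current = {k: v for k, v in record.items() if k != "id"}
            previous = self._last_seen.get(offense_id)
            # The first sighting of an offense is covered by the creation
            # worknote, so only later intervals produce update records.
            if previous is not None and self.enabled:
                for name in sorted(set(previous) | set(current)):
                    old, new = previous.get(name), current.get(name)
                    if old != new:
                        updates.append(OffenseUpdate(offense_id, name, old, new, self._poll))
            # Always remember the latest copy, so enabling the feature later
            # starts comparing from the most recent known state.
            self._last_seen[offense_id] = current
        return updates
```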

    Recent IBM QRadar events

    Click the Fetch Recent IBM QRadar Events option under the Related Links to view the most recent IBM QRadar events.
    IBM QRadar: Recent Events
    By default, a maximum of 100 events is displayed. You can modify this default in the Configuration settings.
    Note:
    The above image shows the standard event fields associated with the offense. If you have configured and mapped any custom event fields (see Mapping IBM QRadar offense fields to security incident response fields), you can view them in the List View by clicking the Event Name link.

    IBM QRadar: Recent IBM QRadar Events: List View

    Recent IBM QRadar Flows

    Using Integration Hub and Flow Designer, several flows, subflows, and actions are available with the IBM QRadar integration. When you click the Fetch Recent IBM QRadar Flows option under the Related Links, the most recent flows are retrieved. To view these flows, click Recent IBM QRadar Flows.
    IBM QRadar: Recent Flows
    By default, a maximum of 100 flows is displayed. You can modify this default in the Configuration settings.
    Note:
    The above image shows the standard flow fields associated with the offense. If you have configured and mapped any custom flow fields (see Mapping IBM QRadar offense fields to security incident response fields), you can view them in the List View by clicking the Flow ID link.