Configuration settings

  • Release version: Zurich
  • Updated July 31, 2025
  • Use this option to modify the IBM QRadar ingestion integration default system properties.

    To modify the system properties, log in as a user with the sn_si.admin role and navigate to IBM QRadar Integration > IBM QRadar Integration Settings.

    Table 1. IBM QRadar Integration Settings
    Property Name Description
    Enforce a limit on the number of security incidents that can be created in a 24-hour period.

    sn_sec_qradar.max_si_per_day

    Specify the maximum number of security incidents that can be created in 24 hours.
    • Type: integer
    • Default value: 1000
    Enforce a limit on the number of offenses that can be aggregated to a single incident.

    sn_sec_qradar.max_aggregation_per_si

    The offense aggregation limit for a security incident. For example, if there are 102 offenses, the first 100 offenses are aggregated to security incident_1 and the remaining 2 to security incident_2.
    • Type: integer
    • Default value: 100
    This property sets the time period for the AQL that fetches recent events/flows for a particular offense.

    sn_sec_qradar.on_demand_recent_days_limit

    Specify the number of days to fetch recent events or flows for a particular offense.
    • Type: integer
    • Default value: 7
    This property limits the number of recent events fetched for a particular offense.

    sn_sec_qradar.on_demand_event_limit

    Specify the number of events that are retrieved for an offense. The most recent events are retrieved first based on the event timestamp.
    • Type: integer
    • Default value: 100
    This property limits the number of recent flows fetched for a particular offense.

    sn_sec_qradar.on_demand_flow_limit

    Specify the number of flows that are retrieved for an offense. The most recent flows are retrieved first based on the flow timestamp.
    • Type: integer
    • Default value: 100
    This property sets the timeout value (seconds) for the AQL that fetches recent flows/events for a particular offense.

    sn_sec_qradar.on_demand_timeout

    • Type: integer
    • Default value: 300
    Search IDs timeout (seconds) for records in queue for polling AQLs of an offense.

    sn_sec_qradar.sid_ttl

    The AQL timeout for an offense in the queue before creating a security incident. For example, if there are 90 offenses, the first 50 offenses are processed for AQL data in the first batch, and the remaining 40 offenses in the subsequent batch in the same polling interval.
    • Type: integer
    • Default value: 300

    Threshold to control the number of searches that can be running in IBM QRadar at a time which is triggered by the integration scheduled job.

    sn_sec_qradar.records_threshold_in_que_for_aql

    Specify the number of offenses that you fetch in a single batch in a polling interval.
    • Type: integer
    • Default value: 50

    This is the number of days for integration tables cleanup.

    sn_sec_qradar.queue_item_expire

    The following are the integration tables:
    • sn_sec_qradar_events - IBM QRadar Events
    • sn_sec_qradar_flows - IBM QRadar Flows
    • sn_sec_qradar_offense_updates - IBM QRadar Offense Updates
    • sn_sec_qradar_offense_to_task - IBM QRadar Offense to Task
    • Type: integer
    • Default value: 30

    Offense limit per scheduled job run per profile, in either one-time retrieval or ongoing ingestion.

    sn_sec_qradar.max_offense_limit_per_run

    Specify the number of offenses that you fetch into the ServiceNow AI Platform in a single retrieval.
    • Type: integer
    • Default value: 1000

    Set this property to activate the Offense Updates feature.

    sn_sec_qradar.get_offense_updates

    Note:
    Enabling this setting may cause a delay in creating a security incident.
    • Type: true | false
    • Default value: false
    Enables adding an overlapping interval while fetching offenses from QRadar.

    sn_sec_qradar.allow_overlapping

    Option to enable the use of an overlapping time window when fetching offenses from IBM QRadar.

    When enabled, the system includes a small overlap between consecutive polling intervals to ensure that no offenses are missed due to timing delays or ingestion latency.

    • Type: true | false
    • Default value: false
    Logging level: debug, info, warn, error.

    sn_sec_qradar.logging.verbosity

    Logging verbosity level for the QRadar integration.

    Supported values include debug, info, warn, and error.

    • Type: Character
    • Default value: debug
    Time in minutes to be added as overlap interval.

    sn_sec_qradar.overlapping_time

    Number of minutes to be added as an overlap interval when fetching offenses from IBM QRadar.
    • Type: integer
    • Default value: 30
    Number of rules that will be included in a single cell.

    sn_sec_qradar.rules_batch_size

    Specify the maximum number of correlation rules that will be grouped and sent together in a single request to IBM QRadar during offense polling.

    This setting helps control batching behavior and performance. A lower value results in more API calls with smaller payloads, while a higher value reduces the number of API calls and increases the size of each request.

    Adjust this value based on QRadar performance and API limits.

    • Type: integer
    • Default value: 50
    Fetch ADE Rules

    sn_sec_qradar.fetch_ade_rules

    Option to ingest ADE Rules in IBM QRadar Rules list.

    Fetch ADE Rules will fetch Anomaly Rules created in IBM QRadar.

    • Type: true | false
    • Default value: false

    Any modified integration settings will be applied during the next polling interval as defined in the profile.
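
The effect of sn_sec_qradar.allow_overlapping and sn_sec_qradar.overlapping_time on offenses that become visible late can be seen in a small simulation. This is an added example, not ServiceNow or IBM code: the polling model, the 60-minute interval, the de-duplication by offense ID, and the sample offenses are all assumptions constructed for illustration.

```javascript
// Simplified model of interval polling (assumption, not the integration's code).
const MINUTE = 60 * 1000;

// Constructed sample offenses. `startTime` is the timestamp the poll filters on;
// `visibleAt` is when the offense becomes queryable (ingestion latency).
const OFFENSES = [
  { id: 101, startTime: 5 * MINUTE,   visibleAt: 6 * MINUTE },   // no meaningful delay
  { id: 102, startTime: 58 * MINUTE,  visibleAt: 63 * MINUTE },  // straddles the poll at 60 min
  { id: 103, startTime: 100 * MINUTE, visibleAt: 101 * MINUTE }, // no meaningful delay
  { id: 104, startTime: 95 * MINUTE,  visibleAt: 150 * MINUTE }, // delayed by 55 min
];

// allowOverlapping / overlappingTime mirror the two properties (minutes).
// pollEvery and polls are hypothetical parameters of this model.
function simulate({ allowOverlapping, overlappingTime, pollEvery = 60, polls = 3 }) {
  const seen = new Set();      // offense IDs already ingested (assumed de-duplication)
  let duplicateFetches = 0;    // offenses returned again because windows overlap
  for (let i = 1; i <= polls; i++) {
    const now = i * pollEvery * MINUTE;
    const prev = (i - 1) * pollEvery * MINUTE;
    // With overlap enabled, the window start is pulled back by overlappingTime.
    const from = allowOverlapping ? prev - overlappingTime * MINUTE : prev;
    for (const o of OFFENSES) {
      const inWindow = o.startTime >= from && o.startTime < now;
      if (!inWindow || o.visibleAt > now) continue; // outside window or not yet visible
      if (seen.has(o.id)) duplicateFetches++;
      else seen.add(o.id);
    }
  }
  const missed = OFFENSES.filter((o) => !seen.has(o.id)).map((o) => o.id);
  const ingested = [...seen].sort((a, b) => a - b);
  return { ingested, missed, duplicateFetches };
}

// Default (false): late offenses fall between windows and are never fetched.
console.log(simulate({ allowOverlapping: false, overlappingTime: 30 }));
// Enabled with the default 30 minutes: nothing missed, one offense fetched twice.
console.log(simulate({ allowOverlapping: true, overlappingTime: 30 }));
// Overlap shorter than the worst delay still leaves a gap.
console.log(simulate({ allowOverlapping: true, overlappingTime: 10 }));
```

In this model the overlap only closes the gap when it is at least as long as the delay it has to cover, and every overlapped fetch returns some offenses a second time.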