Security Incident Response form after offense ingestion

  • Release version: Australia
  • Updated March 12, 2026

    After an IBM QRadar offense has been ingested, a security incident is created and the corresponding updates are made to the security incident record.

    Worknotes

    A worknote is posted with details of the offense that triggered the security incident.

    Select the offense link to navigate to the internal security incident record. The Click here hyperlink takes you to the IBM QRadar dashboard where you can view the offense details.

    If you selected the Log work note for new offense option in the Offense Aggregation Criteria, as described in Mapping IBM QRadar offense fields to security incident response fields, a worknote is also posted when an offense is aggregated.

    Aggregated offenses

    Select Related Lists > Aggregated IBM QRadar offenses to view the offenses aggregated to the security incident. Select the QRadar offense hyperlink to view the offense in the IBM QRadar dashboard.

    Create security incident: Select an offense from the list, select the Actions menu, and select Create security incident. This option creates a security incident for the offense and de-aggregates the offense from the parent security incident.

    Delete offense record: Select an offense from the list, select the Actions menu, and select Delete. This option deletes the offense record.

    IBM QRadar offense updates

    Offense updates show the standard and custom offense fields and track changes to the offense during every polling interval, so you can view offense updates directly without navigating to the IBM QRadar dashboard. Any changes to the values are displayed in the Previous value and Current value fields.

    To enable the offense updates feature, navigate to IBM QRadar Integration > IBM QRadar Integration Settings and enable Set this property to activate the Offense Updates feature. By default, this setting is disabled.

    Recent IBM QRadar events

    Select the Fetch Recent IBM QRadar Events option under Related Links to view the most recent IBM QRadar events. By default, a maximum of 100 events is displayed. You can modify this default in the Configuration settings.

    Recent IBM QRadar Flows

    Several flows, subflows, and actions are available with the IBM QRadar integration through the Integration Hub and Flow Designer. When you select the Fetch Recent IBM QRadar Flows option under Related Links, the most recent flows are retrieved. To view these flows, select Recent IBM QRadar Flows.

    By default, a maximum of 100 flows is displayed. You can modify this default in the Configuration settings.