IBM QRadar integration configuration settings

  • Release version: Washingtondc
  • Updated February 1, 2024

    Use this option to modify the IBM QRadar ingestion integration default system properties.

    To modify the system properties, log in as a user with the sn_si.admin role and navigate to IBM QRadar Integration > IBM QRadar Integration Settings.

    Table 1. IBM QRadar Integration Settings
    Each entry gives the property name, the limit it enforces, a description, the value type, and the default value.

    sn_sec_qradar.max_si_per_day
    Enforces a limit on the number of security incidents that can be created in a 24-hour period.
    Specifies the maximum number of security incidents that can be created in 24 hours.
    • Type: integer
    • Default value: 1000

    sn_sec_qradar.max_aggregation_per_si
    Enforces a limit on the number of offenses that can be aggregated to a single incident.
    The offense aggregation limit for a security incident. For example, if there are 102 offenses, the first 100 offenses are aggregated to security incident_1 and the remaining 2 to security incident_2.
    • Type: integer
    • Default value: 100

    sn_sec_qradar.on_demand_recent_days_limit
    Sets the time period of the AQL that fetches recent events/flows for a particular offense.
    Specifies the number of days to fetch recent events or flows for a particular offense.
    • Type: integer
    • Default value: 7

    sn_sec_qradar.on_demand_event_limit
    Limits the number of recent events fetched for a particular offense.
    Specifies the number of events that are retrieved for an offense. The most recent events are retrieved first, based on the event timestamp.
    • Type: integer
    • Default value: 100

    sn_sec_qradar.on_demand_flow_limit
    Limits the number of recent flows fetched for a particular offense.
    Specifies the number of flows that are retrieved for an offense. The most recent flows are retrieved first, based on the flow timestamp.
    • Type: integer
    • Default value: 100

    sn_sec_qradar.on_demand_timeout
    Sets the timeout value (seconds) for the AQL that fetches recent flows/events for a particular offense.
    • Type: integer
    • Default value: 300

    sn_sec_qradar.sid_ttl
    Search IDs timeout (seconds) for records in the queue for polling AQLs of an offense.
    The AQL's timeout for an offense in the queue before a security incident is created. For example, if there are 90 offenses, the first 50 offenses are processed for AQL data in the first batch, and the remaining 40 offenses in the subsequent batch within the same polling interval.
    • Type: integer
    • Default value: 300

    sn_sec_qradar.records_threshold_in_que_for_aql
    Threshold that controls the number of searches that can be running in IBM QRadar at a time, as triggered by the integration scheduled job.
    Specifies the number of offenses that are fetched in a single batch in a polling interval.
    • Type: integer
    • Default value: 50

    sn_sec_qradar.queue_item_expire
    The number of days after which the integration tables are cleaned up.
    The integration tables are:
    • sn_sec_qradar_events - IBM QRadar Events
    • sn_sec_qradar_flows - IBM QRadar Flows
    • sn_sec_qradar_offense_updates - IBM QRadar Offense Updates
    • sn_sec_qradar_offense_to_task - IBM QRadar Offense to Task
    • Type: integer
    • Default value: 30

    sn_sec_qradar.max_offense_limit_per_run
    Offense limit per scheduled job run per profile, for either one-time retrieval or on-going ingestion.
    Specifies the number of offenses that are fetched into the ServiceNow AI Platform in a single retrieval.
    • Type: integer
    • Default value: 1000

    sn_sec_qradar.get_offense_updates
    Set this property to activate the Offense Updates feature.
    Note: Enabling this setting may cause a delay in creating a security incident.
    • Type: true | false
    • Default value: false

    Any modified integration settings will be applied during the next polling interval as defined in the profile.