Security Incident Response form after offense ingestion
Summary of Security Incident Response Form After Offense Ingestion
After an IBM QRadar offense is ingested, a corresponding security incident is created in the system. This process involves posting worknotes that detail the offense and allows users to navigate directly to the internal security incident record or the IBM QRadar dashboard for more information.
Key Features
- Worknotes: Automatically generated when offenses are ingested or aggregated, providing detailed information about the incident.
- Aggregated Offenses: Users can view offenses related to a security incident through the Related Lists section.
- Security Incident Creation: Users can create a new security incident directly from an offense using the Actions menu, which de-aggregates the offense from the parent incident.
- Offense Record Management: Offense records can be deleted from the Actions menu for better incident management.
- Offense Updates: Tracks changes to standard and custom offense fields for visibility during polling intervals, which can be enabled in integration settings.
- Recent Events and Flows: Users can fetch the latest IBM QRadar events and flows, with the option to modify the display settings for the number of retrieved items.
Key Outcomes
This integration streamlines the management of security incidents and offenses, allowing ServiceNow customers to effectively track, create, and manage security incidents triggered by QRadar offenses. By utilizing the worknotes, offense updates, and event flows, customers can enhance their incident response capabilities and ensure timely actions are taken based on the most current information available.
After an IBM QRadar offense has been ingested, a security incident is created and the corresponding updates are made to the security incident record.
Worknotes
Click the offense link to navigate to the internal security incident record. The Click here hyperlink opens the IBM QRadar dashboard, where you can view the offense details.
If you selected the Log work note for new offense option in the Offense Aggregation Criteria (as described in Mapping IBM QRadar offense fields to security incident response fields), a work note is posted when the offense is aggregated.
Aggregated offenses
Create security incident: Select an offense from the list, click the Actions menu, and click Create security incident. This option creates a new security incident for the selected offense and de-aggregates that offense from the parent security incident.
IBM QRadar offense updates
This section shows the standard and custom offense fields and tracks changes to the offense during every polling interval. This is helpful because you can view any offense updates directly, without navigating to the IBM QRadar dashboard. Any changes to the values are displayed in the Previous value and Current value fields.
To enable the offense updates feature, navigate to the integration settings and enable the Set this property to activate the Offense Updates feature property. By default, this setting is disabled.
Recent IBM QRadar events
By default, a maximum of 100 events is displayed. You can change this default in the IBM QRadar integration configuration settings.