Security Incident Response form after offense ingestion
Summary of Security Incident Response form after offense ingestion
After an IBM QRadar offense is ingested into ServiceNow, a security incident record is automatically created and updated with relevant offense details. This integration streamlines the management of security incidents by linking offense data directly into the Security Incident Response module, enabling efficient incident tracking and investigation.
Key Features
- Worknotes: A worknote containing offense details is posted to the security incident record. Users can navigate to the related offense within ServiceNow or directly to the IBM QRadar dashboard for comprehensive offense data.
- Offense Aggregation: If enabled, offenses can be aggregated and logged as worknotes. Aggregated offenses are accessible via the Related Lists section, with direct links to the IBM QRadar dashboard.
- Incident Creation and Offense Management: Users can create a new security incident from an offense, which de-aggregates it from a parent incident if applicable. Offenses can also be deleted directly from the list.
- Offense Updates: Both standard and custom offense fields are tracked and displayed within the security incident record, showing previous and current values for changes during each polling interval. This feature must be enabled in the IBM QRadar Integration Settings.
- Recent IBM QRadar Events: Users can fetch and view up to 100 recent events related to the offense, with the ability to see custom event fields if configured.
- Recent IBM QRadar Flows: Using Integration Hub and Flow Designer, users can retrieve and review the most recent flows associated with offenses. Up to 100 flows are displayed by default, including custom flow fields if set up.
Practical Application for ServiceNow Customers
This integration enhances incident response by providing a seamless connection between IBM QRadar offense data and ServiceNow’s Security Incident Response. It allows security teams to:
- Quickly access detailed offense information without leaving the ServiceNow platform.
- Track offense updates and aggregated offenses directly within incident records.
- Create new incidents from specific offenses to manage investigations efficiently.
- View recent security events and flows related to offenses, aiding in comprehensive incident analysis.
- Customize the integration to include specific offense, event, and flow fields according to organizational needs.
Enabling offense updates and configuring aggregation criteria provide greater visibility and control over security incidents derived from IBM QRadar offenses, optimizing incident response workflows.
After an IBM QRadar offense has been ingested, a security incident is created and the corresponding updates are made to the security incident record.
Worknotes
Click the offense link to navigate to the internal security incident record. The Click here hyperlink takes you to the IBM QRadar dashboard where you can view the offense details.
If you selected the Log work note for new offense option in the Offense Aggregation Criteria, as described in Mapping IBM QRadar offense fields to security incident response fields, a worknote is posted when the offense is aggregated.
Aggregated offenses
Create security incident: Select an offense from the list, click the Actions menu, and click Create security incident. This option creates a security incident for the offense and de-aggregates the offense from the parent security incident.
IBM QRadar offense updates
This section lists the standard and custom offense fields and tracks changes to the offense during every polling interval, so you can review offense updates without navigating to the IBM QRadar dashboard. Any changes to the values are displayed in the Previous value and Current value fields.
To enable the offense updates feature, open the IBM QRadar Integration Settings and enable the property Set this property to activate the Offense Updates feature. By default, this setting is disabled.
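The following standalone Node.js snippet is an added illustration of the change-tracking behaviour described above (it is not ServiceNow's or IBM's code and does not call either product's API): two offense snapshots taken on consecutive polling intervals are compared field by field, and each changed field becomes a previous-value/current-value record that can be posted as a worknote. The field names, the custom field, and the two snapshots are constructed sample data.

```javascript
// Standard QRadar offense fields to track (assumption: chosen for this example).
const STANDARD_FIELDS = ["status", "magnitude", "event_count", "assigned_to"];

// Custom offense fields are configured per deployment; this list is constructed.
const CUSTOM_FIELDS = ["custom_business_unit"];

// Compare the snapshot from the previous poll with the current one and return one
// record per field whose value changed. Fields not in the tracked lists are ignored.
function trackOffenseUpdates(previous, current, customFields = CUSTOM_FIELDS) {
  const changes = [];
  for (const field of [...STANDARD_FIELDS, ...customFields]) {
    const before = previous[field];
    const after = current[field];
    if (before !== after) {
      changes.push({ field, previousValue: before, currentValue: after });
    }
  }
  return changes;
}

// Render the change records as worknote text; return null when there is nothing to post,
// so an unchanged offense does not generate an empty worknote on every polling interval.
function formatWorknote(offenseId, changes) {
  if (changes.length === 0) return null;
  const lines = changes.map(
    c => `${c.field}: ${c.previousValue ?? "(empty)"} -> ${c.currentValue ?? "(empty)"}`
  );
  return `QRadar offense ${offenseId} updated:\n` + lines.join("\n");
}

// Constructed sample snapshots from two consecutive polling intervals.
const poll1 = { id: 1042, status: "OPEN", magnitude: 5, event_count: 120,
                assigned_to: null, custom_business_unit: "Retail" };
const poll2 = { id: 1042, status: "OPEN", magnitude: 7, event_count: 340,
                assigned_to: "soc_analyst", custom_business_unit: "Retail" };

const changes = trackOffenseUpdates(poll1, poll2);
console.log(formatWorknote(poll2.id, changes));
```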
Recent IBM QRadar events
By default, a maximum of 100 events is displayed. You can modify this default in the Configuration settings.