Description

The 'ServiceNow Security Operations add-on for IBM QRadar' is used to transmit offenses from IBM QRadar to Event Management in ServiceNow. How can the JSON that is mapped to the "additional_info" field be extended when that field is not available in the field mapping?

Refer to the screenshot below of the event field mapping in QRadar:

Release or Environment

All

Resolution

The Additional Information is populated from the Security Incident Offense Mapping, which is set in the QRadar console under the Configuration section of the QRadar add-on app.
Fields can be added to the Security Incident Offense Mapping, and existing fields can be deleted from it. Any change to this mapping changes the "Additional Information" JSON payload in the record of the Events table (em_event).

If the mapping is overridden or changed, every field that existed in the "Security Incident Offense Mapping" before the change and is still present in it remains part of the Additional Information. So additional_information in the Events table (em_event) is a combination of all the mapping fields in the "Security Incident Offense Mapping" in the QRadar console.

If you check the JSON data in the "additional_information" column of em_event, you will find every mapping field name as a key.

Refer to the screenshot below of the event field mapping in QRadar:
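One way to confirm that a mapping change reached the event record is to compare the keys of the Additional Information JSON with the field names configured in the Security Incident Offense Mapping. The following is an added example, not code from the article or the add-on; the function name, field names and payload are constructed for illustration.

```javascript
// Added example: audit an em_event Additional Information payload against
// the field names configured in the Security Incident Offense Mapping.
// Every field name and value below is constructed sample data.

function auditAdditionalInfo(additionalInfoText, mappedFieldNames) {
  const result = { valid: false, error: null, missing: [], unmapped: [], empty: [] };
  let parsed;
  try {
    parsed = JSON.parse(additionalInfoText);
  } catch (err) {
    result.error = 'not valid JSON: ' + err.message;
    return result;
  }
  // The payload is expected to be a JSON object whose keys are field names.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    result.error = 'expected a JSON object';
    return result;
  }
  const keys = Object.keys(parsed);
  const mapped = new Set(mappedFieldNames);
  const present = new Set(keys);
  result.valid = true;
  // Mapped in QRadar but absent from the event: the change has not arrived.
  result.missing = mappedFieldNames.filter((name) => !present.has(name));
  // Present in the event but not in the mapping list supplied here.
  result.unmapped = keys.filter((key) => !mapped.has(key));
  // Mapped and present, but carrying no value.
  result.empty = keys.filter(
    (key) => mapped.has(key) && (parsed[key] === null || parsed[key] === '')
  );
  return result;
}

// Constructed mapping: three existing fields plus one newly added field.
const sampleMapping = ['offense_id', 'severity', 'offense_source', 'custom_asset_owner'];

// Constructed payload as it might be copied from an event record.
const samplePayload = JSON.stringify({
  offense_id: '1042',
  severity: '7',
  offense_source: '',
  legacy_field: 'x',
});

console.log(auditAdditionalInfo(samplePayload, sampleMapping));
```

A non-empty `missing` list after a mapping change means the event was created before the change or the new field is not being sent.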

 

 

Article Information

Last Updated: 2020-03-28 02:13:52
Published: 2020-03-28