Troubleshooting IBM QRadar offense ingestion integration

  • Release version: Yokohama
  • Updated July 31, 2025
  • 2 minutes to read

    This section covers important troubleshooting tips and frequently asked questions related to IBM QRadar offense ingestion.

    • Integration run: When a scheduled job starts executing, an integration run record is created with logs, errors, and warnings. The number of offenses pulled and the number of incidents created in that scheduled job run are also displayed. Users with the sn_si.analyst role can see whether any errors occurred or any profile pulls failed during the integration run.
      Worknotes in the integration run provide links to the executed subflows. Users with the sn_si.analyst role can check the sn_event_ingestion_integration_run table for any errors that have occurred. To troubleshoot any integration issue, first check the integration run: errors are logged as worknotes in the integration run record for every scheduled job run.
      Figure: IBM QRadar integration run
    • SSL issues: When connecting to IBM QRadar cloud instances, ensure that the instance has a valid CA certificate that has not expired. You can import RSA or your own certificates into the platform; ensure that the common name of the certificate matches the host name. See https://support.servicenow.com/nav_to.do?uri=%2Fkb_view.do%3Fsys_kb_id%3D55ecefd61bf3774cada243f6fe4bcb44 for details.
    • Incomplete profile: While configuring the profile, in the Additional Options (Automate offense updates and closure based on SIR incident status) section, you must click the Finish button to ensure that the profile is moved to the Waiting state, indicating that it is waiting for ingestion.
    • Validate profile: To validate that the integration is working correctly, check the profile states, the last pulled date of the profile, and the records in the offense import table and the offense to task table.
    • MID server configuration: If you are installing the IBM QRadar application on-premise, after configuring the MID server you must create a MID server application. Use the MID server application name, not the MID server name, in the integration configurations tile.
      Note:
      The default MID server timeout is 30 seconds. For instructions on disabling the timeout period, see <link>. Note that this is a system-wide change and may impact other integrations.
    • Offense Updates: If you have enabled the sn_sec_qradar.get_offense_updates property and you notice a delay in the creation of security incidents, disable the property. Do not enable this property when the polling interval is low and the offense load on QRadar is high, as this increases the queue load.
    • Missing event, flow data, remote_ip, or users data in a security incident: If you observe that event, flow data, remote_ip, or users data is missing in a security incident, increase the timeout (seconds) for the sn_sec_qradar.sid_ttl parameter. Increasing the duration delays the creation of the security incident until the AQL queries for each offense complete.
    • Timeouts: If you see timeout errors in the application logs, review and modify the following Flow Designer actions:
      Table 1. Flow designer actions (action, executeAction call, and the timeout parameter to review)

      Action: Fetch Sample Offenses
        var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 60000);
        Review and update the duration in milliseconds.

      Action: Fetch Sample Offenses
        var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs);
        Add a timeout parameter to the executeAction call and enter the duration in milliseconds.

      Action: Fetch Offenses for profile and queue records in polling table
        var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 180000);
        Review and update the duration in milliseconds.

      Action: Wrapper for testing connection REST
        var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.test_connection_rest', rest_inputs);
        Add a timeout parameter to the executeAction call and enter the duration in milliseconds.

      Action: Wrapper for validating API credentials REST
        var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.validate_credentials_rest', rest_inputs);
        Add a timeout parameter to the executeAction call and enter the duration in milliseconds.

      Action: REST step for IBM QRadar Offense updates
        var result = sn_fd.FlowAPI.executeAction('sn_sec_qradar.' + restStep, inputs, 60000);
        Review and update the duration in milliseconds.
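As an added example that is not part of this ServiceNow page or the IBM QRadar application's own code, the following JavaScript triages a batch of integration-run worknotes and maps each error to the remedy described in the list above: timeouts to the executeAction timeout of the named Flow Designer action (or the 30-second MID server timeout when no action is named), SSL failures to the certificate check, missing offense data to sn_sec_qradar.sid_ttl, and queue load to sn_sec_qradar.get_offense_updates. The action and property names are the ones on this page; the worknote wording, the matching regular expressions, and the sample worknotes are constructed assumptions, and the script runs stand-alone in Node rather than on the ServiceNow platform.

```javascript
// Added example (not ServiceNow's or IBM's code): triage integration-run
// worknotes from the QRadar offense ingestion integration and map each error to
// the remedy this page describes. Worknote wording and the regexes below are
// assumptions; the sn_sec_qradar.* names are the ones the page lists.

// Flow Designer actions that invoke the QRadar REST APIs (names from the page).
const QRADAR_ACTIONS = {
  'sn_sec_qradar.fire_rest_for_offenses': 'Fetch Offenses (sample and polling)',
  'sn_sec_qradar.test_connection_rest': 'Wrapper for testing connection REST',
  'sn_sec_qradar.validate_credentials_rest': 'Wrapper for validating API credentials REST',
};

// Ordered rules: the first matching rule wins. Each maps a symptom in the
// worknote text to the page's remedy for that symptom.
const RULES = [
  {
    category: 'timeout',
    pattern: /timed out|time-?out|SocketTimeoutException/i,
    remedy: (line) => {
      // Pull the action name out of the worknote, if the worknote names one.
      const m = line.match(/sn_sec_qradar\.\w+/);
      const action = m ? m[0] : null;
      if (action && QRADAR_ACTIONS[action]) {
        return `Increase the executeAction timeout (ms) for ${QRADAR_ACTIONS[action]} (${action}).`;
      }
      return 'Check the MID server timeout (default 30 seconds; changing it is system-wide).';
    },
  },
  {
    category: 'ssl',
    pattern: /certificate|SSLHandshake|PKIX|host ?name/i,
    remedy: () => 'Verify the QRadar CA certificate is unexpired and its common name matches the host name.',
  },
  {
    category: 'missing_data',
    pattern: /missing (event|flow|remote_ip|user)/i,
    remedy: () => 'Increase sn_sec_qradar.sid_ttl (seconds) so the AQL queries finish before the incident is created.',
  },
  {
    category: 'offense_updates',
    pattern: /offense update|queue (load|backlog)/i,
    remedy: () => 'Disable sn_sec_qradar.get_offense_updates while the polling interval is low and offense load is high.',
  },
];

// Classify one worknote line into a category plus the matching remedy.
function classifyWorknote(line) {
  for (const rule of RULES) {
    if (rule.pattern.test(line)) {
      return { category: rule.category, remedy: rule.remedy(line), line };
    }
  }
  return { category: 'unknown', remedy: 'Open the linked subflow execution for this run and inspect it.', line };
}

// Triage every worknote of a run; return per-line findings and a count per category.
function triageRun(worknotes) {
  const findings = worknotes.map(classifyWorknote);
  const counts = {};
  for (const f of findings) counts[f.category] = (counts[f.category] || 0) + 1;
  return { findings, counts };
}

// Constructed sample worknotes; not real ServiceNow or QRadar output.
const SAMPLE_WORKNOTES = [
  'Action sn_sec_qradar.fire_rest_for_offenses timed out after 60000 ms',
  'Profile QRadar-Cloud: javax.net.ssl.SSLHandshakeException: PKIX path building failed',
  'Missing event data for offense 4711; AQL query still running',
  'Offense update queue load high; 340 records pending',
  'Subflow execution completed with warnings; see linked subflow',
];

const report = triageRun(SAMPLE_WORKNOTES);
for (const f of report.findings) {
  console.log(`[${f.category}] ${f.line}\n    -> ${f.remedy}`);
}
console.log('counts:', report.counts);
```

Run it with `node triage.js` against worknotes copied from the integration run record; the category counts give a quick view of whether a run is failing on one systemic cause (for example every profile pull timing out) or on a mix of issues that need separate fixes.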