Troubleshooting IBM QRadar offense ingestion integration

  • Release version: Xanadu
  • Updated August 1, 2024

    This section covers important troubleshooting tips and frequently asked questions related to IBM QRadar offense ingestion.

    • Integration run: When a scheduled job starts executing, an integration run record with logs, errors, and warnings is created and displayed, together with the number of offenses pulled and the number of incidents created in that run. Users with the sn_si.analyst role can see whether any errors occurred or any profile pulls failed during the integration run.
      Worknotes in the integration run provide links to the executed subflows. Users with the sn_si.analyst role can check the sn_event_ingestion_integration_run table for any errors that have occurred. To troubleshoot any integration issue, first check the integration run: errors are logged as worknotes in the integration run record for every scheduled job run.
      [Figure: IBM QRadar integration run]
    • SSL issues: When connecting to IBM QRadar cloud instances, ensure that the instance has a valid CA certificate that has not expired. You can import RSA or your own certificates into the platform; ensure that the common name of the certificate matches the host name. See https://support.servicenow.com/nav_to.do?uri=%2Fkb_view.do%3Fsys_kb_id%3D55ecefd61bf3774cada243f6fe4bcb44 for details.
    • Incomplete profile: While configuring the profile, in the Additional Options (Automate offense updates and closure based on SIR incident status) section, you must click the Finish button to ensure that the profile is moved to Waiting state indicating that it is waiting for ingestion.
    • Validate profile: To validate that the integration is working correctly, check the profile states, the last pulled date of each profile, and the records in the offense import and offense-to-task tables.
    • MID server configuration: If you are installing the IBM QRadar application on-premise, after configuring the MID server, you must create a MID server application. The MID server application name should be used in integration configurations tile instead of the MID server name.
      Note:
      The default MID server timeout is 30 seconds. For instructions on disabling the timeout period, see <link>. Note that this is a system-wide change and may affect other integrations.
    • Offense Updates: If you have enabled the sn_sec_qradar.get_offense_updates property and you notice a delay in the creation of security incidents, then disable the property. Do not enable this property when the polling interval is low and the offenses load on QRadar is high as this increases the queue load.
    • Missing event, flow data, remote_ip, or users data in a security incident: If you observe that event, flow data, remote_ip, or users data is missing in a security incident, then increase the timeout (seconds) for sn_sec_qradar.sid_ttl parameter. Increasing the duration delays the creation of the security incident until the AQLs complete parsing each offense.
    • Timeouts: If you see timeout errors in the application logs, review and modify the following Flow Designer actions:
      Table 1. Flow designer actions (Action / Parameters)

      Action: Fetch Sample Offenses
      Parameters:
        var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 60000);
        Review and update the duration in milliseconds.

      Action: Fetch Sample Offenses
      Parameters:
        var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs);
        Add a third parameter to the executeAction call and enter the duration in milliseconds.

      Action: Fetch Offenses for profile and queue records in polling table
      Parameters:
        var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 180000);
        Review and update the duration in milliseconds.

      Action: Wrapper for testing connection REST
      Parameters:
        var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.test_connection_rest', rest_inputs);
        Add a third parameter to the executeAction call and enter the duration in milliseconds.

      Action: Wrapper for validating API credentials REST
      Parameters:
        var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.validate_credentials_rest', rest_inputs);
        Add a third parameter to the executeAction call and enter the duration in milliseconds.

      Action: REST step for IBM QRadar Offense updates
      Parameters:
        var result = sn_fd.FlowAPI.executeAction('sn_sec_qradar.' + restStep, inputs, 60000);
        Review and update the duration in milliseconds.
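The following is an added example and is not code from ServiceNow or the IBM QRadar application. It shows one way to apply the table above without leaving a different bare literal in every script: the timeout for each sn_fd.FlowAPI.executeAction call is resolved in a single helper, an explicit per-call value (such as the 60000 ms used for the sample-offense fetch) wins over the per-action default, and an out-of-range edit falls back to a known-good duration instead of being used. The 180000 ms and 60000 ms values are the ones shown in Table 1; MAX_TIMEOUT_MS, the per-action map for the two REST wrappers, the function names, and the simulatedExecuteAction stand-in (used only when no sn_fd global exists, so the block runs outside an instance) are assumptions made for this example. It is written in ES5 style so it also runs in the ServiceNow server-side script engine.

```javascript
// Added example, not ServiceNow or IBM QRadar application code.
// Centralises the executeAction timeouts from Table 1 so each one is resolved in one place.

var DEFAULT_TIMEOUT_MS = 60000;   // value used by several Table 1 rows
var MAX_TIMEOUT_MS = 600000;      // assumed upper bound: a mistyped duration must not hold a worker for hours

// Assumed per-action defaults. 180000 and 60000 come from Table 1; the two REST wrappers,
// which the page leaves without a timeout, are given the 60000 ms default here.
var ACTION_TIMEOUTS_MS = {
  'sn_sec_qradar.fire_rest_for_offenses': 180000,
  'sn_sec_qradar.test_connection_rest': DEFAULT_TIMEOUT_MS,
  'sn_sec_qradar.validate_credentials_rest': DEFAULT_TIMEOUT_MS
};

function isValidTimeout(ms) {
  return typeof ms === 'number' && ms === Math.floor(ms) && ms > 0 && ms <= MAX_TIMEOUT_MS;
}

// Pick, in order: the explicit per-call override, the per-action default, the global default.
// Invalid or out-of-range values are skipped rather than clamped, so a bad edit is never used.
function resolveTimeoutMs(actionName, overrideMs) {
  var candidates = [overrideMs, ACTION_TIMEOUTS_MS[actionName], DEFAULT_TIMEOUT_MS];
  for (var i = 0; i < candidates.length; i++) {
    if (isValidTimeout(candidates[i])) {
      return candidates[i];
    }
  }
  return DEFAULT_TIMEOUT_MS;
}

// Constructed stand-in for sn_fd.FlowAPI.executeAction, used only outside a ServiceNow instance.
// inputs.simulated_duration_ms models how long the REST call to QRadar takes; exceeding the
// allowed duration raises an error, which is the failure mode the page's timeout errors report.
function simulatedExecuteAction(actionName, inputs, timeoutMs) {
  var took = inputs.simulated_duration_ms || 0;
  if (took > timeoutMs) {
    throw new Error('Action ' + actionName + ' did not finish within ' + timeoutMs + ' ms');
  }
  return { status: 'complete', took_ms: took };
}

var flowApi = (typeof sn_fd !== 'undefined') ? sn_fd.FlowAPI : { executeAction: simulatedExecuteAction };

// Run one Table 1 action with a resolved timeout. A failure is returned as data rather than
// thrown, so a scheduled job can record it in the integration run worknotes and move on to
// the next profile instead of aborting the whole run.
function runQradarAction(actionName, inputs, overrideMs) {
  var timeoutMs = resolveTimeoutMs(actionName, overrideMs);
  try {
    var outputs = flowApi.executeAction(actionName, inputs, timeoutMs);
    return { ok: true, timeout_ms: timeoutMs, outputs: outputs };
  } catch (e) {
    return { ok: false, timeout_ms: timeoutMs, error: String(e && e.message ? e.message : e) };
  }
}

// Calls mirroring the first and third rows of Table 1 (the simulated duration is constructed).
var sample = runQradarAction('sn_sec_qradar.fire_rest_for_offenses', { simulated_duration_ms: 75000 }, 60000);
var profile = runQradarAction('sn_sec_qradar.fire_rest_for_offenses', { simulated_duration_ms: 75000 });
```

With the same simulated 75 s request, the sample-offense fetch (explicit 60000 ms) reports a timeout while the profile fetch (per-action 180000 ms) completes, which is the difference between the two fire_rest_for_offenses rows in Table 1. Inside an instance, replace the simulated durations with real flow inputs; the resolver and wrapper are unchanged.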