Troubleshooting IBM QRadar offense ingestion integration

  • Release version: Washingtondc
  • Updated February 1, 2024

    This section covers important troubleshooting tips and frequently asked questions related to IBM QRadar offense ingestion.

    • Integration run: When a scheduled job starts executing, an integration run record with logs, errors, and warnings is created. The record also shows the number of offenses pulled and the number of incidents created in that scheduled job run. Users with the sn_si.analyst role can see whether any errors occurred or any profile pulls failed during the integration run.
      Work notes in the integration run provide links to the executed subflows. Users with the sn_si.analyst role can check the sn_event_ingestion_integration_run table for any errors that have occurred. To troubleshoot any integration issue, first check the integration run: errors are logged as work notes in the integration run record for every scheduled job run.
      (Figure: IBM QRadar integration run)
    • SSL issues: When connecting to IBM QRadar cloud instances, ensure that the instance has a valid CA certificate that has not expired. You can import RSA or your own certificates into the platform; ensure that the common name of the certificate matches the host name. See https://support.servicenow.com/nav_to.do?uri=%2Fkb_view.do%3Fsys_kb_id%3D55ecefd61bf3774cada243f6fe4bcb44 for details.
    • Incomplete profile: While configuring the profile, in the Additional Options (Automate offense updates and closure based on SIR incident status) section, you must click the Finish button so that the profile moves to the Waiting state, indicating that it is waiting for ingestion.
    • Validate profile: To validate that the integration is working correctly, check the profile states, each profile's last pulled date, and the records in the offense import table and the offense to task table.
    • MID server configuration: If you are installing the IBM QRadar application on-premise, after configuring the MID server, you must create a MID server application. The MID server application name should be used in integration configurations tile instead of the MID server name.
      Note:
      The default MID Server timeout is 30 seconds. For instructions on disabling the timeout period, see <link>. Note that this is a system-wide change and may impact other integrations.
    • Offense Updates: If you have enabled the sn_sec_qradar.get_offense_updates property and you notice a delay in the creation of security incidents, then disable the property. Do not enable this property when the polling interval is low and the offenses load on QRadar is high as this increases the queue load.
    • Missing event, flow data, remote_ip, or users data in a security incident: If you observe that event, flow data, remote_ip, or users data is missing from a security incident, increase the timeout (in seconds) set by the sn_sec_qradar.sid_ttl parameter. Increasing the duration delays the creation of the security incident until the AQLs complete parsing each offense.
    • Timeouts: If you see timeout errors in the application logs, review and modify the following Flow Designer actions. In each script, the optional third argument of executeAction is the timeout in milliseconds.
      Table 1. Flow designer actions
      Action: Fetch Sample Offenses
        Parameters: var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 60000);
        Change: Review and update the duration in milliseconds.
      Action: Fetch Sample Offenses
        Parameters: var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs);
        Change: Add a timeout parameter to the executeAction call and enter the duration in milliseconds.
      Action: Fetch Offenses for profile and queue records in polling table
        Parameters: var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 180000);
        Change: Review and update the duration in milliseconds.
      Action: Wrapper for testing connection REST
        Parameters: var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.test_connection_rest', rest_inputs);
        Change: Add a timeout parameter to the executeAction call and enter the duration in milliseconds.
      Action: Wrapper for validating API credentials REST
        Parameters: var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.validate_credentials_rest', rest_inputs);
        Change: Add a timeout parameter to the executeAction call and enter the duration in milliseconds.
      Action: REST step for IBM QRadar Offense updates
        Parameters: var result = sn_fd.FlowAPI.executeAction('sn_sec_qradar.' + restStep, inputs, 60000);
        Change: Review and update the duration in milliseconds.
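The SSL issues item above asks for an unexpired certificate whose common name matches the host name. The following pre-flight check is an added example, not part of this documentation or the QRadar application; it reports expiry and name-mismatch problems by name before you configure the integration. The host qradar.example.com, the validity window, and the SAMPLE_CERT contents are constructed for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host qradar.example.com and the 2024-2025 validity window are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "qradar.example.com"),),),
    "subjectAltName": (("DNS", "qradar.example.com"), ("DNS", "*.siem.example.com")),
    "notBefore": "Feb 15 00:00:00 2024 GMT",
    "notAfter": "Feb 15 23:59:59 2025 GMT",
}

def _name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]

def check_peer_cert(cert, hostname, now_ts=None):
    """Return a list of problems; an empty list means the certificate is usable."""
    problems = []
    now_ts = time.time() if now_ts is None else now_ts
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired on " + cert["notAfter"])
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not valid before " + cert["notBefore"])
    # SAN DNS entries take precedence; fall back to the CN only when there are none.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"host name {hostname!r} matches none of {names}")
    return problems

def fetch_peer_cert(host, port=443, timeout=10):
    """Fetch the certificate a live host presents. The chain is still verified against
    the system CA store (ssl.SSLError on failure); the host name check is left to
    check_peer_cert so that a mismatch is reported by name rather than as a bare error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run check_peer_cert(fetch_peer_cert("your-qradar-host"), "your-qradar-host") from a host that can reach the QRadar instance; an empty list means expiry and name checks pass, and an ssl.SSLError from fetch_peer_cert means the CA chain itself is not trusted.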