Troubleshooting IBM QRadar offense ingestion integration

  • Release version: Australia
  • Updated March 12, 2026

    This section covers important troubleshooting tips and frequently asked questions related to IBM QRadar offense ingestion.

    • Integration run: When a scheduled job starts executing, an integration run record with logs, errors, and warnings is displayed. The number of offenses pulled and the number of incidents created in a scheduled job run are also displayed. Users with the sn_si.analyst role can see whether any errors occurred or any profile pulls failed during the integration run.
      Work notes in the integration run provide links to the executed subflows. Users with the sn_si.analyst role can check the sn_event_ingestion_integration_run table for any errors that have occurred. To troubleshoot any integration issues, you must first check the integration run. Errors are logged as work notes in the integration run records for every scheduled job run.
      Figure: IBM QRadar integration run
    • SSL issues: When connecting to IBM QRadar cloud instances, ensure that the instance has a valid CA certificate that has not expired. You can import RSA or your own certificates into the platform. Ensure that the common name of the certificate matches the host name. See https://support.servicenow.com/nav_to.do?uri=%2Fkb_view.do%3Fsys_kb_id%3D55ecefd61bf3774cada243f6fe4bcb44 for details.
    • Incomplete profile: While configuring the profile, in the Additional Options (Automate offense updates and closure based on SIR incident status) section, you must click the Finish button so that the profile is moved to the Waiting state, which indicates that it is waiting for ingestion.
    • Validate profile: To validate that the integration is working correctly, check the profile states, the last pulled date of the profile, the offense import table, and the offense to task table records.
    • MID server configuration: If you are installing the IBM QRadar application on-premise, after configuring the MID server, you must create a MID server application. Use the MID server application name in the integration configurations tile instead of the MID server name.
      Note:
      The default MID server timeout is 30 seconds. To see instructions on disabling the timeout period, see <link>. Note that this is a system-wide change and may impact other integrations.
    • Offense Updates: If you have enabled the sn_sec_qradar.get_offense_updates property and you notice a delay in the creation of security incidents, then disable the property. Do not enable this property when the polling interval is low and the offense load on QRadar is high, as this increases the queue load.
    • Missing event, flow data, remote_ip, or users data in a security incident: If you observe that event, flow data, remote_ip, or users data is missing in a security incident, then increase the timeout (seconds) for the sn_sec_qradar.sid_ttl parameter. Increasing the duration delays the creation of the security incident until the AQLs complete parsing each offense.
    • Timeouts: If you see timeout errors in the application logs, review and modify the following flow designer actions:
      Table 1. Flow designer actions
      Parameters Action

      Fetch Sample Offenses

      var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 60000);
      Review and update the duration in milliseconds.

      Fetch Sample Offenses

      var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs);
      Add a parameter for the executeAction and enter the duration in milliseconds.

      Fetch Offenses for profile and queue records in polling table

      var flow_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.fire_rest_for_offenses', flow_inputs, 180000);
      Review and update the duration in milliseconds.

      Wrapper for testing connection REST

      var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.test_connection_rest', rest_inputs);
      Add a parameter for the executeAction and enter the duration in milliseconds.

      Wrapper for validating API credentials REST

      var rest_outputs = sn_fd.FlowAPI.executeAction('sn_sec_qradar.validate_credentials_rest', rest_inputs);
      Add a parameter for the executeAction and enter the duration in milliseconds.

      REST step for IBM QRadar Offense updates

      var result = sn_fd.FlowAPI.executeAction('sn_sec_qradar.'+restStep, inputs,60000);
      Review and update the duration in milliseconds.
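
The SSL item above asks for an unexpired certificate whose name matches the host name. As an added example (not ServiceNow or IBM code), this Node.js script applies both checks to a certificate object and can also report the chain-validation result for a live host; the host names and sample certificates are constructed.

```javascript
// Added example, not ServiceNow or IBM code. `cert` has the shape returned by
// Node's tls.TLSSocket.getPeerCertificate().

// A wildcard covers exactly one leftmost label and never a bare TLD ("*.com").
function nameMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  return p.length === h.length &&
    p.every((label, i) => (i === 0 && label === '*' && p.length > 2) || label === h[i]);
}

// Returns a list of problems; an empty list means both checks pass.
function checkCertificate(cert, host, now = new Date(), warnDays = 30) {
  const problems = [];
  const notBefore = new Date(cert.valid_from);
  const notAfter = new Date(cert.valid_to);
  if (now < notBefore) problems.push('not yet valid');
  if (now > notAfter) problems.push('expired');
  else if ((notAfter - now) / 86400000 < warnDays) problems.push(`expires within ${warnDays} days`);
  // DNS entries in subjectAltName take precedence; the common name is the fallback.
  const sans = (cert.subjectaltname || '').split(', ')
    .filter((e) => e.startsWith('DNS:')).map((e) => e.slice(4));
  const names = sans.length ? sans : [cert.subject && cert.subject.CN].filter(Boolean);
  if (!names.some((n) => nameMatches(n, host))) {
    problems.push(`name mismatch: ${names.join(', ') || 'no names'}`);
  }
  return problems;
}

// Fetches what a live host presents (needs network access). Verification is
// relaxed only so that a failing certificate can still be read and reported.
async function fetchCertificate(host, port = 443) {
  const tls = await import('node:tls');
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const s = tls.connect(opts, () => {
      const chainError = s.authorized ? null : String(s.authorizationError);
      resolve({ cert: s.getPeerCertificate(), chainError });
      s.end();
    });
    s.on('error', reject);
  });
}

// Constructed sample certificates (hypothetical host names, not real consoles).
const GOOD = { subject: { CN: 'qradar.example.com' },
  subjectaltname: 'DNS:qradar.example.com, DNS:*.siem.example.com',
  valid_from: 'Jan 15 00:00:00 2026 GMT', valid_to: 'Jan 15 00:00:00 2027 GMT' };
const EXPIRED = { subject: { CN: 'qradar.example.com' },
  valid_from: 'Mar 1 00:00:00 2025 GMT', valid_to: 'Mar 1 00:00:00 2026 GMT' };
```

For a live check, pass the `cert` from `fetchCertificate(host)` to `checkCertificate(cert, host)` and treat a non-null `chainError` as a failure of the valid-CA requirement.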