IBM QRadar

  • 1.  Facing issue while passing offense ID to custom action using Rule

    Posted Thu June 17, 2021 10:12 AM

    We have developed a bash script which checks offense details using the REST API with an offense ID, and the same script is called from one of the custom event rules.

    If we run the script using the test option with a fixed property value, it updates the offense notes as expected.

    If we configure the script with a network event property, the value is passed to the script but the API request throws the error mentioned below:

    {"http_response":{"code":404,"message":"We could not find the resource you requested."},"code":1002,"description":"No offense was found for the provided offense_id.","details":{},"message":"Offense not found for offense_id: 136"}

    The issue here is not with the script; if it were, it would throw an error while testing with a fixed property value too. So we suspect the issue is in passing the offense ID via the network event property from the custom rule to the custom script.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Thu June 17, 2021 04:05 PM

    You really need to provide an example of a curl that does not work in this forum post for us to understand why the error occurs.

    Questions I have:

    1. Is there an example you can provide of the API call?
    2. What is the offense retention set to on the Console?
    3. If you use a GET for /api/siem/offenses?filter=status%3Dopen and filter for a known offense ID, does it provide results?
    4. What is the age of the offense ID you are attempting to query? The default offense retention period is 30 days for inactive offenses.
    5. What version of QRadar is installed on your Console?


    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Wed August 04, 2021 10:19 AM

    Most likely you are trying to execute the Custom Action from the Event/Flow/Common Rule - at which time the Offense ID is not known.

    If you want to execute a Custom Action when an Offense is created, you need to have an Offense Rule which will trigger when a new Offense is created and an Event Rule which will catch that event, extract the Offense ID and trigger the Custom Action.



    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Wed August 04, 2021 11:53 AM

    Hi Jonathan,

    Thanks for your response. Below are the details you asked for.


    1. The script which I'm using and the curl command:

    #!/bin/bash
    offenseid="$1"                                  # offense ID handed in by the Custom Action
    token="xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"   # SEC token of the authorized service
    qip="20.85.219.70"                              # QRadar Console

    # Call the API directly; building a command string and eval-ing it would let
    # an unexpected property value be executed as shell
    output=$(curl -sS --insecure -X GET \
        -H "SEC: $token" -H "Version: 12.0" -H "Accept: application/json" \
        "https://$qip/api/siem/offenses/$offenseid")

    #echo "$output"

    # jq -r prints the raw string, so there is no need to strip quotes with tr
    source=$(echo "$output" | jq -r .offense_source)


    2. Offense retention is 30 days.


    3. If I execute the above-mentioned command manually, I'm able to get the results.


    4. I have generated new offenses to test this, but no luck.


    5. Version 7.4.2 Patch 1.


    As I mentioned in the description, the offense ID is passed to the script as an argument while I'm using the network property, but the REST API query throws an error. I printed that command in the test, and if I run it manually from the CLI it provides a result.


    I contacted support and got a response that, as of now, passing the offense ID to a custom action is not in scope. But I'm surprised that the value is getting passed. The only issue is that if the value is given by the network property, then the REST API throws an error.



    #QRadar
    #Support
    #SupportMigration


  • 5.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Mon August 09, 2021 07:59 AM

    Hi Paul,


    We are using a common event rule which triggers on the "offense created" audit event, and we have a CEP which extracts the offense ID from the payload of the audit event. The same CEP is being used in the Custom Action's network property. As I mentioned, the offense ID value is getting passed to the Custom Action. The issue is that it throws an error while using that value in the REST API query which is part of my script.



    #QRadar
    #Support
    #SupportMigration


  • 6.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Mon August 09, 2021 12:13 PM

    The error you show is saying that the requested offense does not exist.


    • Check that the data you are passing (when called as a Custom Action) is a valid integer
    • Check that the Offense ID actually exists
    • Look for race conditions (Has the Offense actually been created at the time you are requesting information about it?)
    • Check the Auth token you are using has access to that Offense




    #QRadar
    #Support
    #SupportMigration
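
    Added example (not IBM's code and not the script from this thread): a hardened version of the Custom Action script that works through the checklist above and replaces the eval-based curl from post 4. It validates that the property value is a bare integer (a CEP can carry trailing whitespace or a CR), calls curl directly so the event-property value can never be interpreted as shell syntax, retries on 404 to ride out the gap between the "offense created" audit event and the offense becoming visible through the API, and distinguishes 401/403 (token or security-profile problem) from a genuine not-found. The Console IP and token placeholder are taken from the thread; the environment variable names, the retry count and delay, and the jq dependency are assumptions.

```shell
#!/bin/bash
# Hardened Custom Action script (added example, not IBM's code).
# Assumptions: the offense ID arrives as $1 from a custom event property;
# QRADAR_HOST, SEC_TOKEN, RETRIES and DELAY are hypothetical environment
# variables with defaults taken from the thread.

QRADAR_HOST="${QRADAR_HOST:-20.85.219.70}"
SEC_TOKEN="${SEC_TOKEN:-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
RETRIES="${RETRIES:-5}"
DELAY="${DELAY:-3}"

# 1. Validate the value coming out of the event property: strip all whitespace
#    (including a CR/LF left over from the payload) and reject anything that is
#    not a bare integer. Prints the clean ID on success, returns 1 otherwise.
validate_offense_id() {
    id=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$id" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s' "$id"
}

# 2. Map the HTTP status from /api/siem/offenses/{id} to an action: a 404
#    right after creation is a likely race and worth retrying; 401/403 means
#    the token or its security profile cannot see the offense.
classify_status() {
    case "$1" in
        200) echo ok ;;
        404) echo retry ;;
        401|403) echo auth ;;
        *) echo fail ;;
    esac
}

# 3. One API call: body goes to the file named in $2, status code to stdout.
#    No eval, so the property value is only ever part of a URL.
api_get_offense() {
    curl -sS -k -o "$2" -w '%{http_code}' \
        -H "SEC: $SEC_TOKEN" -H "Version: 12.0" -H "Accept: application/json" \
        "https://$QRADAR_HOST/api/siem/offenses/$1"
}

# 4. Fetch the offense source with retries. Exit codes: 0 found, 1 still
#    missing after all retries, 2 invalid ID, 3 auth problem, 4 other error.
fetch_offense_source() {
    id=$(validate_offense_id "$1") || { echo "invalid offense id: '$1'" >&2; return 2; }
    body=$(mktemp)
    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        status=$(api_get_offense "$id" "$body")
        case "$(classify_status "$status")" in
            ok)    jq -r .offense_source < "$body"; rm -f "$body"; return 0 ;;
            retry) n=$((n + 1)); sleep "$DELAY" ;;
            auth)  echo "token rejected (HTTP $status): check the authorized service's security profile" >&2
                   rm -f "$body"; return 3 ;;
            *)     echo "unexpected HTTP $status: $(cat "$body")" >&2; rm -f "$body"; return 4 ;;
        esac
    done
    echo "offense $id still not found after $RETRIES attempts" >&2
    rm -f "$body"
    return 1
}

# Usage from the Custom Action: pass the offense ID property as the first argument.
if [ $# -gt 0 ]; then
    fetch_offense_source "$1"
fi
```

    If the script still returns exit code 1 for a freshly created offense after several retries, the ID really is not resolvable with that token, which points back at the security profile of the authorized service rather than at the rule.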


  • 7.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Mon August 09, 2021 01:04 PM

    I'm using a bash script, where there won't be any data type for the variables.


    I have printed the curl command which I'm executing inside the script and manually executed that command from the CLI; it works (just copy, paste and run).


    If I pass the same offense ID using fixed property value to custom action, its working as expected.



    #QRadar
    #Support
    #SupportMigration


  • 8.  RE: Facing issue while passing offense ID to custom action using Rule

    Posted Mon August 09, 2021 02:13 PM

    OK, so you need to check the other items I listed.



    #QRadar
    #Support
    #SupportMigration