IBM QRadar

Hello again Benjamin.

Depending on the version you are using (not stated, but important), if I recall correctly there are bits of this functionality that are broken with regards AD and/or LDAP integration, or are no longer actively supported.

I know this is both difficult and frustrating to set up if you do not control the AD/LDAP end as you need to see logs from both ends to work out why it is failing.

The approach taken previously is working from the bottom upwards, to determine what in the stack is failing. 

Bottom = Be sure that the traffic is leaving and arriving on the SIEM (i.e. there are no firewall rules blocking traffic). Network traffic passes?
Middle = Test the connection to to the LDAP destination from a generic Linux host, to be sure you know which end is likely to be broken (not the SIEM). A common tool for that is "ldapsearch" - a search engine should guide. Is LDAP operating as expected? If yes, then points to the SIEM end.
Top = Working side-by-side with the LDAP admin to go through the logs, determine the step it fails and go from there. What is in qradar.error? 

I can't find the article that explains what is supported for AD/LDAP, but I know support has changed in recent versions.

A forum search came up with this from March 2019 that may guide:
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2497&MessageKey=e04a830e-b942-4b33-9e0d-190f7d1d4031&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer

Hello again Benjamin.

Depending on the version you are using (not stated, but important), if I recall correctly there are bits of this functionality that are broken with regards AD and/or LDAP integration, or are no longer actively supported.

I know this is both difficult and frustrating to set up if you do not control the AD/LDAP end as you need to see logs from both ends to work out why it is failing.

The approach taken previously is working from the bottom upwards, to determine what in the stack is failing. 

Bottom = Be sure that the traffic is leaving and arriving on the SIEM (i.e. there are no firewall rules blocking traffic). Network traffic passes?
Middle = Test the connection to to the LDAP destination from a generic Linux host, to be sure you know which end is likely to be broken (not the SIEM). A common tool for that is "ldapsearch" - a search engine should guide. Is LDAP operating as expected? If yes, then points to the SIEM end.
Top = Working side-by-side with the LDAP admin to go through the logs, determine the step it fails and go from there. What is in qradar.error? 

I can't find the article that explains what is supported for AD/LDAP, but I know support has changed in recent versions.

A forum search came up with this from March 2019 that may guide:
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2497&MessageKey=e04a830e-b942-4b33-9e0d-190f7d1d4031&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer