IBM QRadar SOAR


QRadar SOAR app plugin error - soar_incident_id required

Paulius Roslekas posted Tue September 09, 2025 03:18 AM

Hello,

In the QRadar SOAR plugin app (OnPrem) logs (app.log, circuits.log) I get the error below; auto and manual offense escalation to SOAR does not work :/. Any idea?

Same error with:
Apphost version 1.15.5.0-2 and 1.15.6.0-4;
App version 51.0.6.0.20381 and 51.0.7.0.20613;
QRadar SOAR plugin: 5.6.0 and 5.6.2

circuits.log:

2025-09-08 13:10:46,690 [actions_component] [MainThread] INFO Event: <qrp_inbound_EDITED_1553[] (id=None, workflow=None, user=None) 2025-09-08 10:10:46.530000+00:00> Channel: inbound_destinations.qrp_inbound_EDITED_1553
2025-09-08 13:10:46,691 [debugger] [MainThread] DEBUG <qrp_inbound_EDITED_1553[inbound_destinations.qrp_inbound_EDITED_1553] (id=None, workflow=None, user=None) 2025-09-08 10:10:46.530000+00:00>
2025-09-08 13:10:46,691 [debugger] [MainThread] DEBUG <Message_success[stomp] (<Message[stomp] ()>, None )>
2025-09-08 13:10:46,793 [debugger] [MainThread] DEBUG <task[functionworker] (<function inbound_app.__call__.<locals>.inbound_app_decorator.<locals>._invoke_inbound_app at 0x7f007c4bcd60>, <qrp_inbound_EDITED_1553[inbound_destinations.qrp_inbound_EDITED_1553] (id=None, workflow=None, user=None) 2025-09-08 10:10:46.530000+00:00> )>
2025-09-08 13:10:46,896 [actions_component] [MainThread] DEBUG Task: <function inbound_app.__call__.<locals>.inbound_app_decorator.<locals>._invoke_inbound_app at 0x7f007c4bcd60>
2025-09-08 13:10:46,897 [decorators] [Thread-10 (worker)] DEBUG Running _invoke_inbound_app in Thread: Thread-10 (worker)
2025-09-08 13:10:46,909 [pipeline_orchestrator] [Thread-10 (worker)] INFO Pipeline case_create for offense 27886 starting
2025-09-08 13:10:46,909 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Filter starting
2025-09-08 13:10:46,909 [qradar_handler] [Thread-10 (worker)] DEBUG QRadar_Handler._rest(): GET call to api/config/domain_management/domains
2025-09-08 13:10:46,910 [qradar_handler] [Thread-10 (worker)] DEBUG method: 'GET'
full_url: 'api/config/domain_management/domains
headers: {'content-type': 'application/json', 'Version': '19.0', 'SEC': 'EDITED'}
data: None
json_body: None
2025-09-08 13:10:46,963 [connectionpool] [Thread-10 (worker)] DEBUG https://EDITED:443 "GET /api/config/domain_management/domains HTTP/1.1" 200 None
2025-09-08 13:10:46,966 [qradar_handler] [Thread-10 (worker)] DEBUG QRadar_Handler._rest() call successful. Found [1] results.
2025-09-08 13:10:46,967 [rule_handler] [Thread-10 (worker)] DEBUG Checking if EDITED matches *
2025-09-08 13:10:46,967 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Filter Success 
2025-09-08 13:10:46,968 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/qradar_plugin', wd=1, mask=IN_OPEN, cookie=0, name='qradar_plugin'>
2025-09-08 13:10:46,969 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Find_Incident starting
2025-09-08 13:10:46,970 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/qradar_plugin', wd=1, mask=IN_OPEN, cookie=0, name='qradar_plugin'>
2025-09-08 13:10:46,971 [soar_handler] [Thread-10 (worker)] INFO org_id=201 query={'filters': [{'conditions': [{'field_name': 'properties.qradar_id', 'method': 'equals', 'value': '27886'}, {'field_name': 'properties.qradar_destination', 'method': 'equals', 'value': 'EDITED'}]}], 'sorts': [{'field_name': 'create_date', 'type': 'desc'}]}
2025-09-08 13:10:46,972 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/qradar_plugin', wd=1, mask=IN_CLOSE_WRITE, cookie=0, name='qradar_plugin'>
2025-09-08 13:10:46,973 [soar_handler] [Thread-10 (worker)] DEBUG Query to find case in SOAR from QRadar ID: {'filters': [{'conditions': [{'field_name': 'properties.qradar_id', 'method': 'equals', 'value': '27886'}, {'field_name': 'properties.qradar_destination', 'method': 'equals', 'value': 'EDITED'}]}], 'sorts': [{'field_name': 'create_date', 'type': 'desc'}]}
2025-09-08 13:10:47,085 [connectionpool] [Thread-10 (worker)] DEBUG https://EDITED:443 "POST /rest/orgs/201/incidents/query?return_level=full&handle_format=names HTTP/1.1" 200 2
2025-09-08 13:10:47,088 [soar_handler] [Thread-10 (worker)] INFO Case with qradar_id: 27886 not found in SOAR
2025-09-08 13:10:47,088 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Find_Incident Incomplete Note: Unable to find offense 27886 in org 201
2025-09-08 13:10:47,089 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Transform starting
2025-09-08 13:10:47,120 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Transform Success 
2025-09-08 13:10:47,121 [pipeline_orchestrator] [Thread-10 (worker)] INFO Step: Load starting
2025-09-08 13:10:47,121 [load] [Thread-10 (worker)] INFO Processing Starting offense 27886 org 201 action: case_create
2025-09-08 13:10:47,122 [soar_handler] [Thread-10 (worker)] DEBUG Getting case fields
2025-09-08 13:10:47,313 [connectionpool] [Thread-10 (worker)] DEBUG https://EDITED:443 "GET /rest/orgs/201/types/incident/fields HTTP/1.1" 200 None
2025-09-08 13:10:47,325 [soar_handler] [Thread-10 (worker)] DEBUG Using POST to create case: {'discovered_date': 1757326224415, 'start_date': 1757326224415, 'description': {'content': 'EDITED}
2025-09-08 13:10:52,206 [connectionpool] [Thread-10 (worker)] DEBUG https://EDITED:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 130
2025-09-08 13:10:52,208 [api] [Thread-10 (worker)] WARNING RetryHTTPException: 'resilient' API Request FAILED:
Response Code: 400
Reason: Unknown Reason. {"success":false,"title":null,"message":"The following fields are required: 'soar_incident_id'","hints":[],"error_code":"generic"} in resilient.co3base.BaseClient.post.<locals>.__post, retrying in 2 seconds...
2025-09-08 13:10:53,408 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name=''>
2025-09-08 13:10:53,409 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/log', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name='log'>
2025-09-08 13:10:53,410 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/templates', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name='templates'>
2025-09-08 13:10:53,410 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/retry_case_create.db', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name='retry_case_create.db'>
2025-09-08 13:10:53,411 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/retry_case_close.db', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name='retry_case_close.db'>
2025-09-08 13:10:53,411 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/retry_case_update.db', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name='retry_case_update.db'>
2025-09-08 13:10:53,411 [inotify_buffer] [Thread-31] DEBUG in-event <InotifyEvent: src_path=b'/opt/app-root/store/template_form_data', wd=1, mask=IN_ISDIR|IN_OPEN, cookie=0, name='template_form_data'>
2025-09-08 13:10:54,212 [connectionpool] [Thread-10 (worker)] DEBUG Resetting dropped connection: EDITED
2025-09-08 13:10:58,777 [connectionpool] [Thread-10 (worker)] DEBUG https://EDITED:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 130
2025-09-08 13:10:58,778 [api] [Thread-10 (worker)] WARNING RetryHTTPException: 'resilient' API Request FAILED:
Response Code: 400
Reason: Unknown Reason. {"success":false,"title":null,"message":"The following fields are required: 'soar_incident_id'","hints":[],"error_code":"generic"} in resilient.co3base.BaseClient.post.<locals>.__post, retrying in 4 seconds...
2025-09-08 13:11:02,784 [connectionpool] [Thread-10 (worker)] DEBUG Resetting dropped connection: EDITED
2025-09-08 13:11:05,992 [connectionpool] [Thread-10 (worker)] DEBUG https://EDITED:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 130
2025-09-08 13:11:05,993 [api] [Thread-10 (worker)] WARNING RetryHTTPException: 'resilient' API Request FAILED:
Response Code: 400

app.log:

2025-09-08 13:53:08,086  [pipeline_orchestrator] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Step: Find_Incident starting
2025-09-08 13:53:08,086  [soar_handler] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] org_id=201 query={'filters': [{'conditions': [{'field_name': 'properties.qradar_id', 'method': 'equals', 'value': '27855'}, {'field_name': 'properties.qradar_destination', 'method': 'equals', 'value': 'EDITED'}]}], 'sorts': [{'field_name': 'create_date', 'type': 'desc'}]}
2025-09-08 13:53:08,086  [soar_handler] [Thread-154 (process_request_thread)] [DEBUG] [APP_ID:1553] Query to find case in SOAR from QRadar ID: {'filters': [{'conditions': [{'field_name': 'properties.qradar_id', 'method': 'equals', 'value': '27855'}, {'field_name': 'properties.qradar_destination', 'method': 'equals', 'value': 'EDITED'}]}], 'sorts': [{'field_name': 'create_date', 'type': 'desc'}]}
2025-09-08 13:53:08,198  [connectionpool] [Thread-154 (process_request_thread)] [DEBUG] [APP_ID:1553] https://EDITED:443 "POST /rest/orgs/201/incidents/query?return_level=full&handle_format=names HTTP/1.1" 200 2
2025-09-08 13:53:08,199  [soar_handler] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Case with qradar_id: 27855 not found in SOAR
2025-09-08 13:53:08,199  [pipeline_orchestrator] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Step: Find_Incident Incomplete Note: Unable to find offense 27855 in org 201
2025-09-08 13:53:08,199  [pipeline_orchestrator] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Pipeline manual_case_find for offense 27855 finishing: complete with status unsuccessful
2025-09-08 13:53:08,199  [pipeline_orchestrator] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Summary for action: manual_case_find message: 27855 offense persisted: 1757328564000 queued: None dequeued: None
2025-09-08 13:53:08,199  [pipeline_orchestrator] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Step: Filter: Success Runtime: 0s
2025-09-08 13:53:08,199  [pipeline_orchestrator] [Thread-154 (process_request_thread)] [INFO] [APP_ID:1553] Step: Find_Incident: Incomplete Runtime: 0s
2025-09-08 13:53:08,199  [log_qpylib] [Thread-154 (process_request_thread)] [DEBUG] [APP_ID:1553] Executing completed!

BEN WILLIAMS

Hi Paulius,

I see you opened a support case. The technote http://www.ibm.com/support/docview.wss?uid=ibm16603327& is relevant here.

The custom field soar_incident_id is added when you install the Enhanced Data Migration application (https://ibmresilient.github.io/resilient-community-apps/fn_qradar_enhanced_data/README.html).

This field is set as optional by default, but it seems it has been changed to a required field, which is why the incident is not created. The suggestion to change it back to optional should work for you. Be aware that it is a function input field, so you need to find the field in the EDM functions you have changed and make the changes in the function.
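A pre-flight check for the situation described in this thread, added here as an example and not code from the plugin, the EDM app, or IBM. It reads the incident field definitions that the plugin itself fetches (GET /rest/orgs/{org_id}/types/incident/fields, visible in the circuits.log above), lists custom fields that have been switched to required, validates a case-create payload against them before any POST is attempted, and pulls the field names out of the 400 error text that SOAR returned. The field-definition shape (a list with "name", "prefix" set to "properties" for custom fields, and "required" holding "always" or "close" when set) is assumed from the SOAR REST API; the sample response and payload are constructed, and only the log line is taken from the thread.

```python
"""Pre-flight check: which SOAR incident fields are required, and would a
case-create payload from the QRadar plugin satisfy them?

Assumptions (not taken from the thread): the fields endpoint returns a list of
objects with keys "name", "prefix" ("properties" for custom fields, None for
built-ins) and "required" ("always" or "close"; absent when optional).
"""
import json
import re

# Constructed sample of GET /rest/orgs/{org_id}/types/incident/fields,
# trimmed to the keys this check uses.
SAMPLE_FIELDS_RESPONSE = json.dumps([
    {"name": "name", "prefix": None, "required": "always", "input_type": "text"},
    {"name": "description", "prefix": None, "input_type": "textarea"},
    {"name": "qradar_id", "prefix": "properties", "input_type": "text"},
    {"name": "qradar_destination", "prefix": "properties", "input_type": "text"},
    # Custom EDM field switched from optional to required: the thread's root cause.
    {"name": "soar_incident_id", "prefix": "properties", "required": "always",
     "input_type": "text"},
    {"name": "resolution_summary", "prefix": None, "required": "close",
     "input_type": "textarea"},
])

# Constructed case-create payload modelled on the one the plugin logs before POST.
SAMPLE_CASE_PAYLOAD = {
    "name": "QRadar offense 27886",
    "discovered_date": 1757326224415,
    "start_date": 1757326224415,
    "description": {"format": "text", "content": "EDITED"},
    "properties": {"qradar_id": "27886", "qradar_destination": "EDITED"},
}

# The failure line from the thread's circuits.log (response body quoted as logged).
SAMPLE_LOG = (
    'Reason: Unknown Reason. {"success":false,"title":null,"message":"The following '
    'fields are required: \'soar_incident_id\'","hints":[],"error_code":"generic"} '
    'in resilient.co3base.BaseClient.post.<locals>.__post, retrying in 2 seconds...'
)


def required_fields(fields_json, at="always"):
    """Return (prefix, name) pairs for fields whose 'required' equals `at`."""
    fields = json.loads(fields_json)
    return [(f.get("prefix"), f["name"]) for f in fields if f.get("required") == at]


def required_custom_fields(fields_json):
    """Custom (prefix='properties') fields that must be set on create.

    The plugin never populates custom fields it does not know about, so a
    non-empty result means every case_create POST will be rejected with 400.
    """
    return sorted(name for prefix, name in required_fields(fields_json)
                  if prefix == "properties")


def missing_required(fields_json, payload):
    """Names of always-required fields that are absent or empty in a create payload."""
    missing = []
    for prefix, name in required_fields(fields_json):
        container = payload.get(prefix, {}) if prefix else payload
        if container.get(name) in (None, "", {}):
            missing.append(name)
    return sorted(missing)


# Matches the 'message' member of SOAR's 400 body as it appears in the log text.
FAILED_RE = re.compile(r'"message":"The following fields are required: (?P<fields>[^"]*)"')


def required_fields_from_log(log_text):
    """Pull the quoted field names out of SOAR's 'fields are required' error."""
    names = set()
    for m in FAILED_RE.finditer(log_text):
        names.update(re.findall(r"'([^']+)'", m.group("fields")))
    return sorted(names)


if __name__ == "__main__":
    print("required custom fields:", required_custom_fields(SAMPLE_FIELDS_RESPONSE))
    print("payload is missing:", missing_required(SAMPLE_FIELDS_RESPONSE, SAMPLE_CASE_PAYLOAD))
    print("named in log error:", required_fields_from_log(SAMPLE_LOG))
```

Run it against a real fields response (fetched with the same API key the plugin uses) after any EDM function edit: an empty list from required_custom_fields means the plugin's create payload can still succeed, while a non-empty list names exactly the fields to switch back to optional in the function inputs.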