IBM Security QRadar

Hello Everyone,

I am trying to get Tunnig app to work. When I try to click Investigate button I get error


I tried manual rules import by using generate-rules-file.sh. This script failed with error "Failed to copy file to the correct location." After some investigation it seems that file failed to copy to container and it is an error from calling Tuning App API.

curl --silent --show-error -X POST -w '\n' "localhost:$APP_PORT_NUM/api/rules_file" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "rules_file=@$temp/$XML_FILE_NAME;type=text/xml"
Anyone have similar problem or an idea what to try.

------------------------------
Djordje Zecevic
------------------------------

Hi Djordje,

Seems you are using 7.3.1 where rule file upload is required, and since it failed you are getting the first error message. Did you try manually uploading the rules file to the app in configuration page (see instructions below from config page)? If that works we can see further why the script to copy the file doesn't work - if you are interested in setting up auto-updates.



------------------------------
Lidija Grahek
------------------------------

Original Message:
Sent: Thu September 12, 2019 08:07 AM
From: Djordje Zecevic
Subject: QRadar Tuning App on AppHost

Hello Everyone,

I am trying to get Tunnig app to work. When I try to click Investigate button I get error

I tried manual rules import by using generate-rules-file.sh. This script failed with error "Failed to copy file to the correct location." After some investigation it seems that file failed to copy to container and it is an error from calling Tuning App API.

curl --silent --show-error -X POST -w '\n' "localhost:$APP_PORT_NUM/api/rules_file" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "rules_file=@$temp/$XML_FILE_NAME;type=text/xml"
Anyone have similar problem or an idea what to try.

------------------------------
Djordje Zecevic
------------------------------

... I just realized there is App Host in the message title, so then you are using 7.3.2? In case of 7.3.2 there is no rule file upload supported, it shouldn't be needed. In the CRE report page, did you see the chart generated and picked from one of the active rules, or did you select a rule from the "add additional rule"? Any details you have would help analyze the problem, you can also send me a message directly. 

------------------------------
Lidija Grahek
------------------------------

Original Message:
Sent: Mon September 16, 2019 09:05 AM
From: Lidija Grahek
Subject: QRadar Tuning App on AppHost

Hi Djordje,

Seems you are using 7.3.1 where rule file upload is required, and since it failed you are getting the first error message. Did you try manually uploading the rules file to the app in configuration page (see instructions below from config page)? If that works we can see further why the script to copy the file doesn't work - if you are interested in setting up auto-updates.

------------------------------
Lidija Grahek

Original Message:
Sent: Thu September 12, 2019 08:07 AM
From: Djordje Zecevic
Subject: QRadar Tuning App on AppHost

Hello Everyone,

I am trying to get Tunnig app to work. When I try to click Investigate button I get error

I tried manual rules import by using generate-rules-file.sh. This script failed with error "Failed to copy file to the correct location." After some investigation it seems that file failed to copy to container and it is an error from calling Tuning App API.

curl --silent --show-error -X POST -w '\n' "localhost:$APP_PORT_NUM/api/rules_file" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "rules_file=@$temp/$XML_FILE_NAME;type=text/xml"
Anyone have similar problem or an idea what to try.

------------------------------
Djordje Zecevic
------------------------------

I received answer via PM:

So based on the screenshot you sent me it seems the app didn't match the rule to the event - it is not related to App Host problem, but the way we are doing the mapping in this version. We should really be disabling Investigate option in this case when Rule Name is blank, with the explanation. We improved the way we map CRE events to rules that generated them in the upcoming version, most likely you will be able to see the rules mapped to the event in this case.

At the end of day, I reinstalled my test Qradar. After this, everything works :).

Best regards,
Djordje

------------------------------
Djordje Zecevic
------------------------------

Original Message:
Sent: Mon September 16, 2019 10:35 AM
From: Lidija Grahek
Subject: QRadar Tuning App on AppHost

... I just realized there is App Host in the message title, so then you are using 7.3.2? In case of 7.3.2 there is no rule file upload supported, it shouldn't be needed. In the CRE report page, did you see the chart generated and picked from one of the active rules, or did you select a rule from the "add additional rule"? Any details you have would help analyze the problem, you can also send me a message directly. 

------------------------------
Lidija Grahek

Original Message:
Sent: Mon September 16, 2019 09:05 AM
From: Lidija Grahek
Subject: QRadar Tuning App on AppHost

Hi Djordje,

Seems you are using 7.3.1 where rule file upload is required, and since it failed you are getting the first error message. Did you try manually uploading the rules file to the app in configuration page (see instructions below from config page)? If that works we can see further why the script to copy the file doesn't work - if you are interested in setting up auto-updates.

------------------------------
Lidija Grahek

Original Message:
Sent: Thu September 12, 2019 08:07 AM
From: Djordje Zecevic
Subject: QRadar Tuning App on AppHost

Hello Everyone,

I am trying to get Tunnig app to work. When I try to click Investigate button I get error

I tried manual rules import by using generate-rules-file.sh. This script failed with error "Failed to copy file to the correct location." After some investigation it seems that file failed to copy to container and it is an error from calling Tuning App API.

curl --silent --show-error -X POST -w '\n' "localhost:$APP_PORT_NUM/api/rules_file" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "rules_file=@$temp/$XML_FILE_NAME;type=text/xml"
Anyone have similar problem or an idea what to try.

------------------------------
Djordje Zecevic
------------------------------

That's great. If you start editing rules that already generated events, specifically change the event name, you may run into the same problem. The next app version will be more robust that way.

------------------------------
Lidija Grahek
------------------------------

Original Message:
Sent: Mon September 23, 2019 08:34 AM
From: Djordje Zecevic
Subject: QRadar Tuning App on AppHost

I received answer via PM:

So based on the screenshot you sent me it seems the app didn't match the rule to the event - it is not related to App Host problem, but the way we are doing the mapping in this version. We should really be disabling Investigate option in this case when Rule Name is blank, with the explanation. We improved the way we map CRE events to rules that generated them in the upcoming version, most likely you will be able to see the rules mapped to the event in this case.

At the end of day, I reinstalled my test Qradar. After this, everything works :).

Best regards,
Djordje

------------------------------
Djordje Zecevic

Original Message:
Sent: Mon September 16, 2019 10:35 AM
From: Lidija Grahek
Subject: QRadar Tuning App on AppHost

... I just realized there is App Host in the message title, so then you are using 7.3.2? In case of 7.3.2 there is no rule file upload supported, it shouldn't be needed. In the CRE report page, did you see the chart generated and picked from one of the active rules, or did you select a rule from the "add additional rule"? Any details you have would help analyze the problem, you can also send me a message directly. 

------------------------------
Lidija Grahek

Original Message:
Sent: Mon September 16, 2019 09:05 AM
From: Lidija Grahek
Subject: QRadar Tuning App on AppHost

Hi Djordje,

Seems you are using 7.3.1 where rule file upload is required, and since it failed you are getting the first error message. Did you try manually uploading the rules file to the app in configuration page (see instructions below from config page)? If that works we can see further why the script to copy the file doesn't work - if you are interested in setting up auto-updates.

------------------------------
Lidija Grahek

Original Message:
Sent: Thu September 12, 2019 08:07 AM
From: Djordje Zecevic
Subject: QRadar Tuning App on AppHost

Hello Everyone,

I am trying to get Tunnig app to work. When I try to click Investigate button I get error

I tried manual rules import by using generate-rules-file.sh. This script failed with error "Failed to copy file to the correct location." After some investigation it seems that file failed to copy to container and it is an error from calling Tuning App API.

curl --silent --show-error -X POST -w '\n' "localhost:$APP_PORT_NUM/api/rules_file" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "rules_file=@$temp/$XML_FILE_NAME;type=text/xml"
Anyone have similar problem or an idea what to try.

------------------------------
Djordje Zecevic
------------------------------