IBM Security QRadar SOAR

  • 1.  Mapping of QRadar Domains and SOAR Organizations : Unable to find soar organization

    Posted Sun January 21, 2024 10:01 AM

    Hi,

    After reinstalling the Resilient app in QRadar, the app is unable to list organizations. The API key has full permission in config and orgs in SOAR. Any advice would be appreciated.

    Best



    ------------------------------
    Jasmin
    ------------------------------


  • 2.  RE: Mapping of QRadar Domains and SOAR Organizations : Unable to find soar organization

    Posted Wed January 24, 2024 08:12 AM

    Hi Jasmin 

    I have reached out to our QRadar Plugin team for support.

    They should reach out to you.

    Any further details you can provide would be appreciated.

    Regards

    John



    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: Mapping of QRadar Domains and SOAR Organizations : Unable to find soar organization

    Posted Wed January 24, 2024 10:39 AM

    Hi Jasmin,

    The organizations are probably not coming up due to the fact that the "internal server error" came up. Did this come up when you clicked on "Verify and Configure" or on "Save"?

    Please double check/confirm the following: 

    • You have checked off "Multiple Organization Support"
    • You have executed a configuration push for your API key
    • Is there any IP banned by SOAR?
    • Is the API key locked or expired?

    If all the above seem to be in place, my suggestion would be to check out the Plugin's app.log for any indication of this Internal Server Error. You can do this from the QRadar console, using the qappmanager to get the app ID for the plugin and then navigating to `/store/docker/volumes/qapp-<plugin app id>/`. From here, you should be able to view the log files.

    Hope this helps!



    ------------------------------
    Priya Sapra
    ------------------------------



  • 4.  RE: Mapping of QRadar Domains and SOAR Organizations : Unable to find soar organization

    Posted Wed February 21, 2024 10:47 AM

    Hi Priya,

    I have double-checked all of the following. There isn't anything in the log. And every integration of SOAR and SIEM with the app is a pain :(

    2024-02-21 18:42:39,592 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] check_actions_enabled: True
    2024-02-21 18:42:39,593 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Checking that SOAR is configured properly...
    2024-02-21 18:42:39,730 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Check that SOAR destinations configured
    2024-02-21 18:42:39,801 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Check that SOAR action fields configured
    2024-02-21 18:42:39,882 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Check that SOAR actions configured
    2024-02-21 18:42:39,949 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Check automatic actions configured
    2024-02-21 18:42:39,949 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Check manual actions configured
    2024-02-21 18:42:40,122 [Thread-289] [INFO] [APP_ID:1251] [NOT:0000006000] Closing reasons missing from QRadar: []
    2024-02-21 18:42:41,418 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] endpoint is config.admin_screen
    2024-02-21 18:42:41,419 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] admin_screen
    2024-02-21 18:42:41,678 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] Test SOAR Config
    2024-02-21 18:42:41,724 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] Token Test Returned: <Response [200]>
    2024-02-21 18:42:41,783 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] Checking if host is in CP4S
    2024-02-21 18:42:41,974 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] Checking access to the following orgs: ['id=201, name=ConfigOrg, type=configuration, parent_org_id=None, cloud_account_id=None']
    



    ------------------------------
    Jasmin
    ------------------------------



  • 5.  RE: Mapping of QRadar Domains and SOAR Organizations : Unable to find soar organization

    Posted Wed February 21, 2024 04:52 PM

    Hi Jasmin,

    Sorry to hear that you continue to have issues configuring the QRadar SOAR plugin app. Can you confirm the following please? 

    1. Which version of the app are you using?
    2. It seems like you are using an MSSP org. Have you assigned your API key to all the child organizations in SOAR and performed a configuration push? It will not show the child organizations for mapping if this step is not performed. 

    Also please feel free to open a support ticket if you continue to see the issue and support can work with you on a Webex to address it in a timely manner.

    Thank you
    Dillip



    ------------------------------
    DillipNath
    ------------------------------
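
Added example, not part of the thread or the plugin's own code: a Python check over the plugin's app.log that parses the "Checking access to the following orgs" line shown in post 4 and reports whether any org other than a `type=configuration` org is visible to the API key, along with any WARNING/ERROR lines. The line format is taken from that excerpt; the `type=standard` child org and the ERROR line in the second sample are constructed values, and the function names are hypothetical.

```python
import ast
import re

ORGS_MARKER = "Checking access to the following orgs: "
# key=value pairs inside one org entry; values run up to the next ", key=" or end
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
LEVEL_RE = re.compile(r"\[(DEBUG|INFO|WARNING|ERROR|CRITICAL)\]")

def parse_org_line(line):
    """Return a list of dicts for the orgs on one app.log line, or None."""
    _, sep, tail = line.partition(ORGS_MARKER)
    if not sep:
        return None
    try:
        entries = ast.literal_eval(tail.strip())  # the list is logged as a Python repr
    except (ValueError, SyntaxError):
        return None  # truncated or malformed line
    return [dict(FIELD_RE.findall(entry)) for entry in entries]

def summarize(lines):
    """Report the last org list seen, the non-configuration orgs, and problem lines."""
    last_orgs, problems = [], []
    for line in lines:
        orgs = parse_org_line(line)
        if orgs is not None:
            last_orgs = orgs
        level = LEVEL_RE.search(line)
        if level and level.group(1) in ("WARNING", "ERROR", "CRITICAL"):
            problems.append(line.strip())
    mappable = [o for o in last_orgs if o.get("type") != "configuration"]
    return {"orgs": last_orgs, "mappable": mappable, "problems": problems}

# Two lines copied from the log excerpt in post 4.
THREAD_LINES = [
    "2024-02-21 18:42:41,724 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] Token Test Returned: <Response [200]>",
    "2024-02-21 18:42:41,974 [Thread-296] [INFO] [APP_ID:1251] [NOT:0000006000] Checking access to the following orgs: ['id=201, name=ConfigOrg, type=configuration, parent_org_id=None, cloud_account_id=None']",
]
# Constructed sample (not from the thread): an error line and a child org.
CONSTRUCTED_LINES = [
    "2024-01-01 00:00:00,000 [Thread-1] [ERROR] [APP_ID:0000] [NOT:0000006000] Internal Server Error",
    "2024-01-01 00:00:01,000 [Thread-1] [INFO] [APP_ID:0000] [NOT:0000006000] Checking access to the following orgs: ['id=1, name=ConfigOrg, type=configuration, parent_org_id=None, cloud_account_id=None', 'id=2, name=ChildA, type=standard, parent_org_id=1, cloud_account_id=None']",
]

if __name__ == "__main__":
    for label, sample in (("thread", THREAD_LINES), ("constructed", CONSTRUCTED_LINES)):
        result = summarize(sample)
        names = [o["name"] for o in result["mappable"]]
        print(label, "mappable orgs:", names or "none (only the configuration org is visible)")
        print(label, "problem lines:", len(result["problems"]))
```

To run it against a real log, pass the lines of the app.log file found under the plugin's volume directory to `summarize()` instead of the embedded samples.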