These are not errors in the app.log and are not indicative of a problem; they can be ignored.
The app.log has user invoked actions such as manual escalations whilst circuits.log has information about automatic escalations.
You do not specify what the problem is. If you need assistance, you might be better off opening a support case so that all the plug-in logs can be looked at, rather than the snippet you have shared.
Original Message:
Sent: Wed September 04, 2024 03:52 AM
From: Marengo SIRT
Subject: QRadar SOAR Plugin App can not Automatic Escalation
Same issue:
2024-09-04 08:51:56,476 [Thread-2612 (process_request_thread)] [ERROR] [APP_ID:1401] [NOT:0000003000] Failed to insert offense - ip_address pair 10528-15859 into DB
2024-09-04 08:51:56,476 [Thread-2612 (process_request_thread)] [ERROR] [APP_ID:1401] [NOT:0000003000] Traceback (most recent call last):
File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
sqlite3.IntegrityError: FOREIGN KEY constraint failed
------------------------------
Marengo SIRT
Original Message:
Sent: Thu May 30, 2024 04:42 AM
From: BEN WILLIAMS
Subject: QRadar SOAR Plugin App can not Automatic Escalation
Hi,
From the app.log I can see that you were able to manually escalate an offense, so it has worked at some point:
2024-05-23 21:37:28,794 [Thread-19591 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.get_escalate_button_data
2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.escalate_to_resilient
2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] Querying for offense: 67
2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-2 into DB
2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
sqlite3.IntegrityError: FOREIGN KEY constraint failed
2024-05-23 21:37:33,166 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-1 into DB
2024-05-23 21:37:33,167 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
sqlite3.IntegrityError: FOREIGN KEY constraint failed
2024-05-23 21:37:33,416 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] find_qradar_incident: 67 not found
2024-05-23 21:37:35,934 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] QRadarAPIClient.create_offense_note(): Successfully created note [{'note_text': 'Manual escalation of offense to SOAR initiated\\x03', 'create_time': 1716471455898, 'id': 151, 'username': 'API_user: admin'}] for offense [67].
In circuits.log, which writes out automatic escalations, I see no ingestion of messages. The console has a direct connection to SOAR which is set up using https://www.ibm.com/docs/en/qradar-common?topic=configuration-configuring-access-inbound-destinations
If this has been set up correctly, have you also installed the content pack (https://exchange.xforce.ibmcloud.com/hub/extension/87a10624d6c194e198a540e54bcf00b3)? If you haven't, then the three rules created by the content pack will not exist. The console will then not send messages to the SOAR inbound destination over TCP/65000, and the plug-in will not be aware of offenses that have been created, updated or closed.
------------------------------
BEN WILLIAMS
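As an added example (not code from this thread, from IBM, or from the SOAR plug-in), the following Python script encodes the triage the two replies above describe: it reads app.log, records manual escalations (the config.escalate_to_resilient endpoint followed by "Querying for offense"), counts the "Failed to insert offense - ip_address pair" / FOREIGN KEY records as benign, flags any other ERROR, and then checks whether circuits.log has any records since the offense was raised. The record pattern is taken from the app.log lines quoted in the thread; that circuits.log uses the same timestamp prefix is an assumption, and the sample log lines below are constructed, modelled on the quoted ones.

```python
import re
from datetime import datetime

# Record format of the plug-in's app.log lines quoted in this thread:
#   "<date> <time>,<ms> [<thread>] [<LEVEL>] [APP_ID:<n>] [NOT:<code>] <message>"
# Traceback continuation lines carry no timestamp and do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]*)\] \[(?P<level>[A-Z]+)\] "
    r"\[APP_ID:(?P<app_id>\d+)\] \[NOT:(?P<notification>\d+)\] (?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

FK_ERROR_PREFIX = "Failed to insert offense - ip_address pair"   # benign per the reply
MANUAL_ENDPOINT = "endpoint is config.escalate_to_resilient"    # manual escalation


def parse_line(line):
    """Return the fields of one timestamped record, or None for continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def triage_app_log(lines):
    """Separate manual escalations and the benign FK errors from anything else."""
    summary = {"manual_escalations": [], "benign_fk_errors": 0, "other_errors": []}
    awaiting_offense = False      # saw the manual-escalation endpoint; offense id follows
    fk_traceback_pending = False  # next "Traceback" record belongs to a benign FK error
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg == MANUAL_ENDPOINT:
            awaiting_offense = True
        elif awaiting_offense and msg.startswith("Querying for offense: "):
            summary["manual_escalations"].append(int(msg.rsplit(": ", 1)[1]))
            awaiting_offense = False
        if rec["level"] != "ERROR":
            continue
        if msg.startswith(FK_ERROR_PREFIX):
            summary["benign_fk_errors"] += 1
            fk_traceback_pending = True
        elif msg.startswith("Traceback") and fk_traceback_pending:
            fk_traceback_pending = False
        else:
            summary["other_errors"].append(msg)
    return summary


def records_since(lines, since):
    """Count timestamped records at or after `since` (same format as the log timestamps)."""
    cutoff = datetime.strptime(since, TS_FMT)
    return sum(1 for line in lines if (rec := parse_line(line)) and rec["ts"] >= cutoff)


def diagnose(app_lines, circuits_lines, since):
    """Combine both logs into the next troubleshooting step suggested in the thread."""
    app = triage_app_log(app_lines)
    auto = records_since(circuits_lines, since)
    result = dict(app, circuits_records_since=auto)
    if app["other_errors"]:
        result["next_step"] = "unexpected ERROR records: open a support case with the full plug-in logs"
    elif app["manual_escalations"] and auto == 0:
        result["next_step"] = ("manual escalation works but circuits.log is silent: check the SOAR "
                               "inbound destination on the console and the three content-pack "
                               "rules that send offense events over TCP/65000")
    else:
        result["next_step"] = "circuits.log shows activity: inspect those records for the offense"
    return result


# Constructed sample data, modelled on the app.log lines quoted in the thread.
APP_LOG = """
2024-05-23 21:37:28,794 [Thread-19591 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.get_escalate_button_data
2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.escalate_to_resilient
2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] Querying for offense: 67
2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-2 into DB
2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
  File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
sqlite3.IntegrityError: FOREIGN KEY constraint failed
2024-05-23 21:37:33,166 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-1 into DB
2024-05-23 21:37:33,167 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
  File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
sqlite3.IntegrityError: FOREIGN KEY constraint failed
2024-05-23 21:37:33,416 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] find_qradar_incident: 67 not found
2024-05-23 21:37:35,934 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] QRadarAPIClient.create_offense_note(): Successfully created note for offense [67].
""".strip().splitlines()

# Constructed circuits.log sample; assumes the same record prefix as app.log.
# Its only record predates the offense, i.e. no automatic escalation traffic.
CIRCUITS_LOG = """
2024-05-20 09:00:00,000 [Thread-1 (main)] [INFO] [APP_ID:1202] [NOT:0000006000] circuits started
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in diagnose(APP_LOG, CIRCUITS_LOG, "2024-05-23 21:00:00,000").items():
        print(f"{key}: {value}")
```

On a real AppHost the two inputs are the files the original poster tailed, /store/docker/volumes/qapp-<id>/log/app.log and circuits.log, and `since` is the creation time of the test offense. The script only classifies what the thread says is safe to classify; any ERROR it does not recognise is surfaced rather than hidden, which is the case where opening a support case with the full logs is the right move.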
Original Message:
Sent: Wed May 29, 2024 01:53 AM
From: 界佑 陳
Subject: QRadar SOAR Plugin App can not Automatic Escalation
I need to be able to automatically escalate cases through the SOAR plugin, with different event templates corresponding to the different sources of the offenses.
Now, even with basic settings, cases cannot be escalated automatically.
I want to know how to troubleshoot this problem.
Simulated situation:
1. Trigger the "login failed" rule, create an offense and send an email notification (qradar@demo.com.tw)
2. The SOAR Plugin should automatically escalate to the "SOC_SYSTEM" template based on the offense source.
3.Inbound Inbox on SOAR
4.Incidents on SOAR
Viewing the SOAR Plugin App logs on the SIEM:
There are no new log entries.
tail -f /store/docker/volumes/qapp-1202/log/circuits.log
tail -f /store/docker/volumes/qapp-1202/log/app.log
===========================================================
The current QRadar SIEM and QRadar AppHost environment is as follows:
1. AIO + AppHost:
QRadar SIEM v7.5 UP8 (7.5.0 UpdatePackage 8, Build 20240302192142) with interim fix IF02 applied
- IBM QRadar SOAR Plugin 5.4.0 installed
2. SOAR + AppHost:
IBM Security QRadar SOAR version: 51.0.0.1.27
================================================================
------------------------------
界佑 陳
------------------------------