IBM Security QRadar SOAR

 View Only
  • 1.  QRadar SOAR Plugin App can not Automatic Escalation

    Posted 20 days ago
    I need to be able to Automatic Escalation cases cases through the soar plugin, and correspond to different event templates based on different sources of offenses.
     
    Now even basic settings cannot automatically upgrade cases.
    Want to know how to troubleshoot a problem?
    simulated situation
    1.Trigger "login failed" rule, create offense and send email notification (qradar@demo.com.tw)
    2.SOAR Plugin can automatically upgrade to the "SOC_SYSTEM" template based on the offenses source.
    3.Inbound Inbox on SOAR
    4.Incidents on SOAR
    On SIEM View SOAR Plugin App Log:
    There are no new change logs
    tail -f /store/docker/volumes/qapp-1202/log/circuits.log 
    tail -f /store/docker/volumes/qapp-1202/log/app.log 
    ===========================================================
    The current QRadar SIEM & QRadar Apphost environment is as follows
    1.AIO + AppHost : 
    QRadar SIEM v7.5 up8 7.5.0 UpdatePackage 8 (Build 20240302192142) with interim fix IF02 applied
    - Install IBM QRadar SOAR Plugin 5.4.0
     
    2.SOAR + Apphost : 
    IBM Security QRadar SOAR version: 51.0.0.1.27
    ================================================================


    ------------------------------
    界佑 陳
    ------------------------------

    Attachment(s)

    log
    app.log   837 KB 1 version
    log
    circuits.log   444 KB 1 version


  • 2.  RE: QRadar SOAR Plugin App can not Automatic Escalation

    Posted 19 days ago

    Hi,

    From the app.log I can see that you were able to manually escalate an offense so it has worked at some point

    2024-05-23 21:37:28,794 [Thread-19591 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.get_escalate_button_data
    2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.escalate_to_resilient
    2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] Querying for offense: 67
    2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-2 into DB
    2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
      File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
        c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
    sqlite3.IntegrityError: FOREIGN KEY constraint failed
    
    2024-05-23 21:37:33,166 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-1 into DB
    2024-05-23 21:37:33,167 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
      File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
        c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
    sqlite3.IntegrityError: FOREIGN KEY constraint failed
    
    2024-05-23 21:37:33,416 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] find_qradar_incident: 67 not found
    2024-05-23 21:37:35,934 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] QRadarAPIClient.create_offense_note(): Successfully                     created note [{'note_text': 'Manual escalation of offense to SOAR initiated\\x03', 'create_time': 1716471455898, 'id': 151, 'username': 'API_user: admin'}] for offense [67].

    In circuits.log, which writes out automatic escalations, I see no ingestion of messages. The console has a direct connection to SOAR which is setup using https://www.ibm.com/docs/en/qradar-common?topic=configuration-configuring-access-inbound-destinations

    If this has been setup correctly have you also installed the content pack (https://exchange.xforce.ibmcloud.com/hub/extension/87a10624d6c194e198a540e54bcf00b3)?If you haven't then the three rules created by the content pack will not exist. The console will not then sends messages to the SOAR inbound destination over TCP/65000 and the plug-in is not aware of offenses that have been created, updated or closed.



    ------------------------------
    BEN WILLIAMS
    ------------------------------