> "Enable X-Force Threat Intelligence Feed" becomes disabled and I begin receiving the error "CRE failed to read rules"
> You might check Admin tab > Systems Settings > "Enable X-Force Threat Intelligence Feed" and ensure it is enabled.
This looks like a known issue where a restart of tomcat will perform a check to see if X-Force data can be retrieved. If that fails then QRadar will automatically change that setting to 'No'. After the next deploy, you will see that error if you have any Rules that use any of the X-Force tests.
This behaviour has changed in 7.5.0 UP4 and should no longer cause this problem once you have upgraded.
pfh
------------------------------
Paul Ford-Hutchinson
------------------------------
Original Message:
Sent: Thu March 16, 2023 02:44 PM
From: Joe Chaffin
Subject: CRE failed to read rules
I have noticed recently that after I update an app from the App Exchange that "Enable X-Force Threat Intelligence Feed" becomes disabled and I begin receiving the error "CRE failed to read rules"
You might check Admin tab > Systems Settings > "Enable X-Force Threat Intelligence Feed" and ensure it is enabled.
Original Message:
Sent: 3/16/2023 10:43:00 AM
From: jan julicher
Subject: RE: CRE failed to read rules
Thanks a mil and will let you know the outcome
------------------------------
jan julicher
Original Message:
Sent: Thu March 16, 2023 09:55 AM
From: Karl Jaeger
Subject: CRE failed to read rules
Hi Jan,
we ran into the same problem a few days ago. Pls check your rule changes for the last few days when this notification popped up first time (yesterday?). When you specifiy complex tests inide your rule an dependencies between rules you might run into this CRE problem. The only way to get it solved is
1st disable modified rule or remove rule test change
2nd close correspondent offenses and verify problem is gone
3rd reduce complexity , e.g. time condition and dependency from other rules inside your rule test condition
4th restart CRE and execute full deployment if action 1-3 doesnt help
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
Original Message:
Sent: Thu March 16, 2023 02:54 AM
From: jan julicher
Subject: CRE failed to read rules
Hello
after a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
The last attempt to read in rules (usually due to a rule change) has failed. If look at the actual event it tells me:
Mar 15 11:46:50 127.0.0.1 [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
I have stopped and started services, re-booted etc, but the problem stays the same.
Any thoughts?
Thanks in advance.
------------------------------
jan julicher
------------------------------