IBM Security QRadar SOAR


QRadar SOAR Plugin App can not Automatic Escalation

  • 1.  QRadar SOAR Plugin App can not Automatic Escalation

    Posted Wed May 29, 2024 09:15 AM
    I need to be able to automatically escalate cases through the SOAR plugin, and map them to different event templates based on the different sources of the offenses.
     
    Right now, even with basic settings, cases are not escalated automatically.
    I would like to know how to troubleshoot this problem.
    Simulated situation:
    1. Trigger the "login failed" rule, which creates an offense and sends an email notification (qradar@demo.com.tw).
    2. The SOAR Plugin automatically escalates to the "SOC_SYSTEM" template based on the offense source.
    3. Inbound Inbox on SOAR
    4. Incidents on SOAR
    On the SIEM, viewing the SOAR Plugin app logs shows no new log entries:
    tail -f /store/docker/volumes/qapp-1202/log/circuits.log
    tail -f /store/docker/volumes/qapp-1202/log/app.log
    ===========================================================
    The current QRadar SIEM & QRadar Apphost environment is as follows
    1.AIO + AppHost : 
    QRadar SIEM v7.5 up8 7.5.0 UpdatePackage 8 (Build 20240302192142) with interim fix IF02 applied
    - Install IBM QRadar SOAR Plugin 5.4.0
     
    2.SOAR + Apphost : 
    IBM Security QRadar SOAR version: 51.0.0.1.27
    ================================================================


    ------------------------------
    界佑 陳
    ------------------------------

    Attachment(s)

    log
    app.log   837 KB 1 version
    log
    circuits.log   444 KB 1 version


  • 2.  RE: QRadar SOAR Plugin App can not Automatic Escalation

    Posted Thu May 30, 2024 04:43 AM

    Hi,

    From the app.log I can see that you were able to manually escalate an offense, so it has worked at some point:

    2024-05-23 21:37:28,794 [Thread-19591 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.get_escalate_button_data
    2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.escalate_to_resilient
    2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] Querying for offense: 67
    2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-2 into DB
    2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
      File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
        c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
    sqlite3.IntegrityError: FOREIGN KEY constraint failed
    
    2024-05-23 21:37:33,166 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-1 into DB
    2024-05-23 21:37:33,167 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
      File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
        c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
    sqlite3.IntegrityError: FOREIGN KEY constraint failed
    
    2024-05-23 21:37:33,416 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] find_qradar_incident: 67 not found
    2024-05-23 21:37:35,934 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] QRadarAPIClient.create_offense_note(): Successfully created note [{'note_text': 'Manual escalation of offense to SOAR initiated\\x03', 'create_time': 1716471455898, 'id': 151, 'username': 'API_user: admin'}] for offense [67].

    In circuits.log, which writes out automatic escalations, I see no ingestion of messages. The console has a direct connection to SOAR which is set up using https://www.ibm.com/docs/en/qradar-common?topic=configuration-configuring-access-inbound-destinations

    If this has been set up correctly, have you also installed the content pack (https://exchange.xforce.ibmcloud.com/hub/extension/87a10624d6c194e198a540e54bcf00b3)? If you haven't, then the three rules created by the content pack will not exist. The console will then not send messages to the SOAR inbound destination over TCP/65000, and the plug-in is not made aware of offenses that have been created, updated or closed.



    ------------------------------
    BEN WILLIAMS
    ------------------------------
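
As an added example (not part of either post, and not code from the IBM plug-in), a small Python triage script that parses app.log lines in the format quoted in the reply above and reports which endpoints were hit, which exceptions occurred, and whether the button-driven escalate_to_resilient path was used; the sample lines are copied from the log excerpt in the reply, so a run over a full app.log would show whether only manual escalations ever happened.

```python
import re
from collections import Counter

# Format of the QRadar SOAR Plugin app.log lines quoted in the reply:
# "<date> <time>,<ms> [<thread>] [<LEVEL>] [APP_ID:<n>] [NOT:<code>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] \[(?P<level>[A-Z]+)\] "
    r"\[APP_ID:(?P<app_id>\d+)\] \[NOT:(?P<not>\d+)\] (?P<msg>.*)$"
)
# Final line of a Python traceback, e.g. "sqlite3.IntegrityError: FOREIGN KEY constraint failed"
EXC_RE = re.compile(r"^([A-Za-z_][\w.]*(?:Error|Exception)): (.*)$")

# Sample input: lines reproduced from the log excerpt in the reply (not a full log).
SAMPLE_LOG = '''\
2024-05-23 21:37:28,794 [Thread-19591 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.get_escalate_button_data
2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] endpoint is config.escalate_to_resilient
2024-05-23 21:37:32,944 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] Querying for offense: 67
2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Failed to insert offense - ip_address pair 67-2 into DB
2024-05-23 21:37:33,081 [Thread-19592 (process_request_thread)] [ERROR] [APP_ID:1202] [NOT:0000003000] Traceback (most recent call last):
  File "/opt/app-root/app/apis/datastorage.py", line 310, in add_ip_address
    c.execute("""INSERT INTO offense_ip_address (offense_id, ip_address_id, source) VALUES (?, ?, ?)""",
sqlite3.IntegrityError: FOREIGN KEY constraint failed
2024-05-23 21:37:33,416 [Thread-19592 (process_request_thread)] [INFO] [APP_ID:1202] [NOT:0000006000] find_qradar_incident: 67 not found
'''

def parse_app_log(text):
    """Return structured records; traceback/continuation lines are folded into the preceding record."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append({**m.groupdict(), "detail": []})
        elif records and raw.strip():
            records[-1]["detail"].append(raw.strip())
    return records

def triage(records):
    """Summarise plugin activity so manual and automatic escalation paths can be told apart."""
    endpoints, exceptions, errors, offenses = Counter(), Counter(), [], set()
    for rec in records:
        msg = rec["msg"]
        if msg.startswith("endpoint is "):
            endpoints[msg.split(" ", 2)[2]] += 1
        if rec["level"] == "ERROR" and not msg.startswith("Traceback"):
            errors.append(msg)
        for line in rec["detail"]:
            e = EXC_RE.match(line)
            if e:
                exceptions[e.group(1)] += 1
        q = re.search(r"offense: (\d+)", msg)
        if q:
            offenses.add(int(q.group(1)))
    return {"endpoints": dict(endpoints), "errors": errors, "exceptions": dict(exceptions),
            "offenses": sorted(offenses),
            # escalate_to_resilient is the button-driven (manual) path the reply points at
            "manual_escalation_seen": "config.escalate_to_resilient" in endpoints}
```

Running `triage(parse_app_log(open("app.log").read()))` over the real file gives the same kind of summary; automatic escalations would instead have to show up as message ingestion in circuits.log, which this script does not parse.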