IBM Security QRadar SOAR

  • 1.  SOAR can't close Offense and add notes to QRADAR SIEM

    Posted Fri January 20, 2023 09:32 AM
    I have a problem with SOAR communication with QRadar.

    Incident note information cannot be sent to QRadar from SOAR, and the offense cannot be closed in QRadar.

    The problem also applies to the Ariel query - you can't download events from QRadar.

    With each attempt in the Actions tab, the status is pending and does not change.

    I also have a test version of QRadar, and everything works perfectly fine there.

    I have deleted all QRadar rules and message destinations in SOAR and clicked Verify and Configure in the QRadar SOAR Plugin. It still doesn't work.

    ------------------------------
    Przemyslaw Klys
    ------------------------------


  • 2.  RE: SOAR can't close Offense and add notes to QRADAR SIEM

    Posted Mon January 23, 2023 10:26 AM
    Hi Przemysław,

    It's best to open a Support case (https://ibm.com/mysupport) on this issue as they can guide you through the issues. For note and close incident issues, the plugin processes may need to be restarted. I know Support will be able to assist on this.

    The Ariel query should be a separate issue, associated with the performance of the query being used; some tuning of that query is possible to assist in better-performing queries.

    Regards,
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: SOAR can't close Offense and add notes to QRADAR SIEM

    Posted Tue January 24, 2023 01:55 AM
    We had the same problem. We updated the SOAR Integration in QRadar by downloading the latest version from appexchange.

    ------------------------------
    Ragavendran Lakshminarasimhan
    ------------------------------



  • 4.  RE: SOAR can't close Offense and add notes to QRADAR SIEM

    Posted Wed January 25, 2023 08:22 AM
    The problem was that messages were added to the message destination being used by the plug-in from a rule that the plug-in had not created. I don't know how this situation arose but it is easy to reproduce by creating a rule to send notes added to incidents to the message destination used by the plug-in.

    In this scenario the plug-in will not act on the messages because the wrong rule was used to add the message to the message destination. This means that notes were not added to the offense. The technote describes what is happening -> https://www.ibm.com/support/pages/node/6235716

    The QRadar message destination name was changed in the plug-in which created a new message destination and four new rules. The previous rules were disabled or better still deleted. The old message destination can also be removed.

    ------------------------------
    BEN WILLIAMS
    ------------------------------
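The root cause above is a configuration-hygiene problem: a rule the plug-in did not create was feeding the plug-in's message destination, and the plug-in ignores those messages. The following is an added example (not IBM's code and not the SOAR export format) of the audit a practitioner would want before and after applying the fix: list every enabled rule that targets the plug-in's destination, separate the plug-in's own rules from foreign ones, and generate the clean-up steps the post describes. The record layout (`name`, `destinations`, `managed_by`, `enabled`) and the `qradar-plugin` marker are assumptions for this illustration; the sample rules are constructed.

```python
"""Audit which SOAR rules feed a given QRadar message destination.

Added example, not IBM's code. It models the situation in the thread: a rule
the plug-in did not create posts to the plug-in's message destination, and the
plug-in silently ignores those messages. The record layout below is an
assumption for this illustration, not the SOAR export format.
"""
from dataclasses import dataclass

# Assumed marker for rules the plug-in created itself (not a real SOAR field)
PLUGIN_MANAGED = "qradar-plugin"


@dataclass
class Rule:
    name: str
    destinations: list        # message destinations this rule posts to
    managed_by: str           # assumed field: who created/owns the rule
    enabled: bool = True


def audit_destination(rules, destination):
    """Return (plugin_rules, foreign_rules): names of enabled rules that
    target `destination`, split by whether the plug-in created them.

    Messages posted by `foreign_rules` are exactly the ones the plug-in
    will not act on, so a non-empty list explains "pending" note/close actions.
    """
    plugin_rules, foreign_rules = [], []
    for rule in rules:
        if not rule.enabled or destination not in rule.destinations:
            continue
        bucket = plugin_rules if rule.managed_by == PLUGIN_MANAGED else foreign_rules
        bucket.append(rule.name)
    return sorted(plugin_rules), sorted(foreign_rules)


def remediation_steps(rules, destination, new_destination):
    """Produce the clean-up described in the thread: point the plug-in at a
    fresh destination (it recreates its own rules), then disable or delete
    every rule still aimed at the old destination and remove that destination.
    """
    plugin_rules, foreign_rules = audit_destination(rules, destination)
    steps = [f"reconfigure plug-in message destination: {destination} -> {new_destination}"]
    steps += [f"disable or delete rule: {name}" for name in plugin_rules + foreign_rules]
    steps.append(f"remove old message destination: {destination}")
    return steps


# Constructed sample data: two plug-in rules, one foreign rule on the same
# destination, one disabled foreign rule, and one unrelated rule.
SAMPLE_RULES = [
    Rule("QRadar: add note to offense", ["QRadar Destination"], PLUGIN_MANAGED),
    Rule("QRadar: close offense", ["QRadar Destination"], PLUGIN_MANAGED),
    Rule("Custom: forward notes", ["QRadar Destination", "Ticketing"], "analyst"),
    Rule("Custom: old forwarder", ["QRadar Destination"], "analyst", enabled=False),
    Rule("Email on escalation", ["Mail Destination"], "analyst"),
]

if __name__ == "__main__":
    own, foreign = audit_destination(SAMPLE_RULES, "QRadar Destination")
    print("plug-in rules :", own)
    print("foreign rules :", foreign)   # non-empty => plug-in ignores their messages
    for step in remediation_steps(SAMPLE_RULES, "QRadar Destination", "QRadar Destination v2"):
        print(" -", step)
```

Run against an export of your own rules, a non-empty `foreign rules` list is the condition the technote describes; the remediation list mirrors the fix in the post (new destination name, old rules disabled or deleted, old destination removed).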