QRadar Network Threat Analytics home page does not show any findings
There are several reasons why the IBM® QRadar® Network Threat Analytics home page might not show any findings.
Improper authorization token permissions
The authentication token must have Admin permissions for the security profile and user role.
To verify that the authentication token has the proper permissions, review the app.log file to look for a message similar to this one:
NBA-1 API connection error checking for trained models: {"http_response": {"code": 403, "message": "Your account is not authorized to access the requested resource"}, "code": 26, "description": "", "details": {}, "message": "User has insufficient capabilities to access this endpoint resource"}
To view the log file, follow these steps:
- Use SSH to log in to the system that hosts the app.
- Type this command to determine the
qapp ID
of the app:/opt/qradar/support/recon ps | grep "Network Threat Analytics"
-
View the log file in one of the following ways:
- From the app host, view the
/store/docker/volumes/<qapp-####>/log/app.log file.
The <qapp-####> variable is the
qapp ID
for QRadar Network Threat Analytics. - From within the app container, view the /opt/app-root/store/log/app.log file.
- From the app host, view the
/store/docker/volumes/<qapp-####>/log/app.log file.
If the log file indicates that the authorization token does not have the proper permissions, you must replace it with an Admin token and restart the baseline process. The best way to replace the token is to reinstall and configure the QRadar Network Threat Analytics app. The baseline process starts automatically when you configure the app to use the authorization token.
Baseline process failed or is incomplete
When QRadar Network Threat Analytics fails to create the network baseline, the home page does not show any findings. The process can fail when you do not have enough flow data in QRadar or when your certificate does not validate.
To determine whether the process failed, review the log file. For more information, see Network baseline creation fails.