Known issues
The following issues exist in IBM® QRadar® Network Threat Analytics.
Global view queries fail for nonadmin security profiles
Global view queries automatically fail when a user with a nonadmin security profile tries to run them. Instead, AQL queries run as a fallback.
A nonadmin security profile can use global view queries if they modify the queries. For more information, see Configuring permissions for global view queries.
Network baseline fails to upload to QRadar
This issue applies to IBM QRadar 7.5.0 Update Package 2 or earlier.
If the network baseline status on the QRadar Network Threat Analytics Configuration page shows Unable to sync baseline with QRadar, the issue might be caused by a network parsing error in QRadar. The parsing error occurs when the network hierarchy contains a network name that ends in the characters len.
To determine whether the parsing issue caused the upload failure, look in the QRadar Network Threat Analytics app log file for an HTTP 422 error code with the following error message: Unexpected format found for the field: MODELS
- From the app host, view the /store/docker/volumes/<qapp-####>/log/app.log file. The <qapp-####> variable is the qapp ID for QRadar Network Threat Analytics.
- From within the app container, view the /opt/app-root/store/log/app.log file.
To work around this issue, update the QRadar network hierarchy so that network names do not end in len. Then, uninstall the QRadar Network Threat Analytics app, and reinstall it.
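The check and the workaround above can be scripted. The following is an added example, not IBM code: it looks for the 422 and MODELS signature in an app.log file and lists the network names that end in len. The log line layout, the one-name-per-line input file, and the function names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not IBM code. All sample log lines and network names are constructed.

MSG='Unexpected format found for the field: MODELS'

# Succeeds when the log contains both the parsing message and an HTTP 422 code.
# Assumption: they may sit on different lines, so each is searched separately.
has_baseline_parse_error() {
    [ -r "$1" ] || return 2
    grep -qF "$MSG" "$1" && grep -qE '(^|[^0-9])422([^0-9]|$)' "$1"
}

# Prints every network name (one per input line) that ends in "len".
# Trailing whitespace and carriage returns are stripped before matching.
names_ending_in_len() {
    sed 's/[[:space:]]*$//' "$1" | grep -E 'len$' || true
}

# Writes constructed sample files into directory $1.
write_samples() {
    printf '%s\n' \
        '2024-01-01 10:00:00 INFO baseline sync started' \
        "2024-01-01 10:00:02 ERROR HTTP 422 $MSG" > "$1/app.log"
    printf '%s\n' 'DMZ' 'Site_Allen' 'lenient_zone' 'VLAN_len' > "$1/networks.txt"
}

# Demo: on a real app host, pass /store/docker/volumes/<qapp-####>/log/app.log
# and a file of network names taken from the network hierarchy instead.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    if has_baseline_parse_error "$dir/app.log"; then
        echo 'Parsing error found in app.log. Network names to rename:'
        names_ending_in_len "$dir/networks.txt"
    else
        echo 'No MODELS parsing error in app.log.'
    fi
    rm -rf "$dir"
}

demo
```

The name match is case-sensitive and only flags names whose final three characters are len, so a name such as lenient_zone is not reported.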
Dashboard and map view data fails to load
A known issue exists in IBM QRadar 7.5.0 Update Package 5 that can cause geographic lookup failures.
When this issue occurs, the QRadar error logs show a NullPointerException error during the geographic or location lookup. This issue can cause query failures and location data to load slowly in the QRadar Network Threat Analytics app.
To work around this issue, you can disable the QRadar caching mechanism.
- Edit the /opt/qradar/conf/spillovercache.properties file.
- Set the LocationUtilsSpillOverCache.spillover.enabled property to False.
- Type this command to restart the QRadar service.
systemctl restart hostcontext