IBM Support

IJ05914: OFFENSE API DOES NOT RETURN EXPECTED OFFENSES WHEN USING "ID" AND "INACTIVE" FIELD IF OFFENSE ACTIVE_CODE IS 'DORMANT'


APAR status

  • Closed as program error.

Error description

  • The Offense API does not return all expected offenses when a
    query uses the "id" and "inactive" fields and the offense
    active_code is set to "dormant" in the database.
    
    Example:
    QRadar database shows -
    qradar=# select count(*) from offense;
    count
    -------
      1515
    (1 row)
    
    qradar=# select count(*) from offense where active_code=1;
    count
    -------
         0
    (1 row)
    
    qradar=# select count(*) from offense where active_code=2;
    count
    -------
       148
    (1 row)
    
    qradar=# select count(*) from offense where active_code=3;
    count
    -------
      1367
    (1 row)
    
    
    API shows:
    status = open returns 149
    status = closed returns 1366
    status="OPEN" and inactive=true returns 1
    status="OPEN" and inactive=false returns 0
    
    Using inactive = false gives incorrect results.
    The active code value in the User Interface can be 1 (active /
    status open), 2 (dormant, i.e. status open but inactive) or 3
    (inactive / status closed).
    In the API, the corresponding fields are status = OPEN, CLOSED,
    HIDDEN, etc. and inactive = true / false.
    

Local fix

  • 1) Do not use the "inactive" attribute
    2) Use the "status" attribute to filter closed or non-closed
    offenses.
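
One way to apply the local fix to existing integrations, as an added example that is not IBM's code: it scans request URLs for offense filters that rely on "inactive" and builds the status-only replacement. The `/api/siem/offenses` path, the `filter` query parameter and the host name are assumptions that this APAR does not state.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Assumption: offenses are listed at /api/siem/offenses and filtered with a
# `filter` query parameter. The host name used below is a placeholder.
OFFENSES_PATH = "/api/siem/offenses"

# `inactive` used as a comparison term, e.g. inactive=true or inactive = false
INACTIVE_TERM = re.compile(r"\binactive\s*(?:!=|=)", re.IGNORECASE)


def filter_of(url):
    """Return the decoded `filter` expression of an offense API URL, or None."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith(OFFENSES_PATH):
        return None
    values = parse_qs(parts.query).get("filter")
    return values[0] if values else None


def affected_urls(urls):
    """URLs whose offense filter depends on the `inactive` field."""
    return [u for u in urls
            if (expr := filter_of(u)) and INACTIVE_TERM.search(expr)]


def status_only_url(base, status):
    """Build an offense query that filters on `status` alone (the local fix)."""
    query = urlencode({"filter": f'status="{status}"'})
    return f"{base.rstrip('/')}{OFFENSES_PATH}?{query}"


# Constructed sample: request URLs as they might appear in integration scripts.
SAMPLE_URLS = [
    "https://qradar.example.test/api/siem/offenses?filter=status%3D%22OPEN%22",
    "https://qradar.example.test/api/siem/offenses"
    "?filter=status%3D%22OPEN%22%20and%20inactive%3Dfalse",
    "https://qradar.example.test/api/siem/offenses"
    "?filter=id%3E100%20and%20inactive%3Dtrue",
    "https://qradar.example.test/api/other/endpoint?filter=inactive%3Dtrue",
]

if __name__ == "__main__":
    for url in affected_urls(SAMPLE_URLS):
        print("rewrite to filter on status only:", url)
    print(status_only_url("https://qradar.example.test", "OPEN"))
```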
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Patch
    1 and 7.3.2 Patch 6.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Patch
    1 and 7.3.2 Patch 6.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ05914

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    726

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-20

  • Closed date

    2019-12-09

  • Last modified date

    2020-01-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW


Document Information

Modified date:
09 January 2020