IBM Support

IJ21487: RULE FIRING FALSE POSITIVE/NEGATIVE CAN OCCUR DUE TO A RULE WITH A USER THAT NO LONGER EXISTS IN THE DEPLOYMENT

APAR status

  • Closed as Permanent restriction.

Error description

  • It has been identified that Rules are not loaded properly when the
    user who originally created them (the origin user) no longer exists in
    the QRadar deployment. This has been observed after Content Management
    Tool (CMT) imports, because CMT allows data to be imported even if the
    referenced user does not exist.
    False positive or false negative Rule firing can be experienced when
    this issue is occurring.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events"
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java:748)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java:694)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java:212)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java:238)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java:125)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java:59)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java:215)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java:89)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java:126)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java:155)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java:420)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java:415)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:278)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at java.lang.Thread.run(Thread.java:812)
    
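As an added example (not part of the APAR or of QRadar itself), the following Python triage script pulls the user and catalog out of InsufficientUserCapabilitiesException lines in the format quoted above and separates users that are absent from the deployment (this APAR's case, which needs the user re-created and ecs-ep restarted) from users that exist but simply lack the capability (a permissions problem, not this APAR). The sample log lines and the existing-user set are constructed for the example; the existing-user set is assumed to be supplied by the administrator from the deployment's current user list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape quoted in the APAR (not a real capture).
# A real /var/log/qradar.log line also carries a timestamp and host prefix;
# re.search() below ignores anything that precedes the exception text.
SAMPLE_LOG = """\
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "alice@example.com" does not have required capabilities to access catalog "events"
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java:748)
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41340] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "alice@example.com" does not have required capabilities to access catalog "flows"
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41342] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "carol@example.com" does not have required capabilities to access catalog "events"
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41344] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "bob@example.com" does not have required capabilities to access catalog "events"
"""

# Matches the exception message wherever it appears on the line; the
# "at ..." stack-frame lines do not contain it and are skipped.
EXC_RE = re.compile(
    r'InsufficientUserCapabilitiesException: User "(?P<user>[^"]+)" '
    r'does not have required capabilities to access catalog "(?P<catalog>[^"]+)"'
)

def capability_failures(log_text):
    """Map each user named in the exception to a Counter of catalogs hit."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = EXC_RE.search(line)
        if m:
            hits[m.group("user")][m.group("catalog")] += 1
    return hits

def triage(log_text, existing_users):
    """Split the failures into the two cases an admin handles differently.

    missing      -> user is absent from the deployment (the IJ21487 case:
                    re-create the user, then restart ecs-ep on Console and EPs)
    unprivileged -> user exists but lacks the capability (permissions issue)
    existing_users is the deployment's current user list (admin-supplied).
    """
    hits = capability_failures(log_text)
    missing = {u: c for u, c in hits.items() if u not in existing_users}
    unprivileged = {u: c for u, c in hits.items() if u in existing_users}
    return missing, unprivileged

if __name__ == "__main__":
    # Constructed current-user list: carol still exists, alice and bob do not.
    missing, unprivileged = triage(SAMPLE_LOG, {"admin", "carol@example.com"})
    for user, catalogs in sorted(missing.items()):
        detail = ", ".join(f"{c}={n}" for c, n in sorted(catalogs.items()))
        print(f"re-create {user} ({detail}), then restart ecs-ep on Console and EPs")
    for user in sorted(unprivileged):
        print(f"{user} exists: review its role/catalog permissions instead")
```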

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • To resolve the issue, re-create the missing user and then restart
    ecs-ep on the Console and EPs. Once the Rules load correctly again,
    the user can optionally be deleted and its data migrated to a
    different user (such as the admin user).
    

Problem conclusion

  • To resolve the issue, re-create the missing user and then restart
    ecs-ep on the Console and EPs. Once the Rules load correctly again,
    the user can optionally be deleted and its data migrated to a
    different user (such as the admin user).
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ21487

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-06

  • Closed date

    2020-07-13

  • Last modified date

    2020-07-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

Document Information

Modified date:
14 July 2020