IBM Support

QRadar: Analytics API endpoint responses are blank due to adblockers

Troubleshooting


Problem

Users who attempt to use the QRadar API Analytics endpoint might experience an issue where the response headers and body are blank. Ad blocker rules trigger on the term analytics in the request URL, so these API requests cannot complete as expected. Administrators can allowlist the QRadar API to allow these requests to complete.

Symptom

When the /api/analytics portion of the URL is blocked, the response body and response headers of the QRadar API display blank values. For example:

Figure 1: When an ad blocker prevents the API from functioning, fields are displayed with blank values.

Cause

The ad blocker likely has the third-party EasyPrivacy filter list enabled. EasyPrivacy and other ad blocking filters might contain a generic block rule for api/analytics. QRadar Support and Development have verified that the EasyPrivacy third-party filters for uBlock Origin do contain generic filters that can cause interface issues or block communications. When you view the EasyPrivacy filter list, you can see the contents of the list and the URL pattern flagged by the ad blocker that impacts /api/analytics API calls in QRadar.


Figure 2: EasyPrivacy filter rule that blocks the QRadar Analytics endpoint.

Diagnosing The Problem

To verify this issue, you can view the logs for your ad blocker. If the ad blocker is impacting the API call, it displays the blocked URL in red as a blocked item from a rule.


Figure 3: The logs for the ad blocker can confirm that the API call is being blocked.

Resolving The Problem

To resolve the issue, administrators must allowlist the QRadar API to ensure that these requests can complete without interruption from an ad blocker. Alternatively, administrators can review the filters in their ad blocker to verify which filter is causing the URL to be blocked. We have noticed with uBlock Origin that disabling the EasyPrivacy filter also resolves the issue.

For uBlock Origin users with QRadar, you can add a filter to ensure that future API requests to the Console can complete successfully.

Procedure

  1. In any browser, navigate to the QRadar API: https://ConsoleIP/api_doc.
  2. Log in to the QRadar API.
  3. Expand the /analytics API interface.
  4. Select one of the /analytics endpoints, for example /building_blocks or /rules.
  5. Click the Try It Out! button.
  6. Open the logs for your ad blocker and verify the blocking rule.
  7. Allowlist the site in your ad blocker.
  8. Optionally, administrators can add a specific rule for the QRadar Console.
  9. In the QRadar API, verify the response body and response header fields contain QRadar data.



Results

If data is returned for the Response Body field, the ad blocker has been updated to allow requests to complete in the /analytics API endpoint.
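The rule check in steps 6 to 8 can also be reproduced outside the browser. The following is an added example, not IBM code: a Python matcher for a subset of Adblock Plus filter syntax that reports which rules in a filter list block a Console URL and whether an exception rule overrides them. The filter lines, the hostname qradar.example.test, and the exception rule are constructed for illustration; the actual EasyPrivacy rule is not reproduced here.

```python
import re

# Constructed sample rules in Adblock Plus syntax; NOT the real EasyPrivacy list.
SAMPLE_FILTERS = [
    "! Title: constructed sample list",
    "/api/analytics/*",                # assumed generic rule of the kind described
    "||tracker.example^$third-party",  # unrelated network rule
    "example.com##.ad-banner",         # cosmetic rule, ignored here
]
# Hypothetical Console hostname and a hypothetical exception rule for it.
CONSOLE_URL = "https://qradar.example.test/api/analytics/rules"
CONSOLE_EXCEPTION = "@@||qradar.example.test/api/analytics/"

SEPARATOR = r"(?:[^A-Za-z0-9_.%-]|$)"                   # the '^' placeholder
DOMAIN_ANCHOR = r"^[a-z][a-z0-9+.-]*://(?:[^/?#]*\.)?"  # the '||' prefix


def filter_to_regex(pattern):
    """Translate the ||, |, ^ and * subset of filter syntax into a regex."""
    prefix = suffix = ""
    if pattern.startswith("||"):
        prefix, pattern = DOMAIN_ANCHOR, pattern[2:]
    elif pattern.startswith("|"):
        prefix, pattern = "^", pattern[1:]
    if pattern.endswith("|"):
        suffix, pattern = "$", pattern[:-1]
    body = "".join(".*" if c == "*" else SEPARATOR if c == "^" else re.escape(c)
                   for c in pattern)
    return re.compile(prefix + body + suffix, re.IGNORECASE)


def diagnose(url, filter_lines):
    """Return which network rules block or allow url (rule options are ignored)."""
    blocking, allowing = [], []
    for raw in filter_lines:
        line = raw.strip()
        if not line or line[0] in "![" or "##" in line or "#@#" in line:
            continue  # comments, list header, cosmetic rules
        is_exception = line.startswith("@@")
        pattern = (line[2:] if is_exception else line).split("$", 1)[0]
        if pattern and filter_to_regex(pattern).search(url):
            (allowing if is_exception else blocking).append(line)
    return {"blocked": bool(blocking) and not allowing,
            "blocking": blocking, "allowing": allowing}


if __name__ == "__main__":
    print(diagnose(CONSOLE_URL, SAMPLE_FILTERS))
    print(diagnose(CONSOLE_URL, SAMPLE_FILTERS + [CONSOLE_EXCEPTION]))
```

Rule options after `$` (such as `third-party`) and regex-style filters are not evaluated, so treat a reported match as a candidate to confirm in the ad blocker's own log.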



Document Information

Modified date:
10 May 2019

UID

swg22008524