How To
Summary
What information does IBM support require to assist troubleshooting a problem related to the IBM QRadar Security SOAR application?
Objective
Problems with the IBM QRadar Security SOAR application, such as problems relating to the automatic escalation of IBM QRadar offenses to IBM Security SOAR incidents, require additional debugging and troubleshooting. This document helps you gather the right information for IBM support.
Steps
To engage IBM support, the following information is required.
Access the container
SSH into the container running the IBM Resilient application from your IBM QRadar instance, as detailed in How to retrieve logs and enable debug logging on IBM Resilient for QRadar Integration App, choosing one of the following approaches:
docker exec -ti <container-id> /bin/bash
/opt/qradar/support/qapp_utils_730.py connect <app-id>
/opt/qradar/support/recon connect <app-id> (v7.3.2 and later)
Connectivity tests
Run the following commands from the container and provide the output to IBM support:
curl -v -k https://resilient.domain.com:443
curl -v -k https://resilient.domain.com:65001
Replace resilient.domain.com with the host name of your Resilient instance.
Enable debug logging
Enable debug logging in the application as detailed in How to retrieve logs and enable debug logging on IBM Resilient for QRadar Integration App.
Reproduce the problem
Now that debug logging is enabled, reproduce the problem and gather the logs soon afterwards.
Gathering logs
The application logs can be gathered using information in How to retrieve logs and enable debug logging on IBM Resilient for QRadar Integration App.
IBM support also requires the IBM Resilient logs for the same time period, as detailed in MustGather: Collecting logs for IBM Security SOAR.
IBM QRadar on Cloud (QRoC) customers
Customers using QRoC cannot supply logs or perform connectivity tests; IBM support carries out these actions.
Collect the information that is obtainable from the IBM QRadar console: points 4, 5, 6, 7, 8, 9, 10 and 11 of the list under Information to provide IBM support.
Please provide your console ID, for example, console-xxxxx.
IBM QRadar on premises customers
Provide all of the information listed.
IBM Resilient SaaS customers
Provide all of the information except the IBM Resilient logs.
Memory issues
IBM support may ask you to gather memory data to record how much memory the container is using. Replace <CONTAINER-ID> with the container ID found in the Access the container step and <PATH> with a directory where the output file can be written:
while true; do docker stats --no-stream | grep <CONTAINER-ID> | awk -v date="$(date +%R:%S/%F)" '{print $0, date}'; sleep 5; done >> /<PATH>/stats_date.txt
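The loop above writes one docker stats line per sample with an HH:MM:SS/YYYY-MM-DD stamp appended. The shell function below, added here as an example and not part of the IBM document, reads such a stats_date.txt and reports the sample with the highest memory usage in MiB; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the stats_date.txt format: a docker stats --no-stream line
# (ID, NAME, CPU %, MEM USAGE / LIMIT, MEM %, NET I/O, BLOCK I/O, PIDS) plus the stamp.
SAMPLE_STATS='abc123def456   qapp-1001   0.50%   512.3MiB / 4GiB   12.51%   1.2MB / 3.4kB   0B / 0B   45 10:15:30/2021-04-19
abc123def456   qapp-1001   2.10%   1.75GiB / 4GiB   43.75%   1.3MB / 3.9kB   0B / 0B   47 10:15:35/2021-04-19
abc123def456   qapp-1001   0.80%   980.1MiB / 4GiB   23.93%   1.3MB / 4.1kB   0B / 0B   46 10:15:40/2021-04-19'

# peak_mem_usage [FILE]: print "<peak MiB> <stamp>" for the sample with the highest
# MEM USAGE (field 4). Reads stdin when no file is given. Hypothetical helper.
peak_mem_usage() {
  awk '
    # Convert a docker stats memory figure (B, kB, KiB, MB, MiB, GB, GiB) to MiB.
    function to_mib(s,   n, u) {
      n = s + 0                        # awk keeps the leading numeric prefix
      u = s; sub(/^[0-9.]+/, "", u)    # what remains is the unit suffix
      if (u == "GiB") return n * 1024
      if (u == "GB")  return n * 1000 * 1000 * 1000 / 1048576
      if (u == "MiB") return n
      if (u == "MB")  return n * 1000 * 1000 / 1048576
      if (u == "KiB") return n / 1024
      if (u == "kB")  return n * 1000 / 1048576
      if (u == "B")   return n / 1048576
      return -1                        # unknown unit: never becomes the peak
    }
    NF >= 15 {                         # skip partial or header lines
      m = to_mib($4)
      if (m > peak) { peak = m; when = $NF }
    }
    END { printf "%.1f %s\n", peak, when }
  ' "${1:--}"
}

# Stand-alone run against the constructed sample.
STATS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_STATS" > "$STATS_FILE"
peak_mem_usage "$STATS_FILE"           # → 1792.0 10:15:35/2021-04-19
rm -f "$STATS_FILE"
```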
Information to provide IBM support
1. Output from connectivity tests
2. Logs from the application with debug enabled
3. Logs from IBM Resilient
4. Is IBM Resilient MSSP used and configured in the application (Multiple Organization Support)?
5. Offense ID
6. The JSON of the offense ID, as detailed in How to use the QRadar REST API with the IBM Resilient application, "How to get the details of an offense"
7. Screenshots of the offense
8. The escalated Resilient incident ID, if applicable
9. Console ID for QRoC
10. IBM QRadar and application versions (QRadar console -> Admin page -> Extension Management)
11. The escalation template in use
Document Location
Worldwide
Document Information
Modified date:
19 April 2021
UID
ibm16173757