IBM Support

QRadar Risk Manager: How do I populate the risk tab's connection graph

Troubleshooting


Problem

When you open Connections in the Risk tab, the Connection graph is blank.

Symptom

Look within /var/log/qradar.log or /var/log/qradar.error for messages referencing simArc issues on your QRM host.

Cause

If you have no data in the simArc directory, then nothing is created for the connections graph. The Connections screen displays simArc data, which is built from the flows and firewall events generated at the event processor.

Diagnosing The Problem

  1. Click the Risk tab.
  2. Click Connections.
  3. View the Connection Graph.
  4. SSH to the Console as the root user.
  5. From the Console, SSH to the QRM host.
  6. Display the contents of the simArc directory by using the command:
       ls /store/ariel/simarc

Results: The Connections Graph is blank, and the simArc directory has no data.

Resolving The Problem

Note: Connections are built only for the default domain. The Connections graph for Multi-tenant is unsupported.

Connections Graph is blank

If you have no data, then nothing is created for the connections graph. The Connections screen displays simArc data, built from the flows and firewall events generated at the event processor. These simArc connections represent bidirectional flows (local at either src or dst), which are aggregated based on src, dst, protocol, destination port, and allowDeny. The allowDeny field is true for an arc constructed from a flow; arcs can also be constructed from firewall events, in which case they indicate a denied connection attempt. If arcs are based on events, the device ID and event count are also appended.

Flows not translating to arcs

If you find that flows are not being translated to arcs, check that the flows are bidirectional and that they either originate from or are destined for the customer network, or both (Local to Local, L2L). Also ensure that the flows refer to open ports on known assets.

No Data in the simArc directory

If there is no data in the simArc directory on QRM, the issue is usually related to where the data is being sent. SSH to the Event Processor that receives the firewall events and check the same directory there by using the command:

ls /store/ariel/simarc

Check whether there is data in the Event Processor's local simarc directory. If there is no data there, then it is not a QRM-related issue: the Event Processor has produced no simArc data, so there is nothing to copy. The Event Processor's /store/ariel/simarc directory is copied to QRM's /store/ariel/simarc directory. If there is data in the QRM simarc directory, QRM uses it to create connection views, and the Connections graph displays results.
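The checks in this article (list the simArc directory on the Event Processor and on QRM, and look for simArc messages in the QRadar logs) gathered into one script, as an added example that is not part of IBM's documentation or of the QRadar product. It assumes only the default paths named above (/store/ariel/simarc, /var/log/qradar.log, /var/log/qradar.error) and makes no assumption about the simArc file format: it reports whether non-empty files exist, when they were last written, and how often the logs mention simArc. Run it on the Event Processor first and then on the QRM host; the host where the non-empty file count drops to zero is where the data stops.

```shell
#!/bin/sh
# Added example, not IBM's script: summarise simArc state on the host it runs on.
# Paths default to the ones named in the article; override via the environment.
SIMARC_DIR="${SIMARC_DIR:-/store/ariel/simarc}"
QRADAR_LOG="${QRADAR_LOG:-/var/log/qradar.log}"
QRADAR_ERROR_LOG="${QRADAR_ERROR_LOG:-/var/log/qradar.error}"

# simarc_file_count DIR: number of regular, non-empty files under DIR (recursive).
# Prints 0 when DIR is missing, so "no directory" and "empty directory" both
# read as "no simArc data" to the caller.
simarc_file_count() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -type f -size +0c 2>/dev/null | wc -l | tr -d ' '
}

# simarc_has_data DIR: exit 0 if at least one non-empty file exists, 1 otherwise.
simarc_has_data() {
    [ "$(simarc_file_count "$1")" -gt 0 ]
}

# simarc_log_hits LOGFILE: number of lines in LOGFILE mentioning simArc
# (case-insensitive, so "SimArc" and "simarc" both count). Prints 0 if the
# file does not exist; grep -c exits 1 on zero matches, hence the || true.
simarc_log_hits() {
    log="$1"
    [ -f "$log" ] || { echo 0; return; }
    grep -ci 'simarc' "$log" || true
}

# simarc_report: one-screen summary for this host. Newest files are listed
# first, so a copy to QRM that stopped some time ago shows up as stale
# timestamps rather than as an empty directory.
simarc_report() {
    count="$(simarc_file_count "$SIMARC_DIR")"
    echo "host=$(uname -n) simarc_dir=$SIMARC_DIR nonempty_files=$count"
    if [ "$count" -gt 0 ]; then
        ls -lt "$SIMARC_DIR" | head -n 10
    else
        echo "no simArc data on this host"
    fi
    echo "simArc mentions: $QRADAR_LOG=$(simarc_log_hits "$QRADAR_LOG")" \
         "$QRADAR_ERROR_LOG=$(simarc_log_hits "$QRADAR_ERROR_LOG")"
    if [ -f "$QRADAR_ERROR_LOG" ]; then
        # Last few simArc-related error lines, if any.
        grep -i 'simarc' "$QRADAR_ERROR_LOG" | tail -n 5
    fi
}

simarc_report
```

Compare the `nonempty_files` value and the newest timestamp between the Event Processor and QRM: zero on the Event Processor means the arcs were never built (check the flow and firewall event criteria above), zero on QRM alone means the copy from the Event Processor is the problem.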

Document Location

Worldwide


Document Information

Modified date:
06 January 2021

UID

ibm16211857