IBM Support

"Offense with id xxxx not found" when trying to escalate an offense to SOAR

Troubleshooting


Problem

A nonadmin user in QRadar might see "Offense with id xxxx not found" when manually escalating an offense to IBM QRadar SOAR. The incident is not created.

Symptom

The user sees a pop-up in the QRadar console, "Offense with id xxxx not found."
The plug-in's app.log shows the following entries.
2022-06-24 12:26:27,509 [Thread-11698] [ERROR] [APP_ID:1401] [NOT:0000003000] GET api/config/domain_management/domains/0 failed. Endpoint returned [404].
2022-06-24 12:28:13,534 [Thread-11702] [INFO] [APP_ID:1401] [NOT:0000006000] endpoint is config.get_escalate_button_data
Using the QRadar Interactive API, queries to the /domain_management/0 endpoint fail for nonadmin users but work for users with an admin security profile.

Cause

The user in question is not an admin user and the domain_id of 0 refers to the "default domain." Restrictions in place within QRadar stop a nonadmin user from being able to query "default domain" and "all domains."

Diagnosing The Problem

Using the QRadar Interactive API, try calling the domain_management/0 endpoint to see whether QRadar returns the same HTTP 404 that appears in the plug-in's app.log. Run the test as a nonadmin user and as an admin user. Are there differences in the response codes, for example 404 versus 200?
Check your domains within QRadar. Do you have other domains? Can the nonadmin user access the endpoint to query those domains by using the Interactive API?
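To find every affected lookup in a longer app.log, the following added example (not part of the IBM plug-in or of this article's original text) scans log lines in the format shown under Symptom and reports which domain IDs failed and with which status code. The function names and the sample lines marked as constructed are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the failure line format shown in the plug-in's app.log under Symptom.
FAILED_GET = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] \[ERROR\] \[APP_ID:(?P<app_id>\d+)\] .*?"
    r"GET api/config/domain_management/domains/(?P<domain_id>\d+) failed\. "
    r"Endpoint returned \[(?P<status>\d{3})\]"
)

def find_domain_lookup_failures(lines):
    """Return one dict per failed domain lookup found in app.log lines."""
    hits = []
    for line in lines:
        m = FAILED_GET.search(line)
        if not m:
            continue  # INFO lines and unrelated errors are skipped
        hit = m.groupdict()
        hit["domain_id"] = int(hit["domain_id"])
        hit["status"] = int(hit["status"])
        # Domain 0 is the "default domain"; a 404 on it is the case this article describes.
        hit["matches_article"] = hit["domain_id"] == 0 and hit["status"] == 404
        hits.append(hit)
    return hits

def summarize(hits):
    """Count failures per (domain_id, status) pair."""
    return Counter((h["domain_id"], h["status"]) for h in hits)

# The first two lines are the ones quoted in this article; the last two are
# constructed sample lines in the same format.
SAMPLE_LOG = """\
2022-06-24 12:26:27,509 [Thread-11698] [ERROR] [APP_ID:1401] [NOT:0000003000] GET api/config/domain_management/domains/0 failed. Endpoint returned [404].
2022-06-24 12:28:13,534 [Thread-11702] [INFO] [APP_ID:1401] [NOT:0000006000] endpoint is config.get_escalate_button_data
2022-06-24 12:31:02,118 [Thread-11710] [ERROR] [APP_ID:1401] [NOT:0000003000] GET api/config/domain_management/domains/0 failed. Endpoint returned [404].
2022-06-24 12:35:40,902 [Thread-11715] [ERROR] [APP_ID:1401] [NOT:0000003000] GET api/config/domain_management/domains/2 failed. Endpoint returned [404].
"""

if __name__ == "__main__":
    failures = find_domain_lookup_failures(SAMPLE_LOG.splitlines())
    for (domain_id, status), count in sorted(summarize(failures).items()):
        print(f"domain {domain_id}: HTTP {status} x{count}")
```

Failures on domain IDs other than 0 point at the second diagnostic question above: whether the nonadmin user can query the other domains at all.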

Resolving The Problem

Consider creating a domain to use instead of "default domain" or "all domains." This way you can provide privileges for nonadmin users to access the domain. The plug-in then does not receive an HTTP 404 from QRadar when the user attempts to escalate the offense, because that user has privileges to that domain, and the incident is created in IBM QRadar SOAR.
If you are unsure as to what to do or what is best for you, engage IBM QRadar support by opening a support case.

Document Location

Worldwide


Document Information

Modified date:
13 July 2022

UID

ibm16601557