
Synchronization from SOAR to QRadar not working in a newly set up environment

Troubleshooting


Problem

In a new QRadar and SOAR integration environment, synchronization from QRadar to SOAR works fine, but actions sent from SOAR to QRadar stay in the "Pending" state.

Symptom

Check the circuits.log for the problem details.
In the circuits.log, you might see the following error message, which causes the synchronization problem:

ERROR [actions_component] STOMP listener: Error: java.lang.SecurityException: User xxx is not authorized to read from queue://actions.201.qradar_xx_xx

Cause

Possible causes:

1. The API user configured for the QRadar integration app is not authorized to access the QRadar-related message destinations.

2. The system times of the QRadar server and the SOAR server do not match.

3. The IP address of the QRadar server is not white-listed, if the SOAR organization has an IP white-list set up.

Environment

SOAR 40.0+
Plug-in 4.0+

Diagnosing The Problem

Check the circuits.log for the problem details. Refer to the documentation on how to retrieve the "circuits.log" file from the Docker container.

Resolving The Problem

Solution:

For Cause 1, follow these steps to fix the issue:

a. Log in to the SOAR web client with a Master Administrator account.

b. Go to "Customization Settings > Message Destinations".

c. Open the queue "qradar_xx_xx" and make sure the API user is listed in the "Users" field of each queue. If it is not, add it and save.
The queue qradar_<QRadar destination name modified to fit expected rule name> is the unified message queue for all of the actions processed by IBM QRadar SOAR Plugin 4.0+.

d. SSH to the QRadar server and restart the integration app's process:

- Find the Docker container ID of the SOAR integration app:

docker ps -a

- Enter the Docker container:

docker exec -ti CONTAINER_ID /bin/bash

- Find the process ID of the "run_circuits.py" process:

ps aux | grep run_circuits.py

- Kill the process:

kill -9 PID

- Wait 10 seconds, then check that the process was restarted automatically:

ps aux | grep run_circuits.py
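The five manual commands in step d can be run as one checked procedure. The script below is an added example written for this article, not IBM's code or part of the integration app. It assumes Docker runs on the QRadar host, that `ps` is available inside the container (as the article's own commands require), and that you supply a name or image pattern that matches exactly one container; the pattern, the constructed sample output in the comments and the function names are all assumptions. Unlike a bare `ps aux | grep run_circuits.py`, it excludes the grep/awk line from the PID search and verifies that a new process actually appeared after the 10-second wait.

```shell
#!/bin/sh
# Added example, not IBM's code: scripted form of step d (restart the
# run_circuits.py process inside the QRadar SOAR integration app container).
# Assumption: the container is selected by a name or image pattern that you
# supply; docker and ps are available on the QRadar host and in the container.

# Pick exactly one container ID from `docker ps` text.
# $1 = output of: docker ps -a --format '{{.ID}} {{.Image}} {{.Names}}'
# $2 = pattern matched against the image and name columns
find_container_id() {
    ids=$(printf '%s\n' "$1" | awk -v pat="$2" '$2 ~ pat || $3 ~ pat { print $1 }')
    n=$(printf '%s\n' "$ids" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one container matching '$2', found $n" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Extract the PID of run_circuits.py from `ps aux` text, ignoring the grep/awk
# line that a manual `ps aux | grep run_circuits.py` would also match.
# $1 = output of: ps aux
find_pid() {
    pid=$(printf '%s\n' "$1" | awk '/run_circuits\.py/ && !/grep|awk/ { print $2; exit }')
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Live procedure: kill run_circuits.py in the matching container, wait 10 s,
# and confirm that the app started a new copy (a PID must be present again).
restart_circuits() {
    pattern=$1
    cid=$(find_container_id "$(docker ps -a --format '{{.ID}} {{.Image}} {{.Names}}')" "$pattern") || return 1
    pid=$(find_pid "$(docker exec "$cid" ps aux)") || {
        echo "run_circuits.py is not running in container $cid" >&2
        return 1
    }
    echo "killing run_circuits.py (PID $pid) in container $cid"
    docker exec "$cid" kill -9 "$pid"
    sleep 10
    newpid=$(find_pid "$(docker exec "$cid" ps aux)") || {
        echo "run_circuits.py did not restart; check circuits.log" >&2
        return 1
    }
    echo "run_circuits.py is back with PID $newpid"
}

# Usage: sh restart_circuits.sh run CONTAINER_PATTERN
# (CONTAINER_PATTERN is a placeholder for a string found in the container's image or name.)
if [ "${1:-}" = "run" ]; then
    restart_circuits "${2:?container name or image pattern required}"
fi
```

The two parsing functions take the command output as text, so they can be checked against captured `docker ps` and `ps aux` output before the live procedure is run on the QRadar host; the live part only runs when the script is invoked with `run`.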

For Cause 2, follow these steps to fix the problem:

a. SSH to both the QRadar server and the SOAR server.

b. Check each server's system time:

$ date

c. If the two servers show different system times, adjust them to match. To set a server's time, run:

$ date --set=STRING

d. If you changed the SOAR server's time, restart the Resilient service:

$ sudo systemctl restart resilient

e. In all cases, restart the "run_circuits.py" process in the SOAR integration app container on the QRadar server. Refer to step d in the solution for Cause 1.
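Comparing the human-readable output of `date` on two hosts is error-prone: a host configured for a different time zone prints a different wall-clock time even when the clocks agree, and a small drift is easy to miss. The script below is an added example written for this article, not IBM's code; it compares the two clocks as UTC epoch seconds. It assumes you run it on one of the two servers with SSH access to the other, that REMOTE_HOST is a placeholder you replace, and that the default 5-second tolerance is a chosen value, not one taken from the article.

```shell
#!/bin/sh
# Added example, not IBM's code: compare the QRadar and SOAR clocks in UTC
# epoch seconds rather than by reading two `date` outputs side by side.
# Assumptions: run on one host with SSH access to the other; the tolerance
# (default 5 s) is an assumption for illustration.

# Absolute difference of two integers (epoch seconds).
abs_diff() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo $(( $2 - $1 )); fi
}

# Succeed (exit 0) when two epoch timestamps are within $3 seconds of each other.
clock_skew_ok() {
    [ "$(abs_diff "$1" "$2")" -le "$3" ]
}

# Live check: local clock versus the remote host's clock. `date -u +%s` is
# independent of the configured time zone, so a differently zoned host does
# not produce a false mismatch.
check_remote_skew() {
    remote=$1
    tolerance=${2:-5}
    local_now=$(date -u +%s)
    remote_now=$(ssh "$remote" date -u +%s) || return 2
    skew=$(abs_diff "$local_now" "$remote_now")
    if clock_skew_ok "$local_now" "$remote_now" "$tolerance"; then
        echo "clocks agree within ${tolerance}s (skew ${skew}s)"
    else
        echo "clock skew of ${skew}s exceeds ${tolerance}s; align the time, then restart run_circuits.py" >&2
        return 1
    fi
}

# Usage: sh check_skew.sh run REMOTE_HOST [TOLERANCE_SECONDS]
# (REMOTE_HOST is a placeholder for the other server's host name or IP address.)
if [ "${1:-}" = "run" ]; then
    check_remote_skew "${2:?remote host required}" "${3:-5}"
fi
```

Run it from the SOAR server against the QRadar server (or the reverse) before and after adjusting the time; a non-zero exit status means the clocks still differ by more than the tolerance and the restart in step e is not yet worthwhile.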

For Cause 3, follow these steps to fix the issue:

a. Log in to the SOAR web client and go to "Administrator Settings > Network".

b. Check whether any permitted IP addresses are listed on this page.

c. If there are, make sure the QRadar server's IP address is also listed.

Document Location

Worldwide


Document Information

Modified date:
03 July 2023

UID

ibm16612219