IBM Support

QRadar SOAR: offense_source values not correct with QRadar plug-in v5.0.0

Troubleshooting


Problem

In v5.0.0 of the plug-in, templates that were configured to copy the offense source IP address (offense.offense_source) into incident fields such as incident.name no longer show the correct IP address.

Symptom

If your templates in the v5.0.0 plug-in are configured in such a way that offense.offense_source is added to incident.name when the incident is created, the value in that field is not the IP address you expect. For example, with the template line
"name": "QRadar ID {{offense.id}} , {{offense.description}} - {{offense.offense_source}}",
the IP address is replaced by a number that starts with "-", such as "-1062729210". The number changes depending on the value in the offense.

Cause

Previous versions of the plug-in called the QRadar API to read the offense. v5.0.0 instead reads the messages that the QRadar console server adds to the inbound destination on SOAR. The data in those messages is formatted differently from the API response, which is why the values that end up in the incident are different.

Environment

v5.0.0 of the QRadar SOAR plug-in

Diagnosing The Problem

  1. Do the incidents created for escalated offenses show values that do not match the actual offense source IP address, as described above?
  2. Check your template to see whether you are mapping offense.offense_source to an incident field such as incident.name.
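The following Python example is added here to make the format difference described under Cause concrete and to give a practical check for step 2 above; it is not code from the plug-in or from IBM. It assumes, which this page does not state, that the number appearing in the incident name is the IPv4 address of the offense source encoded as a two's-complement signed 32-bit integer, a common way of storing addresses in integer fields. Under that assumption the page's example value -1062729210 decodes to 192.168.10.6; comparing the decoded address with the source IP shown in the QRadar console for the same offense confirms or refutes the assumption for your environment. The two offense payloads and the render_template helper are constructed for the example and stand in for the real template engine.

```python
import re
from ipaddress import IPv4Address

# Constructed sample payloads for the same offense (not captured from QRadar).
# Assumption: the API-style response carries offense_source as a dotted string,
# while the inbound-destination message carries it as a signed 32-bit integer.
OFFENSE_API_STYLE = {
    "id": 1234,
    "description": "Suspicious login",
    "offense_source": "192.168.10.6",
}
OFFENSE_INBOUND_STYLE = {
    "id": 1234,
    "description": "Suspicious login",
    "offense_source": -1062729210,  # the shape of value reported on this page
}

# The incident.name template quoted in the Symptom section.
NAME_TEMPLATE = "QRadar ID {{offense.id}} , {{offense.description}} - {{offense.offense_source}}"


def signed32_to_ipv4(value: int) -> str:
    """Decode an IPv4 address stored as a 32-bit integer.

    Negative values are read as two's-complement (signed 32-bit); values in
    0..2**32-1 are taken as-is. Anything outside that range is not an address.
    """
    if not -(2 ** 31) <= value <= 2 ** 32 - 1:
        raise ValueError(f"{value} is not a 32-bit IPv4 address representation")
    return str(IPv4Address(value & 0xFFFFFFFF))


def ipv4_to_signed32(address: str) -> int:
    """Inverse of signed32_to_ipv4: dotted quad -> signed 32-bit integer."""
    unsigned = int(IPv4Address(address))
    return unsigned - 2 ** 32 if unsigned >= 2 ** 31 else unsigned


def normalize_offense_source(value):
    """Return offense_source as a dotted quad when it arrives as an integer.

    QRadar offense sources are not always IP addresses (the source depends on
    the offense type), so strings that are not plain integers are left as-is.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return signed32_to_ipv4(value)
    if isinstance(value, str) and re.fullmatch(r"-?\d+", value.strip()):
        return signed32_to_ipv4(int(value))
    return value


def render_template(template: str, offense: dict) -> str:
    """Minimal stand-in for the plug-in's template rendering (constructed here):
    substitutes {{offense.<field>}} placeholders from the offense dict."""
    def substitute(match):
        field = match.group(1)
        return str(offense[field]) if field in offense else match.group(0)
    return re.sub(r"\{\{\s*offense\.(\w+)\s*\}\}", substitute, template)


def render_incident_name(template: str, offense: dict) -> str:
    """Render the incident name after normalizing offense_source."""
    fixed = dict(offense)
    fixed["offense_source"] = normalize_offense_source(offense.get("offense_source"))
    return render_template(template, fixed)


if __name__ == "__main__":
    print("raw v5.0.0 message :", render_template(NAME_TEMPLATE, OFFENSE_INBOUND_STYLE))
    print("normalized         :", render_incident_name(NAME_TEMPLATE, OFFENSE_INBOUND_STYLE))
    print("API-style payload  :", render_incident_name(NAME_TEMPLATE, OFFENSE_API_STYLE))
```

Running the block shows the raw v5.0.0 message rendering the name with "-1062729210" and the normalized rendering producing the same name as the API-style payload. The normalization is shown only to make the difference visible and checkable; this page states that there is no supported work-around for v5.0.0.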

Resolving The Problem

Currently, there is no work-around, but we are working on a fix for the plug-in.
If you want to roll back to v4.1.0 in the meantime, follow these steps.
  1. Download the logs
  2. Open the zip file and check that your configuration and templates are present
  3. If any templates are missing, download them from the list of templates under the heading Template Files
  4. Uninstall the plug-in v5.0.0
  5. Install the plug-in v4.1.0 using extension management
  6. Follow the documented steps to install and configure the plug-in
  7. Upload your templates and configure the escalation workflow
  8. Check that incidents are created with the correct values

Document Location

Worldwide

Applies to: IBM Security QRadar SOAR (Integrations > QRadar app); IBM Security QRadar SOAR on Cloud (Integrations > QRadar app); IBM Cloud Pak for Security (Support > Cases). Platform Independent, All Versions.

Document Information

Modified date:
31 May 2023

UID

ibm16991201