IBM Support

QRadar SOAR: QRadar Plug-in v5.x - Escalation of offenses to cases does not occur - rule problems

Troubleshooting


Problem

Offenses in QRadar are not escalated to IBM Security QRadar SOAR or Cloud Pak for Security because of a problem with the steps outlined in Configuring access to the inbound destinations.

Symptom

Offenses are not escalated and cases are not created.

Cause

If the three rules are not present in QRadar or not enabled, the plug-in does not function as expected.

Environment

Version 5.x of the plug-in with the versions of QRadar SIEM and SOAR or CP4S that support it.

Diagnosing The Problem

There are three rules that are created in QRadar when the IBM QRadar SOAR Plugin 5.x Content Pack is installed. These rules are:
  • OffenseCreated
  • OffenseModified
  • OffenseClosed
If these rules are not present or are not enabled, the plug-in does not function as expected. The following image shows that one of the rules is not enabled.
[Image: rules list showing one of the three rules not enabled]
Disabling the rule OffenseModified means that the rule is not invoked. In turn, the QRadar console does not send a message to the SOAR or CP4S inbound destination. If no message is created for the modified offense, the plug-in is not aware of the modification, and the associated case is not updated, or it is not created.
The same logic applies to the other rules, OffenseCreated and OffenseClosed. If either of these rules is disabled or not present:
  1. Cases are not created in the first place.
  2. Cases are not closed when the associated offense is closed.

Resolving The Problem

First, check that IBM QRadar SOAR Plugin 5.x Content Pack is installed.
Second, check that the rules created by the installation of the content pack are enabled.
  • OffenseCreated
  • OffenseModified
  • OffenseClosed
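As an added example (not part of this IBM document or of the plug-in itself), the following Python script automates the check above: it reads rule objects in the shape returned by the QRadar REST API (GET /api/analytics/rules, authenticated with a SEC authorized-service token, both assumed here) and reports whether each of the three content-pack rules is present and enabled. A constructed sample response reproduces the page's scenario, OffenseModified disabled, so the check runs offline.

```python
"""Check that the three QRadar rules the SOAR plug-in relies on exist and are enabled."""
import json
import urllib.request

# The three rules created by the IBM QRadar SOAR Plugin 5.x Content Pack.
REQUIRED_RULES = ("OffenseCreated", "OffenseModified", "OffenseClosed")


def check_plugin_rules(rules):
    """Map each required rule name to 'enabled', 'disabled' or 'missing'.

    `rules` is a list of rule objects as returned by GET /api/analytics/rules;
    only the 'name' and 'enabled' fields are consulted.
    """
    by_name = {r.get("name"): r for r in rules}
    status = {}
    for name in REQUIRED_RULES:
        rule = by_name.get(name)
        if rule is None:
            status[name] = "missing"
        elif rule.get("enabled") is True:
            status[name] = "enabled"
        else:
            status[name] = "disabled"
    return status


def escalation_can_work(status):
    """True only when every required rule is present and enabled."""
    return all(state == "enabled" for state in status.values())


def fetch_rules(console_host, sec_token):
    """Fetch rule objects from a QRadar console (network call; not used in the demo).

    Assumption: the token is an authorized-service token allowed to read rules.
    """
    url = f"https://{console_host}/api/analytics/rules?fields=name,enabled"
    req = urllib.request.Request(url, headers={"SEC": sec_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verification stays on
        return json.load(resp)


# Constructed sample response, trimmed to the fields used above; mirrors the
# page's scenario in which OffenseModified has been disabled.
SAMPLE_RULES = [
    {"id": 101, "name": "OffenseCreated", "enabled": True},
    {"id": 102, "name": "OffenseModified", "enabled": False},
    {"id": 103, "name": "OffenseClosed", "enabled": True},
    {"id": 104, "name": "Some Unrelated Rule", "enabled": True},
]

if __name__ == "__main__":
    result = check_plugin_rules(SAMPLE_RULES)
    for name, state in result.items():
        print(f"{name}: {state}")
    print("escalation OK" if escalation_can_work(result) else "escalation will NOT work")
```

Against a live console, replace `SAMPLE_RULES` with `fetch_rules("<console>", "<token>")`; any rule reported as missing means the content pack is not installed, and any reported as disabled must be re-enabled before offenses escalate.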

Document Location

Worldwide


Document Information

Modified date:
27 June 2023

UID

ibm16997907