IBM Support

QRadar SOAR: QRadar Plug-in v3.5 and v4 - order by which the plug-in escalates offenses

Troubleshooting


Problem

Offenses might not be escalated to incidents or cases as quickly as expected when several offenses are created or updated at the same time.

Symptom

Incidents or cases might not be created as quickly as expected.

Cause

The plug-in escalates offenses in order of offense ID, with the oldest (lowest ID) offenses escalated first. This logic ensures that incidents are created in ascending numerical order, starting from the oldest offense ID and ending with the latest.

Diagnosing The Problem

The following plug-in log lines show that fifteen offenses were updated during the current poll:
2023-07-10 09:09:03,142 INFO [qradar_poll_handler] Last poll: 2023-07-10 11:54:35.000000;  Config Change: 2023-07-03 16:28:59.602058, UTC Time;  Last max offense ID: 1000.
2023-07-10 09:09:04,041 INFO [qradar_poll_handler] These offenses have been updated since last poll: ['9999', '8888', '7777', '6666', '5555', '4444', '3333', '2222', '2221', '2220', '2111', '2110', '2000', '1999', '1111']
Thirteen minutes passed while the plug-in was busy processing the fourteen older offenses, which involved escalating them or adding artifacts to their associated incidents. Only then was the latest offense ID processed and an incident created:
2023-07-10 09:22:11,700 INFO [qradar_poll_handler] Offense 9999 matched escalation rule number 1.
2023-07-10 09:22:16,138 INFO [resilient_helpers] No existing incident found
2023-07-10 09:22:34,093 INFO [actions_component] Event: <qradar_note_for_qradar_<DESTINATION_NAME>[] (id=20, workflow=None, user=<API KEY>) 2023-07-10 12:22:29.986000> Channel: actions.qradar_<DESTINATION_NAME>
2023-07-10 09:22:37,020 INFO [qradar_api_client] QRadarAPIClient.create_offense_note(): Successfully created note [{'note_text': 'Case created in SOAR: https://<FQDN>#inc*** 'create_time': 1688991757007, '*** 'username': 'API_token: <API_KEY_NAME>'}] for offense [9999].
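To check this behaviour in your own plug-in logs, the following added example (not code from the IBM page or from the plug-in) parses the poll line and the "matched escalation rule" lines, reproduces the ascending-offense-ID processing order described above, and reports how long each offense waited after the poll that found it. The log format is assumed to match the lines shown on this page; the offense 1111 line in the sample is constructed.

```python
# Added example: reproduce the v3.5/v4 poller's processing order from its log
# lines and measure the lag between the poll and each offense's escalation.
import ast
import re
from datetime import datetime
from typing import Dict, List, Optional

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
POLL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[qradar_poll_handler\] "
    r"These offenses have been updated since last poll: (?P<ids>\[.*\])$"
)
MATCH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[qradar_poll_handler\] "
    r"Offense (?P<id>\d+) matched escalation rule number (?P<rule>\d+)\.$"
)


def processing_order(ids: List[str]) -> List[str]:
    """Oldest (lowest) offense ID first, as the v3.5/v4 plug-in processes them."""
    return sorted(ids, key=int)


def escalation_lag(log_lines: List[str]) -> Dict[str, dict]:
    """Map offense ID -> {'queue_position': n, 'lag_seconds': s or None}."""
    poll_ts: Optional[datetime] = None
    result: Dict[str, dict] = {}
    for line in log_lines:
        m = POLL_RE.match(line)
        if m:  # a new poll resets the queue
            poll_ts = datetime.strptime(m["ts"], TS_FMT)
            order = processing_order(ast.literal_eval(m["ids"]))
            result = {oid: {"queue_position": i + 1, "lag_seconds": None}
                      for i, oid in enumerate(order)}
            continue
        m = MATCH_RE.match(line)
        if m and poll_ts is not None and m["id"] in result:
            lag = datetime.strptime(m["ts"], TS_FMT) - poll_ts
            result[m["id"]]["lag_seconds"] = lag.total_seconds()
    return result


# Constructed sample: the poll line and the offense 9999 line are the page's own
# log entries; the offense 1111 line is invented to show the oldest ID going first.
SAMPLE_LOG = [
    "2023-07-10 09:09:04,041 INFO [qradar_poll_handler] These offenses have been updated since last poll: ['9999', '8888', '7777', '6666', '5555', '4444', '3333', '2222', '2221', '2220', '2111', '2110', '2000', '1999', '1111']",
    "2023-07-10 09:09:10,500 INFO [qradar_poll_handler] Offense 1111 matched escalation rule number 1.",
    "2023-07-10 09:22:11,700 INFO [qradar_poll_handler] Offense 9999 matched escalation rule number 1.",
]

if __name__ == "__main__":
    for oid, info in escalation_lag(SAMPLE_LOG).items():
        print(oid, info)
```

Offenses that never produce a "matched escalation rule" line keep a lag of None, which is what you would expect for updated offenses that only received artifacts.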

Resolving The Problem

The perceived delay in the escalation of offenses is by design, and there is no resolution in v4.
In version 5 of the plug-in, the architecture is different. Instead of using a poller to pull offenses from QRadar, the app relies on QRadar to push the offense candidates to an internal SOAR queue for case creation. You might see improvements in performance and reliability as a result of this change.
There are prerequisites you must be aware of before you consider upgrading. Ensure that you read the documentation thoroughly: https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-soar-plug-in-app

Document Location

Worldwide

Document Information

Modified date:
17 July 2023

UID

ibm17012453