Troubleshooting IBM QRadar SOAR Plug-in app
The following information can help you identify and resolve common problems in the IBM® QRadar® SOAR Plug-in app.
You can also download configuration files and log files to your local computer. For more information, see Downloading log and configuration files.
Automatic escalations are not working as expected
QRadar offenses are not automatically escalated to SOAR.
The app.log and circuits.log files show messages similar to this one that indicate an authentication problem.
User <API KEY> is unauthorized to access <resource>
Issue | Solution |
---|---|
The API Key is locked or expired. |
To resolve this issue, log in to SOAR and regenerate the API Key secret or create a new key. For more information, see the An app using an API key cannot connect to IBM Security QRadar SOAR technote. |
The IP address is banned in SOAR. |
For more information about how to resolve this issue, see the How to solve the integration app failure with expired API key technote. |
The API Key for the MSSP was not pushed to the SOAR child organizations. |
To resolve this issue, follow these steps:
|
- Log in to the QRadar Console as an administrator.
- On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
- On the Status tab, click Test connection.
- Wait a few seconds for the test to complete, and then click Refresh status.
Internal server error appears when you try to verify the app configuration
You configure the QRadar SOAR Plug-in app, but when you click Verify and Configure, the app fails and shows Internal Server Error.
This problem occurs because the getcert.sh script cannot run in QRadar.
To resolve this issue, copy the CA certificates to the QRadar Console. For more information, see Configuring access to the inbound destinations.
QRadar Console shows a timeout error
Error: Call to escalateURL has timed out
This problem can occur when the SOAR API call takes longer to complete than the QRadar Console timeout period.
Cannot find the case in SOAR
Error: Unable to find object with ID xxxxx
Verify that you are logged in to the same SOAR organization as what is configured in the QRadar SOAR Plug-in app.
- Log in to the QRadar Console as an administrator.
- On the Admin tab, in the IBM QRadar SOAR Plugin
section, click Configuration.
You can see the organization on the Access tab, in the Organization Name field.
Error message indicates that domains cannot be scripted
A window appears with the following error message: 'QRadarDomain' object is not scriptable.
To resolve this problem, remap the QRadar domains and SOAR child organizations. For more information, see Configuring the QRadar SOAR Plug-in app.
Installation issues in air gapped environments
Issues with installations and upgrades in air gapped environments might be caused by configuration issues.
After you upgrade, ensure that you provide all of the required configuration information. For more information, see Configuration.
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f624e6a3080>, 'Connection to pypi.org timed out. (connect timeout=15)')': /simple/argparse/
QRadar SOAR Plug-in connection status is Conflict
The SOAR Connection Status shows the status of the last connection test for the SOAR inbound destination from IBM QRadar.
If the connection shows a Conflict status, ensure that the access to the inbound destination is configured correctly. For more information, see Configuring access to the inbound destinations.
- In the IBM QRadar SOAR Plugin configuration, click the Status tab.
- Click .
- On the Access tab, click Save.
App continues to monitor an older inbound message queue
After you reconfigure the QRadar SOAR Plug-in app to connect to a new instance of IBM Security SOAR Platform or SOAR for IBM Cloud Pak® for Security, the app continues to process messages from the inbound message queue from previous configuration.
- On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
- On the Status tab, click Action, and then click Delete Connection.
- On the Access tab, click Verify and configure, and then click Save.
Offense escalation takes longer than usual
When QRadar generates a higher volume of offenses, it might take longer than usual for the offenses to be escalated to SOAR.
This problem may be caused when the maximum number of execution threads are in use. To avoid this problem, increase the number of execution threads that are available. For more information, see Configuring the QRadar SOAR Plug-in app.
Bad gateway error when you verify the configuration
If you receive a Bad Gateway error when you verify the app configuration, confirm that the SOAR API Key is up to date.
If you are connecting the app to a SOAR for IBM Cloud Pak for Security instance, confirm that the API Key is still valid and that it allows permissions to the right organizations. You might need to create a new API key and push the configuration changes.
For more information about the API Key permissions, see Minimum system requirements.
Performance is not near real-time
You may experience delays creating new offenses.
- Network disconnects between QRadar and SOAR.
- High performance demands in either QRadar or SOAR.
- Large bursts of messages that are processed at the same time.
This problem might also be caused when the number of execution threads within the plug-in are unable to simultaneously handle the high number of offense updates. To avoid this problem, you can increase the number of execution threads that are available. For more information, see Configuring the QRadar SOAR Plug-in app.
If this condition persists, open a Support ticket to have an IBM Support analyst review your environment.