Troubleshooting IBM QRadar SOAR Plug-in app

The following information can help you identify and resolve common problems in the IBM® QRadar® SOAR Plug-in app.

You can also download configuration files and log files to your local computer. For more information, see Downloading log and configuration files.

Automatic escalations are not working as expected

QRadar offenses are not automatically escalated to SOAR.

The app.log and circuits.log files show messages similar to this one that indicate an authentication problem.

User <API KEY> is unauthorized to access <resource>
The following issues can cause this problem.
Issue Solution

The API Key is locked or expired.

To resolve this issue, log in to SOAR and regenerate the API Key secret or create a new key. For more information, see the An app using an API key cannot connect to IBM Security QRadar SOAR technote.

The IP address is banned in SOAR.

For more information about how to resolve this issue, see the How to solve the integration app failure with expired API key technote.

The API Key for the MSSP was not pushed to the SOAR child organizations.
To resolve this issue, follow these steps:
  1. Log in to SOAR.
  2. In the configuration organization, go to the Administrator Settings > Users tab.
  3. Make sure that the API key for the QRadar SOAR Plug-in app is assigned to the child organizations.
  4. Go to the Administrator Settings > Configuration Push menu, and click Push Configuration.
To verify the system status, follow these steps:
  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  3. On the Status tab, click Test connection.
  4. Wait a few seconds for the test to complete, and then click Refresh status.

Internal server error appears when you try to verify the app configuration

You configure the QRadar SOAR Plug-in app, but when you click Verify and Configure, the app fails and shows Internal Server Error.

This problem occurs because the getcert.sh script cannot run in QRadar.

To resolve this issue, copy the CA certificates to the QRadar Console. For more information, see Configuring access to the inbound destinations.

QRadar Console shows a timeout error

The following message appears in the QRadar Console browser window:
Error: Call to escalateURL has timed out

This problem can occur when the SOAR API call takes longer to complete than the QRadar Console timeout period.

To resolve this issue, increase the SOAR timeout value from the default value of 30 seconds. Increasing this value allows more time for the SOAR API call to complete.
Note: In some cases, this message appears in the QRadar interface, even though the API call completes successfully. You cannot change the timeout value for the QRadar interface.

Cannot find the case in SOAR

The QRadar SOAR Plug-in app creates a case, but you see the following error message when you try to view the case in SOAR. 
Error: Unable to find object with ID xxxxx

Verify that you are logged in to the same SOAR organization as what is configured in the QRadar SOAR Plug-in app.

To view the organization that is configured in the app, follow these steps:
  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.

    You can see the organization on the Access tab, in the Organization Name field.

Error message indicates that domains cannot be scripted

A window appears with the following error message: 'QRadarDomain' object is not scriptable.

To resolve this problem, remap the QRadar domains and SOAR child organizations. For more information, see Configuring the QRadar SOAR Plug-in app.

Installation issues in air gapped environments

Issues with installations and upgrades in air gapped environments might be caused by configuration issues.

After you upgrade, ensure that you provide all of the required configuration information. For more information, see Configuration.

If the docker container logs contain this message, you can ignore it as the application container is eventually built.
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection 
broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f624e6a3080>, 
'Connection to pypi.org timed out. (connect timeout=15)')': /simple/argparse/

QRadar SOAR Plug-in connection status is Conflict

The SOAR Connection Status shows the status of the last connection test for the SOAR inbound destination from IBM QRadar.

If the connection shows a Conflict status, ensure that the access to the inbound destination is configured correctly. For more information, see Configuring access to the inbound destinations.

After you configure the inbound destination, follow these steps to reestablish the connection to the inbound destination.
  1. In the IBM QRadar SOAR Plugin configuration, click the Status tab.
  2. Click Action > Delete connection.
  3. On the Access tab, click Save.

App continues to monitor an older inbound message queue

After you reconfigure the QRadar SOAR Plug-in app to connect to a new instance of IBM Security SOAR Platform or SOAR for IBM Cloud Pak® for Security, the app continues to process messages from the inbound message queue from previous configuration.

To resolve this issue, follow these steps to clear the old message queue configuration.
  1. On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.
  2. On the Status tab, click Action, and then click Delete Connection.
  3. On the Access tab, click Verify and configure, and then click Save.

Offense escalation takes longer than usual

When QRadar generates a higher volume of offenses, it might take longer than usual for the offenses to be escalated to SOAR.

This problem may be caused when the maximum number of execution threads are in use. To avoid this problem, increase the number of execution threads that are available. For more information, see Configuring the QRadar SOAR Plug-in app.

Bad gateway error when you verify the configuration

If you receive a Bad Gateway error when you verify the app configuration, confirm that the SOAR API Key is up to date.

If you are connecting the app to a SOAR for IBM Cloud Pak for Security instance, confirm that the API Key is still valid and that it allows permissions to the right organizations. You might need to create a new API key and push the configuration changes.

For more information about the API Key permissions, see Minimum system requirements.

Performance is not near real-time

You may experience delays creating new offenses.

There are several factors which may cause delays:
  • Network disconnects between QRadar and SOAR.
  • High performance demands in either QRadar or SOAR.
  • Large bursts of messages that are processed at the same time.

This problem might also be caused when the number of execution threads within the plug-in are unable to simultaneously handle the high number of offense updates. To avoid this problem, you can increase the number of execution threads that are available. For more information, see Configuring the QRadar SOAR Plug-in app.

If this condition persists, open a Support ticket to have an IBM Support analyst review your environment.