IBM Support

Closing an incident in IBM Resilient fails to close the offense in IBM QRadar

Troubleshooting


Problem

When you close an incident in IBM Resilient, the IBM QRadar offense that is associated with that incident is not closed.

Symptom

When you close an incident in IBM Resilient, the action status in the IBM Resilient UI might show the action as "Pending".
 
When you check the logs within the container that runs the IBM Resilient/QRadar application (see "What information is required when engaging support for IBM QRadar/Resilient application problems?"), the app.log shows that closing reasons are missing from IBM QRadar:
127.0.0.1 [APP_ID/1101][NOT:0000006000][INFO] Closing reasons missing from QRadar: [Unresolved]

Cause

When the offense is closed, a closing reason is provided. If the Resolution of the Incident matches a Closing Reason in IBM QRadar, that reason is used. If the Incident Resolution is not a closing reason in IBM QRadar, then a “Policy Violation” default is used. For this reason, it is advised that you configure the custom Closing Reasons in IBM QRadar and Resolution IDs in IBM Resilient to match.

Diagnosing The Problem

The following image shows that the integration identifies any Resolution ID values in the IBM Resilient platform that do not have a corresponding Closing Reason in IBM QRadar.

Go to the IBM Resilient application within the IBM QRadar console. In the Preferences tab, select the "close Offense when the Incident closes" option. Next, click Verify and configure. An error is displayed:

image 4889

The screen capture shows a red warning message stating that closing reasons that exist in IBM Resilient do not exist in IBM QRadar.

Resolving The Problem

Go to IBM QRadar Console -> Admin -> Custom Offense Close Reasons, and make sure that all the closing reasons that are set up in IBM Resilient are also added to IBM QRadar.
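
The following Python sketch is an added example, not IBM or application code. It reads the missing names out of app.log lines like the one shown under Symptom and lists which IBM Resilient resolutions still need a matching closing reason in IBM QRadar, applying the "Policy Violation" fallback described under Cause. All sample data is constructed; exact-name matching, comma-separated names in the log line, and ignoring deleted reasons are assumptions.

```python
import re

DEFAULT_REASON = "Policy Violation"  # fallback named in the Cause section
MISSING_RE = re.compile(r"Closing reasons missing from QRadar: \[(.*)\]")

# Constructed sample data. QRADAR_REASONS follows the id/text/is_deleted shape
# returned by QRadar's /api/siem/offense_closing_reasons endpoint.
SAMPLE_LOG = [
    "127.0.0.1 [APP_ID/1101][NOT:0000006000][INFO] Closing reasons missing from QRadar: [Unresolved]",
    "127.0.0.1 [APP_ID/1101][NOT:0000006000][INFO] Some unrelated message",
]
RESILIENT_RESOLUTIONS = ["Unresolved", "Duplicate", "Not an Issue", "Resolved"]
QRADAR_REASONS = [
    {"id": 1, "text": "Non-Issue", "is_deleted": False},
    {"id": 2, "text": "False-Positive, Tuned", "is_deleted": False},
    {"id": 3, "text": "Policy Violation", "is_deleted": False},
    {"id": 54, "text": "Resolved", "is_deleted": False},
    {"id": 55, "text": "Duplicate", "is_deleted": True},
]

def missing_from_log(lines):
    """Return the reason names that app.log lines report as missing."""
    found = set()
    for line in lines:
        match = MISSING_RE.search(line)
        if match:
            # Assumption: several names would be comma-separated, maybe quoted.
            for name in match.group(1).split(","):
                if name.strip(" '\""):
                    found.add(name.strip(" '\""))
    return found

def active_reasons(qradar_reasons):
    """Names of closing reasons usable in QRadar (assumption: deleted ones are not)."""
    return {r["text"] for r in qradar_reasons if not r.get("is_deleted")}

def close_reason_plan(resolutions, qradar_reasons):
    """Map each Resilient resolution to the QRadar reason used on close."""
    active = active_reasons(qradar_reasons)  # assumption: exact-name match
    return {res: res if res in active else DEFAULT_REASON for res in resolutions}

def reasons_to_add(resolutions, qradar_reasons):
    """Resolutions that need a matching Custom Offense Close Reason in QRadar."""
    active = active_reasons(qradar_reasons)
    return sorted(res for res in resolutions if res not in active)

if __name__ == "__main__":
    print("Reported in app.log:", sorted(missing_from_log(SAMPLE_LOG)))
    print("Add in QRadar:", reasons_to_add(RESILIENT_RESOLUTIONS, QRADAR_REASONS))
```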

Document Location

Worldwide


Document Information

Modified date:
20 March 2023

UID

ibm16909479