IBM Support

How to Resolve Automated Escalation Failures Using the SOAR Integration Application from QRadar

Troubleshooting


Problem

This technote provides solutions for troubleshooting common errors that occur when automated or manual escalation of offenses from QRadar to SOAR, using the SOAR Integration application on QRadar, fails.

Symptom

Errors are displayed in the user interface or written to circuits.log in the Integration application's container on QRadar.

Cause

Offenses fail to escalate from QRadar to IBM Security SOAR (previously known as Resilient).

Environment

IBM Security SOAR integrated with IBM QRadar by using the IBM Resilient QRadar Integration application from the IBM AppExchange.

Diagnosing The Problem

Enable debug logging on the QRadar container by updating the following line in the app.config:

loginfo=DEBUG

Errors that display in circuits.log in the container on QRadar may be similar to the errors in client.log on the SOAR side, and the message may contain the field or value that is causing the issue.

ERROR [resilient_helpers] Error Not Found: {"success":false,"title":null,"message":"<value>","hints":[],"error_code":"generic"}

In addition, client.log on the IBM SOAR platform contains the error that occurs while the incident is being created on the IBM SOAR (Resilient) platform.

ERROR [resilient_helpers] Error Not Found: {"success":false,"title":null,"message":"Unable to find object with ID <value>","hints":[],"error_code":"generic"}

In this case <value> contains the value of the offense field that is mapped to the corresponding field in the SOAR incident.

Customers should use the technote for collecting logs for QRadar to help troubleshoot the issue:

Resolving The Problem

1. Error Not Found: Unable to find object with ID

The values in the QRadar offense fields do not match the values required by the corresponding fields in SOAR.
In this case the customer was using an English version of QRadar but a Unicode (non-English) language for IBM Security SOAR. They needed to switch to the English version of SOAR or change the values in their offense fields so that the fields map correctly.

ERROR [resilient_helpers] Error Not Found: {"success":false,"title":null,"message":"Unable to find object with ID Medium","hints":[],"error_code":"generic"}

The severity values of the offense did not match the values listed in the SOAR severity field because of the difference in character sets between the two systems.

Using the default template does not resolve the issue.

Solution:
Change the default values of the field, or remap the escalation templates so that multi-value fields contain the same values on both platforms.

2. Rule 'Rulename' is unable to update the Incident

This issue is caused on the SOAR side, where a rule interferes with the creation of the incident when an offense is escalated, causing the escalation to fail.

client.log on SOAR reports:

com.co3.web.rest.Co3ExceptionMapperBase - Mapping exception to REST
com.co3.domain.exceptions.Co3IllegalStateException: Rule 'Rulename' is unable to update the Incident 'QRadar ID 269 , Offense name' because: HelperFailException: Text
   at com.co3.actions.ActionAutomationResultProcessor.processFailedResult(ActionAutomationResultProcessor.java:427)

The app.log on QRadar reports the same problem:

SimpleHTTPException: Bad Request:  {"success":false,"title":null,"message":"Rule 'Rulename' is unable to update the Incident 'QRadar ID 6505 , Offense name' because: HelperFailException: Text","hints":[],"error_code":"generic"}

Solution:
Disable the rule on the SOAR platform so that the automatic escalation can complete when the incident is created.
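The two error signatures above (the "Unable to find object with ID" value mismatch and the "Rule ... is unable to update the Incident" failure) can be triaged from the log lines directly. The following is an added example, not code from the Integration application or from IBM: it parses the JSON body that SOAR returns in those lines, reports which of the two causes applies, and checks an escalation template's select values against the values a SOAR field actually offers. The log lines and field values are constructed for the example.

```python
"""Triage QRadar->SOAR escalation failures from app.log / circuits.log / client.log lines."""
import json
import re
from typing import Dict, List, Optional

# SOAR returns a JSON body after a varying log prefix; the body always ends the line.
_JSON_BODY = re.compile(r"(\{.*\})")
_NOT_FOUND = re.compile(r"Unable to find object with ID (.+)$")
_RULE_FAIL = re.compile(
    r"Rule '([^']+)' is unable to update the Incident '([^']+)' because: (.+)$")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a dict describing the escalation failure, or None for an unrelated line."""
    m = _JSON_BODY.search(line)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    message = body.get("message") or ""
    nf = _NOT_FOUND.search(message)
    if nf:  # cause 1: offense field value has no match in the SOAR field
        return {"cause": "field_value_mismatch", "value": nf.group(1),
                "fix": "remap the escalation template so the value exists in SOAR"}
    rf = _RULE_FAIL.search(message)
    if rf:  # cause 2: a SOAR rule failed while the incident was being created
        return {"cause": "soar_rule_failure", "rule": rf.group(1),
                "incident": rf.group(2), "detail": rf.group(3),
                "fix": "disable the SOAR rule while escalation runs"}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over a log and keep only the escalation failures."""
    return [r for r in (classify(ln) for ln in lines) if r]


def check_select_values(template_values: List[str], soar_field_values: List[str]) -> List[str]:
    """Values a template would send that the SOAR select field does not offer (cause 1)."""
    return [v for v in template_values if v not in soar_field_values]


# Constructed sample lines in the shape the technote shows; 'Rulename' is a placeholder.
SAMPLE_LOG = [
    'ERROR [resilient_helpers] Error Not Found: {"success":false,"title":null,'
    '"message":"Unable to find object with ID Medium","hints":[],"error_code":"generic"}',
    'SimpleHTTPException: Bad Request:  {"success":false,"title":null,"message":"Rule '
    "'Rulename' is unable to update the Incident 'QRadar ID 6505 , Offense name' because: "
    'HelperFailException: Text","hints":[],"error_code":"generic"}',
    "INFO [app] polling offenses",
]
```

Running check_select_values with the English template values against a localized SOAR severity field reproduces the mismatch behind cause 1 before an escalation is attempted.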

Document Location

Worldwide


Document Information

Modified date:
02 May 2021

UID

ibm16428939