Troubleshooting
Problem
The latest Salesforce protocol packages for 7.3 and 7.4 now enforce supported event types only. When events of an unsupported type are received, the following error stack is displayed in /var/log/qradar.log:
[ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider21311] com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException: Unsupported event type 'ApiTotalUsage' found.
Cause
As defined in the Salesforce Security documentation for QRadar, only these event types (recorded events) are supported:
- Login History
- Account History
- Case History
- Entitlement History
- Service Contract History
- Contract Line Item History
- Contract History
- Contact History
- Lead History
- Opportunity History
- Solution History
- Salesforce Security Auditing audit trail
Diagnosing The Problem
- ApiTotalUsage: API Total usage events contain details about Platform SOAP API, Platform REST API, and Bulk API requests (for API versions up to and including v30.0).
- OneCommerceUsage: One Commerce Usage events capture information about your Commerce instance. This event type is available in the EventLogFile object in API version 51.0 and later.
- AuraRequest: Aura Request events contain details of requests to Apex methods from Aura and Lightning web components. For example, you can benchmark request time or identify the URI of an unsuccessful request.
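To see which unsupported event types the protocol is rejecting on a given system, the error lines in /var/log/qradar.log can be tallied by event type. The script below is an added example, not part of the original technote or a QRadar utility; the function names are hypothetical and the sample log lines are constructed from the error format shown above.

```shell
#!/bin/sh
# Added example: tally Salesforce "Unsupported event type" errors per event type.
# count_unsupported_types and write_sample_log are hypothetical helper names.

count_unsupported_types() {
    # $1: path to a QRadar log file (defaults to /var/log/qradar.log)
    logfile="${1:-/var/log/qradar.log}"
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 1; }

    # 1. keep only errors raised by the Salesforce protocol's event formatter
    # 2. extract the quoted event type from the message
    # 3. count per type, most frequent first, and print "type<TAB>count"
    grep -F 'salesforcerestapi.eventformatter.EventFormatterException' "$logfile" \
        | sed -n "s/.*Unsupported event type '\([^']*\)' found.*/\1/p" \
        | sort | uniq -c | sort -k1,1nr -k2,2 \
        | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print $0 "\t" n }'
}

write_sample_log() {
    # Constructed sample lines modelled on the error above; not real log data.
    p='[ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread]'
    e='com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException'
    for t in ApiTotalUsage OneCommerceUsage ApiTotalUsage AuraRequest \
             ApiTotalUsage OneCommerceUsage; do
        printf "%s %s: Unsupported event type '%s' found.\n" "$p" "$e" "$t"
    done > "$1"
    # An unrelated (constructed) line that the filter must ignore.
    printf '%s [constructed] unrelated informational message\n' "$p" >> "$1"
}

# Demonstration on the constructed sample; on a QRadar host, call
# count_unsupported_types with no argument to read /var/log/qradar.log.
sample=$(mktemp)
write_sample_log "$sample"
count_unsupported_types "$sample"
rm -f "$sample"
```

Each event type in the output is a candidate for manual mapping in the DSM Editor or for an Enhancement Request.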
Resolving The Problem
1. Use the DSM Editor to map the events manually. See the following links for more information about support policies for custom field extraction:
QRadar: Regular expression (regex) cases and support policies
QRadar: Log source configuration and performance support policy
QRadar: DSM Editor and custom log source cases and support policies
Or
2. Submit an Enhancement Request to ask for these events to be parsed and mapped by the protocol.
Document Location
Worldwide
Document Information
Modified date:
01 April 2022
UID
ibm16566491