
IBM QRadar offenses are not escalated due to configuration issues in IBM QRadar SOAR or Cloud Pak for Security

Troubleshooting

Problem

When there are configuration problems in the mapping template of the IBM QRadar plug-in, or in the configuration of IBM QRadar SOAR or Cloud Pak for Security, offenses might not escalate successfully. This document helps you identify and troubleshoot these situations.

Symptom

You might not be able to manually escalate an offense with the error "Failed to generate case. Template format may not be valid" or "Failed to generate incident. Template format may not be valid."
[Screenshot: Manual escalation error]
If you are automatically escalating, you do not see this error, but you might find that incidents/cases are not created.

Cause

The error suggests that there is a problem with the mapping template, which is true in most cases. When the template maps offense data, translates it to incident/case data and submits the creation of the incident/case, the JSON payload it produces is rejected: IBM QRadar SOAR or Cloud Pak for Security is configured in such a way that the payload does not fulfill its requirements.

Diagnosing The Problem

Some examples are shown below, each with a description of the problem. You need access to the plug-in's container on your IBM QRadar console or App Host so that you can investigate the app.log for manual escalations, or the circuits.log for automatic escalations.
When an offense is escalated manually, IBM QRadar SOAR or Cloud Pak for Security returns the error "The following fields are required: 'Detected destinations'." This means that the field "Detected destinations" must be populated for the incident to be created.
2022-07-11 12:25:30,823 [Thread-478] [INFO] [APP_ID:1606] [NOT:0000006000] endpoint is config.get_escalate_button_data
2022-07-11 12:25:34,484 [Thread-479] [INFO] [APP_ID:1606] [NOT:0000006000] endpoint is config.escalate_to_resilient
2022-07-11 12:25:34,485 [Thread-479] [INFO] [APP_ID:1606] [NOT:0000006000] Querying for offense: 12345
2022-07-11 12:25:35,198 [Thread-479] [INFO] [APP_ID:1606] [NOT:0000006000] No existing incident found
2022-07-11 12:25:35,628 [Thread-479] [ERROR] [APP_ID:1606] [NOT:0000003000] Failed to render incident from template
2022-07-11 12:25:35,628 [Thread-479] [ERROR] [APP_ID:1606] [NOT:0000003000] Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/resilient/co3.py", line 450, in post
    response = super(SimpleClient, self).post(uri, payload, co3_context_token, timeout)
  File "/usr/local/lib/python3.6/site-packages/resilient/co3base.py", line 366, in post
    BasicHTTPException.raise_if_error(response)
  File "/usr/local/lib/python3.6/site-packages/resilient/co3base.py", line 64, in raise_if_error
    raise BasicHTTPException(response)
resilient.co3base.BasicHTTPException: :  {"success":false,"title":null,"message":"The following fields are required: 'Detected destinations'","hints":[],"error_code":"generic"}
Setting a field's "Requirement" to "Always" means that the field must be populated when the incident is created. In this case, the mapping template is not configured to populate the incident/case field, so the incident creation fails and the offense is not escalated.
[Screenshot: Field edit]
More examples along similar lines follow.
In this example, a workflow error stopped the creation of the incident/case. Have someone with access to IBM QRadar SOAR or Cloud Pak for Security examine the logs to identify the reason.
resilient.co3base.BasicHTTPException: Bad Request: {"success":false,"title":null,"message":"The requested operation could not be completed because of an error in a workflow. Have your System Administrator check the application log for details.","hints":[],"error_code":"generic"}
In this example, the mapping template sends an IP address that IBM QRadar SOAR or Cloud Pak for Security cannot accept because the value is malformed.
resilient.co3.SimpleHTTPException: :  {"success":false,"title":null,"message":"The specified IP Address is invalid:  ['123.123.123.123']","hints":[],"error_code":"generic"}
In this example, no IP address is sent.
resilient.co3base.BasicHTTPException: Bad Request: {"success":false,"title":null,"message":"The specified IP Address is invalid: None","hints":[],"error_code":"generic"}
In this example, a rule runs when the incident/case is created, but the rule's script is written to return "The rule is not able to run" by using helper operators in the script editor when an error occurs. The error stops the rule from completing successfully, which in turn stops the incident/case from being created, and the offense is not escalated.
The error message in the example does not say what actually went wrong. This could be improved in the script that the rule "Example rule" calls, by reporting the underlying error in the message.
resilient.co3base.BasicHTTPException: Bad Request: {"success":false,"title":null,"message":"Rule 'Example rule' is unable to update the Incident 'QRadar ID 1234 - virus found' because: HelperFailException: The rule is not able to run.","hints":[],"error_code":"generic"}
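The error lines above all follow one shape: the resilient client's exception class, an optional HTTP reason, and the JSON error body returned by SOAR. The following Python is an added example, not part of this document or of the QRadar plug-in: it pulls the JSON body out of each such line in an app.log or circuits.log excerpt, reads its "message", and maps it to the check this document recommends for that category. The log excerpt is constructed from the lines quoted above; the category names and hint texts are this example's own.

```python
import json
import re

# Constructed app.log excerpt, modelled on the lines quoted in this document.
SAMPLE_APP_LOG = """\
2022-07-11 12:25:35,628 [Thread-479] [ERROR] [APP_ID:1606] [NOT:0000003000] Failed to render incident from template
resilient.co3base.BasicHTTPException: :  {"success":false,"title":null,"message":"The following fields are required: 'Detected destinations'","hints":[],"error_code":"generic"}
resilient.co3base.BasicHTTPException: Bad Request: {"success":false,"title":null,"message":"The requested operation could not be completed because of an error in a workflow. Have your System Administrator check the application log for details.","hints":[],"error_code":"generic"}
resilient.co3.SimpleHTTPException: :  {"success":false,"title":null,"message":"The specified IP Address is invalid:  ['123.123.123.123']","hints":[],"error_code":"generic"}
resilient.co3base.BasicHTTPException: Bad Request: {"success":false,"title":null,"message":"The specified IP Address is invalid: None","hints":[],"error_code":"generic"}
resilient.co3base.BasicHTTPException: Bad Request: {"success":false,"title":null,"message":"Rule 'Example rule' is unable to update the Incident 'QRadar ID 1234 - virus found' because: HelperFailException: The rule is not able to run.","hints":[],"error_code":"generic"}
"""

# Matches the exception line the resilient client writes: exception class, an optional
# HTTP reason such as "Bad Request", and the JSON error body returned by SOAR.
EXCEPTION_LINE = re.compile(r"^(resilient\.\S*HTTPException): (.*?)(\{.*\})\s*$")


def classify(message):
    """Map a SOAR error message to a category and the check this document suggests."""
    m = re.match(r"The following fields are required: (.+)", message)
    if m:
        return ("required_field_missing",
                "Field(s) %s have Requirement 'Always'; make the mapping template populate them." % m.group(1))
    # The None case must be tested before the generic "invalid IP" pattern.
    if re.match(r"The specified IP Address is invalid:\s*None$", message):
        return ("ip_missing",
                "Template built an IP artifact from a null value; check offense.offense_source in the offense JSON.")
    m = re.match(r"The specified IP Address is invalid:\s*(.+)", message)
    if m:
        return ("ip_malformed",
                "Template sent %s as an IP artifact; fix the template expression that produces it." % m.group(1))
    if "error in a workflow" in message:
        return ("workflow_error",
                "A workflow on incident creation failed; a SOAR/Cloud Pak administrator should check the application log.")
    m = re.match(r"Rule '([^']+)' is unable to update", message)
    if m:
        return ("rule_failure",
                "Rule '%s' raised in its script; inspect that script and add debug output with helper operators." % m.group(1))
    return ("unknown", "Not a pattern covered here; read the message and check the SOAR application log.")


def triage_app_log(text):
    """Return one finding per SOAR error line found in the log text."""
    findings = []
    for line in text.splitlines():
        m = EXCEPTION_LINE.match(line)
        if not m:
            continue
        try:
            body = json.loads(m.group(3))
        except ValueError:
            continue  # not a JSON error body; skip the line
        category, hint = classify(body.get("message") or "")
        findings.append({"exception": m.group(1), "category": category,
                         "message": body.get("message"), "hint": hint})
    return findings


if __name__ == "__main__":
    for finding in triage_app_log(SAMPLE_APP_LOG):
        print("%-22s %s" % (finding["category"], finding["hint"]))
```

Run it against the real app.log (or circuits.log for automatic escalations) by reading the file into `triage_app_log`; the "unknown" category is deliberate so that a message this document does not cover is still surfaced rather than silently dropped.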

Resolving The Problem

An understanding of how IBM QRadar SOAR or Cloud Pak for Security is configured is needed.
  • Look at your fields, what is the requirement of the field? Does it need to be set to "Always?" If it does, then ensure the mapping template populates this field.
  • If a rule fails, what script is the rule calling? What does the script do? Can you add extra debug to the script by using helper operators?
  • If a workflow fails to run on incident creation, look at the workflow and what it does for clues.
  • Look at the template and the data that is sent to the incident/case and work out what is missing or what more is required.
  • In the case of "The specified IP Address is invalid: None", check the offense JSON by using the QRadar API.
    • Look for offense.offense_source and check whether it is null.
    • The escalation template reads this value and tries to create an IP artifact without an IP address, which SOAR does not accept, so the case is not created.
    • Should this value be null? If not, work with your QRadar administrators to identify why it is, or raise a support case.
Excerpt from the offense JSON returned by the QRadar API (truncated before and after), showing a null offense_source:
        "id": 1234
      }
    ],
    "closing_reason_id": 56,
    "device_count": 2,
    "first_persisted_time": 1652422810000,
    "offense_type": 0,
    "relevance": 0,
    "domain_id": 0,
    "offense_source": null,
    "local_destination_address_ids": [
      432102
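The checks in the list above can be run before an escalation is attempted, so that the failure is found on the QRadar side rather than as a rejected request. The following Python is an added example, not part of this document or of the QRadar plug-in: it checks the offense JSON for a null offense_source, then validates a rendered payload for empty "Always" fields and for IP artifacts that are not addresses. The offense is constructed from the excerpt above; the `render_incident` function, the `detected_destinations` property name and the `properties`/`artifacts` payload shape are assumptions standing in for the real mapping template output.

```python
import ipaddress

# Constructed offense JSON, modelled on the excerpt above: offense_source is null.
SAMPLE_OFFENSE = {
    "id": 1234,
    "closing_reason_id": 56,
    "device_count": 2,
    "first_persisted_time": 1652422810000,
    "offense_type": 0,
    "relevance": 0,
    "domain_id": 0,
    "offense_source": None,
    "local_destination_address_ids": [432102],
}


def render_incident(offense):
    """Hypothetical stand-in for the rendered mapping template.

    The payload shape and field names are assumptions, not the plug-in's real output.
    """
    return {
        "name": "QRadar ID %d" % offense["id"],
        # 'detected_destinations' is an assumed API name for the "Detected destinations"
        # field; this template never fills it, which is the failure discussed above.
        "properties": {"detected_destinations": None},
        "artifacts": [{"type": "IP Address", "value": offense.get("offense_source")}],
    }


def check_offense(offense):
    """Problems in the offense JSON itself, before any template is applied."""
    problems = []
    if offense.get("offense_source") is None:
        problems.append("offense_source is null: an IP artifact built from it will be rejected")
    return problems


def validate_payload(payload, always_required):
    """Problems SOAR would report: empty 'Always' fields and IP artifacts that are not addresses."""
    problems = []
    props = payload.get("properties") or {}
    for field in always_required:
        if props.get(field) in (None, "", []):
            problems.append("required field '%s' is empty" % field)
    for artifact in payload.get("artifacts") or []:
        if artifact.get("type") != "IP Address":
            continue
        value = artifact.get("value")
        try:
            ipaddress.ip_address(value)  # raises ValueError for None and for malformed strings
        except ValueError:
            problems.append("IP artifact value is invalid: %r" % (value,))
    return problems


def preflight(offense, always_required):
    """Everything that would stop this offense from escalating, in one list."""
    return check_offense(offense) + validate_payload(render_incident(offense), always_required)


if __name__ == "__main__":
    for problem in preflight(SAMPLE_OFFENSE, ["detected_destinations"]):
        print("-", problem)
```

The `always_required` list is the set of incident/case fields whose "Requirement" is "Always" in your SOAR or Cloud Pak for Security configuration; keep it in step with the field settings, since the checks are only as complete as that list.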
For assistance with the mapping template and the Jinja syntax, ask for help in the community: https://ibm.biz/resilient-community

Document Location

Worldwide


Document Information

Modified date:
16 June 2023

UID

ibm16603327