QRadar: "Exception Reading CRE Rules" caused by X-Force Threat Intelligence tests

Troubleshooting


Problem

Administrators report "Exception Reading CRE Rules" on rules that contain X-Force Threat Intelligence conditions.

Symptom

This error message is based on the default X-Force rules and can be seen on the dashboard:
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][/- -] [-/- -]Exception Reading CRE Rules. The current rule set is incomplete because the following rule(s) failed to load: 1:[ID=117489,NAME="BB:Threats: Suspicious IP Network Traffic",PARENTS=[(ID=117639,NAME="Suspicious Network Traffic to Internal Web Server")]]2:[ID=114839,NAME="BB:BehaviorDefinition: Communication with a Potential Hostile Host (Flows X-Force Categorization)"]3:[ID=117239,NAME="BB:Threats: Suspicious Network Traffic",PARENTS=[(ID=117639,NAME="Suspicious Network Traffic to Internal Web Server")]]4:[ID=114939,NAME="BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (Flows X-Force Categorization)"]. This list includes any parent rules which were consequently removed. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
Trace from /var/log/qradar.error:
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.AQL_Test: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to parse parameters of rule BB:Threats: Suspicious IP Network Traffic
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: XForce_IP_Confidence function: Error during initialization null
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.core.aql.XForce_IP_Confidence.initialize(XForce_IP_Confidence.java:60)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.Utils.initialize(Utils.java:459)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.ariel.ql.parser.SingleArgAdapter.initialize(ScalarFunctionInfo.java:1266)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.ariel.ql.parser.ScalarFunctionPredicate.initialize(ScalarFunctionInfo.java:1368)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.Utils.initialize(Utils.java:459)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.ariel.IndexPredicate.initialize(IndexPredicate.java:234)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.initialize(AbstractCompositePredicate.java:45)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.initialize(AbstractCompositePredicate.java:45)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.initialize(AbstractCompositePredicate.java:45)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.initialize(AbstractCompositePredicate.java:45)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.initialize(AbstractCompositePredicate.java:45)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.initialize(AbstractCompositePredicate.java:45)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.util.Utils.initialize(Utils.java:459)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.semsources.cre.tests.AQL_Test.setParms(AQL_Test.java:71)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:123)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.semsources.cre.CustomRule.<init>(CustomRule.java:224)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(CustomRuleReader.java:1171)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:685)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomRuleReader.java:1652)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dispatchEvent(ConfigurationChangeEvent.java:125)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
[ecs-ep.ecs-ep] [d9ec8361-b1eb-43d1-a372-38eb225ce9d2/SequentialEventDispatcher] Caused by: com.q1labs.core.aql.XForceManager$XForceManager$XForceFunctionsNotAvailableException: Client is not currently available, likely due to connection issues. See logs produced by com.q1labs.core.aql.XForceManager for details
Cause

For rules that contain X-Force conditions to work, the X-Force Threat Intelligence Feed must be enabled and reachable from the Console.

Diagnosing The Problem

To check from the GUI whether the X-Force Threat Intelligence Feed is enabled, follow these steps:
The same information is also available in /opt/qradar/conf/nva.conf:
X_FORCE_FEED=yes

If the X-Force Threat Intelligence Feed is enabled and these rules still fail to load, a firewall might be blocking the connection. Verify that the Console can reach the following servers:
Server Contacted              Server Description
update.xforce-security.com    X-Force Threat Intelligence Feed update server for IP reputation and URL data
license.xforce-security.com   X-Force Threat Intelligence license server
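As an added example that is not part of the IBM technote, the following POSIX shell script automates the checks this section describes: it confirms that X_FORCE_FEED=yes is set in nva.conf, tests whether the Console can open an HTTPS connection to the two feed servers, and scans qradar.error for the X-Force client exception shown in the trace above, listing the rule names from any logged "Exception Reading CRE Rules" notification. It assumes that curl is installed on the Console, that the feed servers are reached over HTTPS (port 443), and that the notification text is also written to qradar.error; the function names, the environment overrides and the --run flag are the example's own.

```shell
#!/bin/sh
# Added example, not IBM code: diagnostics for "Exception Reading CRE Rules"
# on rules with X-Force conditions. Assumptions: curl is available on the
# Console and the feed servers answer over HTTPS on port 443.

NVA_CONF="${NVA_CONF:-/opt/qradar/conf/nva.conf}"
QRADAR_ERROR_LOG="${QRADAR_ERROR_LOG:-/var/log/qradar.error}"
XFORCE_HOSTS="update.xforce-security.com license.xforce-security.com"

# Returns 0 when X_FORCE_FEED=yes is present in the nva.conf given as $1.
xforce_feed_enabled() {
    [ -r "$1" ] || return 1
    grep -q '^X_FORCE_FEED=yes[[:space:]]*$' "$1"
}

# Returns 0 when a TLS connection to https://$1/ can be established.
# No -f: an HTTP 4xx answer still means the host is reachable; only
# connection, DNS or TLS failures make curl exit non-zero.
xforce_host_reachable() {
    curl -s -o /dev/null --connect-timeout 10 "https://$1/"
}

# Returns 0 when the log given as $1 contains the exception the trace
# shows for an X-Force client that could not connect.
xforce_client_unavailable() {
    [ -r "$1" ] || return 1
    grep -q 'XForceFunctionsNotAvailableException' "$1"
}

# Prints the unique rule names (including removed parents) from every
# "Exception Reading CRE Rules" notification found in the log given as $1.
list_failed_rules() {
    [ -r "$1" ] || return 1
    grep 'Exception Reading CRE Rules' "$1" \
        | grep -o 'NAME="[^"]*"' \
        | sed 's/^NAME="//; s/"$//' \
        | sort -u
}

# Runs all checks and returns non-zero when any of them fails.
run_diagnostics() {
    status=0
    if xforce_feed_enabled "$NVA_CONF"; then
        echo "OK:   X_FORCE_FEED=yes in $NVA_CONF"
    else
        echo "FAIL: X_FORCE_FEED=yes not set in $NVA_CONF (enable the feed under System Settings)"
        status=1
    fi
    for h in $XFORCE_HOSTS; do
        if xforce_host_reachable "$h"; then
            echo "OK:   $h reachable over HTTPS"
        else
            echo "FAIL: cannot reach $h (check firewall rules from the Console)"
            status=1
        fi
    done
    if xforce_client_unavailable "$QRADAR_ERROR_LOG"; then
        echo "WARN: XForceFunctionsNotAvailableException found in $QRADAR_ERROR_LOG; rules affected:"
        list_failed_rules "$QRADAR_ERROR_LOG" | sed 's/^/      /'
    fi
    return $status
}

# Invoke as: sh xforce_diag.sh --run
if [ "${1:-}" = "--run" ]; then
    run_diagnostics
fi
```

Run it on the Console as root with `sh xforce_diag.sh --run`; a non-zero exit means the feed flag or one of the two server connections failed, which is the condition the next section says to fix before contacting support.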
Resolving The Problem

Enable the X-Force Feed from System Settings. If these rules still have problems and the firewall is not blocking the connection, contact IBM QRadar Support.

Document Location

Worldwide

Document Information

Modified date:
30 May 2023

UID

ibm16967177