Troubleshooting
Problem
A QRadar app fails to load with a "SEC: token" error, generic errors, or the UI is blank with no error. Newly configured QRadar on Cloud (QRoC) apps aren't loading, or requesting an Admin token, but do not work after creating a Security Admin token in Self Serve app.
Symptom
Missing tokens can cause different UI errors in different apps. In User Behavior Analytics (UBA), the UI might load with no errors and display as normal until the user tries to edit the rules or see events for specific users. It can display errors such as "An error occurred when loading data", "No SEC header present in the request", or "Failed to retrieve rules". In Use Case Manager (UCM) the UI does not load and reports a "There is no authorized service token available" or "You don't have sufficient permissions to view rules" errors. In other apps, the UI might fail to load, showing either generic error, "403", or a blank screen.
Cause
Certain apps require an Admin:Admin level token to operate and return the error when configured with a Security Admin auth token. When setting up these apps, they ask for the token, but QRoC users can be confused as they do not have permission to create this level of token and must contact support. The Authorized Service token that can be created by using The QRadar RESTful API is not sufficient to run these apps.
The following apps require an Admin:Admin level token:
- QRadar Advisor with Watson (Requires admin token in addition to Sec Admin or profile user requests token)
- QRadar Assistant App
- QRadar Deployment Intelligence
- Incident Overview
- Use Case Manager
- IBM QRadar DNS Analyzer
- QRadar Operations
- IOC Tracker
- Threat Intelligence
- User Behavior Analytics
- Forwarding from Splunk
- Resilient Systems (SOAR) (QRoC Ready)
- Recorded Future
- Cloud Visibility
- Event and Flow Exporter
- IBM QRadar SOAR plug-in
- Network Threat Analytics
Diagnosing The Problem
Check the app logs for related errors.
- Collect your app logs by using either the CLI or QRadar UI.
- Navigate to the app logs file. If you have multiple apps installed, you can identify the app by using the APP NAME in the directory name. The paths vary from app to app, but generally follow the following naming convention:
/app-framework/console/qapp-[APP ID]-[APP NAME]/store/docker/volumes/qapp-[APP ID]/log/app.log
/app-framework/console/qapp-[APP ID]-[APP NAME]/store/docker/volumes/qapp-[APP ID]/log/app[DATE].log - Search the logs for errors related to "SEC: token".
Result
If you find any errors containing "SEC: token" proceed to Resolving the Problem.
Example error from User Behavior Analytics:[MainThread] [INFO] [APP_ID:2804] [NOT:0000006000] Did not receive 200 when loading reference table "UBA : Rule Data" - 401, No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding" [MainThread] [WARNING] [APP_ID:2804] [NOT:0000004000] Error during bulk loading reference table UBA : Rule Data: {'http_response': {'code': 401, 'message': 'You are unauthorized to access the requested resource.'} , 'code': 18, 'description': '', 'details': {}, 'message': 'No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding"'}Example error from Use Case Manager:error: getRuleGroups_impl - Failed to get rule groups: No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding" { message: 'No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding"'
Resolving The Problem
NOTE: QRoC users must contact support to have them create and apply the required "Admin:Admin" level token.
Other QRadar users can follow the following procedure.
Before you start
- Log in to the QRadar UI as an admin.
- On the Admin tab, click Authorized Services in the User Management section.
- Confirm an unexpired token does not exist for the app. In the default naming conventions, the token will be named after the app such as "Use Case Manager".
- If the token exists, is not expired, and you have its value saved, it can be reused. If you do not have the value saved, it cannot be reused.
IMPORTANT: Only delete tokens if you confirm they are not used by other apps or services. Expired tokens can be safely deleted. - Create a new token with the Security Profile as Admin and the User Role as Admin and record the token value. We recommend naming the token after the app it is associated with.
Note: The same token can be used across different apps, but the app configuration instructions recommend users create one token per app.
Result
In the procedure, we attempt to attach this new token to the app.
Procedure
- Open the app in the QRadar UI, and confirm it does not display a prompt to enter the saved token. If it does, enter the token and ensure the app works.
- If the UI does not request a token, go to the app settings. Some apps, such as User Behavior Analytics allow the token to be changed, while other apps like Use Case Manager do not.
Token setting for UBA:
Note: The setting states that "A valid authorized service token is currently saved" but in this situation, it is not.
Result
If you cannot identify a setting to add your token to the app, contact support for assistance manually adding it.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
22 May 2024
UID
ibm16611259