IBM Support

QRadar SOAR: How does the IBM QRadar SOAR plug-in decide which offenses to escalate?

Question & Answer


Question

How does the IBM QRadar SOAR plug-in decide which offenses to escalate?

Cause

In some cases offenses are not escalated, so understanding the conditions the application uses to select offenses is useful for troubleshooting.

Answer

By default, the poller runs every 120 seconds and looks for new offenses that satisfy the following condition (the parentheses match the filter the plug-in sends to the API, as shown in the debug log below).
v4.x
(last_persisted_time > last_good_poll AND status = "OPEN") OR (offense_id > last_max_offense_id AND status = "OPEN")
v3.5x
(last_updated_time > last_good_poll AND status = "OPEN") OR (offense_id > last_max_offense_id AND status = "OPEN")
  • last_persisted_time (v4.x) and last_updated_time (v3.5x) are values stored in each offense and updated whenever the offense changes.
  • last_good_poll is a file that contains the time, in seconds since the epoch, at which the last successful poll ran. Its value is normally within 120 seconds of the current time.
  • last_max_offense_id is a file that contains the last offense ID that was processed during the last successful poll.
When debug is enabled, the log shows the calls made to the IBM QRadar API, including the filter built from the last_updated_time and last_good_poll values:
2020-06-11 09:05:47,120 INFO [qradar_poll_handler] Last poll: 2020-06-11 09:03:11.000000;  Config Change: 2020-06-11 09:01:25.137505, UTC Time;  Last max offense ID: 381.
2020-06-11 09:05:47,120 DEBUG [qradar_api_client] QRadarAPIClient.get_offenses(): Requesting retrieval of offense data...
2020-06-11 09:05:47,120 DEBUG [qradar_api_client] QRadarAPIClient._rest(): GET call to api/siem/offenses
2020-06-11 09:05:47,121 DEBUG [qradar_api_client] {'filter': '(last_updated_time>1591866191000 and status = "OPEN") or (id>381 and status = "OPEN")', 'fields': 'id,offense_source,description,categories,assigned_to,status'}
filter=(last_updated_time%3E1591866191000%20and%20status%20%3D%20%22OPEN%22)%20or%20(id%3E381%20and%20status%20%3D%20%22OPEN%22)&fields=id%2Coffense_source%2Cdescription%2Ccategories%2Cassigned_to%2Cstatus
2020-06-11 09:05:47,123 DEBUG [abstract_qpylib] 127.0.0.1 [APP_ID/1052][NOT:0000006000] REST get issued to https://IP ADDRESS/api/siem/offenses?filter=(last_updated_time%3E1591866191000%20and%20status%20%3D%20%22OPEN%22)%20or%20(id%3E381%20and%20status%20%3D%20%22OPEN%22)&fields=id%2Coffense_source%2Cdescription%2Ccategories%2Cassigned_to%2Cstatus None
Offenses returned by the API are checked against the escalation conditions. Those that match are escalated to IBM QRadar SOAR using the template that the matching escalation condition is configured to use.
The last_good_poll and last_max_offense_id files reside in the /store/ directory inside the container and can also be accessed from the IBM QRadar server under /store/docker/volumes/qapp-<APP ID>/.
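As an added example (not the plug-in's own code), the following Python rebuilds the poll filter from the two state-file values, converts the logged "Last poll" timestamp back to the epoch value that appears in the filter, and re-evaluates the same condition locally against constructed sample offenses so you can see why a given offense was or was not picked up. Function names, the sample offenses and the UTC interpretation of the logged timestamp are assumptions; the example is written to reproduce the filter shown in the log above.

```python
import re
from datetime import datetime, timezone

# Offense timestamp field compared against last_good_poll, by plug-in version.
TIME_FIELD = {"4": "last_persisted_time", "3.5": "last_updated_time"}


def build_poll_filter(last_good_poll: int, last_max_offense_id: int, version: str = "4") -> str:
    """Return the filter the poller sends to api/siem/offenses.

    last_good_poll is seconds since the epoch (the file's contents); QRadar
    offense timestamps are milliseconds, hence the * 1000.
    """
    field = TIME_FIELD[version]
    return (f'({field}>{last_good_poll * 1000} and status = "OPEN") '
            f'or (id>{last_max_offense_id} and status = "OPEN")')


def last_poll_epoch(log_line: str) -> int:
    """Parse 'Last poll: YYYY-MM-DD HH:MM:SS.ffffff' from a poll-handler log line.

    Assumption: the timestamp is UTC (the log labels the neighbouring value
    'UTC Time', and the result matches the epoch used in the logged filter).
    """
    m = re.search(r"Last poll: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+", log_line)
    if not m:
        raise ValueError("no 'Last poll' timestamp in log line")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(ts.timestamp())


def is_candidate(offense: dict, last_good_poll: int, last_max_offense_id: int, version: str = "4") -> bool:
    """Evaluate the poll condition locally for one offense record (troubleshooting aid)."""
    if offense.get("status") != "OPEN":
        return False  # both halves of the OR require status = "OPEN"
    changed_since_poll = offense[TIME_FIELD[version]] > last_good_poll * 1000
    newer_than_last_id = offense["id"] > last_max_offense_id
    return changed_since_poll or newer_than_last_id


# Constructed sample offenses (not real QRadar output), v3.5x field name.
SAMPLE_OFFENSES = [
    {"id": 382, "status": "OPEN", "last_updated_time": 1591866000000},   # id above 381 -> candidate
    {"id": 200, "status": "OPEN", "last_updated_time": 1591866300000},   # updated after last poll -> candidate
    {"id": 150, "status": "CLOSED", "last_updated_time": 1591866300000}, # not OPEN -> skipped
    {"id": 100, "status": "OPEN", "last_updated_time": 1591800000000},   # old and unchanged -> skipped
]


def candidate_ids(offenses, last_good_poll, last_max_offense_id, version="3.5"):
    """IDs of the offenses the poller would fetch, given the two state values."""
    return [o["id"] for o in offenses if is_candidate(o, last_good_poll, last_max_offense_id, version)]
```

Run with the values from the log (last poll 1591866191, last max offense ID 381) to confirm the generated filter string is identical to the one in the DEBUG line.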


Document Information

Modified date:
30 May 2023

UID

ibm16226392