topic XSOAR Qradar Integration Set Range Limit in Cortex XSOAR Discussions

XSOAR Qradar Integration Set Range Limit

Sucuncuoglu — Tue, 08 Mar 2022 08:27:09 GMT

Hi,

I succeeded XSOAR integration with Qradar. But I keep getting timeout warnings. I solved this problem by entering parameter "--env=REQUEST_TIME OUT=1500". But I caught that the real problem is in the query. To give an example of this, I enter the first integration query as "status='OPEN' and id > 13061". Then XSOAR automatically changes the query to "id > 13061 and status='OPEN' and id > 13061". No problem so far. The problem is that it doesn't specify the range when throwing this query. When I set the range value to "items=0-10" from the QRadar API interface, the query result comes in 15 seconds. However, when the range value is not entered, the same query takes over 20 minutes. I actually set "Number of offenses to pull per API call (max 50)" to 5 in the first integration setting. I think this value is not enough for the range limit.Can you help me on this issue?

Re: XSOAR Qradar Integration Set Range Limit

SilviuMihailDascalu — Tue, 08 Mar 2022 09:06:07 GMT

Hi Sucuncuoglu,

Thanks for posting in our Live Community Discussion board. Assuming you're referring to the QRadar v3 integration. I've made a quick review and in the get_incidents_long_running_execution function I can see we're adding the range properly to the API call:

See line 1561 and 1562 :

range_max = offenses_per_fetch - 1 if offenses_per_fetch else MAXIMUM_OFFENSES_PER_FETCH - 1
range_ = f'items=0-{range_max}'

So I suppose it might be something else that cause this delay. In order to detect what might be gong wrong, would you mind opening a Customer Support Ticket in order to identify what might be the issue?

Thanks,

Silviu

Thanks,

Silviu

Re: XSOAR Qradar Integration Set Range Limit

Sucuncuoglu — Tue, 08 Mar 2022 10:41:02 GMT

Hi Silviu,

Thank you for the quick reply.
I opened the case numbered 02119736. The problem couldn't be solved there and they recommended this place.
You guessed it right, we use the Qradar V3 integration.
There is no range in the query to Qradar. It could be caused by line 405.

additional_headers = {'Range': range_} if not offense_id else None

Because the offense_id value is not entered in line 1565. In this case, range becomes None and we query for the whole range.
raw_offenses = client.offenses_list(range_, filter_=filter_fetch_query, sort=ASCENDING_ID_ORDER)

Re: XSOAR Qradar Integration Set Range Limit

Sucuncuoglu — Tue, 08 Mar 2022 11:11:36 GMT

Hi Silviu,

I want to correct my mistake, why is the range value None when we do not enter the offense id?

Re: XSOAR Qradar Integration Set Range Limit

Sucuncuoglu — Tue, 08 Mar 2022 16:20:30 GMT

Hi Silviu,

We found the cause of the problem. The time is getting longer because sorting is used in the query.
As a result of your guidance, we reached the solution.

Thank you for your support.