Problems with the Integration "QRadar v3" - Mirroring not working and qradar-reset-last-run command not working

aguida79 · ‎12-15-2022

Hi everyone,

Anybody having problems with the Integration 'QRadar v3'?

In particular, I found two things that are not working:

- First, Offenses created in QRadar are not being creating Incidents on Cortex XSOAR.

I configured the integration for 'Mirror Offense', to create Incidents based on created Offenses on QRadar (screenshot attached), and the connection is working. You can see on the Playground that there are Offenses on QRadar (screenshot attached), but no Incidents were created on Cortex XSOAR after I configured the Integration, and I generated new Offenses after Enable Integration too without any luck.

- Second, the command !qradar-reset-last-run is not working (reading the documentation, the command don't use any parameters), getting this error: 'Context data is missing keys: mirrored_offenses_queried or mirrored_offenses_finished' (screenshot attached).

For the first problem, I put the Integration in Debug log mode, and review the docker logs, but I didn't found anything about the reason of why Offenses are not creating Incidents in Cortex XSOAR.

Anybody with the same problems? Anybody can give me a piece of advice of how can I troubleshoot that kind of things?

Thanks in advance for your help.

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

chrking · ‎12-15-2022

If you try running the mirror manually with the debug commands listed here https://xsoar.pan.dev/docs/integrations/mirroring_integration#debugging like get-modified-remote-data do you get any useful output?

Do you have offenses newer than your configured First fetch timestamp parameter?

aguida79 · ‎12-16-2022

Hi @chrking , thanks for your answer.

I ran the get-modified-remote-data, but I obtained an error for the QRadar integration (attached screenshot):

skip update. error: Failed to execute get-modified-remote-data command.
Error:
'lastUpdate'

What I really don't understand is that even the get-modified-remote-data debug command for Crowdstrike Integration (which is working, is mirroring the incidents of Crowdstrike as Incidents in Cortex XSOAR) is giving me an error (screenshot attached).

Maybe this is related to the command qradar-reset-last-run failing too? The strange thing is that the integration is working, what is not working is the mirroring.

My first fetch timestamp parameter is 30 days, and I have new Offenses from yesterday and from today, and nothing was mirrored.

Thanks for your help.

aguida79 · ‎12-16-2022

Now (I don't know why), but the command qradar-reset-last-run is working (screenshot attached), but still the Offenses of QRadar are not being mirroring with Incidents in Cortex XSOAR. After the execution of the command, I generated a new Offense, and nothing happen.

Thanks for your help.

aguida79 · ‎12-16-2022

And now is working the Mirroring, and I really don't know what changed (screenshot attached).

The only thing that I changed on the QRadar server side, is that I changed the timezone of the server, from UTC to GMT-3 (Argentina time zone), the same time zone that Cortex SOAR server has. Maybe that was the problem?

Any opinions?

Unlock your full community experience!

Problems with the Integration "QRadar v3" - Mirroring not working and qradar-reset-last-run command not working

Problems with the Integration "QRadar v3" - Mirroring not working and qradar-reset-last-run command not working

Show your appreciation!