Problems with the Integration "QRadar v3" - Mirroring not working and qradar-reset-last-run command not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Problems with the Integration "QRadar v3" - Mirroring not working and qradar-reset-last-run command not working

L1 Bithead
Hi everyone,
 
Anybody having problems with the Integration 'QRadar v3'?
 
In particular, I found two things that are not working:
 
- First, Offenses created in QRadar are not being creating Incidents on Cortex XSOAR.
I configured the integration for 'Mirror Offense', to create Incidents based on created Offenses on QRadar (screenshot attached), and the connection is working. You can see on the Playground that there are Offenses on QRadar (screenshot attached), but no Incidents were created on Cortex XSOAR after I configured the Integration, and I generated new Offenses after Enable Integration too without any luck.

 

- Second, the command !qradar-reset-last-run is not working (reading the documentation, the command don't use any parameters), getting this error: 'Context data is missing keys: mirrored_offenses_queried or mirrored_offenses_finished' (screenshot attached).

 

For the first problem, I put the Integration in Debug log mode, and review the docker logs, but I didn't found anything about the reason of why Offenses are not creating Incidents in Cortex XSOAR.
 
Anybody with the same problems? Anybody can give me a piece of advice of how can I troubleshoot that kind of things?
Thanks in advance for your help. 


Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
4 REPLIES 4

L3 Networker

If you try running the mirror manually with the debug commands listed here https://xsoar.pan.dev/docs/integrations/mirroring_integration#debugging like get-modified-remote-data do you get any useful output?

 

Do you have offenses newer than your configured First fetch timestamp parameter?

Hi @chrking , thanks for your answer.

 

I ran the get-modified-remote-data, but I obtained an error for the QRadar integration (attached screenshot):

skip update. error: Failed to execute get-modified-remote-data command.
Error:
'lastUpdate'

What I really don't understand is that even the get-modified-remote-data debug command for Crowdstrike Integration (which is working, is mirroring the incidents of Crowdstrike as Incidents in Cortex XSOAR) is giving me an error (screenshot attached).

Maybe this is related to the command  qradar-reset-last-run failing too? The strange thing is that the integration is working, what is not working is the mirroring.

 

My first fetch timestamp parameter is 30 days, and I have new Offenses from yesterday and from today, and nothing was mirrored.

 

Thanks for your help.

 

 

L1 Bithead

Now (I don't know why), but the command qradar-reset-last-run is working (screenshot attached), but still the Offenses of QRadar are not being mirroring with Incidents in Cortex XSOAR. After the execution of the command, I generated a new Offense, and nothing happen.

 

Thanks for your help.

L1 Bithead

And now is working the Mirroring, and I really don't know what changed (screenshot attached).

 

The only thing that I changed on the QRadar server side, is that I changed the timezone of the server, from UTC to GMT-3 (Argentina time zone), the same time zone that Cortex SOAR server has. Maybe that was the problem?

 

Any opinions?

 

 

  • 4529 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!