03-08-2022 12:27 AM
Hi,
I succeeded in integrating XSOAR with QRadar, but I keep getting timeout warnings. I worked around this problem by entering the parameter "--env=REQUEST_TIMEOUT=1500", but I found that the real problem is in the query. To give an example, I enter the first integration query as "status='OPEN' and id > 13061". XSOAR then automatically changes the query to "id > 13061 and status='OPEN' and id > 13061". No problem so far. The problem is that it doesn't specify the range when sending this query. When I set the range value to "items=0-10" from the QRadar API interface, the query result comes back in 15 seconds. However, when no range value is entered, the same query takes over 20 minutes. I actually set "Number of offenses to pull per API call (max 50)" to 5 in the first integration setting. I think this value is not being used as the range limit. Can you help me with this issue?
03-08-2022 01:06 AM
Hi Sucuncuoglu,
Thanks for posting in our Live Community Discussion board. I'm assuming you're referring to the QRadar v3 integration. I've made a quick review, and in the get_incidents_long_running_execution function I can see we're adding the range properly to the API call.
See lines 1561 and 1562:
range_max = offenses_per_fetch - 1 if offenses_per_fetch else MAXIMUM_OFFENSES_PER_FETCH - 1
range_ = f'items=0-{range_max}'
So I suppose it might be something else that causes this delay. In order to detect what might be going wrong, would you mind opening a Customer Support Ticket so we can identify what the issue is?
Thanks,
Silviu
03-08-2022 02:41 AM
Hi Silviu,
Thank you for the quick reply.
I opened the case numbered 02119736. The problem couldn't be solved there, and they recommended this place.
You guessed it right, we use the QRadar v3 integration.
There is no range in the query to QRadar. It could be caused by line 405:
additional_headers = {'Range': range_} if not offense_id else None
Because the offense_id value is not entered on line 1565. In this case, range becomes None and we query the whole range.
raw_offenses = client.offenses_list(range_, filter_=filter_fetch_query, sort=ASCENDING_ID_ORDER)
03-08-2022 03:11 AM
Hi Silviu,
I want to correct my mistake, why is the range value None when we do not enter the offense id?
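To make the logic in the quoted lines concrete, here is an added example that is not code from the QRadar integration itself. It reproduces the shape of the two quoted statements (the `items=0-{N-1}` Range header and the `{'Range': range_} if not offense_id else None` conditional) in a small request-builder, so the two cases can be checked side by side: a paginated list fetch sends the Range header, while fetching a single offense by id sends none. The `/siem/offenses` endpoint and the `filter`/`sort` query parameters are real QRadar REST API features; the constant names, the `+id` sort expression and the `compose_fetch_filter` helper (which mimics the `id > N and ...` prefix the first post observed) are assumptions for illustration only.

```python
"""Added example: how a QRadar offenses request is shaped depending on
whether a single offense id or a paginated fetch is requested.
Not the integration's own code; names below are illustrative."""
from typing import Optional

# Assumed constants for the example (the thread mentions a cap of 50).
MAXIMUM_OFFENSES_PER_FETCH = 50
ASCENDING_ID_ORDER = '+id'   # assumed QRadar sort expression: ascending id


def build_range_header(offenses_per_fetch: Optional[int]) -> str:
    """Mirror of the quoted lines 1561/1562: a Range value of items=0-{N-1}.

    A fetch size of 5 yields 'items=0-4'; None falls back to the maximum.
    """
    range_max = (offenses_per_fetch - 1 if offenses_per_fetch
                 else MAXIMUM_OFFENSES_PER_FETCH - 1)
    return f'items=0-{range_max}'


def compose_fetch_filter(last_id: int, user_filter: Optional[str]) -> str:
    """Assumed helper: prefix the user's filter with an id watermark so that
    only offenses newer than the last fetched one are returned."""
    base = f'id > {last_id}'
    return f'{base} and {user_filter}' if user_filter else base


def build_offenses_request(offense_id: Optional[int] = None,
                           offenses_per_fetch: Optional[int] = None,
                           filter_: Optional[str] = None,
                           sort: Optional[str] = None) -> dict:
    """Build the pieces of an offenses API call: path, headers, query params.

    Mirror of the quoted line 405: the Range header is attached only for a
    list fetch (no offense_id); a single-offense lookup by id needs no range.
    """
    range_ = build_range_header(offenses_per_fetch)
    additional_headers = {'Range': range_} if not offense_id else None
    url_suffix = f'/siem/offenses/{offense_id}' if offense_id else '/siem/offenses'
    params = {}
    if filter_ and not offense_id:
        params['filter'] = filter_
    if sort and not offense_id:
        params['sort'] = sort
    return {'url_suffix': url_suffix,
            'headers': additional_headers,
            'params': params}


if __name__ == '__main__':
    # Constructed values taken from the first post: fetch size 5, last id 13061.
    fetch_filter = compose_fetch_filter(13061, "status='OPEN'")
    list_req = build_offenses_request(offenses_per_fetch=5,
                                      filter_=fetch_filter,
                                      sort=ASCENDING_ID_ORDER)
    single_req = build_offenses_request(offense_id=13062)
    print('list fetch  :', list_req)    # headers carry Range: items=0-4
    print('single fetch:', single_req)  # headers are None, no Range sent
```

Running the block shows that with a fetch size of 5 the list call carries `Range: items=0-4`, while the by-id call carries no Range header at all, which is the behaviour the quoted conditional describes.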
03-08-2022 08:20 AM
Hi Silviu,
We found the cause of the problem. The time is getting longer because sorting is used in the query.
As a result of your guidance, we reached the solution.
Thank you for your support.