XSOAR Qradar Integration Set Range Limit

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XSOAR Qradar Integration Set Range Limit

L1 Bithead

Hi,

I succeeded XSOAR integration with Qradar. But I keep getting timeout warnings. I solved this problem by entering parameter "--env=REQUEST_TIME OUT=1500". But I caught that the real problem is in the query. To give an example of this, I enter the first integration query as "status='OPEN' and id > 13061". Then XSOAR automatically changes the query to "id > 13061 and status='OPEN' and id > 13061". No problem so far. The problem is that it doesn't specify the range when throwing this query. When I set the range value to "items=0-10" from the QRadar API interface, the query result comes in 15 seconds. However, when the range value is not entered, the same query takes over 20 minutes. I actually set "Number of offenses to pull per API call (max 50)" to 5 in the first integration setting. I think this value is not enough for the range limit.Can you help me on this issue?

Safa
1 ACCEPTED SOLUTION

Accepted Solutions

L1 Bithead

Hi Silviu,

We found the cause of the problem. The time is getting longer because sorting is used in the query.
As a result of your guidance, we reached the solution.

Thank you for your support.

Safa

View solution in original post

4 REPLIES 4

L3 Networker

Hi Sucuncuoglu,

 

Thanks for posting in our Live Community Discussion board. Assuming you're referring to the QRadar v3 integration. I've made a quick review and in the get_incidents_long_running_execution function I can see we're adding the range properly to the API call:

See line 1561 and 1562 :

range_max = offenses_per_fetch - 1 if offenses_per_fetch else MAXIMUM_OFFENSES_PER_FETCH - 1
range_ = f'items=0-{range_max}'

So I suppose it might be something else that cause this delay. In order to detect what might be gong wrong, would you mind opening a Customer Support Ticket in order to identify what might be the issue?

 

Thanks,

Silviu

Thanks,

Silviu

Silviu-Mihail Dascalu

L1 Bithead

Hi Silviu,

Thank you for the quick reply.
I opened the case numbered 02119736. The problem couldn't be solved there and they recommended this place.
You guessed it right, we use the Qradar V3 integration.
There is no range in the query to Qradar. It could be caused by line 405.

additional_headers = {'Range': range_} if not offense_id else None

Because the offense_id value is not entered in line 1565. In this case, range becomes None and we query for the whole range.
raw_offenses = client.offenses_list(range_, filter_=filter_fetch_query, sort=ASCENDING_ID_ORDER)

 

Safa

Hi Silviu,

I want to correct my mistake, why is the range value None when we do not enter the offense id?

Safa

L1 Bithead

Hi Silviu,

We found the cause of the problem. The time is getting longer because sorting is used in the query.
As a result of your guidance, we reached the solution.

Thank you for your support.

Safa
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!