Troubleshooting Tip: How to resolve missing offenses when FortiSOAR ingests from QRadar
| Description | This article describes ways to resolve the issue of missing offenses associated with a specific domain or tenant during ingestion from QRadar into FortiSOAR. |
| Scope | FortiSOAR. |
| Solution | Sometimes the QRadar ingestion in FortiSOAR does not ingest all the offenses from QRadar that belong to a specific domain. To narrow the problem down, open the QRadar Interactive API and search for the offense ID that is missing in FortiSOAR:
Filter: id="xxxx"
It returns the intended result along with the query, which can be used directly in a curl command to validate the behavior from outside QRadar. Use the same filter in the curl command:
curl -k -X GET -H "SEC: <token>" -H "Version: 24.0" -H "Range: items=0-<n>" "https://<qradar>/api/siem/offenses?filter=id=xxxx"
If it returns an empty result ([]), there may be an issue with the token's permissions. If the token was generated for a specific domain, especially in a multi-tenant setup, this query returns empty output and offenses are missed because of the domain restriction applied to the token.
QRadar's default behavior differs when using a token versus a username: a user has full permissions, whereas token-based access can apply additional restrictions to filters.
Resolution: Generate a token with Full Admin permission (including access to all domains) and use that token when fetching the offenses. |
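The same check as a script, added here as an example (not part of the article or of FortiSOAR's connector code): it repeats the filtered offense query with the SEC token and, when the result is empty, lists the `domain_id` values the token can actually see, which shows directly whether the token is domain-scoped. The base URL, token and offense ID are placeholders you supply.

```python
"""Check whether a QRadar API token can see a given offense id."""
import json
import ssl
import urllib.parse
import urllib.request

API_VERSION = "24.0"  # same Version header as the article's curl command


def _get(base_url, token, path, params, range_header, verify_tls=True):
    """GET a QRadar REST API path with SEC-token auth and return parsed JSON."""
    url = f"{base_url}/api/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={
        "SEC": token, "Version": API_VERSION,
        "Accept": "application/json", "Range": range_header})
    ctx = None if verify_tls else ssl._create_unverified_context()  # curl -k
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


def classify(filtered, visible):
    """Explain an empty filtered result using the domains the token can see.

    filtered: offenses returned for filter=id=<id> (expected 0 or 1 item)
    visible:  a sample of offenses the token returns without that filter
    """
    if filtered:
        return "visible"               # the token is not the problem
    if not visible:
        return "no-offenses-visible"   # token sees nothing: permission/scope
    domains = sorted({o["domain_id"] for o in visible if "domain_id" in o})
    return f"hidden: token only sees domain_id(s) {domains}"


def check_offense(base_url, token, offense_id, verify_tls=True):
    """Run both queries against QRadar and classify the outcome."""
    filtered = _get(base_url, token, "siem/offenses",
                    {"filter": f"id={int(offense_id)}"}, "items=0-0", verify_tls)
    visible = _get(base_url, token, "siem/offenses",
                   {"fields": "id,domain_id"}, "items=0-49", verify_tls)
    return classify(filtered, visible)


if __name__ == "__main__":
    # Placeholders: replace with your QRadar console, token and missing offense id.
    print(check_offense("https://<qradar>", "<token>", 1234, verify_tls=False))
```

A result of `hidden: token only sees domain_id(s) [...]` means the token is restricted to those domains and a Full Admin token with all-domain access is needed, as the resolution above states.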
