| Description | This article describes ways to resolve the issue of missing offenses associated with a specific domain or tenant during ingestion from QRadar into FortiSOAR. |
| Scope | FortiSOAR. |
| Solution |
Sometimes, QRadar ingestion in FortiSOAR does not ingest all the offenses from QRadar that belong to a specific domain. To narrow it down, use the QRadar Interactive API option and search with the ID of the offense that is missing in FortiSOAR:
Filter: id="xxxx"
It returns the intended result along with the query, which can be used directly in a curl command to validate the behavior from outside of QRadar. Use the same filter in the curl command:
curl -k -X GET -H "SEC: <token>" -H "Version: 24.0" "https://<qradar>/api/siem/offenses?filter=id=xxxx" -H "Range: items=0
If it returns an empty result ([]), there may be an issue with the token's permissions. If the token is generated for a specific domain, especially in a multi-tenant setup, this query will return empty output and result in missing offenses due to the filter applied to it.
QRadar's default behavior differs when using a token versus a username: while a user has full permissions, token-based access can apply additional restrictions on filters.
Resolution: Generate a token with Full Admin permission (including all domain access) and use it when fetching the offenses. |
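The check described above can be repeated for every offense ID that is missing in FortiSOAR. The following is an added example, not code from the original article or from Fortinet or IBM: the function names, the host name, the sample responses, the `domain_id` field and the 401/403 handling are assumptions made for illustration.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "24.0"  # same Version header as the curl command in the article

def build_request(host, token, offense_id):
    """Build GET /api/siem/offenses?filter=id=<offense_id> with the SEC token."""
    query = urllib.parse.urlencode({"filter": f"id={int(offense_id)}"})
    headers = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}
    return urllib.request.Request(
        f"https://{host}/api/siem/offenses?{query}", headers=headers, method="GET")

def fetch(host, token, offense_id, cafile=None):
    """Send the request and return (status, body). The certificate is verified
    against cafile or the system store instead of being skipped as with curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(build_request(host, token, offense_id), context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify(status, body):
    """Map one API response to the cases the article distinguishes."""
    if status in (401, 403):  # assumption: codes used for a rejected token
        return "token rejected"
    if status != 200:
        return f"unexpected HTTP {status}"
    offenses = json.loads(body)
    if not offenses:  # the [] case from the article: nothing returned for this token
        return "not visible to this token"
    # domain_id is assumed to be present on the offense record
    return f"visible (domain_id={offenses[0].get('domain_id')})"

def audit(offense_ids, fetcher):
    """Check every offense id missing in FortiSOAR; fetcher(id) -> (status, body)."""
    return {oid: classify(*fetcher(oid)) for oid in offense_ids}

# Constructed sample responses so the example runs offline.
SAMPLE = {
    101: (200, '[{"id": 101, "domain_id": 3, "status": "OPEN"}]'),
    202: (200, "[]"),
    303: (401, '{"message": "constructed error body"}'),
}

if __name__ == "__main__":
    print(audit(SAMPLE, SAMPLE.get))
```

Against a live system, pass `lambda oid: fetch(host, token, oid)` as the fetcher; running it once with the domain-scoped token and once with the new token shows which offenses only the second one can see.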
Copyright 2026 Fortinet, Inc. All Rights Reserved.