Multiple QRadar Offense Ingestion Integrations Offense ID collision
08-03-2023 01:08 PM
Hello!
I am looking for the Business Rule or Table constraint that is stopping SIRs from being created when the Offense ID is not unique. I have a situation where 2 of my N number of QRoC integrations have Offense numbering sequences that are overlapping, causing a race condition where the first offense imported gets an SIR created and the next does not.
There is a comment on each of the integration runs in the sn_sec_qradar_offense_import table that states " Row transform ignored by onBefore script"; however, looking at the onBefore, the transform script does not appear to have any logic that stops the creation of the task:

    (function runTransformScript(source, map, log, target /*undefined onStart*/ ) {
        /* ignore variable is used to control the errors and daily limit */
        if (gs.nil(source.profile))
            ignore = true;

        /**
         * Make Sure we have 'INTEGRATION_RECORD_ID' property set to actual integration Record for the Integration.
         * This will be used to automatically resolve integration implementation of various scripts like Limiter.
         */
        var properties = new IBMQRadarProperties();
        var transformEventImpl = new sn_sec_qradar.IBMQRadarTransform(properties);
        var ret = transformEventImpl.transform(source, target);
        if (gs.nil(ret))
            ignore = true;
    })(source, map, log, target);

The Offense ID should not be a unique identifier and duplicates need to be allowed as we have several QRadar instances.
The WebService also does not seem to play a role in stopping the creation of another SIR with an offense ID that exists.
Interestingly, there is a sn_sec_qradar_field_collision_mapping table which is empty and which I cannot find any documentation on.
Any and all assistance is greatly appreciated...
-Andrew