eclecticiq / intelligence-center-app-qradar Goto Github PK

Step 1 to actually download the application is not completed. Users must navigate to releases on github to download the app but this is not obvious.

In the app setup/config page, the required parameter "Host" requires a URI for the EIQ IC which includes the version of the API, in the format (as per our User Guide):

https://<hostname>/api/<version>

For anyone who's unaware of the new API bundled with the EIQ IC, and/or doesn't know what particular version ships with their particular version of the EIQ IC, it's unclear what URI to enter in the "Host" field.

It would be useful to:
a) Include an example in the User Guide of what the URI should look like
b) Include a screenshot or instructions on how to determine the version of the API for the EIQ IC

From IBM team

"They have found some issues, if you have any questions please get in touch."

Description of problem:
In TCs for QRadar Test Connection we do not have pointed out types of Self Signed Certificate file format that we need to use (we use now this two formats .crt and .pem),
and also it is not defined that Certificate needs to be in Chain format.

Please update documentation so that types of Self Signed Certificate file format are clear.

https://stable-tor01-vm-sa-spectre.dev.qradar.ibm.com/console/plugins/1301/app_proxy/test_connection

500 works ok on a VM

Problem per app.log:

2022-05-13 09:27:08,067 [Thread-46] [ERROR] [APP_ID:1301] [NOT:0000003000] Error occured in fetching reference table names Code: 400 Text: HttpRequestError [400]: Request to [https://10.115.113.68:443/api/reference_data/tables](https://10.115.113.68/api/reference_data/tables) resulted in SSLError with message = HTTPSConnectionPool(host='10.115.113.68', port=443): Max retries exceeded with url: /api/reference_data/tables (Caused by SSLError(CertificateError("hostname '10.115.113.68' doesn't match either of '*.dev.qradar.ibm.com', 'dev.qradar.ibm.com'",),)).

So, it looks to me the way the hostname is requested is not correct. There is a method in the SDK to do this, I cannot recall atm which one it is but let me know if you are stuck I ask the SDK team.

Lookup only returns one entity in the case that multiple exist.

This makes the feature unreliable and requires users to check the TIP rather than use the lookup function.

Example here with 2 entities discussing same observable, but lookup only returns a single entity every time.

Currently USER_UNAUTHORIZED is returned for all non 200 statuses

https://github.com/eclecticiq/intelligence-center-app-qradar/search?q=USER_UNAUTHORIZED

This is not helpful for debugging.

We should return the actual errors returned by the EclecticIQ API (in logs and to user in UI)

The URL provided by the system when creating a sighting uses an incorrect path and does not allow users to navigate correctly.

The URL should be updated to use the correct API path.

This URL should be, for example:

https://demo.eiq-platform.com/entity/268c2d67-111f-449d-ac77-f29f5fb88ba5

rather than

https://demo.eiq-platform.com/api/beta/entities/268c2d67-111f-449d-ac77-f29f5fb88ba5

You cannot view/change the feeds without having to enter setup again. We should allow users to change them without having to re-enter the key and Qradar token

The app now only lets you connect if you have a valid certificate installed on your TIP. Please make a options to also allow self signed or other wise "invalid" certificates. This used to be an checkbox in the old app. This is especially useful in a test setup.

Same change as https://github.com/eclecticiq/intelligence-center-app-splunk-ta/issues/19

Same as: https://github.com/eclecticiq/intelligence-center-app-splunk-ta/issues/20#issue-1375629840

Docs on github point to docs portal homepage.

Navigating to QRadar documentation on EclecticIQ docs portal (for example: https://docs.eclecticiq.com/integrations/apps/ibm-qradar/install-and-configure-the-app-on-qradar) has banner that suggests documentation is obsolete and user should visit github documentation.

Circular dependency.

This leaves the user unsure about the required configuration for outgoing feeds in the EclecticIQ Intelligence Center.

a) add the link to the Reference Data Management app as this is in the screenshots

b) RE rules, firing rules on large ref data sets is not advisable without more filtering, I am not sure what users can filter on. Is there an originating IP or network they can add?

https://github.com/eclecticiq/intelligence-center-app-qradar/blob/main/docs/USER-MANUAL.md#step-1-configure-the-outgoing-feeds-you-wish-to-use-with-the-qradar-app

The link to the "EclecticIQ Intelligence Center User Guide" just visits the docs portal homepage.

https://github.com/eclecticiq/intelligence-center-app-qradar/blob/main/docs/USER-MANUAL.md

Step 1 visits a broken link https://www.ibm.com/docs/SS42VS_7.3.2/com.ibm.qradar.doc/b_siem_inst.pdf

After uninstalling the application and reinstalling, the context menu functions no longer work as expected.