FAQ: TruSTAR for IBM QRadar

Updated 2 months ago by Elvis Hovor

This document explains how to manually install the TruSTAR App for IBM QRadar, update the app, or uninstall it. The document also covers troubleshooting and known issues. 

Manually Installing the TruSTAR Workflow App

  1. Download the latest version of the TruSTAR Workflow App for QRadar at this link
  2. Navigate to the QRadar Admin tab.
  3. Click Extension Management.
  4. Click Add and select the TruSTAR App bundle from the location you downloaded it to. 
  5. Click Install Immediately, then click OK to begin the installation. 

You now see the TruSTAR Workflow App settings on the QRadar Admin page and GUI buttons for TruSTAR actions you can take.  

Updating the App 

  1. Navigate to the Admin Tab
  2. Click Extension Management.
  3. Click Add and select the new TruSTAR App bundle you downloaded.
  4. Click Install Immediately.
  5. Click OK.

Uninstalling the App

  1. Go to the QRadar Admin page.
  2. Click Extension Management.
  3. Select the TruSTAR App for QRadar application.
  4. Click Uninstall.

Troubleshooting

Q. Why don’t I see an offense in TruSTAR reporting?

A. There are two reasons why you may not see an offense:

  • If you configured the Offense Exclusion Filter with specific values and the offense matches one of those values, then that offense will not be submitted to TruSTAR. 
  • If you configured the Event Exclusion Filter and all the events associated with that offense match one of those filters, then the offense will not be submitted to TruSTAR.

Q. Why is the submitted offense missing some events in TruSTAR?

A. If you configured the Event Exclusion Filter and some of the events associated with that offense match one of those filters, then those events will not be submitted to TruSTAR.

Q. Why are some events not being submitted to TruSTAR?

A. If you configured the Event Exclusion Filter and the event matches one of those filters, then that event will not be submitted to TruSTAR.

Q. Can I check the event submission logs? 

A. You can check event submission logs from the QRadar console. Search in the Log Activity Quick Filter using this format:

APP_ID/<app_id of TruSTAR app>  where the <app_id of TruSTAR app> is the TruSTAR application ID. In the graphic below, the APP_ID is 1051.

You can then read through the list to check whether the event has been submitted.

QRadar_FAQ_Figure1

Q. I’m getting the following error message. What should I do now?

QRadar_FAQ_Figure2

A. Work with a QRadar Admin user to execute the following procedure on the QRadar instance where the error occurred. 

Note: Rebuilding configuration file sets stops all processes that collect and process QRadar data, so this may affect other applications installed on the affected QRadar instance. 
  1. Go to Admin->Advanced.
  2. Click Deploy Full Configuration. This sends a request to rebuild all configuration file sets (each QRadar instance keeps its own copy) and then restarts services so that the new configuration is loaded.

Q. How do I locate my TruSTAR log files and configuration files?

A. The TruSTAR Workflow App for QRadar runs in a Docker container that is started when the App is installed. (QRadar automatically launches this container every time the QRadar main application is restarted.) Your log files and config file are located inside that container in the /store/ directory. However, because QRadar may be running several app containers, you need to find the TruSTAR container by listing all the Docker containers and then searching each one.

Listing the Docker Containers
  1. SSH into the QRadar host (your Linux user account needs sudo permission).
  2. List the running containers using this command:
sudo docker ps
Searching the Docker Containers

You must search each container to locate the one with the TruSTAR files.

  1. Open an interactive shell in the first container with this command:
sudo docker exec -it [container ID] /bin/bash
  2. Navigate to that container's /store/log/ directory and look for files that contain "trustar" in the filenames.
  3. If the container doesn't have any "trustar" files, exit that container and return to the list of containers.
  4. Choose the next container on the list, then repeat the search in that container.
  5. Continue until you locate the container with the TruSTAR files.
Make a note of the ID or name of the Docker container that holds the TruSTAR files for future reference.
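The manual search above can be scripted. The following is an added example, not code shipped by TruSTAR or IBM: it lists the running containers, checks each one's /store/log/ for a filename containing "trustar", and prints the first match. It assumes "sudo docker" works for the SSH user, that a POSIX sh exists inside each app container, and that the TruSTAR log filenames contain "trustar" as stated above. The DOCKER variable and the --find flag are conveniences of this script (the former lets you point it at a wrapper for offline testing), not QRadar options.

```shell
#!/bin/sh
# Added example (not TruSTAR's or IBM's code): walk the running QRadar app
# containers and report the one whose /store/log/ holds "trustar" files.
# Assumptions: "sudo docker" works for the SSH user, the TruSTAR log file
# names contain "trustar" (as the FAQ states), and a POSIX sh exists inside
# each container. DOCKER is a hypothetical override used to point the script
# at a wrapper (for example a fake for offline testing).
DOCKER="${DOCKER:-sudo docker}"

# Print the IDs of all running containers, one per line.
list_containers() {
  $DOCKER ps -q
}

# Succeed (exit 0) if container $1 has a file whose name contains "trustar"
# anywhere under /store/log/; a missing directory simply counts as "no".
has_trustar_files() {
  $DOCKER exec "$1" sh -c 'ls -R /store/log/ 2>/dev/null | grep -qi trustar'
}

# Print the ID of the first container holding TruSTAR files; exit 1 if none.
find_trustar_container() {
  for id in $(list_containers); do
    if has_trustar_files "$id"; then
      echo "$id"
      return 0
    fi
  done
  return 1
}

# Stand-alone use on the QRadar host: sh find_trustar_container.sh --find
case "${1:-}" in
  --find)
    if id=$(find_trustar_container); then
      echo "TruSTAR files are in container $id (logs under /store/log/)" >&2
      echo "Open a shell with: sudo docker exec -it $id /bin/bash" >&2
    else
      echo "No running container with TruSTAR files was found" >&2
      exit 1
    fi
    ;;
esac
```

Run it with --find on the QRadar host after SSHing in; it exits non-zero when no container matches, so it can also be used in a health check. The search is deliberately read-only (a directory listing inside each container) and does not touch the other apps' containers beyond that.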

Q. When I try to save the configuration with my API keys, I see this message ‘Fail: Unable to validate TruSTAR credentials’.

A. First confirm that you are using valid API keys from TruSTAR for that user profile. Finding Your API Keys

If the keys are valid, the failure may be caused by a firewall or URL filter that categorizes https://station.trustar.co as a threat and blocks it. Confirm that your URL filtering profile is not preventing any communication with TruSTAR's URL.

Q. My issue isn’t listed here. How do I collect data to work with TruSTAR support?

A. To begin the process of filing a support issue with TruSTAR, first download the App logs using this procedure: 

  1. Click System and License Management in the QRadar Admin Panel.
  2. Select the host on which the TruSTAR App is installed
  3. Click Actions in the top panel and select the Collect Log Files option. This opens the Log File Collection popup window. 
  4. Click Advanced Options
  5. Select these checkboxes:
  • Include Debug Logs
  • Include Application Extension Logs
  • Include Setup Logs (Current Version)
  6. Specify the number of days in the Collect Logs for This Many Days field. 
  7. Click Collect Log Files.
  8. Click Click here to download files. This downloads all the log files into a single zip on your local machine.

You can then contact TruSTAR support to create a support case. 

Known Issues

If the submitted event contains certain special characters, the event may not be submitted to TruSTAR. You can view the event submission log to check if an event has been submitted. 

