ibm_qradar: handle missing rules during offense enrichment#19444

Merged: efd6 merged 1 commit into elastic:main from efd6:s7263-ibm_qradar on Jun 9, 2026

Conversation

@efd6

@efd6 efd6 commented Jun 8, 2026

Contributor

Proposed commit message

ibm_qradar: handle missing rules during offense enrichment

The CEL program assumes every rule ID referenced by an offense exists
in the rules dictionary built from /api/analytics/rules. Anomaly
detection rules (ADE rules) live at a separate QRadar endpoint and
are not returned by the bulk rules endpoint. When an offense
references one of these rules, the dictionary lookup fails with
"no such key", causing the agent to go DEGRADED.

Guard the lookup with an existence check and pass through a minimal
rule object with the available fields when the rule is not in the
dictionary. Add a system test case with a rule ID absent from the
mock rules response.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
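The guarded lookup described in the commit message, modelled in Python over constructed sample data as an added illustration (this is not the integration's CEL program). The rule `type` values and the shape of the offense and rules records are assumptions, not taken from the page.

```python
# Added illustration of the offense-enrichment join that the PR guards.
# Constructed sample of a bulk /api/analytics/rules response. Only CRE rules
# appear here; ADE (anomaly detection) rules are served by a separate endpoint
# and are therefore absent, which is the case the fix has to handle.
BULK_RULES = [
    {"id": 100001, "name": "Excessive Firewall Denies", "type": "CRE_RULE"},
    {"id": 100002, "name": "Multiple Login Failures", "type": "CRE_RULE"},
]

# Constructed sample offense: references one rule present in the bulk
# response and one (ADE) rule that is not. Field names are assumptions.
OFFENSE = {
    "id": 42,
    "description": "Excessive Firewall Denies",
    "rules": [
        {"id": 100001, "type": "CRE_RULE"},
        {"id": 300001, "type": "ADE_RULE"},
    ],
}


def build_rules_dict(bulk_rules):
    """Key the bulk rules response by rule ID, as the CEL program does."""
    return {r["id"]: r for r in bulk_rules}


def enrich_unguarded(offense, rules):
    """Pre-fix behaviour: a missing key raises (CEL reports 'no such key')."""
    return [rules[r["id"]] for r in offense["rules"]]


def enrich_guarded(offense, rules):
    """Post-fix behaviour: existence check, minimal pass-through when absent.

    Returns the enriched rule list and the IDs that could not be resolved,
    so the gap stays visible to whoever reads the resulting events.
    """
    enriched, missing = [], []
    for ref in offense["rules"]:
        rule_id = ref["id"]
        if rule_id in rules:
            enriched.append(rules[rule_id])
        else:
            # Keep only the fields the offense itself carries for this rule.
            enriched.append({"id": rule_id, "type": ref["type"]})
            missing.append(rule_id)
    return enriched, missing
```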

@efd6 efd6 self-assigned this Jun 8, 2026
@efd6 efd6 added labels bugfix (Pull request that fixes a bug), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) and Integration:ibm_qradar (IBM QRadar) Jun 8, 2026
@efd6 efd6 force-pushed the s7263-ibm_qradar branch from dcda252 to e516aa7 Compare June 8, 2026 22:05
@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod


🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review June 8, 2026 22:46
@efd6 efd6 requested review from a team as code owners June 8, 2026 22:46
@infra-vault-gh-plugin-prod


Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 force-pushed the s7263-ibm_qradar branch from e516aa7 to a7f8d03 Compare June 8, 2026 22:52
@elastic-vault-github-plugin-prod


✅ All changelog entries have the correct PR link.

@elasticmachine


💚 Build Succeeded

History

cc @efd6

@efd6 efd6 merged commit 6e50c16 into elastic:main Jun 9, 2026
9 checks passed
@elastic-vault-github-plugin-prod


Package ibm_qradar - 1.1.1 containing this change is available at https://epr.elastic.co/package/ibm_qradar/1.1.1/
