From a7f8d0327b21ceb6cb91e74ca160414b01c297b3 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Tue, 9 Jun 2026 07:33:01 +0930
Subject: [PATCH] ibm_qradar: handle missing rules during offense enrichment

The CEL program assumes every rule ID referenced by an offense exists in the rules dictionary built from /api/analytics/rules. Anomaly detection rules (ADE rules) live at a separate QRadar endpoint and are not returned by the bulk rules endpoint. When an offense references one of these rules, the dictionary lookup fails with "no such key", causing the agent to go DEGRADED.

Guard the lookup with an existence check and pass through a minimal rule object with the available fields when the rule is not in the dictionary.

Add a system test case with a rule ID absent from the mock rules response.
---
 .../ibm_qradar/_dev/deploy/docker/files/config.yml | 4 ++++
 packages/ibm_qradar/changelog.yml | 5 +++++
 .../data_stream/offense/agent/stream/cel.yml.hbs | 11 +++++++----
 packages/ibm_qradar/manifest.yml | 2 +-
 4 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/packages/ibm_qradar/_dev/deploy/docker/files/config.yml b/packages/ibm_qradar/_dev/deploy/docker/files/config.yml
index b47ded11814..8f5ea2f08cc 100644
--- a/packages/ibm_qradar/_dev/deploy/docker/files/config.yml
+++ b/packages/ibm_qradar/_dev/deploy/docker/files/config.yml
@@ -23,6 +23,10 @@ rules:
 {
 "id": 100408,
 "type": "CRE_RULE"
+ },
+ {
+ "id": 187061,
+ "type": "CRE_RULE"
 }
 ],
 "event_count": 1,
diff --git a/packages/ibm_qradar/changelog.yml b/packages/ibm_qradar/changelog.yml
index bcafa1b0c37..400944ec862 100644
--- a/packages/ibm_qradar/changelog.yml
+++ b/packages/ibm_qradar/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.1"
+ changes:
+ - description: Handle offense rules not present in the rules dictionary during enrichment.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/19444
 - version: "1.1.0"
 changes:
 - description: Use new `release` field for agentless deployment mode to establish as beta.
diff --git a/packages/ibm_qradar/data_stream/offense/agent/stream/cel.yml.hbs b/packages/ibm_qradar/data_stream/offense/agent/stream/cel.yml.hbs
index c73a6227dd3..58da908a8d2 100644
--- a/packages/ibm_qradar/data_stream/offense/agent/stream/cel.yml.hbs
+++ b/packages/ibm_qradar/data_stream/offense/agent/stream/cel.yml.hbs
@@ -117,10 +117,13 @@ program: |
 "message": offense.with({
 ?"rules": (has(offense.rules) && offense.rules != null)
 ? optional.of(offense.rules.map(rule,
- state.rules_dict[string(rule.id)].with({
- "rule_type": state.rules_dict[string(rule.id)].type,
- "type": rule.type
- })
+ rule.id in state.rules_dict ?
+ state.rules_dict[rule.id].with({
+ "rule_type": state.rules_dict[rule.id].type,
+ "type": rule.type
+ })
+ :
+ {"id": rule.id, "type": rule.type}
 ))
 : optional.none()
diff --git a/packages/ibm_qradar/manifest.yml b/packages/ibm_qradar/manifest.yml
index 2f4834d23c3..1adebf34474 100644
--- a/packages/ibm_qradar/manifest.yml
+++ b/packages/ibm_qradar/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: ibm_qradar
 title: IBM QRadar
-version: 1.1.0
+version: 1.1.1
 description: Collect logs from IBM QRadar with Elastic Agent.
 type: integration
 categories:
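Review bot: The new membership check and both lookups in the cel.yml.hbs hunk key `state.rules_dict` by the raw `rule.id`, whereas the removed lines keyed it by `string(rule.id)`; if the dictionary is keyed by string ids, as the old code suggests (state persisted between evaluations typically round-trips through JSON, where map keys are strings), `rule.id in state.rules_dict` is never true and every rule silently takes the minimal fallback, so the change would mask a loss of enrichment instead of the error it sets out to fix. Keep the conversion on all three sites: `string(rule.id) in state.rules_dict ?`, `state.rules_dict[string(rule.id)].with({` and `"rule_type": state.rules_dict[string(rule.id)].type,`. It would also be worth having the system test expectation assert that the rule present in the mock response (id 100408) still carries `rule_type`, since an always-false membership check would otherwise pass the test that only exercises the missing-rule path. The enclosing `program: |` block starts and ends outside the hunk, so how `rules_dict` is built cannot be confirmed from here.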