This page captures lessons learned and unique scenarios experienced by our PS team working with clients that have QRadar.
Situation: Installed, working QRadar Integration App stops downloading new risklists
Symptoms: Regular API usage drops off; a detailed look at the logs shows that risklists have stopped downloading regularly. Note: from the user's perspective the integration app may look fine, since the reference sets are still there. However, they are no longer being refreshed, and this is hard to tell without looking at the API logs.
Causes: Any QRadar upgrade to v7.3.x. This platform upgrade causes an issue with our integration app: once it blocks the download, the app is not able to reset, and no warning is raised.
Remediation: Uninstall our QRadar app and do a clean install. Confirm it is working afterwards by checking the API usage logs. Be sure that the Recorded Future QRadar integration app is version 2.1+ (see https://exchange.xforce.ibmcloud.com/hub/extension/678cc5f9402c78072888353d2be45da0)