- Why are received events truncated?
The app forwards events to QRadar over UDP, and QRadar truncates any UDP payload that is longer than its configured maximum payload length. You can raise that limit in the QRadar system settings, but there is still a hard maximum, so events larger than it will still be cut off.
For more information, refer to the following QRadar articles:
- Which token should I use?
In the QRadar app configuration page there are two different types of token:
- Authentication Token - This token is copied from the Trend Vision One portal.
- QRadar Authentication Token - This token is copied from QRadar (Admin tab > User Management > Authorized Services).
- How do I collect QRadar app debug logs?
In the QRadar portal navigate to Admin tab > Trend Micro Vision One for QRadar (XDR) > Trend Micro Vision One for QRadar (XDR) Settings. When the page is loaded, click Download debug logs on the lower left corner.
- Why are there delays in received OAT/workbench logs?
A delay shows up as a detection time that is much earlier than the time the event was sent. QRadar's processing resources are limited, so a large volume of data causes a backlog, and the volume of OAT events at or below the medium risk level is very large.
If you want to avoid delays, choose a higher minimum risk level so that only high-priority OAT events are forwarded.
- Why is QRadar not able to receive OAT/workbench?
Below are some causes for this issue:
- There is a network issue. Check if QRadar can connect to Trend Vision One properly.
- The customer does not have any events at all on the Trend Vision One portal.
- The token has expired. Check if the token used in QRadar can access Trend Vision One.
If the debug logs do not show errors, send a test UDP message to the configured QRadar destination: a packet may have been dropped on the way, or the destination (host or port) the app sends events to may be wrong.
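The following is an added example, not code from the Vision One app or from QRadar, that serves the truncation question above and the "send a test UDP" step here. It plays both sides of the UDP hop on loopback: a sender that emits one syslog-style datagram, and a receiver that reads it with a fixed buffer the way a collector with a maximum payload length does. The 1024-byte limit, the syslog prefix and the event bodies are all assumptions constructed for the demonstration; check the payload length configured on your own QRadar.

```python
import json
import socket

# Assumed limit for this demonstration only: check the UDP syslog payload
# length configured in your QRadar system settings.
MAX_UDP_PAYLOAD = 1024


def send_test_udp(host, port, message):
    """Send one syslog-style datagram, the 'send a test UDP' step in the FAQ.
    Returns the number of bytes handed to the socket."""
    data = message.encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(data, (host, port))
    return len(data)


def receive_one(rx, max_payload):
    """Read one datagram with a fixed buffer, the way a collector that enforces
    a maximum payload length does: bytes beyond max_payload are discarded."""
    data, _ = rx.recvfrom(max_payload)
    return data.decode(errors="replace")


def roundtrip(message, max_payload=MAX_UDP_PAYLOAD):
    """Stand-in for the app -> QRadar hop, entirely on loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))   # ephemeral port plays the event collector
        rx.settimeout(2)
        port = rx.getsockname()[1]
        sent = send_test_udp("127.0.0.1", port, message)
        received = receive_one(rx, max_payload)
    return sent, received


def looks_truncated(received):
    """A truncated event is JSON cut mid-document: it no longer parses."""
    body = received.split(": ", 1)[-1]   # drop the constructed syslog prefix
    try:
        json.loads(body)
        return False
    except json.JSONDecodeError:
        return True


# Constructed events (not real Vision One output): one small, one well over the limit.
PREFIX = "<13>qradar-app TrendVisionOne: "
SMALL_EVENT = PREFIX + json.dumps({"eventName": "test", "riskLevel": "high"})
LARGE_EVENT = PREFIX + json.dumps({"eventName": "test", "detail": "x" * 3000})

if __name__ == "__main__":
    for event in (SMALL_EVENT, LARGE_EVENT):
        sent, got = roundtrip(event)
        print(f"sent {sent} bytes, received {len(got.encode())} bytes, "
              f"truncated={looks_truncated(got)}")
```

When the send succeeds on loopback but the real QRadar never shows the event, the problem is on the path or in the destination host/port, not in the app's event generation; when the event arrives but fails to parse, compare its received length with the configured payload limit.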
- Why does QRadar not perform SRC/DST IP mapping in QRadar DSM?
Some IP information, such as the endpoint IP, is already present in the payload that QRadar receives. The Source IP related fields are not displayed correctly because the DSM mapping for them has not been done.
Source IP is a QRadar system property. We have not found a valid way to overwrite QRadar system properties (like "Source IP") through the QRadar app's install or upgrade process, so the mapping has to be added manually as custom event properties that override the system property. The event detail is escaped JSON, so each expression matches a literal backslash in front of the quotes. Below are sample regex values for testing:
- Source IP (IP Address | Override):
Expression: ips\\\":\s\[.*?\\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\\"
Format String: $1
- Destination IP (IP Address | Override):
Expression: dst\\".*?value\\":\s\[.*?\\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
Format String: $1
- Source Port (Port | Override):
Expression: spt\\".*?value\\":\s(([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))}
Format String: $1
- Destination Port (Port | Override):
Expression: dpt\\".*?value\\":\s(([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))}
Format String: $1
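The following is an added example, not code from the app or from QRadar, that exercises the custom property expressions above against a constructed payload before you paste them into QRadar. QRadar evaluates the expressions with Java regex; the syntax they use is shared with Python's re, so the same strings run offline here. The sample syslog line and its field layout are assumptions built for the demonstration (the real event format is not shown on this page), the port alternation is written as 6[0-4]\d{3} so that it only accepts 0 to 65535, and the tightened Source IP pattern is this editor's suggestion for the case where the endpoint's ips array holds no IPv4 address.

```python
import re

# Custom event property patterns from the FAQ above. The port alternation
# uses "6[0-4]\d{3}" for 60000-64999; "\d{4}" there would also accept
# six-digit numbers such as 600000.
IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
PORT = r"([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])"

PROPERTIES = {
    "Source IP":        re.compile(r'ips\\":\s\[.*?\\"' + IPV4 + r'\\"'),
    "Destination IP":   re.compile(r'dst\\".*?value\\":\s\[.*?\\"' + IPV4),
    "Source Port":      re.compile(r'spt\\".*?value\\":\s' + PORT + r"}"),
    "Destination Port": re.compile(r'dpt\\".*?value\\":\s' + PORT + r"}"),
}

# Tightened Source IP pattern (this editor's suggestion, not from the FAQ):
# "[^\]]*?" instead of ".*?" keeps the search inside the "ips" array, so an
# endpoint with only IPv6 addresses yields no value instead of borrowing an
# IPv4 address from a later field such as dst.
TIGHT_SOURCE_IP = re.compile(r'ips\\":\s\[[^\]]*?\\"' + IPV4 + r'\\"')

# Constructed sample payload, not a real Vision One event. The event detail is
# a JSON document embedded as an escaped string, which is why every pattern
# expects a literal backslash in front of each quote.
SAMPLE = (
    r'<13>Jan 01 00:00:00 qradar-app TrendVisionOne: {"detail": "{'
    r'\"endpoint\":{\"ips\": [\"10.20.30.40\"]},'
    r'\"dst\":{\"value\": [\"203.0.113.7\"]},'
    r'\"spt\":{\"value\": 51234},'
    r'\"dpt\":{\"value\": 443}}"}'
)
# Same event, but the endpoint reports only an IPv6 address.
SAMPLE_IPV6_ONLY = SAMPLE.replace(r'[\"10.20.30.40\"]', r'[\"fe80::1\"]')


def extract(payload, props=PROPERTIES):
    """Apply each property expression; Format String "$1" is group(1) here."""
    result = {}
    for name, rx in props.items():
        m = rx.search(payload)
        result[name] = m.group(1) if m else None
    return result


def is_valid_port(text):
    """True when the port alternation accepts text as a whole port number."""
    return re.fullmatch(PORT, text) is not None


if __name__ == "__main__":
    print(extract(SAMPLE))
    # With the FAQ pattern, Source IP silently becomes the destination IP here.
    print(extract(SAMPLE_IPV6_ONLY))
    print(extract(SAMPLE_IPV6_ONLY, {**PROPERTIES, "Source IP": TIGHT_SOURCE_IP}))
```

The unbounded .*? in the Source IP expression is the part to watch: on an IPv6-only endpoint it scans forward to the next quoted IPv4 anywhere in the line, which in this sample is the destination address, so an offense built on Source IP would point at the wrong host. Run your own captured payloads through extract() before enabling the override.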