
Troubleshooting and Known Limitations

In This Section:

Troubleshooting

Limitations

Troubleshooting

Authentication Failure

  1. Check the network connectivity and verify that all the dependencies mentioned for your deployment are installed.
  2. Run the “ping <server>” command in a terminal or command prompt to make sure that the destination server is reachable.
  3. Make sure that the details provided for the authentication mechanism are correct.

Adaptive Response Action Failure:

There can be multiple reasons for failure:

To get more details about the failure, view the checkpoint_upload_ioc_modalert.log file located in $SPLUNK_HOME/var/log/splunk, or run this search: index=cim_modactions sourcetype=modular_alerts:checkpoint_upload_ioc

Missing Record in CSV File:

The app uses the KV Store to maintain the indicators and their metadata. When the action is executed, all the records are fetched from the KV Store and the CSV file is created from that data.

The default maximum size of the result that can be fetched in a single query is 50 MB. If your data is larger than that, create a limits.conf file in the $SPLUNK_HOME/etc/system/local directory with the following contents and save it:

[kvstore]
# provide value in MB according to the volume of your data
max_size_per_result_mb = 100
# provide max number of rows returned per single query
max_rows_per_query = 80000

For more information, refer to the “[kvstore]” section of Splunk's limits.conf documentation.

Alert Action Terminates after Some Time:

If the alert action is aborted, you can increase the timeout of the action.

Create $SPLUNK_HOME/etc/apps/TA-checkpoint_response/local/alert_actions.conf and paste the contents below:

[checkpoint_upload_ioc]
# maximum amount of time that the execution of an action is allowed
# use the d (days), h (hours), m (minutes) or s (seconds) suffix to define the period of time
maxtime = 10m
# specify the timeout for the file transfer in seconds
param.timeout = 600

Slow Performance Due to Huge Amount of Data:

If there is a large number of indicators, you can increase the number of indicators processed in a single API call. The default limit is 1000 records.

To increase the default limit, create (or extend) the limits.conf file described above with the following [kvstore] settings:

[kvstore]
# provide max number of queries that can be run in one batch
max_queries_per_batch = 2000
# provide max number of documents that can be saved in one batch
max_documents_per_batch_save = 2000

Note - Provide a valid positive integer. Do not provide too large a value, as it may result in API call failure.
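The three procedures above each write a handful of numeric settings into Splunk .conf files, and the note warns that an invalid or oversized value breaks the API call. The following script, added here as an example and not part of the Check Point app or of Splunk, parses Splunk-style .conf text and checks those exact settings before you deploy them: the [kvstore] values and param.timeout must be positive integers, maxtime must use the d/h/m/s suffix form, and param.timeout should not exceed maxtime (that last rule, and the sanity ceilings in INT_SETTINGS, are this example's own assumptions, not documented Splunk limits). The sample conf texts are constructed from the values on this page.

```python
"""Validate the limits.conf / alert_actions.conf settings used to tune the
checkpoint_upload_ioc alert action.

Added example, not Check Point's or Splunk's own code. The sanity ceilings
and the "param.timeout must fit inside maxtime" rule are assumptions.
"""
import configparser
import re

# Settings from the page that must be positive integers, each with an assumed
# sanity ceiling (the page only says "do not provide too large a value").
INT_SETTINGS = {
    ("kvstore", "max_size_per_result_mb"): 1024,
    ("kvstore", "max_rows_per_query"): 1_000_000,
    ("kvstore", "max_queries_per_batch"): 10_000,
    ("kvstore", "max_documents_per_batch_save"): 10_000,
    ("checkpoint_upload_ioc", "param.timeout"): 3600,
}

_DURATION = re.compile(r"^(\d+)([dhms])$")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_maxtime(value):
    """Convert an alert_actions.conf maxtime such as '10m' to seconds.

    Returns None when the value does not use the <int><d|h|m|s> form.
    """
    m = _DURATION.match(value.strip())
    if not m:
        return None
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def load_conf(text):
    """Parse Splunk .conf text (INI-like; '#' starts a comment line)."""
    cp = configparser.ConfigParser(comment_prefixes=("#", ";"), interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive, as Splunk does
    cp.read_string(text)
    return cp


def validate(text):
    """Return a list of problems found in the conf text (empty list means OK)."""
    cp = load_conf(text)
    problems = []
    for (stanza, key), ceiling in INT_SETTINGS.items():
        if not cp.has_option(stanza, key):
            continue
        raw = cp.get(stanza, key).strip()
        if not raw.isdigit() or int(raw) <= 0:
            problems.append(f"[{stanza}] {key}={raw!r}: must be a positive integer")
        elif int(raw) > ceiling:
            problems.append(f"[{stanza}] {key}={raw}: above assumed sanity ceiling {ceiling}")
    if cp.has_option("checkpoint_upload_ioc", "maxtime"):
        raw = cp.get("checkpoint_upload_ioc", "maxtime")
        secs = parse_maxtime(raw)
        if secs is None:
            problems.append(f"[checkpoint_upload_ioc] maxtime={raw!r}: use <int><d|h|m|s>")
        elif cp.has_option("checkpoint_upload_ioc", "param.timeout"):
            t = cp.get("checkpoint_upload_ioc", "param.timeout").strip()
            # Assumption: the file-transfer timeout should fit inside the
            # action's maxtime, otherwise maxtime aborts the action first.
            if t.isdigit() and int(t) > secs:
                problems.append(
                    f"[checkpoint_upload_ioc] param.timeout={t}s exceeds maxtime ({secs}s)")
    return problems


# Constructed sample conf texts built from the values shown on this page.
GOOD_LIMITS = """[kvstore]
# provide value in MB according to the volume of your data
max_size_per_result_mb = 100
max_rows_per_query = 80000
max_queries_per_batch = 2000
max_documents_per_batch_save = 2000
"""

GOOD_ALERT = """[checkpoint_upload_ioc]
maxtime = 10m
param.timeout = 600
"""

# Constructed faulty variants: a negative row count, an oversized batch size,
# and a transfer timeout longer than the action is allowed to run.
BAD_LIMITS = """[kvstore]
max_rows_per_query = -5
max_queries_per_batch = 99999999
"""

BAD_ALERT = """[checkpoint_upload_ioc]
maxtime = 5m
param.timeout = 600
"""

if __name__ == "__main__":
    for name, text in [("limits.conf", GOOD_LIMITS), ("alert_actions.conf", GOOD_ALERT),
                       ("bad limits.conf", BAD_LIMITS), ("bad alert_actions.conf", BAD_ALERT)]:
        print(name, "->", validate(text) or "OK")
```

Because both limits.conf procedures on this page add settings to the same [kvstore] stanza, keep them in one stanza in one file; configparser is strict about duplicate stanza headers, so the validator will also flag a file that repeats [kvstore].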

Limitations