Cortex XSOAR: Common Troubleshooting Tips and Suggestions

In this post we detail a few of the common ways you can troubleshoot issues with your Cortex XSOAR application.

Issues with current version (such as after upgrading your Pack)

When you begin experiencing issues that you hadn't previously seen, it could mean that there is something amiss with your latest pack upgrade (provided you recently changed versions). In this case, choosing to revert to a previous version can often eliminate the issues.

You can do so by navigating to the following path in your dashboard:

Installed Content Packs > Pack Name > Version History

Once there, select a previous version from the list and select the "Revert to this version" button.

SSL/TLS and Certificate Validation Error Troubleshooting

Certificate errors typically arise when a server presents a certificate that is not trusted by the Cortex XSOAR host, or when a proxy performs SSL termination and re-signs the connection with its own certificate.

Note: Most integrations have a "Trust any certificate" setting that bypasses validation. Enabling it temporarily lets you confirm whether the error is caused by certificate validation before performing deeper troubleshooting.

As part of the Cortex XSOAR Troubleshoot Pack, the Certificates Troubleshoot Automation is your main entry point to retrieving and decoding certificates. This can also be used to retrieve, decode, and validate certificates deployed in the Docker containers.
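The following added example (not part of the original post or of the Cortex XSOAR Troubleshoot Pack) shows the kind of check a certificate troubleshoot step performs: connect with validation left on, decode the certificate, and, if validation fails, map the failure to the fix it points at rather than falling back to trusting any certificate. The function names (check_tls_endpoint, classify_tls_failure, days_until_expiry) and the remediation hints are assumptions for this example.

```python
"""Retrieve and decode a server's TLS certificate with validation enabled,
and explain validation failures. Example code; names are hypothetical."""
import socket
import ssl
import time
from typing import Optional

# OpenSSL-style verify messages mapped to the usual remediation (assumed hints).
_HINTS = {
    "self signed certificate": "server uses a self-signed cert; add it to the CA bundle instead of disabling validation",
    "unable to get local issuer certificate": "issuing CA (or the CA of a proxy doing SSL termination) is not trusted; import the CA chain",
    "certificate has expired": "server certificate has expired; renew it on the server",
    "hostname mismatch": "the URL's hostname is not in the certificate's SAN; check the URL or the certificate",
}

def classify_tls_failure(message: str) -> str:
    """Return a remediation hint for an SSLCertVerificationError message."""
    low = message.lower().replace("-", " ")  # 'self-signed' vs 'self signed' across OpenSSL versions
    for needle, hint in _HINTS.items():
        if needle in low:
            return hint
    return "unrecognised validation failure; inspect the decoded certificate"

def days_until_expiry(cert: dict, now: Optional[float] = None) -> int:
    """Whole days left on a cert dict as returned by SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def check_tls_endpoint(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Connect using the default trust store (or the given CA bundle) and
    return the decoded certificate, or the failure plus a remediation hint."""
    ctx = ssl.create_default_context(cafile=cafile)  # validation stays ON
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {
            "ok": True,
            "subject": dict(rdn[0] for rdn in cert["subject"]),
            "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            "days_left": days_until_expiry(cert),
        }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": str(exc), "hint": classify_tls_failure(str(exc))}
```

Run check_tls_endpoint against the integration's host from the Cortex XSOAR server (or inside the netutils container) to see whether the server's chain validates from where the integration actually runs.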

Network Troubleshooting

Cortex XSOAR integrations and automations use two main types of networking:

  • Host Based Networking - primarily for integrations that use the networking stack of the host machine/server.
  • Docker Based Networking - primarily for integrations written in Python or PowerShell.

Host Based Troubleshooting

Both Host and Docker based integrations that talk to HTTP endpoints can be tested with curl, either from the host's command prompt or from within a Docker container.

To do so, log into the server via SSH and run the following command format:

docker run -it --rm demisto/netutils:1.0.0.6138 curl <curl parameters>

Should curl fail within Docker, run the same command directly on the host machine without Docker. If it succeeds there, the problem is specific to Docker networking (for example, a proxy or DNS setting not reaching the container) rather than to the host's connectivity.

Resolving Fetch Incidents

For Cortex XSOAR versions 6.8 and above, the Fetch History feature can be used to view recent fetch results. To access it, select the "history" icon next to the settings for the Integration Instance. This opens a pop-up containing records with the following fields:

  • Pulled At - the date and time stamp at which the fetch was completed.
  • Duration - the amount of time the fetch took to complete.
  • Last Run - the content of the last run object.
  • Message - displays "Completed" if there were no issues or nothing was pulled. If there was an error, it lists the details.
  • Source IDs - when available, this field displays the incident IDs that were fetched.

General Debugging and Entering into Debug Mode

Python integrations and automation scripts can be run from Cortex XSOAR while in debug mode. This mode can be activated while in the XSOAR CLI.

You can re-run the command that caused the issue by appending debug-mode=true to its arguments.

For example:

!ad-search filter="(cn=Guest)" debug-mode=true

This produces an additional log file that may contain the details of your error.

Metron Labs is a Palo Alto Networks XSOAR Development partner. Metron builds certified XSOAR applications/integrations, publishes them in the Cortex Marketplace, and maintains the integrations through upgrades as well. In addition, Metron designs custom XSOAR playbooks.

If you are considering an XSOAR Development Partner that focuses on building a certified XSOAR application and maintaining your XSOAR playbooks, please send a note to connect@metronlabs.com.