Every platform experiences problems. It’s an unfortunate fact of life. Even the XSOAR engine acts up from time to time. Worse: these errors might not seem overly complex at first, but some have the potential to take up a fair bit of your time in finding solutions.
In the post below, we outline some of the common issues we’ve come across among our XSOAR users. These are the day-to-day problems a user might face while using the Cortex XSOAR engine for security-based activities. Hopefully these solution snippets come in handy and save you time when troubleshooting.
A little bit about us before we get started: Metron Security is a SOAR technology development partner. We’ve built custom applications and integrations for several leading digital security companies, including MSSPs (managed security service providers).
Issue 1 : The XSOAR Engine is disconnected
When this happens, you will probably see an error like the below:
- Log in to the VPN, then SSH to the jump server machine:
ssh admin@IPaddress (enter the password when prompted)
- Check the "d1" process:
systemctl status d1
- Restart the "d1" process:
sudo systemctl restart d1
- Monitor the engine logs:
sudo tail -f /var/log/demisto/d1.log
This restart will then reset the communication between the engine and the XSOAR server and you should be able to perform your tasks again.
Issue 2 : The XSOAR Engine is connected but the “test” button is not responding
Another common one. You might see something like this (see the bottom of the image):
Test button is frozen / not responding
Same as Issue 1: a restart of the d1 service will typically re-establish the communication.
Issue 3 : The engine is connected, but the integration is timing out
In this case the warning will probably look something like this:
First, run these two pre-checks before moving to the solution below:
- Make sure the Engine is connected properly
- Check the connectivity to the Target host from the server where the XSOAR engine is installed.
If the above prerequisites are satisfied then it means that the engine is connected.
If the engine is connected but you still see the error shown in the screenshot, the server where the engine is installed can reach the target host, but the Docker container on that server cannot. Make sure the ping/connection also works from within the Docker container, not only from the server itself. Always set docker0 to promiscuous mode; this will resolve the issue:
sudo ip link set docker0 promisc on
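The Issue 3 pre-checks and the docker0 check can be run as one triage script. This is an added example, not code from the original post; the three arguments (target host, target port, and a probe image that contains python3) and the verdict labels are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): triage for Issue 3.
# Usage: ./triage.sh TARGET_HOST TARGET_PORT PROBE_IMAGE
# PROBE_IMAGE is an assumption: the Docker image your integration runs in;
# it must contain python3 for the in-container probe.

# Report "on"/"off" from the flags field of `ip -o link show docker0` output,
# e.g. (constructed) "4: docker0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 ..."
promisc_state() (
  flags=${1#*<}; flags=${flags%%>*}
  case ",$flags," in *,PROMISC,*) echo on ;; *) echo off ;; esac
)

# Map the four observations to the issue they point at.
# Args: d1 state (systemctl is-active), host probe rc, container probe rc, promisc
classify() {
  if [ "$1" != active ]; then echo "engine-down: restart d1 (Issue 1)"
  elif [ "$2" -ne 0 ]; then echo "host-unreachable: engine host cannot reach target"
  elif [ "$3" -eq 0 ]; then echo "ok: target reachable from host and container"
  elif [ "$4" = off ]; then echo "docker-bridge: run 'sudo ip link set docker0 promisc on'"
  else echo "docker-other: docker0 already promiscuous, check container networking"
  fi
}

# TCP connect test from the engine host (bash /dev/tcp, 5 s timeout).
probe_host() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Same TCP connect test from inside a container on the default bridge.
probe_container() {
  docker run --rm "$3" python3 -c \
    'import socket,sys; socket.create_connection((sys.argv[1], int(sys.argv[2])), 5)' \
    "$1" "$2" >/dev/null 2>&1
}

main() {
  d1=$(systemctl is-active d1 2>/dev/null)
  probe_host "$1" "$2"; host_rc=$?
  probe_container "$1" "$2" "$3"; ctr_rc=$?
  promisc=$(promisc_state "$(ip -o link show docker0 2>/dev/null)")
  classify "$d1" "$host_rc" "$ctr_rc" "$promisc"
}

# Run the live checks only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

A flag set with `ip link set` lasts only until the interface is recreated or the host reboots, so re-run the triage after a reboot of the engine host.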
Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Metron has delivered automation solutions for over 150 security applications along with several hundred custom automation solutions.