XSOAR Debugging Solutions for Common Problems [Part 1]


Every platform experiences problems. It’s an unfortunate fact of life. Even the XSOAR engine acts up from time to time. Worse: these errors might not seem overly complex at first, but some have the potential to take up a fair bit of your time in finding solutions.

In the post below, we have outlined some of the common issues we’ve come across among our XSOAR users. These are the day-to-day problems that a user might face while using the XSOAR Cortex engine for security-based activities. Hopefully, these solution snippets will come in handy and save you time when troubleshooting.

A little bit about us before we get started: Metron Security is a SOAR technology development partner. We’ve built custom applications and integrations for several leading digital security companies, including MSSPs (managed security service providers).

Issue 1: The XSOAR Engine is disconnected

When this happens, you will probably see an error like the one below:

Solution:

  • Log in to the VPN, then SSH to the Jump Server machine (enter the password when prompted):

ssh admin@IPaddress

  • Check the status of the "d1" service:

systemctl status d1

  • Restart the "d1" service:

sudo systemctl restart d1

  • Monitor engine logs:

sudo tail -f /var/log/demisto/d1.log

The restart resets the communication between the engine and the XSOAR server, and you should be able to perform your tasks again.

Issue 2: The XSOAR Engine is connected but the “test” button is not responding

Another common one. You might see something like this (see at the bottom of the image):

The test button is frozen / not responding

Solution:

Same as Issue 1. A restart of the d1 service will typically re-establish the communication.

Issue 3: The engine is connected, but the integration is timing out

In this case, the warning will probably look something like this:

Solution:

First, run these two pre-checks before moving to the solution:

  1. Make sure the engine is connected properly.
  2. Check the connectivity to the target host from the server where the XSOAR engine is installed.

If both pre-checks pass, the engine is connected.

If the engine is connected but you still see the error shown in the screenshot, the target is reachable from the engine's server but not from within the Docker container. To confirm this, make sure the ping/connection also works from within the Docker container. Always set docker0 to promiscuous mode; this will resolve the issue:

sudo ip link set docker0 promisc on
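
The Issue 3 checks as one script, added here as an example and not taken from the original post or from XSOAR's own tooling: it compares reachability from the engine host with reachability from inside a container and reports whether docker0 carries the PROMISC flag. The `busybox` image, the `IMAGE` variable, the script name and the verdict strings are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): tells the two Issue 3 pre-checks
# apart from the in-container failure and reports docker0's PROMISC flag.

# Constructed sample lines in `ip -o link show docker0` format, for offline use.
SAMPLE_PROMISC_OFF='3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN'
SAMPLE_PROMISC_ON='3: docker0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Succeeds if the link line on stdin carries PROMISC as a whole flag in <...>.
has_promisc() {
  grep -Eq '<([^,>]+,)*PROMISC(,[^,>]+)*>'
}

# Args: host_rc container_rc promisc_rc (0 = check passed). Prints a verdict.
diagnose() {
  if [ "$1" -ne 0 ]; then
    echo "host-unreachable"               # pre-check 2 fails; not a Docker issue
  elif [ "$2" -eq 0 ]; then
    echo "ok"                             # container reaches the target
  elif [ "$3" -ne 0 ]; then
    echo "container-blocked-promisc-off"  # the case this section's fix targets
  else
    echo "container-blocked-promisc-on"   # fix already applied; cause is elsewhere
  fi
}

# Live checks on the engine host. IMAGE is an assumption: any image with `ping`.
run_checks() {
  target="$1"; image="${IMAGE:-busybox}"
  host_rc=0; container_rc=0; promisc_rc=0
  ping -c 2 -W 2 "$target" >/dev/null 2>&1 || host_rc=$?
  docker run --rm "$image" ping -c 2 -W 2 "$target" >/dev/null 2>&1 || container_rc=$?
  ip -o link show docker0 | has_promisc || promisc_rc=$?
  verdict="$(diagnose "$host_rc" "$container_rc" "$promisc_rc")"
  echo "host=$host_rc container=$container_rc promisc=$promisc_rc -> $verdict"
  if [ "$verdict" = "container-blocked-promisc-off" ]; then
    echo "next step from the post: sudo ip link set docker0 promisc on"
  fi
}

# Run live only when a target host is given: ./check_engine_net.sh <target-host>
if [ "$#" -gt 0 ]; then
  run_checks "$1"
fi
```

Run it on the server where the XSOAR engine is installed, with the integration's target host as the only argument and with enough privileges to start a container.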

Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Metron has delivered automation solutions for over 200 security applications along with several hundred custom automation solutions.

Metron Security is an XSOAR technology development partner. For more information contact us at connect@metronlabs.com