Hi Guys,
I have encountered an issue:
A Sentinel Incident was triggered without any associated event. Consequently, a SOAR case was created for this incident, but with 1 hour delay without any alert event.
Does anyone knows case of this issue?
Solved
Delay in ingesting Sentinel incident having no associated event
+6- Bronze 1
Best answer by Dmitry_Sarakeev
hi @VictorSOAR , please either create a gcp support ticket or enable connector log collection with the most detailed level (info) and try to repro the issue and see if there are errors.
It is unexpected to not have any events in soar's alerts for those sentinel incidents, it should at least have 1 event with most general info.
We have not seen such issues in our test lab, so we need either detailed connector logs or gcp ticket to investigate.
Im checking if we can add some additional information about this configuration in the docs.
Also please check if you are running latest official integration and connector versions.
+9Check the connector -> logs, if any errors, warnings.
Sometimes it could be the sentinel side delay for the records showing up in the API call.
Someone else also reported the same -> https://www.googlecloudcommunity.com/gc/SIEM-Forum/delay-in-case-creation-in-Chronicle-SOAR/m-p/839583#M2458
If the issues still there, please open a GCP support case to check. Another way to validate is to manually call the API to validate if anything in the API return.
+6- Bronze 1
Check the connector -> logs, if any errors, warnings.
Sometimes it could be the sentinel side delay for the records showing up in the API call.
Someone else also reported the same -> https://www.googlecloudcommunity.com/gc/SIEM-Forum/delay-in-case-creation-in-Chronicle-SOAR/m-p/839583#M2458
If the issues still there, please open a GCP support case to check. Another way to validate is to manually call the API to validate if anything in the API return.
Hi @hzmndt ,
Thanks for your response.
Is it possible that SOAR is waiting for Sentinel incident to populate event in the incident. Because, I observed that there was not event when incident was triggered in Sentinel. Also SOAR case has no alert event.
Is there any document available to refer on this?
+9hi @VictorSOAR , please either create a gcp support ticket or enable connector log collection with the most detailed level (info) and try to repro the issue and see if there are errors.
It is unexpected to not have any events in soar's alerts for those sentinel incidents, it should at least have 1 event with most general info.
We have not seen such issues in our test lab, so we need either detailed connector logs or gcp ticket to investigate.
Im checking if we can add some additional information about this configuration in the docs.
Also please check if you are running latest official integration and connector versions.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.