https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-incident-in-qradar/m-p/598058#M3616 <P>Hi Team,</P> <P>&nbsp;</P> <P><SPAN>We are encountering a connection timeout issue when attempting to create incidents in Cortex XSOAR using a custom QRadar integration. Based on our observations, we suspect this issue is due to low IOPS on XSOAR, as low as 100, despite the IOPS being allocated as unlimited from the VM Console. We believe the low IOPS are causing delays in writing data to storage, which leads to late incident creation.</SPAN><BR /><BR /><SPAN>Environment Details:</SPAN><BR /><BR /><SPAN>Cortex XSOAR Version: [6.12 Build 857430]</SPAN><BR /><SPAN>Host OS: Red Hat Enterprise Linux 8.8 (Ootpa)</SPAN><BR /><SPAN>XSOAR Host Specs:</SPAN><BR /><SPAN>CPU: 16 cores</SPAN><BR /><SPAN>Memory: 128 GB</SPAN><BR /><SPAN>Storage: 2.2 TB SSD</SPAN><BR /><SPAN>Allocated IOPS: Unlimited (as per VM console)</SPAN><BR /><BR /><SPAN>Symptoms:</SPAN><BR /><SPAN>Connection timeout when creating incidents.</SPAN><BR /><SPAN>Incident creation delayed significantly.</SPAN><BR /><BR /><SPAN>Host Utilization (from CLI):</SPAN><BR /><BR /><SPAN>CPU Usage (top):</SPAN><BR /><BR /><SPAN>top - 18:40:08 up 8 min, 1 user, load average: 3.35, 1.94, 0.91</SPAN><BR /><SPAN>Tasks: 390 total, 1 running, 389 sleeping, 0 stopped, 0 zombie</SPAN><BR /><SPAN>%Cpu(s): 5.2 us, 0.9 sy, 0.0 ni, 78.4 id, 15.4 wa, 0.1 hi, 0.1 si, 0.0 st</SPAN><BR /><BR /><SPAN>RAM Usage (free -m):</SPAN><BR /><BR /><SPAN>Mem: 128397 MB total, 112759 MB free, 9416 MB used, 6221 MB buff/cache</SPAN><BR /><BR /><SPAN>Storage Usage (df -h):</SPAN><BR /><BR /><SPAN>Filesystem Size Used Avail Use% Mounted on</SPAN><BR /><SPAN>/dev/mapper/rhel-var 2.0T 499G 1.5T 25% /var</SPAN><BR /><BR /><SPAN>However, XSOAR app reports different numbers:</SPAN><BR /><BR /><SPAN>CPU Usage (XSOAR Console): 96.39%</SPAN><BR /><SPAN>Memory Usage (XSOAR Console): 8.48%</SPAN><BR /><SPAN>Storage Usage (XSOAR Console): 405.099 GB</SPAN><BR /><BR /><SPAN>We are not able to correlate these numbers with what is observed from the CLI. We’ve already checked the IOPS and confirmed it is set to unlimited from the VM console, and storage space seems sufficient.</SPAN><BR /><BR /><SPAN>Request: Could you please help us:</SPAN><BR /><BR /><SPAN>1. Confirm whether the low IOPS could be the root cause of the connection timeout and delayed incident creation.</SPAN><BR /><SPAN>2. Understand why there discrepancy between the host utilization as reported by the XSOAR app and what is seen on the host CLI.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any suggestions and action plan urgently.</SPAN></P> Wed, 18 Sep 2024 00:10:55 GMT assubramania 2024-09-18T00:10:55Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-incident-in-qradar/m-p/598058#M3616 <P>Hi Team,</P> <P>&nbsp;</P> <P><SPAN>We are encountering a connection timeout issue when attempting to create incidents in Cortex XSOAR using a custom QRadar integration. Based on our observations, we suspect this issue is due to low IOPS on XSOAR, as low as 100, despite the IOPS being allocated as unlimited from the VM Console. We believe the low IOPS are causing delays in writing data to storage, which leads to late incident creation.</SPAN><BR /><BR /><SPAN>Environment Details:</SPAN><BR /><BR /><SPAN>Cortex XSOAR Version: [6.12 Build 857430]</SPAN><BR /><SPAN>Host OS: Red Hat Enterprise Linux 8.8 (Ootpa)</SPAN><BR /><SPAN>XSOAR Host Specs:</SPAN><BR /><SPAN>CPU: 16 cores</SPAN><BR /><SPAN>Memory: 128 GB</SPAN><BR /><SPAN>Storage: 2.2 TB SSD</SPAN><BR /><SPAN>Allocated IOPS: Unlimited (as per VM console)</SPAN><BR /><BR /><SPAN>Symptoms:</SPAN><BR /><SPAN>Connection timeout when creating incidents.</SPAN><BR /><SPAN>Incident creation delayed significantly.</SPAN><BR /><BR /><SPAN>Host Utilization (from CLI):</SPAN><BR /><BR /><SPAN>CPU Usage (top):</SPAN><BR /><BR /><SPAN>top - 18:40:08 up 8 min, 1 user, load average: 3.35, 1.94, 0.91</SPAN><BR /><SPAN>Tasks: 390 total, 1 running, 389 sleeping, 0 stopped, 0 zombie</SPAN><BR /><SPAN>%Cpu(s): 5.2 us, 0.9 sy, 0.0 ni, 78.4 id, 15.4 wa, 0.1 hi, 0.1 si, 0.0 st</SPAN><BR /><BR /><SPAN>RAM Usage (free -m):</SPAN><BR /><BR /><SPAN>Mem: 128397 MB total, 112759 MB free, 9416 MB used, 6221 MB buff/cache</SPAN><BR /><BR /><SPAN>Storage Usage (df -h):</SPAN><BR /><BR /><SPAN>Filesystem Size Used Avail Use% Mounted on</SPAN><BR /><SPAN>/dev/mapper/rhel-var 2.0T 499G 1.5T 25% /var</SPAN><BR /><BR /><SPAN>However, XSOAR app reports different numbers:</SPAN><BR /><BR /><SPAN>CPU Usage (XSOAR Console): 96.39%</SPAN><BR /><SPAN>Memory Usage (XSOAR Console): 8.48%</SPAN><BR /><SPAN>Storage Usage (XSOAR Console): 405.099 GB</SPAN><BR /><BR /><SPAN>We are not able to correlate these numbers with what is observed from the CLI. We’ve already checked the IOPS and confirmed it is set to unlimited from the VM console, and storage space seems sufficient.</SPAN><BR /><BR /><SPAN>Request: Could you please help us:</SPAN><BR /><BR /><SPAN>1. Confirm whether the low IOPS could be the root cause of the connection timeout and delayed incident creation.</SPAN><BR /><SPAN>2. Understand why there discrepancy between the host utilization as reported by the XSOAR app and what is seen on the host CLI.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any suggestions and action plan urgently.</SPAN></P> Wed, 18 Sep 2024 00:10:55 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-incident-in-qradar/m-p/598058#M3616 assubramania 2024-09-18T00:10:55Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-incident-in-qradar/m-p/598708#M3638 <P>Hi,</P> <P>&nbsp;</P> <P>In this case the correct assistance would be from your internal VM team so they can confirm the IOPS are as required by our documentation and if not they can implement the required changes.</P> <P>Once that has been cleared, we recommend you create a case to address question 2.</P> Wed, 25 Sep 2024 02:10:24 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-incident-in-qradar/m-p/598708#M3638 Ivetto 2024-09-25T02:10:24Z