情報収集のご依頼（XSOARトラブルシューティング初動対応時）

eyoshida · ‎09-16-2024

To help a smooth support process for our clients,
it is important to have the necessary information at the initial response stage.
Here, we will share the essential information required for the initial response.

お客様へのサポートをスムーズに進めるためには、
初期対応の段階で必要な情報を把握しておくことが重要です。

ここでは、初期対応時にご提供いただきたい、必要情報を共有いたします。

Regarding initial response, Please refer to the "Basic Information" part below.
And please provide the materials ①, ② or ③ when you contact us at initial response.

初動対応におかれましては、下記の"Basic information（基本情報）"に相当します、
"初動対応にてご提供いただきたい資料 ①,②or③" をご提供いただけますと幸いです。

------------------------------------------------------------------------------------------------------------------------

Basic information（基本情報）
① Version and other Information
- XSOAR Version: [ ]
- SaaS or On-premises: [ ]
- Get the screenshots or logs of the error: [ ]
(Please get a whole page screenshot without cutting a part of it and with the English language.)

- Has this happened before? (this <Function> worked before or not.) [ ]
- Did you perform any version updates? (And when) [ ]
- Have you made any other changes in your environment? (And when) [ ]

② SAAS "About" Information
XSOAR8
・If you are currently on XSOAR8 SAAS, please provide the "About" info
(Click on your user name in the lower left of the UI > About > Copy to Clipboard > Paste in this case).


③ On-premises "Debug" Level Log-Bundle
If you are currently in an On-premises environment, please provide a log bundle
If possible provide as clear steps for reproduction as possible

XSOAR6
1. Set Logs to Debug Mode: Settings > About > Troubleshooting > Set Log Level — Debug (if hosted- already set to debug by default)
2. Download the log bundle and add it to the ticket
Create a Log Bundle
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Create...

XSOAR8
1. Settings & info - settings - system diagnostics
2. At the top right, there is a button to download the log bundle.


Checking Reproducibility
④Video recording and/or screenshots
・If possible, we would appreciate it if you could record a video of the incident as it is occurring.
-- MAC - Quicktime is very easy to use: https://libguides.rowan.edu/c.php?g=248114&p=4711659
-- Windows - XBOX Game Bar, PowerPoint, And other alternatives: https://www.digitaltrends.com/computing/how-to-record-your-computer-screen/#:~:text=If%20you%20want%....
-- Either environment: Zoom, Teams, Webex, etc - just save to a local machine rather than to the cloud for external access and add to the case


Integration related issue
⑤Integration Debug Logs (If the problem is related to integrations)
In Debug mode, the server will run all the commands of this instance with a Debug log level and log the information in the Integration-Instance log.
  https://xsoar.pan.dev/docs/reference/articles/troubleshooting-guide#integration-debug-logs
Starting with version 6.2, it is possible to create logs for an instance of an integration in order to get debug information for a specific instance over a period of time.
There are three options for this parameter:
i.Off
  ii.Debug
iii.Verbose

⑥Attach full screenshots of the integration configurations. (Multiple screenshots of all fields are required).
(We appreciate it if the information you provide is in png or pdf format.)

Performance issue : (Heavy processing in the UI. Login issues temporarily under high load. etc)
⑦Capture HAR file …Network Response
Please find the below document on "How to Generate a HAR File in Chrome, IE, Firefox, and Safari
  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmCtCAK

⑧Capture Console log (Most commonly used Chrome) …Debug Information
In Chrome, go to the webpage in question.
Select the Chrome menu > More Tools > Developer Tools
Select the Networks tab.
Within the Networks tab, select Preserve log option.
Record log by selecting the red circle at the top left of the Networks tab.
Reproduce behavior

Once behavior is reproduced, select the Console tab and right-click on in the console box. "Save as..." name the file as your preference.

⑨* journalctl -since "3 days ago" > customerJournal.log

Audit Logs
⑩Audit logs
Management audit logs
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Managemen...
To view the audit logs, go to Settings & Info → Management Audit Logs.
To export the management audit logs as a tsv text-based file, click the Export to file button

Audit Trail
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Audit-...
You can search the audit trail log for user interactions based on free text.
To view an audit trail, navigate to Settings → ADVANCED → Audit Trail.
To export the Audit Trail a csv-based file, click the Export All button

Engines issue
⑪Engines Get Logs
SAAS
XSOAR8
・Settings & info - Settings - Integrations - Engines - Check target Engine - Get Logs

On-premises
XSOAR6
・Settings - Integrations - Engines - Check target Engine - Get Logs

XSOAR8
・Settings & info - Settings - Integrations - Engines - Check target Engine - Get Logs

Issues in fetch Incident
　⑫Fetch in debug mode per this guide:
　　https://xsoar.pan.dev/docs/reference/articles/troubleshooting-guide#fetch-incidents-in-debug-mode

⑬ If the bug is in `Fetch Incidents` functionality: ↓Please check below.
1. Is it an integration/command/fetch that worked but suddenly stopped working? 　[ ]
2. Did you use the OOTB instance or a custom instance? If you used a custom instance, please explain why. [ ]
3. What is the version the instance you are using? [ ]
4. Is the customer on the latest integration Pack version? [ ]
5. Was there a recent upgrade to the integration's version? and can you rollback? [ ]
6. Is the integration you're using deprecated? If so, don't open this bug, we do not support deprecated integrations. [ ]
7. What is the full Product Version of the application you are attempting to connect to? (e.g.: Exchange 2010 SP3)? [ ]

⑭As much data as possible for the missing incidents.　[ ]
+
③Log bundle
⑤ Log level to debug in integration config - capture logs after a missed item
⑥Screenshots of integration configuration

XSOAR UI item display problems

⑮Checkpoints when you have problems with UI display
Example: ・The blank pop-up when you click,
・Job button Task object didn't display in playbook setting screen.
・The following message is displayed and cannot add a SubPlaybook. -> "There are no playbooks that match your search, clear or change your criteria"
　etc

a).Check if multiple tabs open is affecting or not.
When you are operating with multiple tabs opened, may be affecting the issue, so I would like you to try the following first.
1. Please check if the series of actions can be reproduced in one tab.
2. Please refresh the tab in your browser and see if the situation changes.

b).Please check whether you are using a compatible browser and check points below.
XSOAR8
Supported web browsers
   https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Supported...
1.Does logging in and out make any difference?
2.Does restarting the browser make any difference?
3.Does operating in one tab make any difference?

c).Please check if your user account privilege
Login to Cortex XSOAR tenant then click the username,
select "About" from the menu and share the tenant information displayed as a text.

1. What kind of role and permission applied to the user who is trying to do that?
2. Does the same issue happen when the admin user tries to do the same?
3. If the admin user failed to do that, please let me share the screenshots during the reproduction of the issue.
4. Please also let me share the tenant information of the customer's environment with the following steps.

■トラブルシューティング(事象別) Classify by Troubleshooting type.

初動対応にてご提供いただきたい資料 ①,②or③

XSOAR UI レスポンスタイムの遅延 ①,②or③,④,⑦,⑧,⑨

フェッチインシデントにかかわる問題 ①,②or③,⑤,⑥,⑫,⑬,⑭

XSOAR UIアイテム表示問題　①,②or③,⑮

サインインで完全なコミュニティ体験を！

情報収集のご依頼（XSOARトラブルシューティング初動対応時）

情報収集のご依頼（XSOARトラブルシューティング初動対応時）