closing multiple incidents with postprocessing scripts causes xsoar to hang


L3 Networker

Hi all,

 

I am working with Carbon Black EDR, so I want incidents to be closed not only on XSOAR but also on the Carbon Black instance. To achieve that, I implemented a post-processing script. When an incident on XSOAR is closed, the script closes the alert on Carbon Black EDR too. It works fine when working with a single incident. Things get complicated when multiple incidents are involved.

 

From the incidents page I select multiple incidents (50 incidents, to be more specific) and hit close. After doing that, the XSOAR instance hangs and can't pull any data (it loads web pages but there is no data on them). After a while I am able to view incidents again. I check to see what happened to the incidents and notice that the post-processing script executed as expected but the Docker container timed out and failed.

 

I am not sure if it's a Docker limitation or something else. The server has plenty of resources. What is wrong?

 

 

EnesOzdemir_0-1665045390481.png

 

 

2 REPLIES

L3 Networker

EnesOzdemir_0-1665053945186.png

 

This is another one

 

L0 Member

Hi,

 

I was looking for some answers to another issue and found this question. I know I am quite late to answer this question, but if this helps someone who is looking for the same answer then it will be great. A few months back I was also looking for the same answer and fixed it with some Googling.

 

Follow these steps to fix the issue - 

 

  • Log in to the XSOAR Platform.
  • Go to the Settings page.
  • Navigate to ABOUT > Troubleshooting.
  • Under the Server Configuration section, add these two parameters by clicking on “+ Add Server Configuration”:
    • key = <name_of_integration>.<name_of_the_function>.timeout, value = the timeout value you need; it should be something higher than the time your script needs to run.

      Example: key = my_integration.my-multi-table-query.timeout, value = 1440

  • The <name_of_integration> is the name of the integration, but lowercased and with spaces replaced by underscores: if its name is “My Integration v3”, then it is transformed to “my_integration_v3”.
  • Click on the Save button for each added property.