[Cyber Command] Linkage processing failure resulted in no subsequent automatic linkage
Problem Description
A generated alarm matches the linkage policy, but no linkage is performed.
Effective troubleshooting steps
- Checked the handling center and found that some alarms had no linkage policy.
- Searched the disposal records by IP and found that linkage had been carried out in the early morning, but all of the disposals failed.
- Checked the corresponding alarm and found that it was first generated in the early morning of today.
- Confirmed with the customer that a network adjustment was being made in the early morning, which caused the policy to fail.
Root cause
Currently, an automatic linkage policy configured in SOAR retries the linkage if the first execution fails and makes no further attempts after that. However, if the alarm is updated the next day, it is linked again.
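The following is an added example, not part of the original case and not Sangfor code: a Python check that applies the retry behavior described in the root cause to find alarms whose every disposal attempt failed and that have not been updated on a later day, so they can be handled manually. The record fields and sample data are constructed assumptions, not a Cyber Command export format.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data; field names are assumptions, not a product export format.
ALARMS = [
    {"id": "A-1", "ip": "10.0.0.5", "last_update": "2024-05-02 01:10"},
    {"id": "A-2", "ip": "10.0.0.9", "last_update": "2024-05-02 01:20"},
    {"id": "A-3", "ip": "10.0.0.7", "last_update": "2024-05-03 09:00"},
    {"id": "A-4", "ip": "10.0.0.8", "last_update": "2024-05-02 02:00"},
]
DISPOSALS = [
    {"ip": "10.0.0.5", "time": "2024-05-02 01:11", "ok": False},
    {"ip": "10.0.0.5", "time": "2024-05-02 01:12", "ok": False},  # retry after the first failure
    {"ip": "10.0.0.9", "time": "2024-05-02 01:21", "ok": False},
    {"ip": "10.0.0.9", "time": "2024-05-02 01:22", "ok": True},
    {"ip": "10.0.0.7", "time": "2024-05-02 01:30", "ok": False},
    {"ip": "10.0.0.7", "time": "2024-05-02 01:31", "ok": False},
]

def classify(alarms, disposals):
    """Return {alarm_id: status} based on disposal history for the alarm's IP."""
    by_ip = defaultdict(list)
    for d in disposals:
        by_ip[d["ip"]].append(d)
    result = {}
    for a in alarms:
        attempts = by_ip.get(a["ip"], [])
        if not attempts:
            result[a["id"]] = "no_attempt"       # linkage never ran: check policy match
        elif any(d["ok"] for d in attempts):
            result[a["id"]] = "linked"           # at least one disposal succeeded
        else:
            last_try = max(datetime.strptime(d["time"], FMT) for d in attempts)
            updated = datetime.strptime(a["last_update"], FMT)
            if updated.date() > last_try.date():
                result[a["id"]] = "relink_expected"  # alarm updated on a later day
            else:
                result[a["id"]] = "stuck"            # all attempts failed, no later update
    return result

if __name__ == "__main__":
    for alarm_id, status in classify(ALARMS, DISPOSALS).items():
        print(alarm_id, status)
```

Alarms reported as `stuck` are the ones the automatic policy will not revisit until the alarm is updated again.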
Solution
This is how the mechanism works, so it only needs to be explained.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=24&type=1&category_id=10256&isOpen=true