Troubleshooting Live Services

This section provides troubleshooting instructions for issues faced when using the Live Services module in NetWitness.

Some Rules Are Invalid for Version 11.x

The rules "NetWitness Incident Management - Alert Details" and "NetWitness Incident Management - Incident Summary" are not valid for NetWitness version 11.x. Do not deploy these rules to an 11.x system.

Note: Rules are updated frequently, and the documentation for them is available in the Content space on NetWitness Community. For the latest information on Rules, see RSA NetWitness Rules.

OutOfMemoryError on Context Hub Server

You may encounter an OutOfMemoryError on the Context Hub server, after which the service becomes unresponsive.

If there are any TAXII feeds configured, Health and Wellness raises alerts when the available heap memory of Context Hub server is critically low. If the status of Context Hub server is Unhealthy because of low memory, perform the following steps:

  1. Make sure that the feed's Start Date is within the last 180 days.
  2. Check whether any TAXII feed is consuming too much disk space. A TAXII feed can consume a maximum of 300 MB. If it consumes more disk space, reduce the value in the Remove STIX data older than field under Advanced Options in the Custom Feed Creation Wizard when you edit the TAXII feed.

    Note: If the issue still persists, you must execute step 3.

  3. To decrease the number of parallel threads available for processing STIX:

    1. Go to Admin > Services > Context Hub service > View > Explore.
    2. In the tree panel, navigate to enrichment/stix/config.
    3. In the right panel, set the stix-query-scheduler-pool-size field value to 2. By default the value is 5. This setting controls how many threads are allowed to process queries for STIX data at the same time.
    4. Set the taxii-poll-scheduler-pool-size field value to 2. By default the value is 5. This setting controls how many threads are allowed to poll TAXII servers at the same time.
    5. Restart the Context Hub server.

Troubleshooting Live Connect Threat Data Sharing

This section discusses troubleshooting Live Connect Threat Data Sharing.

Query Log Retrieval Sample

To retrieve a sample of the threat intelligence data sent to Live Connect, construct a URL by setting the following parameters:

• sendReport: true or false. true sends this report to the Live Connect server; false only creates the report for viewing. Defaults to false.
• hashValues: true or false. true hashes the values as md5/sha256; false shows the values in clear text and should be used only for manual viewing. Defaults to false.
• startDate / endDate: time boundaries for the log entries. Format: YYYY-MM-DD HH:mm:ss

The following is an example of the URL used to retrieve query logs:

https://<server>/admin/liveconnect/force_aggregation?startDate=2016-01-18%2000:00:00&endDate=2016-01-19%2010:10:00&sendReport=false&hashValues=true
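The following is an added example, not code from the NetWitness product or documentation, showing how to build that URL from the four parameters described above and how to read one back for review. The endpoint path and parameter names are taken from the page; the host name and dates are constructed sample values. The review helper flags a URL that would send unhashed (clear-text) values to the Live Connect server, since the page says clear text is meant for manual viewing only.

```python
"""Build and check the Live Connect force_aggregation URL.

Added example; not part of NetWitness. The path and parameter names come
from the documentation above, the host and dates are constructed samples.
"""
from datetime import datetime
from urllib.parse import parse_qs, quote, urlsplit

DATE_FMT = "%Y-%m-%d %H:%M:%S"          # YYYY-MM-DD HH:mm:ss, as documented
PATH = "/admin/liveconnect/force_aggregation"


def parse_date(value):
    """Raise ValueError if value is not in the documented date format."""
    return datetime.strptime(value, DATE_FMT)


def build_force_aggregation_url(server, start_date, end_date,
                                send_report=False, hash_values=False):
    """Return the retrieval URL. Defaults match the documentation
    (sendReport=false, hashValues=false)."""
    start, end = parse_date(start_date), parse_date(end_date)
    if end <= start:
        raise ValueError("endDate must be later than startDate")
    params = [
        ("startDate", start_date),
        ("endDate", end_date),
        ("sendReport", "true" if send_report else "false"),
        ("hashValues", "true" if hash_values else "false"),
    ]
    # quote() turns the space into %20 and leaves ':' and '-' alone,
    # which reproduces the form shown in the documentation.
    query = "&".join(f"{k}={quote(v, safe=':')}" for k, v in params)
    return f"https://{server}{PATH}?{query}"


def review_url(url):
    """Decode a retrieval URL and report what it would do.

    Returns a dict with the parsed window, the two flags, and a list of
    warnings; a URL that sends clear-text values to Live Connect gets one.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    flags = {k: qs.get(k, ["false"])[0] == "true"
             for k in ("sendReport", "hashValues")}
    warnings = []
    if parts.path != PATH:
        warnings.append(f"unexpected path {parts.path}")
    if flags["sendReport"] and not flags["hashValues"]:
        warnings.append("report would be sent with clear-text values; "
                        "clear text is for manual viewing only")
    return {
        "start": parse_date(qs["startDate"][0]),
        "end": parse_date(qs["endDate"][0]),
        "send_report": flags["sendReport"],
        "hash_values": flags["hashValues"],
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample: hashed values, report kept local for viewing.
    url = build_force_aggregation_url("nw.example.test",
                                      "2016-01-18 00:00:00",
                                      "2016-01-19 10:10:00",
                                      send_report=False, hash_values=True)
    print(url)
    print(review_url(url))
```

Run the script as-is to print the sample URL and its decoded review; replace the host with your own server. The review step is useful when a URL is pasted from a ticket or runbook, because it makes the sendReport and hashValues choices explicit before anyone opens it.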

System Logging: Debug

To access debug information:

1. Go to Admin > System > System Logging.
2. Select the Settings tab.
3. In the Package Configuration section, select com > netwitness > platform > server > liveconnect > service (DEBUG).
