Apps for ServiceNow - Troubleshooting


Troubleshooting

The URL in the configuration must be the Carbon Black Cloud Hostname from the Authentication Page or the URL when you are logged in to the Carbon Black Cloud console.

For example, https://dashboard.confer.net

If you experience any errors, check the application logs to get information about the error and how to resolve it.

• Requires ServiceNow System Administrator role.
• Navigate to System Logs > System Log > Application Logs or VMware Carbon Black Cloud > Application Logs.

If you are unable to create a new user in the ServiceNow instance, review the following link and execute the steps.
ServiceNow User Administration

If you are unable to install or activate a plugin in the ServiceNow instance, review the following link and execute the steps.
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/plugins/task/t_ActivateAPlugin.html

When you install the application on a fresh instance and try to configure a new profile, it sometimes saves the configuration profile with empty values and does not allow you to enter values in Configuration.
• Clear the Cache by
• Log out of the instance and log in again.
• Create a new configuration profile by providing empty values. It will show field validations and will not save the Configuration.

When you start data collection for the Configuration Profile, sometimes you don’t get an alert in the Alerts table.

• Open the Configuration profile
• Go to the Alert Filtering section
• Check the Filter Condition in Custom Query. For specific filters (like Device OS=Other, Type=Device Control, etc.), there may be no alerts in a specific time range.
• Either change the time range for data collection or remove that filter, and then perform the Data Collection.

Incident Creation Criteria are set to escalate certain alerts to Security Incidents, but the Security Incident is not created according to the criteria.
• Open the Configuration profile.
• Go to the Incident Creation tab.
• Check the value of the Condition. If it is incorrect, change it to the correct value.
• Save the Configuration and start the Data Collection.
• Check whether the Security Incidents are created.

To view the list of alerts associated with an Incident:
• Scroll down on the Incident page.
• Under “Related Links,” click “Show All Related Lists.”
• A new set of tabs will appear underneath.
• Click the “Alerts” tab to view the list of alerts associated with the Incident.



Known issues

  • SOAR actions including Update Endpoint Policy, Quarantine/Unquarantine Endpoint, Delete File on Endpoint sometimes show multiple “Flow Execution started for….action” Worknotes for a single action.
  • For some process GUIDs, you may not receive Process Metadata for the selected alerts.
    • When fetching process details using an alert’s process GUID, sometimes the API response does not include that alert ID. This results in the initiating alert not having a process record associated with it.
  • Enriched events: Page size is set to 1000 in API calls, so while fetching events in pages, there is a mismatch in counts.
  • The flow number is shown instead of the flow name in Worknotes for SOAR actions in the ServiceNow Quebec version.
  • If Incident Creation Criteria are set and you then give a default value to Alert Aggregation, the condition given to Incident Creation will either vanish (if performed for the first time) or show the previous value, because the value is not saved if you refresh the page using the “Apply Defaults” button.
  • Able to perform Quarantine Endpoint SOAR action even if the alert has already been quarantined.
  • Able to perform Unquarantine Endpoint SOAR action even if the alert has already been unquarantined.
  • Able to perform Ban Process Hash SOAR action even if the alert has already been banned.
  • Able to perform Unban Process Hash SOAR action even if the alert has already been unbanned.

For updates, see the Release Notes.

Support and Resources

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support.
  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
Last modified on August 24, 2022