Troubleshoot a Failed Job

Workflows can fail for a variety of reasons:

  • The connection or credential information is incorrect.
  • The step input is incorrect, malformed, or unexpected.
  • The step outputs a null state, which leads to a failure.

If the investigation timeline or automation history indicates that your workflow has failed, find the step causing the error:

  1. Go to:
  • Jobs > Job Details in InsightConnect
  • Automation > History or Investigation > Investigation Details in InsightIDR
  • Automation > History in InsightVM
  2. From the job history, choose the failed job.
  3. Click the “All Outputs” tab.
  4. Locate the step containing the error. Some workflow step types create artifacts when an error occurs, so check the “Artifacts” tab first, then the “Logs” tab.
  5. Review the details provided.
  6. Refer to the following suggested actions to resolve the issue. These are organized by plugin type.

Artifact Errors

Each plugin will yield different errors and error messages, but some create artifacts detailing reasons the plugin failed to operate. For Insight platform pre-built workflow integrations, check for the following titles and error messages on the Artifacts tab. To resolve the issue, first try the troubleshooting suggestions provided. If the error persists after you try the following, please contact our support team for further assistance.

Find the integration driving your workflow: Active Directory, Carbon Black Response, Cisco ISE, IBM BigFix, Microsoft SCCM, Okta, Palo Alto PAN-OS, ServiceNow.

Active Directory

No Distinguished Name

If you see The <enable/disable> user action was skipped because the distinguished name did not exist in the event from IDR. DN: ____ Name: ____:

  • Check that the distinguished name is spelled correctly and exists in the IDR event.

No User Artifact

If you see The <enable/disable> user action was skipped because the user did not exist in Active Directory/LDAP during the job's execution. DN: ____ Name ____:

  • Check that the user's name is spelled correctly, and that the user exists in LDAP before executing the workflow.

Carbon Black Response

No Sensor Found or Existing Isolation

If you see The isolate action was skipped because the Cb sensor was not found or has already been isolated. Sensor: ____ or The unisolate action was skipped because the Cb sensor was not found or has already been unisolated. Sensor: ____:

  • First check for any spelling errors in the Cb Response step configuration.
  • If the problem persists when you re-run the workflow, review the sensor in Cb Response and adjust the step configuration as needed.
  • If the sensor was already isolated or unisolated, remove it from your step configuration.

No Isolation

If you see The isolate action was skipped by a human decision during the job's execution. Sensor: ____ or The unisolate action was skipped by a human decision during the job's execution. Sensor: ____:

  • Review the human decisions and logs to understand why the sensor isolation or unisolation was skipped. Contact the team member who executed the decision for more information.

Failure

If you see Failure to isolate the sensor. Sensor: ____ or Failure to unisolate the sensor. Sensor: ____:

  • Check information in the last artifact created by the workflow, as the previous steps may have impacted the Cb Response step.
  • If the issue persists after you rerun the workflow, review the logs and search for the step that failed for more information.

Cisco ISE

Not Quarantine Artifact

If you see MAC address quarantine for ____ was skipped by a human decision during the job's execution. or MAC address unquarantine for ____ was skipped by a human decision during the job's execution.:

  • Review the human decisions and logs to understand why the MAC address quarantine or unquarantine was skipped. Contact the team member who executed the decision for more information.

Failure Artifact

If you see Failed to apply policy rule for IP address during the job's execution. Address: _____ Quarantined: ____:

  • Check your policy rules as well as the IP address you're trying to quarantine for spelling errors, then make sure the policy rule applies to that address.

If you see Failed to unquarantine asset for the provided MAC address during this job's execution. Address: ____ Unquarantined: ____:

  • Check your policy rules as well as the MAC address you're trying to quarantine for spelling errors, then make sure the policy rule applies to that address.

IBM BigFix

Failure Artifact

If you see Unable to create baseline. Please check your step logs and the logs on the BigFix server.:

  • Follow the instructions in the error message. Check the logs for the IBM BigFix step as well as the logs on the BigFix server for more information.

Microsoft SCCM

Software Update Not Found

If you see The software update _____ was not found in SCCM. Please confirm that the software update exists and has been downloaded to SCCM.:

  • Follow the instructions in the error message. Check for spelling or punctuation errors in the Microsoft SCCM step configuration.

Okta

No User Artifact

If you see The suspend a user action was skipped because the user did not exist in Okta during the job's execution. Email: ____ Name:____ or The unsuspend a user action was skipped because the user did not exist in Okta during the job's execution. Email: ____ Name:____:

  • Check that the user's email and name are spelled correctly, and that they exist in your Okta directory.

No Suspension Artifact

If you see The suspend a user action was skipped by a human decision during the job's execution. Email: ____ Name: ____:

  • Review the human decisions and logs to understand why the user suspension was skipped. Contact your team member executing the decision for more information.

No Unsuspend Artifact

If you see The unsuspend a user action was skipped by a human decision during the job's execution. Email: ___ Name: ____:

  • Review the human decisions and logs to understand why the user unsuspension was skipped. Contact your team member executing the decision for more information.

Unsuspend User Artifact

If you see Unsuspension of user failed. Check the action's output and the account in Okta. User: ____ Email: ____:

  • Check the action step's output and the provided user's account in Okta.

Palo Alto PAN-OS

Blocked Artifact

If you see IP address unblock for ____ was skipped by a human decision during the job's execution.:

  • Review the human decisions and logs to understand why the IP address unblock was skipped. Contact your team member who executed the decision for more information.

Failure Artifact

If you see Failed to apply policy rule for IP address during the job's execution. Address: ____ Status: ____ Code: _______ Message: _____:

  • Review your configuration for the Palo Alto PAN-OS steps. Ensure that the syntax of the rules and of the relevant URLs and IP addresses is correct.
  • If your problem persists, review the logs for the Palo Alto PAN-OS steps, or check your management console for your Palo Alto devices.

Not Blocked Artifact

If you see IP address block for ____ was skipped by a human decision during the job's execution.:

  • Review the human decisions and logs to understand why the IP address block was skipped. Contact your team member who executed the decision for more information.

ServiceNow

Ticket Creation Failed

If you see Failed to Create Ticket! Please ensure your ServiceNow connection is configured properly and try again. If the issue persists, please contact InsightConnect support.:

  • Check that your ServiceNow connection works, then try again. Connections sometimes fail if credentials or configurations were changed in the application but not in an orchestrator, or if spelling errors are present.

Log Errors

The output logs contain other information not captured by error artifacts. If your attempts to remediate artifact errors do not resolve the issue, review the logs for further detail. If you do not see any errors, or there are errors you cannot fix, please take a screenshot of your Inputs and Logs and reach out to Technical Support.
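
When several jobs fail at once, the artifact messages listed under Artifact Errors can be sorted by cause before you work through them one by one. The following is an added example, not part of the product or its documentation: it assumes the artifact text has been copied out of the Artifacts tab into a list of strings, and the category names and the `triage` and `summarize` helpers are this example's own.

```python
import re
from collections import Counter

# Categories and next steps are this example's own grouping of the artifact
# messages listed on this page; they are not product features.
RULES = [
    ("human_decision", r"was skipped by a human decision",
     "Review the human decisions and logs; contact whoever executed the decision."),
    ("missing_input", r"did not exist in the event",
     "Check the value in the triggering IDR event."),
    ("not_found", r"did not exist in|was not found",
     "Check spelling and that the object exists in the target system."),
    ("step_failure", r"^(?:Failed to|Failure to|Unable to)|failed\.",
     "Check the step configuration and the last artifact, then the step logs."),
]
# Trailing "Key: value" pairs. "Name" is also accepted without a colon because
# one Active Directory message on this page prints it that way.
KEYS = (r"(?:DN|Sensor|Email|User|Address|Status|Code|Message"
        r"|Quarantined|Unquarantined):|Name:?")
FIELD = re.compile(rf"\b({KEYS})\s*(.*?)(?=\s+(?:{KEYS})|$)")

def triage(message):
    """Return (category, next_step, fields) for one artifact message."""
    for category, pattern, step in RULES:
        if re.search(pattern, message):
            break
    else:
        category, step = "unknown", "Not listed here; review the Logs tab."
    fields = {m.group(1).rstrip(":"): m.group(2).strip()
              for m in FIELD.finditer(message)}
    return category, step, fields

def summarize(messages):
    """Count messages per category to show where to start."""
    return Counter(triage(m)[0] for m in messages)

SAMPLE = [  # constructed values filled into this page's message templates
    "The disable user action was skipped because the user did not exist in Active Directory/LDAP during the job's execution. DN: CN=Jane Doe,OU=Staff,DC=example,DC=com Name Jane Doe",
    "The isolate action was skipped by a human decision during the job's execution. Sensor: WS-042",
    "Failed to apply policy rule for IP address during the job's execution. Address: 198.51.100.7 Status: error Code: 403 Message: Invalid credentials",
    "The software update KB0000000 was not found in SCCM. Please confirm that the software update exists and has been downloaded to SCCM.",
]

if __name__ == "__main__":
    for msg in SAMPLE:
        category, step, fields = triage(msg)
        print(f"{category:15} {fields} -> {step}")
    print(summarize(SAMPLE))
```

A message that falls into the `unknown` category is not one of the artifact errors listed here, so the Logs tab is the place to look next.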