IBM Support

Cloud Pak for Security: Data Source Error on Search

Troubleshooting


Problem

After running a data search in Cloud Pak for Security (CP4S), you receive the error message:
"Data source error: Your last scan failed to finish due to an error in all of your data sources. Check your configurations."

Symptom

  • QRadar times out on searches, or QRadar takes too long to return the query and CP4S times out before any data is returned.
  • In LogDNA:
    tis-data-gateway error {"ibm_datetime":"{YEAR}-{MONTH}-{DAY}T{TIME}Z","label":"tis-data-gateway","level":"error","log":"Error occurred when fetching score for {SEARCH-REFERENCE-ID} - [object Object]","requestId":"{REQUEST-ID}","transactionId":"{TRANSACTION-ID}"}
  • UDI and TII errors:
    udi-udiworkers error edgeproxy_timeout => Timeout of 60 mins exceeded
    udi-udiworkers error Error happened handling search results: {'priorityAddon': 0,..
    tiithreats error Error in publishing an event
    tis-data-gateway error {"ibm_datetime":"{YEAR}-{MONTH}-{DAY}T{TIME}Z","label":"tis-data-gateway","level":"error","log":"getXfeIocObjectScore object is missing label property","requestId":"{REQUEST_ID}","transactionId":"{TRANSACTION_ID}"}
    tiithreats warn resource not found
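The lines above are the signature to look for in LogDNA before following the resolution. The following script is an added example (not from this IBM article and not part of CP4S) that triages exported LogDNA lines for exactly those patterns: it parses the JSON payload of the tis-data-gateway messages, captures the timeout value from the udi-udiworkers line, and reports whether the combination matches this article (a QRadar-side timeout followed by downstream scoring failures). The sample lines are constructed from the Symptom section with placeholder IDs; the "<component> <level> <message>" line shape is an assumption about how the export is formatted.

```python
"""Triage CP4S LogDNA lines for the 'Data source error' search failure.

Added example, not from the IBM article. Input: a list of log lines in the
form "<component> <level> <message>" (assumed export format). SAMPLE_LINES
are constructed from the article's Symptom section with placeholder IDs.
"""
import json
import re
from collections import Counter

# Patterns taken from the Symptom section. The minutes value of the
# udi-udiworkers timeout is captured so it can be compared with the
# CP4S search timeout in use.
TIMEOUT_RE = re.compile(r"edgeproxy_timeout => Timeout of (\d+) mins exceeded")
SCORE_RE = re.compile(r"Error occurred when fetching score for (\S+)")
LINE_RE = re.compile(r"^(?P<component>\S+) (?P<level>\S+) (?P<msg>.*)$")

# Constructed sample input mirroring the article's Symptom section.
SAMPLE_LINES = [
    'tis-data-gateway error {"ibm_datetime":"2022-10-19T13:17:59Z","label":"tis-data-gateway","level":"error","log":"Error occurred when fetching score for search-ref-0001 - [object Object]","requestId":"req-0001","transactionId":"txn-0001"}',
    "udi-udiworkers error edgeproxy_timeout => Timeout of 60 mins exceeded",
    "udi-udiworkers error Error happened handling search results: {'priorityAddon': 0,..",
    "tiithreats error Error in publishing an event",
    'tis-data-gateway error {"ibm_datetime":"2022-10-19T13:18:02Z","label":"tis-data-gateway","level":"error","log":"getXfeIocObjectScore object is missing label property","requestId":"req-0002","transactionId":"txn-0002"}',
    "tiithreats warn resource not found",
    "udi-udiworkers info search completed",
]


def parse_line(line):
    """Split a line into component, level and message; decode JSON messages.

    Returns None for lines that do not follow the assumed export format.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["json"] = None
    if rec["msg"].startswith("{"):
        try:
            rec["json"] = json.loads(rec["msg"])
        except json.JSONDecodeError:
            pass  # truncated or malformed JSON: fall back to the raw message
    return rec


def triage(lines):
    """Return a summary of which known symptoms are present in the lines."""
    summary = {
        "timeouts": [],        # minutes reported by udi-udiworkers timeouts
        "score_errors": [],    # search reference IDs whose scoring failed
        "missing_label": 0,    # getXfeIocObjectScore ... missing label property
        "publish_errors": 0,   # tiithreats 'Error in publishing an event'
        "components": Counter(),  # error/warn count per component
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] not in ("error", "warn"):
            continue
        summary["components"][rec["component"]] += 1
        # For JSON-formatted messages the useful text is in the "log" field.
        text = rec["json"].get("log", rec["msg"]) if isinstance(rec["json"], dict) else rec["msg"]
        t = TIMEOUT_RE.search(text)
        if t:
            summary["timeouts"].append(int(t.group(1)))
        s = SCORE_RE.search(text)
        if s:
            summary["score_errors"].append(s.group(1))
        if "getXfeIocObjectScore object is missing label property" in text:
            summary["missing_label"] += 1
        if "Error in publishing an event" in text:
            summary["publish_errors"] += 1
    # The article's signature: the QRadar search timed out before results
    # came back, and scoring of the (empty) results then failed downstream.
    summary["matches_article"] = bool(summary["timeouts"]) and (
        bool(summary["score_errors"]) or summary["missing_label"] > 0
    )
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

If `matches_article` is true and the reported timeout equals the configured CP4S search timeout, the failure is on the QRadar side (slow or failing Ariel searches) and the index changes under Resolving The Problem are the place to start; if only `publish_errors` or `resource not found` warnings appear, the cause is elsewhere.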

Cause

  • Common search parameters (the hash custom properties) are not indexed.
  • Multiple hash Custom Event Properties (CEPs) are defined.
  • Ariel might not be performing optimally, so searches fail or time out.
  • Selecting multiple Indicators of Compromise (IOCs) for one search can cause QRadar to execute large searches.
  • Processing these expensive searches produces the error.

Resolving The Problem

Warning: the following solution enables additional Ariel indexes, which requires a few dozen GBs of extra disk space, and possibly more depending on the environment.
  1. Ensure QRadar deployments are sized correctly.
  2. Verify CP4S requirements are met.
  3. Log in to the QRadar Console:
    https://{IP}/console/
    Note: where IP is the IP, hostname, or vanity URL in use.
  4. Navigate to the Admin tab.
  5. Select Index Management under System Configuration.
  6. Select the following event indexes by holding the Ctrl key while clicking each one:
    • File Hash (custom)
    • MD5 Hash (custom)
    • SHA256 Hash (custom)
    • Root Hash (custom)
    Note: searching for 'hash' in the toolbar and filtering on the events database might be helpful.
  7. Select Enable Index.
  8. Select Save.

Document Location

Worldwide

Applies to: IBM Cloud Pak for Security 1.9.0 (Data Explorer, Threat Intelligence Insights), Platform Independent, related case TS008676311; IBM Security QRadar SIEM, all versions (Log Source, Performance, QRadar Apps), Platform Independent.

Document Information

Modified date:
19 October 2022

UID

ibm16591269