There are a couple of technical processes that have standard troubleshooting approaches. Those are documented below.

Table of Contents

Correlation Search Introspection

This overall process is very reliable, and pretty simple. I’ve yet to get it to fail, but here are the four steps that it takes.

Step One

First, check if there’s data if you run the search:

| inputlookup sse_content_exported_lookup

(Make sure to refresh the bookmarks page after the introspection — generally not a problem, but if someone is testing they will sometimes not do it)

Step Two

If you should be able to search index=notable, you should see mitre_technique fields.

index=notable OR index=risk | stats count as num_total count(eval(isnotnull(mitre_technique))) as num_with_mitre_technique

Step Three

If that works, try the same search from within the ES app.

Step Four

Open Incident Review and see if the fields show up.

Data Inventory Introspection

First, make sure that you are running at least SSE 3.0.3 (Release Date: Dec 11, 2019.) Most of the issues that have been seen with the Data Introspection have been intermittent and go away after resetting and running the configuration.

If you are running into issues, run through the following troubleshooting steps to reset the system and allow it to start from scratch.

Step One

Refresh the data inventory page. If you just opened it, you can proceed past this step – the concern here is that while the system tries to kill all the running configurations, in corner cases it is possible that after we clear the config some activity on the page could re-start it.

Step Two

Open the status dialog. This will either say “XX Remaining” or “Completed” and is in the upper right hand side.

Step Three

Click Reset Configurations. It will process for one moment and then ask you to refresh the page.

Step Four

Wait for the prompt to run data introspection. If this doesn’t appear, the configuration wasn’t fully complete reset and you should continue from step two.

Once the prompt appears, click Run Data Introspection.

Step Five

Wait for the introspection to complete.

Step Six

Go through all “Review” configurations and define what product they belong to, (as documented)[/features/datainventory/].