Troubleshooting
Problem
The Cloud Pak for Security Threat Intelligence Insights (TII) application displays the error "Error while retrieving external threat intel source data" under Other Sources when viewing a threat from X-Force Exchange.
Symptom
TII threat enrichment does not work with any external threat intel source data, such as SANS, Threat Grid, or Recorded Future.
The following is an example screen-capture of the error:
![image-20220127111534-1](/support/pages/system/files/inline-images/image-20220127111534-1.png)
To verify the error, log in to the cluster with the Red Hat OpenShift CLI and run the following command:
oc logs tiisearch-<pod-name>
The following errors can be seen:
2022-01-19T12:09:28.709890400-06:00 {"level":"error","ibm_datetime":"2022-01-19T18:09:28.709Z","pid":1,"hostname":"tiisearch-7c6b5f9bfc-9872t","req":{"id":"f8cd97cc-b2e0-4fef-bf45-198bb8de06c0","method":"GET","url":"<xxxxxxxxx>/api/tii/v1/search?q=password%20grabber%20trickbot","subject":"<xxxxxxxxx>"},"error":{"type":"QueryError","message":"Failed with status 500 to fetch query to url https://cp4sint.cp4s.svc/app/threat-intelligence-insights/xfe/api/v1/vulnerabilities/search/password%20grabber%20trickbot","stack":"Error: Failed with status 500 to fetch query to url https://cp4sint.cp4s.svc/app/threat-intelligence-insights/xfe/api/v1/vulnerabilities/search/password%20grabber%20trickbot\n at /opt/app-root/build/service/api/search/queryController.js:58:9\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at async Promise.all (index 6)\n at async searchQuery (/opt/app-root/build/service/api/search/queryController.js:103:21)","resp":{"size":0,"timeout":0}},"message":"Error in fetching search query"}
2022-01-19T12:09:28.748108706-06:00 {"level":"error","ibm_datetime":"2022-01-19T18:09:28.747Z","pid":1,"hostname":"tiisearch-7c6b5f9bfc-9872t","req":{"id":"f8cd97cc-b2e0-4fef-bf45-198bb8de06c0","method":"GET","url":"<xxxxxxxxx>/api/tii/v1/search?q=password%20grabber%20trickbot","subject":"<xxxxxxxxx>"},"error":{"type":"QueryError","message":"Failed with status 404 to fetch query to url https://cp4sint.cp4s.svc/app/threat-intelligence-insights/xfe/api/v1/malware/familyext/password%20grabber%20trickbot","stack":"Error: Failed with status 404 to fetch query to url https://cp4sint.cp4s.svc/app/threat-intelligence-insights/xfe/api/v1/malware/familyext/password%20grabber%20trickbot\n at /opt/app-root/build/service/api/search/queryController.js:58:9\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at async Promise.all (index 12)\n at async searchQuery (/opt/app-root/build/service/api/search/queryController.js:103:21)","resp":{"size":0,"timeout":0}},"message":"Error in fetching search query"}
2022-01-19T12:09:29.074380851-06:00 {"level":"error","ibm_datetime":"2022-01-19T18:09:29.074Z","pid":1,"hostname":"tiisearch-7c6b5f9bfc-9872t","req":{"id":"f8cd97cc-b2e0-4fef-bf45-198bb8de06c0","method":"GET","url":"<xxxxxxxxx>/api/tii/v1/search?q=password%20grabber%20trickbot","subject":"<xxxxxxxxx>"},"error":{"type":"QueryError","message":"Failed with status 500 to fetch query to url https://cp4sint.cp4s.svc/app/threat-intelligence-insights/xfe/api/v1/ipr/asn/password%20grabber%20trickbot","stack":"Error: Failed with status 500 to fetch query to url https://cp4sint.cp4s.svc/app/threat-intelligence-insights/xfe/api/v1/ipr/asn/password%20grabber%20trickbot\n at /opt/app-root/build/service/api/search/queryController.js:58:9\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at async Promise.all (index 13)\n at async searchQuery (/opt/app-root/build/service/api/search/queryController.js:103:21)","resp":{"size":0,"timeout":0}},"message":"Error in fetching search query"}
Environment
Cloud Pak for Security 1.9.0
Resolving The Problem
- Log in to the Red Hat OpenShift CLI
- Run the command oc get pods to display the pods that are running in the CP4S cluster. Example:
# oc get pods
NAME                           READY   STATUS      RESTARTS   AGE
ambassador-744c5b675b-2f2pl    1/1     Running     0          4d14h
ambassador-744c5b675b-7tvmr    1/1     Running     0          6d14h
app-manager-1643889600-rgmxm   0/1     Completed   0          27h
app-manager-1643932800-5kld8   0/1     Completed   0          15h
app-manager-1643976000-ntmdk   0/1     Completed   0          3h47m
authsvc-5dfc44c68c-9899j       1/1     Running     0          6d14h
authsvc-5dfc44c68c-jl8r7       1/1     Running     0          4d14h
output omitted...
Pod names are different between CP4S clusters.
- Find the following pod names from the previous output:
tiisettings
tiithreats
tis-data-gateway
tis-enrich-queue
tis-rfi
- Run the following command to delete pods:
oc delete pods tiisettings-xxxxxx tiithreats-xxxxxx tis-data-gateway-xxxxxx tis-enrich-queue-xxxxxx tis-rfi-xxxxxx-xxx
If more than one pod exists with the same name prefix, delete those pods as well.
- Wait for all the deleted pods to be re-created, with all pods ready and in Running status.
Once all pods are ready and in running status, log back into the CP4S console and attempt to review Other Sources when clicking a threat in TII.
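The restart steps above, written as a script; this is an added example, not IBM tooling. The function names, the "prefix plus hyphen" matching rule, and the 10-minute wait are assumptions, and it acts on whatever project `oc` is currently set to.

```bash
#!/usr/bin/env bash
# Added example. Prefixes are the five pod names listed in the steps above.
TII_PREFIXES="tiisettings tiithreats tis-data-gateway tis-enrich-queue tis-rfi"

# stdin: `oc get pods` output. Prints rows whose NAME is "<prefix>-<suffix>"
# (assumed matching rule), so duplicate replicas are included.
tii_rows() {
  awk -v prefixes="$TII_PREFIXES" '
    BEGIN { n = split(prefixes, p, " ") }
    { for (i = 1; i <= n; i++)
        if (index($1, p[i] "-") == 1) { print; break } }'
}

tii_pod_names() { tii_rows | awk '{ print $1 }'; }

# Pods that are not Running or whose READY count is short (e.g. 0/1).
tii_not_ready() {
  tii_rows | awk '{ split($2, r, "/")
                    if ($3 != "Running" || r[1] != r[2]) print $1 }'
}

# Delete the selected pods in the current project, then poll until the
# replacements are Running and ready (10-minute cap, an assumed value).
restart_tii_pods() {
  names=$(oc get pods --no-headers | tii_pod_names)
  [ -n "$names" ] || { echo "no matching pods found" >&2; return 1; }
  echo "Deleting:"; echo "$names"
  # shellcheck disable=SC2086  # word splitting of the name list is intended
  oc delete pods $names || return 1
  i=0
  while [ "$i" -lt 60 ]; do
    pods=$(oc get pods --no-headers)
    if [ -n "$(echo "$pods" | tii_pod_names)" ] &&
       [ -z "$(echo "$pods" | tii_not_ready)" ]; then
      echo "all TII pods ready"; return 0
    fi
    i=$((i + 1)); sleep 10
  done
  echo "timed out; not ready:" >&2
  oc get pods --no-headers | tii_not_ready >&2
  return 1
}

# Run the procedure only when explicitly asked: ./script.sh restart
if [ "${1:-}" = "restart" ]; then restart_tii_pods; fi
```

To review the selection before deleting anything, pipe `oc get pods` into `tii_pod_names` and check the list.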
Document Location
Worldwide
Document Information
Modified date:
04 February 2022
UID
ibm16551426