Delay in case creation in Chronicle SOAR

Cases in Chronicle SOAR were created one hour after the alert was triggered in Sentinel, despite the connector's cron job being set to 10 seconds. What could be the possible reasons for the delayed case creation in Chronicle SOAR? Also, it was observed that under the event tab there were no records present. Attaching a snip.


Check the connector -> logs for any errors or warnings.

Sometimes it could be a Sentinel-side delay in the records showing up in the API call.

Someone else also reported the same.

If the issue is still there, please open a GCP support case to check. Another way to validate is to manually call the API to check whether anything is returned.


Hi @dhirajtec, we have a similar question opened in the SOAR forum regarding delay and SOAR alerts not having any events.

Same as there, it is unexpected to not have any events in SOAR's alerts for those Sentinel incidents; it should at least have 1 event with the most general info.

Please either create a GCP support ticket or enable connector log collection at the most detailed level (info), try to repro the issue, and see if there are errors.

Also please check if you are running the latest official integration and connector versions.

We have not seen such issues in our test lab, so we need either detailed connector logs or a GCP ticket to investigate.
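As an added example (not code from this thread, from Chronicle SOAR or from the Sentinel integration), the following Python helper turns the advice in both replies into a check: it takes the three timestamps the replies ask you to collect for one incident (Sentinel incident creation time, the time the connector first returned it according to the connector logs, and the SOAR case creation time), attributes the lag to the Sentinel side or the SOAR side, and flags alerts that carry no events. The 10-second polling interval is the one quoted in the question; the one-minute tolerance, the `IncidentTrace` structure and all timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Polling interval quoted in the question (connector cron job set to 10 seconds).
POLL_INTERVAL = timedelta(seconds=10)
# Slack allowed before a stage counts as delayed (assumed value, tune to your environment).
TOLERANCE = timedelta(minutes=1)


@dataclass
class IncidentTrace:
    """Timestamps for one Sentinel incident along its path into SOAR (all UTC)."""
    incident_id: str
    sentinel_created: datetime     # Sentinel incident creation time
    connector_fetched: datetime    # first time the SOAR connector log shows the incident returned by the API
    soar_case_created: datetime    # time the SOAR case appeared
    event_count: int               # events attached to the resulting SOAR alert


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-11-28T12:00:00Z' as an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def diagnose(trace: IncidentTrace) -> list[str]:
    """Attribute the delay to the Sentinel side or the SOAR side and flag empty alerts."""
    findings = []
    sentinel_lag = trace.connector_fetched - trace.sentinel_created
    soar_lag = trace.soar_case_created - trace.connector_fetched
    if sentinel_lag > POLL_INTERVAL + TOLERANCE:
        # The connector polled on time but the API only surfaced the incident much later.
        findings.append(f"sentinel-side delay: incident surfaced in the API {sentinel_lag} after creation")
    if soar_lag > TOLERANCE:
        # The incident was fetched promptly but the case took long to appear: look at connector errors.
        findings.append(f"soar-side delay: case created {soar_lag} after the connector fetched the incident")
    if trace.event_count == 0:
        findings.append("alert has no events: expected at least one event with general incident info")
    return findings


# Constructed sample reproducing the symptom in the question: case roughly one hour late, empty event tab.
SAMPLE = IncidentTrace(
    incident_id="inc-example-1",
    sentinel_created=parse_utc("2024-11-28T12:00:00Z"),
    connector_fetched=parse_utc("2024-11-28T12:59:50Z"),
    soar_case_created=parse_utc("2024-11-28T13:00:02Z"),
    event_count=0,
)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

For the constructed sample the lag sits on the Sentinel side (the case appeared 12 seconds after the connector fetched the incident), which is the situation the first reply describes; a SOAR-side finding instead points at the connector logs or a support ticket.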