Troubleshooting¶
This guide covers limitations, known issues, troubleshooting steps, cost information, and references for the Chronicle App for DomainTools.
Limitations¶
- Chronicle Backstory Notation (CBN) parser will only be able to parse the DomainTools events.
- We suggest using the second generation of Cloud Function. The first generation of Cloud Function has a maximum execution time of 9 minutes and the second generation of Cloud Function has a maximum execution time of 60 minutes. If the execution time of the Cloud Function exceeds timeout then there are chances that the complete data (Alerts, Activities, Devices, Vulnerabilities) isn't ingested in the Chronicle.
- Chronicle search API calls have a rate limit of 120 queries per hour, with each query yielding a maximum of 10,000 results. Hence, in total, we can fetch 1200k Unified Data Model (UDM) data from the Chronicle in an hour. [More details can be found at https://cloud.google.com/chronicle/docs/reference/search-api#search_api_query_limits
- The rate limit for DomainTools enrich API is 60/minute. Hence in total, we could fetch around 360k domains in an hour.
- The cloud scheduler runs a maximum of 30 minutes. If cloud function execution is taking more than 30 minutes, execution of the cloud function will be stopped.
Known issues¶
- The looker dashboard doesn't display data in the drill down table when there are too many records to be displayed.
- In the Enrichment Explorer dashboard, the Threat Type will always populate with Not a Threat filter value if there is a single record present in the applied time range filter.
- Looker will only show data from the past 180 days, but this can vary as per the retention policy configured in BigQuery.
- According to the query time zone selected by the user in connection with the Chronicle database, the Looker dashboards would be reflected according to the configured timezone.
- While redirecting to Google Chronicle, it will show an error like this 'Search has encountered an error and couldn't load data. Please try again, and contact support if this error continues.' if the searched date range is more than 3 months.
Troubleshooting¶
This section describes common issues that might occur during deployment or operation of the app and steps to resolve them.
Monitoring and logs¶
Use GCloud logs for troubleshooting. To access logs:
- Log in to https://console.cloud.google.com/ using valid credentials.
- Navigate to Cloud functions and click the deployed function.
- Open the logs module.
- Filter logs by severity as needed.
Missing default logs: GCloud default logs may not appear in the logs module after testing the function manually or when the scheduler job invokes the function. Refresh the GCloud page to resolve this issue.
Deployment and configuration¶
Testing timing: If you test the cloud function immediately after deploying it, the function may not work as expected. Wait a few seconds before testing.
Database connection: If data isn't displayed on the dashboard, verify that the database connection is configured correctly.
Cloud Function execution¶
Memory limit exceeded: If the cloud function stops execution because memory exceeds the limit, reconfigure the cloud function's memory configuration and increase the memory limit.
Looker dashboard issues¶
Cached data: The Looker dashboard may display cached data instead of the latest events. To resolve:
- Click the three dots on the rightmost side of the dashboard.
- Click Clear cache and refresh.![][image43]
Data not displaying: If data isn't displayed on the dashboard, verify that:
- The database connection is configured correctly
- Filters are not too restrictive
Incorrect filters: If desired events aren't showing in the visualization, ensure that the filters in the dashboard are configured correctly. Overly restrictive filters may prevent the dashboard from displaying data.
Slow or unresponsive dashboard: The dashboard may be slow to load or unresponsive due to:
- Data source being unavailable
- Too much data being queried
- Query performance issues
- Rendering problems
Enrichment Explorer domain filter mismatch: In the Enrichment Explorer dashboard, data in the table and domains in the Domain filter may not match. This occurs because the Domain filter populates with domains from the Last Enriched filter in ascending alphabetical order, while the table displays data in descending order of the Last Enriched DateTime column.
To display domain details that aren't in the table but are within the Last Enriched time range:
- Search for the domain in the Domain filter.
- Select the domain to populate the dashboard.
Chronicle integration¶
Redirect errors: If you encounter an error while redirecting to Google Chronicle, check the searched date range. Chronicle supports a maximum of 3 months for search ranges.
Data validation: If you're unable to see data in the dashboards, verify that data exists in Chronicle:
- Open your Chronicle instance.
- Click the Application Menu in the upper right corner, then select UDM Search. ![][image44]
- In the UDM Search Bar, enter this query:
metadata.log_type = "DOMAINTOOLS_THREATINTEL"- Ensure the date range matches the dashboard and all other filters are unselected.
- If no data appears in Chronicle, Looker dashboards won't populate. If data appears, verify tile-specific data in Chronicle for the same time range.
Google Cloud Platform resources and services approximate cost details¶
| Service | Standard Configurations | Purpose | Reference |
|---|---|---|---|
| Memorystore for Redis | Service tier: Standard Instance size: 4GiB | Caching domains based on Time To Live (TTL) provided. | Approx cost \~ $185/month https://cloud.google.com/memorystore/docs/redis/pricing. |
| Cloud Functions | Type: Memory: 8192 MB CPU: 4.8GHz Execution time per function (ms): 3600 Invocations per month: 1500 Minimum number of instances: 1 | Function / Script which pulls data from Chronicle & enriches from DomainTools API. | Approx cost \~ $66/month https://cloud.google.com/functions/pricing |
| Cloud Storage | Total Amount of Storage: 1 GiB | Storage bucket used to manage API checkpoints | Approx cost \~ $0.02/month https://cloud.google.com/storage/pricing |
| Secret Manager | Active secret versions per replica location: 4 Access operations: 1500 | Used to maintain credentials. | Approx cost \~ $0/month https://cloud.google.com/secret-manager/pricing |
| Cloud Scheduler | Total amount of jobs: 1 | Scheduler which executes above cloud function at a specific time interval. | Approx cost \~ $0/month https://cloud.google.com/scheduler/pricing |
| Serverless VPC access | - | Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud (VPC) network from serverless environments such as Cloud Run, App Engine, or Cloud Functions. | https://cloud.google.com/vpc/pricing |
| Looker | https://cloud.google.com/looker/pricing#platform_editions | Visualization tool to visualize events from Chronicle. | https://cloud.google.com/looker/pricing Cost depends on the edition which we select from the link on the left column. |
Note: Users can also calculate (using pricing calculator) the estimated price of the preceding Google Cloud services used.