000031717 - RSA SecOps alerts are not getting aggregated to incidents

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000031717
Applies To
RSA Product Set: Archer, Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.2
Issue
Alerts reach the Archer SecOps solution, but they are not aggregated into incidents.
Archer W3WP log error:
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
    <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
        <EventID>0</EventID>
        <Type>3</Type>
        <SubType Name="Error">0</SubType>
        <Level>2</Level>
        <TimeCreated SystemTime="2015-11-10T19:28:26.7390408Z" />
        <Source Name="Archer.NET" />
        <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
        <Execution ProcessName="w3wp" ProcessID="3548" ThreadID="64" />
        <AssemblyVersion>5.5.30002.1001</AssemblyVersion>
        <Channel />
        <Computer>XXXXXXXXXXXX</Computer>
    </System>
    <ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
                    <TraceIdentifier>Archer.NET</TraceIdentifier>
                    <Description>Server was unable to process request.</Description>
                    <AppDomain>/LM/W3SVC/1/ROOT-1-130915803693497114</AppDomain>
                    <Exception>
                        <ExceptionType>System.Web.Services.Protocols.SoapException, System.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a</ExceptionType>
                        <Message>Server was unable to process request.</Message>
                        <Source />
                        <StackTrace />
                        <InnerException>
                            <ExceptionType>System.Exception, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                            <Message>Other text is required for field SAIM Priority.</Message>
                            <Source>Security2000</Source>
                            <StackTrace>   at Security2000.ws.record.CreateRecord(SessionContext sessionContext, Content content, Nullable`1 subformFieldId)
   at Security2000.ws.record.CreateRecord(String sessionToken, XmlNode recordNode, Nullable`1 subformFieldId)
   at Security2000.ws.record.CreateRecord(String sessionToken, Int32 moduleId, String fieldValues)</StackTrace>
                        </InnerException>
                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>
</E2ETraceEvent>
Error in Collector.log (SA IM middleware server):
10 Nov 2015 13:54:25,471 | ERROR - ArcherDataStoreTasklet.pushToArcher(413) | Exception occured
org.springframework.jms.listener.adapter.ListenerExecutionFailedException: Failed when communicating with Archer; nested exception is javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> Other text is required for field SAIM Priority.
 at com.rsa.srm.collector.messaging.batch.ArcherDataStoreTasklet.pushToArcher(ArcherDataStoreTasklet.java:403)
 at com.rsa.srm.collector.messaging.batch.ArcherIncidentAddedTasklet.execute(ArcherIncidentAddedTasklet.java:203)
 at org.springframework.batch.core.step.tasklet.TaskletStep$ChunkTransactionCallback.doInTransaction(TaskletStep.java:395)
 at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130)
 at org.springframework.batch.core.step.tasklet.TaskletStep$2.doInChunkContext(TaskletStep.java:267)
 at org.springframework.batch.core.scope.context.StepContextRepeatCallback.doInIteration(StepContextRepeatCallback.java:77)
 at org.springframework.batch.repeat.support.RepeatTemplate.getNextResult(RepeatTemplate.java:368)
 at org.springframework.batch.repeat.support.RepeatTemplate.executeInternal(RepeatTemplate.java:215)
 at org.springframework.batch.repeat.support.RepeatTemplate.iterate(RepeatTemplate.java:144)
 at org.springframework.batch.core.step.tasklet.TaskletStep.doExecute(TaskletStep.java:253)
 at org.springframework.batch.core.step.AbstractStep.execute(AbstractStep.java:195)
 at org.springframework.batch.core.job.SimpleStepHandler.handleStep(SimpleStepHandler.java:137)
 at org.springframework.batch.core.job.flow.JobFlowExecutor.executeStep(JobFlowExecutor.java:64)
 at org.springframework.batch.core.job.flow.support.state.StepState.handle(StepState.java:60)
 at org.springframework.batch.core.job.flow.support.SimpleFlow.resume(SimpleFlow.java:152)
 at org.springframework.batch.core.job.flow.support.SimpleFlow.start(SimpleFlow.java:131)
 at org.springframework.batch.core.job.flow.FlowJob.doExecute(FlowJob.java:135)
 at org.springframework.batch.core.job.AbstractJob.execute(AbstractJob.java:301)
 at com.rsa.srm.collector.batch.PasswordAwareSimpleJobLauncher$1.run(PasswordAwareSimpleJobLauncher.java:99)
 at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:48)
 at com.rsa.srm.collector.batch.PasswordAwareSimpleJobLauncher.run(PasswordAwareSimpleJobLauncher.java:93)
 at com.rsa.srm.collector.messaging.listener.AbstractQueueListener.executeWorkflow(AbstractQueueListener.java:193)
 at com.rsa.srm.collector.messaging.listener.IncidentsQueueListener.onMessage(IncidentsQueueListener.java:34)
 at org.springframework.amqp.rabbit.listener.adapter.MessageListenerAdapter.onMessage(MessageListenerAdapter.java:349)
 at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:650)
 at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:576)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.access$001(SimpleMessageListenerContainer.java:78)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$1.invokeListener(SimpleMessageListenerContainer.java:161)
 at sun.reflect.GeneratedMethodAccessor136.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
 at org.springframework.retry.interceptor.RetryOperationsInterceptor$1.doWithRetry(RetryOperationsInterceptor.java:69)
 at org.springframework.retry.support.RetryTemplate.doExecute(RetryTemplate.java:255)
 at org.springframework.retry.support.RetryTemplate.execute(RetryTemplate.java:162)
 at org.springframework.retry.interceptor.RetryOperationsInterceptor.invoke(RetryOperationsInterceptor.java:87)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
 at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
 at com.sun.proxy.$Proxy21.invokeListener(Unknown Source)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.invokeListener(SimpleMessageListenerContainer.java:1177)
 at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.executeListener(AbstractMessageListenerContainer.java:559)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.doReceiveAndExecute(SimpleMessageListenerContainer.java:950)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.receiveAndExecute(SimpleMessageListenerContainer.java:934)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.access$600(SimpleMessageListenerContainer.java:78)
 at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1045)
 at java.lang.Thread.run(Unknown Source)
Caused by: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> Other text is required for field SAIM Priority.
 at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
 at com.sun.proxy.$Proxy67.createRecord(Unknown Source)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper$CreateRecordCallback.call(ArcherWSHelper.java:720)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.callArcher(ArcherWSHelper.java:397)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.createRecord(ArcherWSHelper.java:322)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.writeRecord(ArcherWSHelper.java:288)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.createRecord(ArcherWSHelper.java:211)
 at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.putData(ArcherDataStore.java:568)
 at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.handleData(ArcherDataStore.java:447)
 at com.rsa.srm.collector.messaging.batch.ArcherDataStoreTasklet.pushToArcher(ArcherDataStoreTasklet.java:393)
 ... 47 more
Caused by: org.apache.cxf.binding.soap.SoapFault: Server was unable to process request. ---> Other text is required for field SAIM Priority.
 at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:84)
 at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:51)
 at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:40)
 at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
 at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
 at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
 at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
 at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
 at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:845)
 at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1624)
 at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513)
 at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
 at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
 at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
 at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
 at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:632)
 at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
 at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
 at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
 at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
 at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
 at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
 at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
 at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
Resolution
To resolve the issue, remove the "Require users to enter supporting information when they select this value" option for any values in the "SAIM Priority" values list field in the Security Incident application:
  1. Select "Administration" workspace.
  2. Select "Application Builder".
  3. Select the "Security Incidents" application.
  4. Select the "SAIM Priority" field and edit the field.
  5. Select the "Values" tab.
  6. Validate that none of the values is utilizing the "Other" property.
  7. If any value indicates that "Other" is selected, select that value and remove the "Require users to enter supporting information when they select this value" option.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Notes
A similar issue can occur with other fields as well. Be careful when configuring a field to be "required" for modules in the Security Operations Management solution. If a required field is not populated when a record is created via the API, record creation will fail for those records. Aggregation of alerts to incidents may not occur either.
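Because the same failure can affect other fields, it helps to tally the SOAP fault text in Collector.log by field name before editing the application. The script below is an added example, not RSA code: it assumes other required-field faults end with the same "is required for field <name>." wording, and the sample log and the field name "Example Field" are constructed.

```python
import re

# Collector.log entry header, e.g. "10 Nov 2015 13:54:25,471 | ERROR - ..."
ENTRY = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d{4} [\d:]{8},\d{3}) \| (?P<level>\w+)\s+-\s")
# Archer's rejection reason as relayed in the SOAP fault text.
# Assumption: other variants also end in "... is required for field <name>."
REASON = re.compile(r"--->\s*(?P<reason>.*? is required for field (?P<field>.+?))\.\s*$")


def required_field_failures(log_text):
    """Map field name -> count, first/last timestamp and reason of rejected pushes."""
    failures = {}
    ts, counted = None, False
    for line in log_text.splitlines():
        header = ENTRY.match(line)
        if header:
            # New log entry: only ERROR entries are of interest.
            ts = header.group("ts") if header.group("level") == "ERROR" else None
            counted = False
            continue
        if ts is None or counted:
            continue  # outside an ERROR entry, or a "Caused by:" repeat of it
        hit = REASON.search(line)
        if hit:
            entry = failures.setdefault(
                hit.group("field"),
                {"count": 0, "first": ts, "reason": hit.group("reason")})
            entry["count"] += 1
            entry["last"] = ts
            counted = True  # count each failed push once, not once per cause
    return failures


# Constructed sample in the Collector.log layout shown above (stack frames
# trimmed; "Example Field" and the INFO line are made up for illustration).
SAMPLE_LOG = """\
10 Nov 2015 13:54:25,471 | ERROR - ArcherDataStoreTasklet.pushToArcher(413) | Exception occured
org.springframework.jms.listener.adapter.ListenerExecutionFailedException: Failed when communicating with Archer; nested exception is javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> Other text is required for field SAIM Priority.
 at com.rsa.srm.collector.messaging.batch.ArcherDataStoreTasklet.pushToArcher(ArcherDataStoreTasklet.java:403)
Caused by: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> Other text is required for field SAIM Priority.
10 Nov 2015 13:55:02,118 | INFO  - ConstructedLogger.example(1) | constructed informational line
10 Nov 2015 13:56:40,903 | ERROR - ArcherDataStoreTasklet.pushToArcher(413) | Exception occured
javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> Other text is required for field SAIM Priority.
10 Nov 2015 13:58:11,250 | ERROR - ArcherDataStoreTasklet.pushToArcher(413) | Exception occured
javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> Other text is required for field Example Field.
"""

if __name__ == "__main__":
    for field, info in required_field_failures(SAMPLE_LOG).items():
        print(f'{info["count"]:3d}  {field}  {info["first"]} .. {info["last"]}  {info["reason"]}')
```

Each field name it reports is a candidate for the check in steps 4 to 7 above.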
