Troubleshooting Requirements for Valid Resources

Caution:  

It is possible that dependent resources are pointing to the wrong resource. This usually happens if you rename a resource, then re-use the old name on a new resource of the same type. The dependent resources will be linked to the old name. To avoid this problem, don’t re-use an old name on resources of the same type. An example of a dependent relationship is that of a query depending on a trend.

The most common cause of an invalid resource is a dependency issue; another resource that the broken resource depends on is missing from the database. Some resources have additional requirements or limits that can also affect validity. Following is a summary of requirements for creating valid resources.

If any of these requirements are not met, the resource will break. To fix the resource, edit its definition to be in line with these requirements.

The following table lists the resources that can become invalid:

Reasons for Invalidated Resources

This resource becomes invalid…

when it violates one or more of the following constraints…

which results in…

Device/Asset

  • Asset address must be unique within a zone.

  • An asset only belongs to one zone.

  • Asset IP address must fall in the address range of its network zone.

The invalid device/asset cannot participate in the event asset resolution. Therefore, if an event source/target address points to the invalid device it cannot be resolved.

Device/Asset Range

  • Start address must be less than end address.

  • Asset range must be within the address range of its network zone.

  • Asset range should not overlap another asset range in the same zone.

The invalid device/asset range cannot participate in the event asset resolution. Therefore, if an event has its source/target address fall in an invalid device range its asset resolution cannot be resolved.

Zone

  • Start address must be less than end address.

  • Network zone should not overlap other zones in the same network.

The assets falling within this invalid zone get invalidated and cannot participate in the event asset resolution.

Filter

Dependency constraint. For example, a filter may depend on other resources, like asset, active list, vulnerability etc.

The invalid filter causes the resources that depend on it to get invalidated.

Rule

Dependency constraint. For example, a rule may depend on other resources, like filter, asset, vulnerability, active list, session list etc.

The invalid rule cannot be triggered, so the corresponding correlation events are missed.

Data Monitor

Dependency constraint. For example, a data monitor may depend on other resources such as a filter.

The invalid data monitor stops fetching live data to feed the dashboard.

Active Channel

Dependency constraint. For example, an active channel may depend on other resources such as a filter, or asset vulnerability.

You cannot attach or open an invalid active channel

Report

Dependency constraint.

For example, a report may depend on other resources, such as filter or asset, vulnerability and active list.

You cannot run the invalid report manually from console or as a scheduled task.

Trend

Dependency constraint.

For example, a trend that depends on a query is invalid as soon as a query is changed.

The invalid trend stops generating any trend data.

Scheduled Task

Dependency constraint.

For example, a scheduled task may depend on other resources, such as filter.

The invalid scheduled task cannot run.

Report Template

The report template cannot contain more than 20 charts or more than 15 tables.

The invalid template causes the reports that depend on it to be invalid.

Profile

Dependency constraint. The Profile depends on resources such as the filter it uses to determine which events to run discovery on. It also depends on the group where snapshots and patterns are saved. All these resource must exist and the creator should have appropriate permissions for them.

This resource is invalidated and the scheduled runs may be skipped.

Active List

If the Active List schema does not match the underlying table etc, or due to some programming error.

The resources (Rules, reports etc.) that are dependent on the Active List get invalidated

Focused Report

Dependency constraint.

For example, a focused report may depend on other resources, such as a report, filter or asset.

The invalid focused report cannot be run either manually from the Console or as a scheduled task.

Query

Dependency constraint. For example, a query may depend on other resources, such as a filter, asset, or active list.

The invalid query causes the resources that depend on it, such as report and trend, to become invalid.