Troubleshooting Requirements for Valid Resources
Caution:
It is possible that dependent resources are pointing to the wrong resource. This usually happens if you rename a resource, then re-use the old name on a new resource of the same type. The dependent resources will be linked to the old name. To avoid this problem, don’t re-use an old name on resources of the same type. An example of a dependent relationship is that of a query depending on a trend.
The most common cause of an invalid resource is a dependency issue: another resource that the broken resource depends on is missing from the database. Some resources have additional requirements or limits that can also affect validity. The following is a summary of requirements for creating valid resources.
If any of these requirements are not met, the resource will break. To fix the resource, edit its definition to be in line with these requirements.
- All Resources - If the definition for a resource references another resource, the referenced resource must be available in the Manager database. This requirement is true for all types of resources.
- Devices and Assets - Each asset address must be unique within a zone, an asset can belong to one zone only, and the asset IP address must fall within the address range of its network zone.
- Device and Asset Ranges - Start addresses must be less than end addresses, asset ranges must be within the address range of the associated network zone, and asset ranges should not overlap another asset range in the same zone.
- Zones - Start addresses must be less than end addresses and network zones should not overlap other zones in the same network.
- Reports - Report templates cannot contain more than 20 charts or more than 15 tables.
- Active Lists - Active List schema must match the underlying table and must not include programming errors.
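The address rules for zones, asset ranges, and assets listed above can be checked against an inventory before the definitions are entered. The following Python code is an added example, not part of the product or its documentation; the dictionary layout, the resource names, and the sample inventory are assumptions constructed for illustration.

```python
from ipaddress import ip_address
from itertools import combinations

# Constructed sample inventory; this dictionary layout is an assumption of the example.
ZONES = {
    "dmz":  {"network": "corp", "start": "10.0.1.0",   "end": "10.0.1.255"},
    "lab":  {"network": "corp", "start": "10.0.1.128", "end": "10.0.2.255"},  # overlaps dmz
    "mgmt": {"network": "corp", "start": "10.0.9.255", "end": "10.0.9.0"},    # start > end
}
RANGES = [
    {"name": "web", "zone": "dmz", "start": "10.0.1.10",  "end": "10.0.1.50"},
    {"name": "app", "zone": "dmz", "start": "10.0.1.40",  "end": "10.0.1.90"},  # overlaps web
    {"name": "db",  "zone": "dmz", "start": "10.0.1.200", "end": "10.0.2.10"},  # leaves zone
]
ASSETS = [
    {"name": "www1", "zone": "dmz", "ip": "10.0.1.10"},
    {"name": "www2", "zone": "dmz", "ip": "10.0.1.10"},  # duplicate address in zone
    {"name": "jump", "zone": "dmz", "ip": "10.0.3.7"},   # outside the zone's range
]

def span(item):  # (start, end) parsed into comparable address objects
    return ip_address(item["start"]), ip_address(item["end"])

def overlap(a, b):
    (a0, a1), (b0, b1) = span(a), span(b)
    return a0 <= b1 and b0 <= a1

def validate(zones, ranges, assets):
    """Return (resource, problem) tuples for each violated requirement."""
    problems, seen = [], {}
    for name, item in list(zones.items()) + [(r["name"], r) for r in ranges]:
        if not span(item)[0] < span(item)[1]:
            problems.append((name, "start not less than end"))
    for (n1, z1), (n2, z2) in combinations(zones.items(), 2):
        if z1["network"] == z2["network"] and overlap(z1, z2):
            problems.append((f"{n1}/{n2}", "zones overlap"))
    for r in ranges:
        (z0, z1), (r0, r1) = span(zones[r["zone"]]), span(r)
        if r0 < z0 or r1 > z1:
            problems.append((r["name"], "range outside zone"))
    for a, b in combinations(ranges, 2):
        if a["zone"] == b["zone"] and overlap(a, b):
            problems.append((f'{a["name"]}/{b["name"]}', "ranges overlap"))
    for a in assets:
        (z0, z1), ip = span(zones[a["zone"]]), ip_address(a["ip"])
        if not z0 <= ip <= z1:
            problems.append((a["name"], "address outside zone"))
        if seen.setdefault((a["zone"], ip), a["name"]) != a["name"]:
            problems.append((a["name"], f"duplicate address of {seen[(a['zone'], ip)]}"))
    return problems
```

Calling `validate(ZONES, RANGES, ASSETS)` on the sample inventory returns one entry per violated rule; an empty list means none of the address requirements above are violated.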
The following table lists the resources that can become invalid:
This resource becomes invalid… | when it violates one or more of the following constraints… | which results in… |
---|---|---|
Device/Asset | | The invalid device/asset cannot participate in the event asset resolution. Therefore, if an event source/target address points to the invalid device, it cannot be resolved. |
Device/Asset Range | | The invalid device/asset range cannot participate in the event asset resolution. Therefore, if an event has its source/target address fall in an invalid device range, its asset resolution cannot be resolved. |
Zone | | The assets falling within this invalid zone get invalidated and cannot participate in the event asset resolution. |
Filter | Dependency constraint. For example, a filter may depend on other resources, like asset, active list, vulnerability, etc. | The invalid filter causes the resources that depend on it to get invalidated. |
Rule | Dependency constraint. For example, a rule may depend on other resources, like filter, asset, vulnerability, active list, session list, etc. | The invalid rule cannot be triggered, so the corresponding correlation events are missed. |
Data Monitor | Dependency constraint. For example, a data monitor may depend on other resources such as a filter. | The invalid data monitor stops fetching live data to feed the dashboard. |
Active Channel | Dependency constraint. For example, an active channel may depend on other resources such as a filter, or asset vulnerability. | You cannot attach or open an invalid active channel. |
Report | Dependency constraint. For example, a report may depend on other resources, such as filter or asset, vulnerability and active list. | You cannot run the invalid report manually from the Console or as a scheduled task. |
Trend | Dependency constraint. For example, a trend that depends on a query is invalid as soon as a query is changed. | The invalid trend stops generating any trend data. |
Scheduled Task | Dependency constraint. For example, a scheduled task may depend on other resources, such as filter. | The invalid scheduled task cannot run. |
Report Template | The report template cannot contain more than 20 charts or more than 15 tables. | The invalid template causes the reports that depend on it to be invalid. |
Profile | Dependency constraint. The Profile depends on resources such as the filter it uses to determine which events to run discovery on. It also depends on the group where snapshots and patterns are saved. All these resources must exist and the creator should have appropriate permissions for them. | This resource is invalidated and the scheduled runs may be skipped. |
Active List | If the Active List schema does not match the underlying table, etc., or due to some programming error. | The resources (rules, reports, etc.) that are dependent on the Active List get invalidated. |
Focused Report | Dependency constraint. For example, a focused report may depend on other resources, such as a report, filter or asset. | The invalid focused report cannot be run either manually from the Console or as a scheduled task. |
Query | Dependency constraint. For example, a query may depend on other resources, such as a filter, asset, or active list. | The invalid query causes the resources that depend on it, such as report and trend, to become invalid. |