Troubleshooting
This guide helps you diagnose and resolve common issues in AI SOC. Each section includes symptoms, root causes, and step-by-step solutions. Use the preventive measures to avoid issues before they occur.

## Signal status issues

### Signal stuck in Processing

**Symptoms**
- Signal status remains Processing for a long time (longer than expected after ingestion).
- Generate Plan is not available, or the signal never moves to New, Closed, or Escalated.

**Root causes**
- Threat intelligence enrichment has not completed (providers slow, errors, or observables not yet enriched).
- Signal evaluation automation (correlation, KB linking, Hero AI analysis) has not finished or has failed.
- The Pending Signal Resolution flow has not run or encountered an error.

**Resolution**
1. Check threat intelligence status on the signal. If enrichments are still pending, wait for them to complete or verify TI provider assets and connectivity.
2. Check flow run history in Orchestration → Playbooks for the Signal Evaluation and Pending Signal Resolution flows. Look for failed or stuck runs and retry or fix the underlying cause.
3. Verify correlation and Hero AI are running. Correlation runs on a schedule; Hero AI analysis runs as part of signal evaluation. If Hero AI is disabled or failing, the signal may remain in Processing until those steps complete or time out.
4. If the signal is truly stuck (all steps completed but the status never updated), open the Support tab on the signal and run AI Signal Analysis or Run Rules Engine as appropriate, or contact your administrator to inspect the Pending Signal Resolution flow.

**Prevention**
- Ensure threat intelligence providers are configured and responding (see docid b7njxu5xnzyrjcngqg5j).
- Monitor flow run history for repeated failures on Signal Evaluation or Pending Signal Resolution.

## Hero AI service issues

Hero AI powers plan generation, verdict analysis, and playbook creation. These issues typically relate to service availability, authentication, or configuration.

### Generate Plan button missing or does nothing

**Symptoms**
- The Generate Plan button does not appear at all (when the Hero AI feature flag is not enabled), or
- Clicking Generate Plan shows no response: no loading indicator, no error, and the plan section remains empty.

**Root causes**
- The Hero AI feature flag is not enabled for your tenant. In this case the Generate Plan button will not appear in the UI; enablement is required before the button is shown.
- Hero AI is not enabled for your account or tenant (the button may be hidden or non-functional).
- Required signal fields are missing.
- The AI Alert Analysis panel is not visible or configured (for example, RBAC hides the button or section).
- The browser console shows authentication errors.

**Resolution**
1. Verify Hero AI is enabled:
   - Contact your system administrator to confirm Hero AI Premium is enabled.
   - Check that your account has access to Hero AI features.
   - Verify the feature flag is active for your tenant.
2. Check signal record configuration:
   - Ensure the signal record has required fields populated (observables, signal source, etc.).
   - Verify the AI Alert Analysis panel is visible in the signal record layout.
   - Confirm you have appropriate permissions to view and use Hero AI features.
3. Review the browser console:
   - Open browser developer tools (F12).
   - Check the Console tab for authentication or API errors.
   - Look for messages indicating Hero AI service unavailability.
4. Test Hero AI connectivity:
   - Try generating a plan on a different signal.
   - Verify network connectivity to Hero AI services.
   - Check whether other Hero AI features (like chat) are working.

**Prevention**
- Confirm Hero AI setup during initial AI SOC installation.
- Regularly verify Hero AI service status with your administrator.
- Keep the browser and the Swimlane platform updated.

### Plan generation times out or fails

**Symptoms**
- Generate Plan shows a loading indicator but never completes.
- Error message: "The request to Hero AI timed out".
- Plan generation fails after several minutes.
- Intermittent failures on some signals but not others.

**Root causes**
- The Hero AI service is experiencing high load or rate limiting.
- Signal data is too large or complex.
- Network connectivity issues.
- Model unavailability or throttling.

**Resolution**
1. Retry the operation:
   - Wait 30-60 seconds and click Generate Plan again.
   - Hero AI automatically retries on transient failures.
   - Rate limits typically resolve within a few minutes.
2. Check signal complexity:
   - Signals with extremely large evidence sets may time out.
   - Try generating a plan on a simpler signal to verify the service is working.
   - Consider breaking down very complex signals.
3. Verify service status:
   - Check with your administrator whether Hero AI services are experiencing issues.
   - Review system status pages or notifications.
   - Confirm no scheduled maintenance is in progress.
4. Review error details:
   - Check the browser console for specific error messages.
   - Look for rate limit indicators (429 status codes).
   - Note any model unavailability messages.

**Prevention**
- Avoid generating multiple plans simultaneously.
- Monitor Hero AI service status during peak usage.
- Implement retry logic in custom playbooks that call Hero AI.

### Hero AI returns low confidence or unexpected verdicts

**Symptoms**
- Verdict confidence is consistently low (0-3 on a 0-10 scale).
- Verdicts do not match expected outcomes.
- The analysis summary mentions "insufficient data".
- Improvement suggestions always request more data.

**Root causes**
- The signal lacks sufficient observables or evidence.
- Knowledge base articles are missing or incomplete.
- Threat intelligence enrichment hasn't completed.
- Similar-signals history is unavailable.

**Resolution**
1. Enrich signal data:
   - Ensure observables are extracted and present on the signal.
   - Wait for threat intelligence enrichment to complete.
   - Verify knowledge base articles are linked to the signal.
2. Review signal completeness:
   - Check that all relevant evidence panels are populated.
   - Verify correlation has run to find similar signals.
   - Ensure investigation comments or summaries are added.
3. Improve the knowledge base:
   - Create or update knowledge base articles for common scenarios.
   - Link relevant KB articles to signals before generating verdicts.
   - Ensure KB articles contain actionable guidance.
4. Check historical context:
   - Verify similar signals exist and have verdicts.
   - Ensure resolved signals have manual verdicts set.
   - Review correlation settings to ensure similar signals are found.

**Prevention**
- Maintain comprehensive knowledge base articles.
- Regularly review and update KB articles based on investigation outcomes.
- Ensure threat intelligence enrichment completes before verdict generation.
- Set manual verdicts on resolved signals to improve future analysis.

### Plan builder suggests components from other solutions (known issue)

**Symptoms**
- Hero AI's plan builder suggests components that are purpose-built for another solution (for example, the classic SOC solution).
- A suggested component may not be the right tool for the investigation step (for example, it does not produce the expected output).
- This mainly affects tenants where both the SOC solution and AI SOC are installed.

**Cause**

Hero AI reviews all tools available in the tenant and can suggest any of them. The platform does not currently segregate components by solution, so components from the SOC solution can appear in AI SOC plan suggestions.

**Workaround**

Always review the tools Hero AI suggests for each step. If a suggested component is not appropriate (for example, it is built for another solution or does not fit the step), select a different component from the other available tools in the tenant. You can change the suggested component before creating or running the playbook.

## Browser and UI issues

### Playbook creation missing components (pop-up blocker)

**Symptoms**
- After clicking Create Playbook from the plan, the playbook is created, but the generated playbook does not include components suggested in the plan builder.
- Some or all recommended components are missing.
- The playbook appears incomplete compared to the plan.

**Root causes**
- The browser pop-up blocker is preventing required windows from opening.
- Pop-ups are blocked for the Swimlane domain.
- Browser security settings are too restrictive.

**Resolution**
1. Allow pop-ups for Swimlane:
   - Chrome/Edge: click the pop-up blocked icon in the address bar → select "Always allow pop-ups from [your Swimlane domain]".
   - Firefox: click the pop-up blocked notification → select "Allow pop-ups for [your Swimlane domain]".
   - Safari: go to Safari → Settings → Websites → Pop-up Windows → set your Swimlane domain to "Allow".
2. Retry playbook creation:
   - After allowing pop-ups, delete the incomplete playbook if one was created.
   - Return to the signal record and click Create Playbook again.
   - Verify all suggested components are now included.
3. Verify pop-up settings:
   - Test by clicking Create Playbook and confirming a new window/tab opens.
   - Check browser settings to ensure the Swimlane domain is in the allowed list.
   - Clear the browser cache if pop-ups still do not work.

**Prevention**
- Add your Swimlane domain to the browser's allowed pop-up list during initial setup.
- Document pop-up requirements in user onboarding materials.
- Test the playbook creation workflow after browser updates.

### AI Alert Analysis panel not visible

**Symptoms**
- The AI Alert Analysis panel does not appear on signal records.
- The panel is missing from the record layout.
- Other users can see the panel but you cannot.

**Root causes**
- The panel is disabled in the widget configuration.
- Role-based access control (RBAC) restricts visibility.
- The widget configuration is incorrect.
- The application layout doesn't include the panel.

**Resolution**
1. Check widget configuration:
   - Verify the AI Alert Analysis panel is enabled in Application Builder.
   - Confirm `summarySection`, `planSection`, and `automationSection` are enabled.
   - Review widget configuration settings.
2. Verify RBAC settings:
   - Check that your role has access to view the panel sections.
   - Confirm `roles [" "]` or your specific role is included in the configuration.
   - Review role assignments with your administrator.
3. Check application layout:
   - Verify the panel is added to the Signal Triage application layout.
   - Ensure the widget is properly embedded in the record view.
   - Confirm no layout customizations removed the panel.

**Prevention**
- Document widget configuration during setup.
- Regularly audit RBAC settings to ensure appropriate access.
- Test panel visibility after application layout changes.

## Threat intelligence issues

### Threat intelligence shows "Error" status

**Symptoms**
- Observable enrichment shows "Error" status for one or more providers.
- The threat intelligence panel displays error indicators.
- Enrichment results are missing or incomplete.
- Some providers work while others fail.

**Root causes**
- Provider API credentials are missing, invalid, or expired.
- The provider service is unavailable or rate limited.
- The observable type is not supported by the provider.
- Network connectivity issues to provider APIs.

**Resolution**
1. Verify provider credentials:
   - Go to Assets and locate the provider asset (for example, VirusTotal, AbuseIPDB).
   - Check that API keys or credentials are configured and valid.
   - Verify credentials haven't expired.
   - Test credentials by making a manual API call if possible.
2. Check provider service status:
   - Visit the provider's status page (if available).
   - Verify the provider API is operational.
   - Check for rate limit notifications or service disruptions.
3. Validate the observable type:
   - Confirm the observable type (IP, domain, hash, etc.) is supported by the provider.
   - Review provider documentation for supported types.
   - Some providers only support specific observable types.
4. Review enrichment retry logic:
   - TI enrichment automatically retries up to 5 times (about once per minute).
   - Wait a few minutes to see whether enrichment completes.
   - Check the Raw Enrichments panel for detailed error messages.
5. Test provider connectivity:
   - Verify network connectivity to provider APIs.
   - Check that firewall rules allow outbound connections.
   - Confirm no proxy settings are blocking requests.

**Prevention**
- Regularly rotate and update API credentials before expiration.
- Monitor provider service status pages.
- Configure multiple providers for redundancy.
- Set up credential expiration alerts.
- Document provider-specific requirements and limitations.

### Threat intelligence enrichment never completes

**Symptoms**
- Enrichment status remains "Pending" indefinitely.
- No results appear after several minutes.
- Enrichment appears stuck.

**Root causes**
- The enrichment job is queued but not processing.
- The provider API is slow to respond.
- Too many concurrent enrichment requests.
- The playbook or sensor processing the enrichment is disabled.

**Resolution**
1. Check enrichment job status:
   - Review playbook execution logs for enrichment playbooks.
   - Verify the enrichment playbook is enabled and running.
   - Check for any playbook execution errors.
2. Verify sensor configuration:
   - Ensure sensors triggering enrichment are enabled.
   - Check sensor schedules if using cron-based enrichment.
   - Confirm webhook sensors are receiving events.
3. Review provider response times:
   - Some providers may take several minutes to respond.
   - Check provider documentation for expected response times.
   - Consider provider rate limits if making many requests.
4. Check system resources:
   - Verify Turbine has sufficient resources to process jobs.
   - Review system logs for resource constraints.
   - Check for playbook execution backlogs.

**Prevention**
- Monitor enrichment completion times.
- Set up alerts for enrichment jobs that exceed the expected duration.
- Configure appropriate timeouts for provider API calls.
- Use multiple providers to avoid single points of failure.

### Missing threat intelligence data

**Symptoms**
- The threat intelligence panel is empty.
- No enrichment results are displayed.
- Observables exist but have no TI data.

**Root causes**
- No threat intelligence providers are configured.
- Enrichment playbooks are not running.
- Observables haven't been extracted from signals.
- Enrichment hasn't been triggered.

**Resolution**
1. Verify providers are configured:
   - Go to Assets and confirm at least one TI provider is configured.
   - Check that provider credentials are valid.
   - Ensure providers are enabled and accessible.
2. Check observable extraction:
   - Verify observables are present on the signal record.
   - Confirm observable extraction playbooks have run.
   - Review signal data to ensure observables were identified.
3. Trigger enrichment manually:
   - If enrichment playbooks are configured, trigger them manually.
   - Check playbook execution logs for errors.
   - Verify sensors are properly configured to trigger enrichment.
4. Review enrichment playbook configuration:
   - Ensure enrichment playbooks are enabled.
   - Verify playbooks are configured to run on signal creation or update.
   - Check playbook triggers and conditions.

**Prevention**
- Configure multiple TI providers during initial setup.
- Test the enrichment workflow after configuration.
- Set up monitoring for enrichment completion rates.
- Document which providers support which observable types.

## Signal ingestion issues

### Signals not being created

**Symptoms**
- Alerts or emails are sent but no signal records appear.
- Expected signals are missing.
- Ingestion appears to be failing.

**Root causes**
- Ingestion playbooks are disabled.
- Sensors are not receiving events.
- Webhook endpoints are misconfigured.
- Data transformation is failing.

**Resolution**
1. Verify ingestion playbooks are enabled:
   - Go to Playbooks and locate the ingestion playbooks (for example, "Ingest Webhook Alert", "Ingest Bulk Alerts").
   - Confirm the playbooks are enabled.
   - Check playbook execution history for errors.
2. Check sensor configuration:
   - Verify sensors are enabled and running.
   - For webhook sensors, confirm the endpoint URL is correct.
   - For cron sensors, verify the schedule is configured.
   - For email sensors, ensure email ingestion is set up.
3. Test webhook endpoints:
   - Send a test alert to the webhook endpoint.
   - Verify the webhook receives the request.
   - Check webhook logs for incoming requests.
4. Review data transformation:
   - Verify the TEDS mapping is correct.
   - Check that the alert data matches the expected schema.
   - Review transformation playbook logs for errors.
5. Check playbook triggers:
   - Confirm playbooks are triggered by the correct sensor events.
   - Verify trigger conditions are met.
   - Review sensor event logs.

**Prevention**
- Test ingestion workflows after configuration.
- Set up monitoring for signal creation rates.
- Document expected signal volumes.
- Regularly review ingestion playbook execution logs.

### Signals missing required fields

**Symptoms**
- Signal records are created but fields are empty.
- Required fields such as observables are missing.
- Signal data is incomplete.

**Root causes**
- Data transformation is not mapping fields correctly.
- Source alert data doesn't contain the expected fields.
- Field extraction playbooks haven't run.
- The TEDS mapping is incorrect.

**Resolution**
1. Review source data:
   - Check the raw alert data sent to the ingestion endpoint.
   - Verify source systems are sending complete data.
   - Compare expected vs. actual field values.
2. Validate the TEDS mapping:
   - Review the TEDS transformation in the ingestion playbooks.
   - Verify field mappings are correct.
   - Test the transformation with sample data.
3. Check field extraction:
   - Ensure observable extraction playbooks have run.
   - Verify extraction logic is working correctly.
   - Review extraction playbook logs.
4. Test with sample data:
   - Send a test alert with known field values.
   - Verify fields are populated correctly.
   - Compare the input data to the signal record fields.

**Prevention**
- Document expected field mappings during setup.
- Test transformations with representative sample data.
- Validate field extraction regularly.
- Set up alerts for signals with missing critical fields.

## Playbook execution issues

The following sections cover the playbook issues you're most likely to see when using AI SOC: investigation plan steps that fail when you click Run, and ingestion, enrichment, or routing playbooks that fail.

### Investigation plan steps fail when you click Run

**Symptoms**
- Clicking Run or Run All Steps on an investigation plan step fails.
- The step shows failure or error in the plan timeline.
- An "Install" or missing-component message appears for a step.

**Root causes (AI SOC-specific)**
- A component required by the plan step is not installed (for example, a TI provider or EDR connector).
- The asset (credentials) for the component is missing or invalid.
- The signal is missing required fields the step needs (for example, observable, host ID).

**Resolution**
1. Identify the failing step in the plan timeline and note the component or action name.
2. Install missing components: if the step shows Install, use the Swimlane content library or marketplace.
3. Configure assets for that component (API keys, credentials) under Orchestration → Assets.
4. Confirm signal data: ensure observables or other required fields are present on the signal.

**Prevention**
- Install and configure components and assets before running plan steps.
- Use Review on each step to see the required inputs before running.

### Other playbook failures (ingestion, enrichment, routing)

For failures outside the investigation plan (for example, an ingestion playbook runs but no signal is created, enrichment fails, or a routing rule triggers a playbook that fails), use playbook execution logs and your platform's playbook troubleshooting documentation. Common causes include missing or misconfigured components, invalid or expired assets, external service unavailability, and incorrect playbook or sensor configuration.

### No steps available in investigation plan

**Symptoms**
- The plan is generated but shows no steps.
- The plan section is empty.
- A "No steps available" message appears.

**Root causes**
- The signal has no observables.
- Threat intelligence enrichment hasn't completed.
- No relevant components are available.
- Signal data is insufficient.

**Resolution**
1. Verify observables exist:
   - Check the signal record for observables (IPs, domains, hashes, etc.).
   - Ensure observable extraction has completed.
   - Review signal data to confirm observables were identified.
2. Wait for enrichment:
   - Threat intelligence enrichment may be required before steps are generated.
   - Check enrichment status in the Threat Intelligence panel.
   - Wait for enrichment to complete, then regenerate the plan.
3. Check component availability:
   - Verify relevant components are installed.
   - Confirm components are available in the marketplace.
   - Review component compatibility.
4. Review signal completeness:
   - Ensure the signal has sufficient data for plan generation.
   - Verify signal source and type are set correctly.
   - Check that the signal has relevant context.

**Prevention**
- Ensure observable extraction runs before plan generation.
- Configure multiple enrichment providers for better coverage.
- Maintain a library of commonly used components.
- Document expected signal data requirements.

### No playbooks appear for routing

**Symptoms**
- When creating a routing rule, no playbooks appear in the selection.
- The playbook dropdown is empty.
- A "No playbooks available" message appears.

**Root causes**
- Only single-flow playbooks with emit triggers appear in routing.
- Playbooks are disabled.
- Playbooks do not have the correct trigger type.
- Permission issues.

**Resolution**
1. Verify the playbook trigger type:
   - Routing rules only show playbooks with emit triggers.
   - Check that playbooks use the correct trigger type.
   - Confirm playbooks are single-flow (not multi-flow).
2. Check playbook status:
   - Ensure playbooks are enabled.
   - Verify playbooks are accessible in your workspace.
   - Check playbook permissions.
3. Review playbook configuration:
   - Confirm playbooks are properly configured.
   - Verify playbooks are in the correct workspace.
   - Check for any playbook errors.

**Prevention**
- Use emit triggers for playbooks intended for routing.
- Document which playbooks are available for routing.
- Regularly review and update routing playbooks.
- Test routing rules after playbook changes.

## Configuration issues

### RBAC: features not visible or accessible

**Symptoms**
- Certain features or sections are not visible.
- Actions are disabled or missing.
- Different users see different options.
- Permission errors occur when performing actions.

**Root causes**
- Role-based access control (RBAC) restricts feature visibility.
- The widget configuration limits access by role.
- User role assignments are incorrect.
- Configuration changes haven't been applied.

**Resolution**
1. Review widget configuration:
   - Check the AI Alert Analysis panel configuration.
   - Verify the roles settings for each section (summary, plan, automation).
   - Confirm your role is included in the allowed roles.
2. Verify role assignments:
   - Check your user role assignments.
   - Confirm you have the necessary permissions.
   - Review role definitions with your administrator.
3. Check section-specific settings:
   - `summarySection`, `planSection`, and `automationSection` each have role settings.
   - `generatePlan`, `modifyPlan`, and `executePlan` have separate role controls.
   - Verify each action you need is enabled for your role.
4. Review application permissions:
   - Check workspace and application access.
   - Verify record-level permissions.
   - Confirm field-level permissions if applicable.

**Prevention**
- Document the RBAC configuration during setup.
- Regularly audit role assignments.
- Test feature visibility for each role.
- Update documentation when RBAC changes.

### Application layout issues

**Symptoms**
- Panels or widgets are missing from records.
- The layout appears different than expected.
- Customizations are not visible.

**Root causes**
- The widget is not added to the application layout.
- Layout customizations were removed.
- The widget configuration is incorrect.
- The application layout was reset.

**Resolution**
1. Check the application layout:
   - Go to Application Builder for the application.
   - Verify widgets are added to the layout.
   - Confirm widget placement and visibility.
2. Review widget configuration:
   - Check widget settings in Application Builder.
   - Verify the widget is enabled.
   - Confirm the widget configuration matches requirements.
3. Restore the layout if needed:
   - Check whether the layout was recently modified.
   - Restore from backup if available.
   - Re-add widgets if they were removed.

**Prevention**
- Document application layouts.
- Back up layout configurations before changes.
- Test layout changes in a development environment first.
- Limit who can modify application layouts.

## General troubleshooting tips

### Before contacting support

1. Gather information:
   - Note the exact error message or symptom.
   - Record when the issue started.
   - Identify whether it affects all users or specific users.
   - Check whether it is consistent or intermittent.
2. Review logs:
   - Check the browser console for errors (F12 → Console).
   - Review playbook execution logs.
   - Check system logs if accessible.
3. Test basic functionality:
   - Verify other AI SOC features are working.
   - Test with a different signal or record.
   - Try a different browser or user account.
4. Check recent changes:
   - Review recent configuration changes.
   - Check for system updates or maintenance.
   - Verify there are no recent playbook or workflow changes.

### Common diagnostic steps

1. Clear the browser cache:
   - Hard refresh (Ctrl+Shift+R or Cmd+Shift+R).
   - Clear browser cache and cookies.
   - Try incognito/private browsing mode.
2. Verify connectivity:
   - Check network connectivity.
   - Verify access to external services.
   - Test API endpoints if applicable.
3. Check system status:
   - Review system status pages.
   - Verify no scheduled maintenance is in progress.
   - Check for known issues or outages.
4. Review documentation:
   - Check this troubleshooting guide.
   - Review relevant user guide sections.
   - Consult configuration documentation.

## Getting additional help

If you've tried the troubleshooting steps above and the issue persists:

- Contact your system administrator for:
  - Hero AI service configuration
  - RBAC and permission issues
  - System-level configuration problems
- Escalate to Swimlane Support with:
  - Detailed error messages
  - Steps to reproduce the issue
  - Relevant log entries
  - System and browser information
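The "Plan generation times out or fails" section above recommends retry logic in custom playbooks that call Hero AI. The following is an added example (not Swimlane's code) of such a wrapper: it retries timeouts, 429 rate limits and 5xx responses with backoff starting at the guide's 30-60 second window, honours a server-supplied Retry-After, and refuses to retry authentication errors, which the guide says point at enablement or credential problems rather than transient load. The `HeroAIResponse` shape, the scripted transport and the sample plan are constructed stand-ins for this example.

```python
import random
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a Hero AI response. The real client and its
# response shape are not shown on the page, so this is an assumption.
@dataclass
class HeroAIResponse:
    status: int                          # HTTP status; 429 = rate limited
    body: Optional[dict] = None
    retry_after: Optional[float] = None  # seconds from a Retry-After header

class HeroAITimeout(Exception):
    """Raised by the transport when the request to Hero AI timed out."""

class HeroAIPermanentError(Exception):
    """Non-retryable failure: auth/config problem or retries exhausted."""

# Fix configuration instead of retrying these (auth errors, bad input).
NON_RETRYABLE = {400, 401, 403, 404}

def generate_plan_with_retry(send, max_attempts=4, base_delay=30.0,
                             max_delay=120.0, sleep=time.sleep, rng=random.random):
    """Call send() until a plan comes back, retrying timeouts, 429 and 5xx.

    Returns (plan body, attempts used). The wait starts at base_delay (the
    guide's 30-60 second retry window), doubles each attempt with jitter,
    and is overridden by a server-supplied Retry-After when present.
    """
    for attempt in range(1, max_attempts + 1):
        delay = min(max_delay, base_delay * 2 ** (attempt - 1)) * (1 + rng())
        try:
            resp = send()
        except HeroAITimeout:
            if attempt == max_attempts:
                raise HeroAIPermanentError(f"Hero AI timed out {attempt} times")
            sleep(delay)
            continue
        if resp.status == 200 and resp.body is not None:
            return resp.body, attempt
        if resp.status in NON_RETRYABLE:
            raise HeroAIPermanentError(
                f"Hero AI returned {resp.status}; check enablement and credentials")
        if attempt == max_attempts:
            raise HeroAIPermanentError(
                f"gave up after {attempt} attempts (last status {resp.status})")
        sleep(delay if resp.retry_after is None else resp.retry_after)
    raise AssertionError("unreachable")

def scripted_transport(script):
    """Return a send() that replays `script` in order (responses or exceptions)."""
    items = iter(script)
    def send():
        item = next(items)
        if isinstance(item, Exception):
            raise item
        return item
    return send

def demo():
    """Constructed scenario: rate limited, then a timeout, then success."""
    slept = []
    send = scripted_transport([
        HeroAIResponse(429, retry_after=5),
        HeroAITimeout(),
        HeroAIResponse(200, body={"steps": ["Enrich 203.0.113.10", "Query EDR"]}),
    ])
    # Record sleeps instead of waiting; zero jitter keeps the delays predictable.
    plan, attempts = generate_plan_with_retry(send, sleep=slept.append, rng=lambda: 0.0)
    return plan, attempts, slept

if __name__ == "__main__":
    print(demo())
```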
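The "Signals missing required fields" and "No steps available in investigation plan" sections above both come down to the same check: does the mapped signal carry the fields a plan needs? The following added example (not platform code) applies a hypothetical alert-to-signal mapping standing in for a TEDS mapping, extracts observables from the mapped text, and reports which required fields the resulting signal would lack, so a test alert can be validated before it is sent to the ingestion endpoint. The mapping, field names, observable patterns and sample alerts are all constructed for this example.

```python
import re

# Constructed observable patterns for this example; not the platform's own
# extraction logic.
OBSERVABLE_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[A-Fa-f0-9]{64}\b"),
    "md5": re.compile(r"\b[A-Fa-f0-9]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Fields a plan step needs before it can run. The guide names observables and
# signal source; title and severity are assumptions for this example.
REQUIRED_SIGNAL_FIELDS = ("title", "signal_source", "severity", "observables")

# Hypothetical alert-path -> signal-field mapping, standing in for a TEDS
# mapping (whose syntax is not shown on this page).
EXAMPLE_MAPPING = {
    "title": "alert.name",
    "signal_source": "alert.product",
    "severity": "alert.severity",
    "description": "alert.details.message",
    "host_id": "alert.host.id",
}

def get_path(data, path):
    """Resolve a dotted path such as 'alert.host.id'; None if any hop is missing."""
    cur = data
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def extract_observables(text):
    """Return unique (type, value) pairs found in free text, in pattern order."""
    found = []
    for kind, pattern in OBSERVABLE_PATTERNS.items():
        for value in pattern.findall(text or ""):
            item = (kind, value.lower())
            if item not in found:
                found.append(item)
    return found

def build_signal(alert, mapping=EXAMPLE_MAPPING):
    """Apply the mapping, then extract observables from description + indicators."""
    signal = {field: get_path(alert, path) for field, path in mapping.items()}
    parts = [signal.get("description")] + list(alert.get("indicators", []))
    signal["observables"] = extract_observables(" ".join(p for p in parts if p))
    return signal

def missing_fields(signal):
    """Required fields that are empty. A non-empty list means the signal would
    show up under 'Signals missing required fields' or 'No steps available'."""
    return [f for f in REQUIRED_SIGNAL_FIELDS if not signal.get(f)]

# Constructed sample alerts (not real data).
COMPLETE_ALERT = {
    "alert": {
        "name": "Suspicious outbound connection",
        "product": "ExampleEDR",
        "severity": "high",
        "host": {"id": "HOST-0042"},
        "details": {"message": "HOST-0042 contacted 203.0.113.10 (bad.example.net)"},
    },
    "indicators": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
}
INCOMPLETE_ALERT = {  # no product field and no indicators in the message
    "alert": {"name": "Login anomaly", "severity": "low",
              "details": {"message": "unusual login time"}},
}

if __name__ == "__main__":
    for name, alert in (("complete", COMPLETE_ALERT), ("incomplete", INCOMPLETE_ALERT)):
        print(name, "missing:", missing_fields(build_signal(alert)))
```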