Troubleshoot Threat Intelligence Director
The sections below describe possible solutions and mitigations for common threat intelligence director issues.
Fetching or uploading flat file sources generates an error
If the system fails to fetch or upload a flat file source, check that the data in the flat file matches the Type column on the Intelligence > Sources page.
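As an added example (not code from the original page or from the Cisco product), the following Python script performs the check described above before a flat file is uploaded: it takes the declared source Type and reports every line in the file whose format does not match it. The supported type names (SHA-256, IPv4, IPv6, Domain, URL) and the choice to skip blank and `#` lines are assumptions made for this example, and the sample file contents are constructed.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample of a flat file that was declared as Type = SHA-256.
# Lines 4 and 5 are deliberately wrong (an IPv4 address and an MD5 hash).
SAMPLE_FILE = """# constructed example: declared Type = SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
198.51.100.7
d41d8cd98f00b204e9800998ecf8427e
"""

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
# Hostname labels: 1-63 chars, no leading/trailing hyphen, at least two labels.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$"
)


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _is_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


# Assumed type names; one predicate per declared flat-file Type.
VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "SHA-256": lambda v: bool(_SHA256.match(v)),
    "IPv4": lambda v: _is_ip(v, 4),
    "IPv6": lambda v: _is_ip(v, 6),
    # A dotted-quad address also matches the hostname grammar, so exclude it.
    "Domain": lambda v: bool(_DOMAIN.match(v)) and not _is_ip(v, 4),
    "URL": _is_url,
}


def validate_flat_file(text: str, declared_type: str) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (valid_count, mismatches).

    mismatches is a list of (line_number, value) for every non-blank,
    non-comment line that does not match the declared Type.
    """
    check = VALIDATORS[declared_type]
    valid = 0
    mismatches: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skipping these is an assumption
            continue
        if check(line):
            valid += 1
        else:
            mismatches.append((line_no, line))
    return valid, mismatches


if __name__ == "__main__":
    ok, bad = validate_flat_file(SAMPLE_FILE, "SHA-256")
    print(f"{ok} valid entries")
    for line_no, value in bad:
        print(f"line {line_no}: {value!r} does not match Type SHA-256")
```

Run it against the real file with the Type you selected on the Intelligence > Sources page; any reported line is the kind of mismatch that causes the fetch or upload error.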
TAXII or URL source update generates an error
If a TAXII or URL source update generates a source status error, check that your Server Certificate is not expired. If the certificate has expired, enter a new Server Certificate or delete the existing Server Certificate so threat intelligence director can retrieve a new certificate. For more information, see Configure TLS/SSL Settings for a Threat Intelligence Director Source.
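To check the expiry condition described above from an administrator's workstation, here is an added Python example (not part of the original page or of the Cisco product). It evaluates a certificate's `notAfter` field in the form returned by `ssl.SSLSocket.getpeercert()`, and optionally attempts a verified TLS handshake with the TAXII or URL source so that an expired server certificate surfaces as a verification failure. The certificate dictionaries, the hostname `taxii.example.test` and the 30-day warning threshold are constructed for this example.

```python
import socket
import ssl
import time
from typing import Any, Dict, Optional, Tuple

# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
EXPIRED_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "taxii.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
VALID_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "taxii.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def days_remaining(cert: Dict[str, Any], now: Optional[float] = None) -> float:
    """Days until the certificate's notAfter time; negative once it has expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # epoch seconds, UTC
    return (not_after - now) / 86400.0


def check_source_certificate(cert: Dict[str, Any], now: Optional[float] = None,
                             warn_days: int = 30) -> str:
    """Classify a source certificate as 'expired', 'expiring' or 'ok'."""
    remaining = days_remaining(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def probe_source_tls(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, Any]:
    """Attempt a verified TLS handshake with the source.

    Returns ("ok", peer_cert_dict) on success, or ("verify_failed", reason)
    when the default trust store rejects the certificate. An expired server
    certificate shows up here as the reason string from OpenSSL, because
    getpeercert() returns an empty dict if verification is disabled.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message


if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED_CERT), ("valid", VALID_CERT)):
        print(label, check_source_certificate(cert), f"{days_remaining(cert):.0f} days")
    # Live probe of a TAXII source (hostname constructed; replace with your own):
    # print(probe_source_tls("taxii.example.test"))
```

If the probe reports `verify_failed` with a reason mentioning expiry, replace the Server Certificate on the source as the text above describes; an `expiring` result is the cue to rotate it before the source update starts failing.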
"Block" action is not available for an indicator or source, only "Monitor"
You can change the action for individual observables in the indicator or source.
Threat Intelligence Director table views return "No results"
Table views include the Sources, Indicators, Observables, and Incidents pages.
If you do not see data in one of the threat intelligence director table views:
- Check your table filter and consider expanding the time window for the Last Updated filter attribute; see Filter Threat Intelligence Director Data in Table Views.
- Verify that you correctly configured your sources; see Options for Ingesting Data Sources.
- Verify that you configured your access control policy and related policies to support threat intelligence director; see Configure Policies to Support Threat Intelligence Director. For example, if your SHA-256 observables are not generating observations, verify that your deployed access control policy contains one or more access control rules that invoke a Malware Cloud Lookup or Block Malware file policy.
- Verify that you deployed the threat intelligence director-supporting access control policy and related policies to your elements; see Deploy Configuration Changes.
- Verify that you did not pause threat intelligence director data publication at the feature level; see Pause Threat Intelligence Director and Purge Threat Intelligence Director Data from Elements.
System is experiencing slowness or decreased performance
For more information about performance impact, see Performance Impact of Threat Intelligence Director.
Secure Firewall Management Center table views do not show threat intelligence director data
If you are publishing observables to your elements but no threat intelligence director data appears in the connection, security intelligence, file, or malware events tables, check the access control and file policies deployed to your elements. For more information, see Configure Policies to Support Threat Intelligence Director.
One or more elements are overwhelmed by threat intelligence director data
If threat intelligence director data is overwhelming one or more of your devices, consider pausing threat intelligence director publishing and purging the data stored on your elements. For more information, see Pause Threat Intelligence Director and Purge Threat Intelligence Director Data from Elements.
System is performing a Malware Cloud Lookup instead of a TID block
This is by design. For more information, see Threat Intelligence Director-Management Center Action Prioritization.
System is performing a Security Intelligence or DNS Policy action instead of a TID action
This is by design. For more information, see Threat Intelligence Director-Management Center Action Prioritization.
TID is disabled
- Add memory to your appliance. Threat Intelligence Director can only be used on appliances with at least 15GB of memory.
- Enable REST API access for the Secure Firewall Management Center. For more information, see Enabling REST API Access.
The system does not generate the threat intelligence director incident or take the threat intelligence director action that you expected
- Verify that all of your managed devices are properly enabled and configured for threat intelligence director. See View Threat Intelligence Director Status of Elements (Managed Devices) and Configure Policies to Support Threat Intelligence Director.
- It takes at least 5-10 minutes for changes to be published to elements, and significantly longer if publishing a large data feed.
- Check the action setting for the observable. See View and Manage Observables.
- For a list of the other factors that influence the threat intelligence director action that the system takes, see Factors That Affect the Action Taken.
- Elements (managed devices) may not have the threat data you think they have. See About Pausing Publishing.
One encounter with a particular threat generates multiple incidents
This can occur if a single indicator is included in multiple sources.
For details, see Handling of Duplicate Indicators.