You can investigate and take action on health issues from the Health Issues page and the Issues Table.
The following tasks explain how to investigate and resolve health issues. You can see health issues on the following pages:
Go to Settings → Health Issues
Go to Cases & Issues → Issues and change the table view to Health Domain.
A data ingestion issue identifies disruption in the data ingestion pipeline. For example, a data source is not sending logs, or there is a significant drop in log collection compared to the calculated ingestion baseline.
Identify the error: Type = Ingestion.
Right-click and select Investigate in XQL query.
The Query Builder opens and runs a prefilled query to display related data ingestion metrics entries.
Review the query results.
The results provide context for the issue and the events leading up to it. For more information about data ingestion metrics and setting up correlation rules with your own data ingestion logic, see Monitor data ingestion health.
Investigate data collector errors. Return to the Health Issues page, right-click the issue, and select Pivot to views → View collector details.
Depending on the type of collector in error, the relevant data collector settings page opens, filtered by data collector.
A collection issue identifies connectivity disruption in your collection integrations, custom collectors, and Marketplace integrations.
Identify the error: Type = Collection.
See the current status of the collector.
Right-click and select Pivot to views → View collector details. Depending on the type of collector in error, the relevant data collector settings page opens, filtered by data collector.
If the data collector is still in error, you can update the collector settings as required.
Investigate the collector error status.
Run a query on the
collection_auditingdataset to see all the connectivity changes of the collector over time, the escalation or recovery of the connectivity status, and the error, warning, and informational messages related to status changes.Example 73.This example searches for status changes for the "instance1" data collector integration:
dataset = collection_auditing |filter collector_type = "STRATA_IOT" and instance = "instance1"
For more information about troubleshooting collector errors and setting up correlation rules to trigger additional collection issues, see Verify collector connectivity.
A correlation issue identifies errors in your correlation rules.
Identify the error: Type = Correlation.
Right-click and select Investigate Correlation Auditing.
The Query Builder opens and runs a prefilled query to display related correlation execution records.
Review the query results.
Identify the correlation rule in error and take steps to resolve the error. For more information about how Cortex XDR identifies correlation rule errors, see Monitor correlation rules.
Automation issues identify potential misconfigurations in automations, enabling you to take a proactive approach to fixing misconfiguration issues before they affect system performance.
Identify the error: Type = Automation.
Click the automation health issue to view the details of the related case or component.
Based on the details of the automation health issue, review any related automations, such as playbooks and integrations, for possible misconfigurations.