Troubleshooting Multitenant Functionalities & Accessing Internal Applications

For on-premise deployments, additional synchronizations are performed through an entity named SUPERORG. Once the SUPERORG is accessed, the below caches can be refreshed in case a synchronization problem is detected.

From "Security Management" -> "Settings," global synchronization activities can be managed. The synchronizations performed by the SUPERORG are managed from this section:

• Re-Initialize Synchronization: All synchronization tasks for rules, policies, and hardening rules are re-triggered for all organizations.

• Clear Threat Intelligence Query Cache: All caches for all organizations are re-cleared.

• Unschedule Vulnerability Synchronization: CyberCyte threat intel synchronizes CVE data with NVD to discover application vulnerabilities. SUPERORG synchronizes this data from Threat Intel to provide the information to all tenants. The synchronization job can be first stopped, then the SUPERORG vulnerability cache cleaned, and the vulnerability synchronization job can be enabled again.

• Schedule Vulnerability Synchronization: Unscheduled vulnerability synchronization is enabled.

• Clear Vulnerability Database: The vulnerability database is cleared, and a full update starts from the CyberCyte threat intel.

• Reschedule Elastic Synchronization for Configuration Updates: Windows Sysmon and Event Log artifacts are initially stored in the Elastic server. The full log data is summarized through transforms, and the original data is deleted after seven days. When there is a change in the parsing rules or a problem in getting Sysmon data, elastic synchronization rules can be re-applied by clicking this button.

• Clear Non-existing Organizations Transforms on Elastic: In multitenant deployments with multiple organizations, elastic transforms are not deleted when the organization is deleted to protect the data. Elastic transforms can be manually deleted by clicking this button.

When Sysmon data is not received even though Sysmon policies are configured, The last time synchronization between Elastic and the server can be checked from "Security Management" -> "Settings". The "Last Time Elastic Synchronization Run" value displays the last time the synchronization job has been executed. When "Elastic Synchronization Interval (Sec)" is set to 0, then saved, and after setting a new value and saving, the Elastic Synchronization job is re-created. The "Reschedule Elastic Synchronization for Configuration Updates" button performs the same operation. If there is still no data, please review the Elastic server to identify if logs have been collected. The "Agent" microservice logs identify possible problems where sysmon logs cannot be written to Elastic. If there is Sysmon and Event Log data in Elastic but not in server "Extdatasync" microservice logs should be inspected.

To access the components of the infrastructure, the below URL's are typically used. To reset access passwords, please send an e-mail to [email protected]

• Kibana: https://<elastic-ip>:5601

• Elastic: https://<elastic-ip>:9200 -> Health State in a JSON document should be displayed.

• Pgadmin for PostgreSQL: https://<server-ip>:8344