crowdstrike / falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities

License: GNU Affero General Public License v3.0

C# 19.59% PowerShell 0.72% HTML 11.69% CSS 4.75% JavaScript 58.65% PLpgSQL 0.09% TSQL 3.90% SCSS 0.60% ASP.NET 0.01%

falcon-orchestrator's Introduction

CrowdStrike Falcon Orchestrator is an extendable Windows-based application that provides workflow automation, case management and security response functionality. The tool leverages the highly extensible APIs contained within the CrowdStrike Falcon Connect program.

Video Demonstration

Check out the following video on YouTube for a project overview and demonstration of Falcon Orchestrator.

Support

As an open source project this software is not officially supported by CrowdStrike. As such we ask that you please refrain from sending inquiries to the CrowdStrike support team. The project maintainers will be working with active community contributors to address bugs and supply new features. If you have identified a bug please submit an issue through GitHub by following the contribution guidelines. You can also post questions or start conversations on the project through our community forums page.

Getting Started

Please refer to the Wiki page for instructions on installing and configuring the application. You can download the installer through the release page.

Development

Being a Windows-based application, the tool was developed with .NET 4.5, C#, ASP.NET MVC 4, Entity Framework and PowerShell. If forking or cloning the repository, please note the code was written with Visual Studio 2015. Compatibility with earlier Visual Studio versions can be problematic. You can either rebuild projects individually and copy the compiled DLL/EXE to the required location, or recompile the installer project to produce a new MSI package with your code changes. To do this, open a Visual Studio command prompt, change directories to the FalconOrchestrator.Installer project and execute the command msbuild /t:Build;PublishWebSite;Harvest;WIX setup.build

Third Party Libraries

The following external libraries are used within the project. They are not provided via the GitHub repository; if building from source, you will need to right-click the solution file in Visual Studio and select Restore NuGet Packages.

  • HighCharts
  • HighCharts.NET
  • DotNetZip
  • JSON.NET
  • AutoMapper
  • Log4Net
  • WIX
  • JQuery
  • JQuery DataTables
  • Bootstrap

Project Structure

The solution is composed of 7 projects/modules, each providing specific functionality to the overall application. Each project name is prefixed with FalconOrchestrator.

| Name | Type | Description |
|---|---|---|
| Client | Windows Service | ETL service responsible for connecting to the Falcon Host Streaming API, consuming detection events and executing the configured workflow logic against those events. |
| DAL | Class Library | Centralized library using Entity Framework for common database access related tasks. |
| Installer | Setup Project | WIX project used to build the full application into an MSI installer for simplified deployment. |
| LDAP | Class Library | Centralized library for performing activity related to Active Directory integration. |
| Forensics | Class Library | Centralized library that manages PowerShell Remoting calls to execute pre-defined actions. |
| IOC | Class Library | Library managing calls to and from the Falcon Host Management API for indicators. |
| Web | ASP.NET Web Application | MVC-based web application providing the user interface for interacting with the system. |

Contribution

Contribution is key to the success of any open source project. As such we highly recommend you get involved and help us to make the tool better for everyone! For guidelines on contributing refer to CONTRIBUTING.md

License

All code in this repository (unless otherwise specified in the source file) is licensed under the Affero GPLv3 license.

Refer to LICENSE.md for more information.

falcon-orchestrator's People

Contributors

dmitria, jshcodes, mr-burnse

falcon-orchestrator's Issues

401 Unauthorized when enabling streaming API

We had another issue with standing this up, we've confirmed that we have a Streaming API username and password from the support team but when I start up the Falcon Orchestrator client I get this over and over in the text log:

2017-02-28 11:42:30,077 FATAL FalconOrchestrator.Client.Authentication - Error while authenticating to API
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse()
2017-02-28 11:42:30,093 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse()
at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()

We've confirmed that the creds are correct, any other log entries I can provide to help troubleshoot?

Issue connecting to the database

I am getting the following when connecting to the web page. The database is on a SQL server, not local.

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)

Adding an existing DB field to Detection Notification Email

Hello,

Has anyone added a new field to the Detection Notification email that is sent by Falcon Orchestrator?

I'd like to add an existing SQL Database field to my emailed report.

If so, what are the steps to making this happen?

Thanks,

-Troy

Enhancement request: Ticket Escalation on stale tickets

Requesting a feature to follow-up with open tickets that have reached a threshold of no update after XX hours or YY days. Email would be re-sent to the existing assignee. For example: ticket created and assigned to "helpdesk". 5 days later there has been no update to the ticket. Response to this could be:

  1. Notify the original Responder
    or
  2. Re-notify the assignee
    or
  3. Auto-close the ticket

Looking for the feature request for option 2: re-notify the assignee. The other options would be beneficial as well, but at least option would work to help ensure followup. Every time the threshold was reached, the response would continue until ticket closed.

Thank you for the consideration.

Unable to access configuration page: Padding is invalid and cannot be removed.

Navigating to Admin -> Configuration results in the following page being displayed:

Server Error in '/' Application.

Padding is invalid and cannot be removed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: Padding is invalid and cannot be removed.]
System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) +3999831
System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) +296
System.Security.Cryptography.CryptoStream.FlushFinalBlock() +34
System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing) +86
System.IO.Stream.Close() +21
FalconOrchestrator.DAL.Crypto.AES_Decrypt(Byte[] bytesToBeDecrypted, Byte[] passwordBytes) in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.DAL\Helpers.cs:212
FalconOrchestrator.DAL.Crypto.DecryptText(String input, String password) in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.DAL\Helpers.cs:180
FalconOrchestrator.DAL.AppConfiguration.get_EMAIL_PASSWORD() in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.DAL\AppConfiguration.cs:127
FalconOrchestratorWeb.Areas.Admin.Repository.ConfigurationRepository.MapExisitingValues() in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.Web\Areas\Admin\Repository\ConfigurationRepository.cs:39
lambda_method(Closure , ControllerBase , Object[] ) +66
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +182
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +49
System.Web.Mvc.Async.<>c__DisplayClass39.b__33() +58
System.Web.Mvc.Async.<>c__DisplayClass4f.b__49() +225
System.Web.Mvc.Async.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +49
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +24
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +44
System.Web.Mvc.<>c__DisplayClass1d.b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +38
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +28
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9744373
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

CrowdStrike Orchestrator Configuration

I have the orchestrator installed on Windows 2012R2. I followed the documentation provided and for some reason, it is not pulling any data. Please help.

sync status

enhancement request to allow detections/tickets that are closed in Orchestrator to be closed in CS portal.

When specifying SQL instance name at install time, web.config file doesn't reflect the instance name

I was installing this today on one of our servers after successfully working with it in the lab, and noticed I was getting a SQL connection error after installation even though the database was created and I could get into SSMS with the same login. After a bit of tinkering I noticed that if you specify a SQL instance name in the install screen, it doesn't necessarily update the web.config file during the install process (mine showed "localhost" as the datasource in the connection strings section of the Web.Config file, but once I edited it to be "localhost\falconorch" to match the instance name, I did an IISRESET and the site came up). It goes to the other suggestion for some validation during the installation script, but hopefully this helps anyone else who runs into the same issue.

User AD Metadata not included in email alerts but is stored in DB and viewable in the UI

When the AD Lookup processing rule is enabled a query against LDAP will only be performed if either the username does not exist in the orchestrator DB already or if the "days active" threshold has been exceeded. This is to reduce making an LDAP query for an account over and over when the metadata has already been resolved/stored. When this occurs (there is a local copy and no LDAP query) the metadata is not being pulled from the local DB and inserted into the email template.

Orchestrator website and agent not running after adjusting Windows crypto libraries

We had some crypto library updates on our computers over the weekend and since then our Falcon Orchestrator box can neither start the ETL service or edit the web site configurations. I get this error in the RunLog.txt and even just backing out the crypto changes we still can't get it to start. I've confirmed that there are no FIPS settings configured on the server, any thoughts?

2017-03-29 15:05:19,256 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA256Managed..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.SHA256.Create()
at FalconOrchestrator.DAL.Crypto.DecryptText(String input, String password)
at FalconOrchestrator.DAL.AppConfiguration.get_FALCON_STREAM_KEY()
at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()
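
Both this report and the earlier "Padding is invalid and cannot be removed" report fail inside FalconOrchestrator.DAL.Crypto.DecryptText. The following is an added example, not the project's code, of a decrypt helper that uses only CryptoServiceProvider classes (which load when the Windows FIPS policy is on, unlike SHA256Managed and RijndaelManaged) and reports a bad key or corrupted value as a handled failure. The class name, salt, iteration count and stored layout (Base64 of IV followed by ciphertext) are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the project's code. FipsSafeCrypto, Salt, Iterations and
// the "IV || ciphertext" layout are assumptions made for this illustration.
public static class FipsSafeCrypto
{
    private static readonly byte[] Salt = Encoding.ASCII.GetBytes("constructed-demo-salt");
    private const int Iterations = 10000;

    private static Aes CreateAes(string password)
    {
        // AesCryptoServiceProvider wraps the Windows implementation and can be
        // constructed under the FIPS policy; RijndaelManaged cannot.
        var aes = new AesCryptoServiceProvider { Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 };

        // Mirrors the SHA-256 step visible in the trace, but with
        // SHA256CryptoServiceProvider instead of SHA256.Create(), which
        // resolves to SHA256Managed on .NET Framework and throws under FIPS.
        byte[] passwordHash;
        using (var sha = new SHA256CryptoServiceProvider())
        {
            passwordHash = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
        }
        using (var kdf = new Rfc2898DeriveBytes(passwordHash, Salt, Iterations))
        {
            aes.Key = kdf.GetBytes(32); // AES-256 key
        }
        return aes;
    }

    public static string Encrypt(string plain, string password)
    {
        using (Aes aes = CreateAes(password))
        using (var ms = new MemoryStream())
        {
            aes.GenerateIV();
            ms.Write(aes.IV, 0, aes.IV.Length); // fresh random IV stored in front
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plain);
                cs.Write(data, 0, data.Length);
            }
            return Convert.ToBase64String(ms.ToArray());
        }
    }

    // Returns false instead of throwing, so a caller such as a configuration
    // page can show "value could not be decrypted" rather than a server error.
    public static bool TryDecrypt(string stored, string password, out string plain)
    {
        plain = null;
        if (string.IsNullOrEmpty(stored)) return false;
        try
        {
            byte[] raw = Convert.FromBase64String(stored);
            // Need a 16-byte IV plus at least one whole 16-byte block.
            if (raw.Length < 32 || raw.Length % 16 != 0) return false;

            using (Aes aes = CreateAes(password))
            {
                byte[] iv = new byte[16];
                Buffer.BlockCopy(raw, 0, iv, 0, 16);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                {
                    byte[] clear = dec.TransformFinalBlock(raw, 16, raw.Length - 16);
                    plain = Encoding.UTF8.GetString(clear);
                    return true;
                }
            }
        }
        catch (FormatException) { return false; }        // not valid Base64
        catch (CryptographicException) { return false; } // e.g. "Padding is invalid"
    }

    public static void Main()
    {
        // True when the machine policy restricts .NET to FIPS-validated algorithms.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Constructed sample values.
        string stored = Encrypt("smtp-secret", "install-key-A");
        string value;

        Console.WriteLine(TryDecrypt(stored, "install-key-A", out value)
            ? "same key: decrypted '" + value + "'"
            : "same key: failed");

        // A different key normally fails the PKCS7 padding check. Roughly 1 in
        // 256 wrong keys pass it and yield garbage, so padding alone is not an
        // integrity check; a MAC or an authenticated mode is needed for that.
        Console.WriteLine(TryDecrypt(stored, "install-key-B", out value)
            ? "different key: padding happened to validate, output is garbage"
            : "different key: handled failure, no unhandled exception");
    }
}
```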

A network-related or instance-specific error occurred while establishing a connection to SQL Server.

I am facing the same issue.
After deploying MVC asp.net application on IIS server when attempting to http://localhost.
Please help me.

Server Error in '/' Application.

The system cannot find the file specified

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The system cannot find the file specified

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[Win32Exception (0x80004005): The system cannot find the file specified]

[SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 52 - Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database Runtime feature is enabled.)]
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) +6568558 System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +717 System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, Boolean withFailover) +6595000 System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +219 System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +6597350 System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +6597891 System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +942 System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +1162 System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, 
DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +72 System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +6601145 System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +103 System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +2102 System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +116
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +1079 System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions) +6605639
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry) +233 System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource1 retry) +278
System.Data.SqlClient.SqlConnection.Open() +239
System.Data.SqlClient.SqlProviderServices.UsingConnection(SqlConnection sqlConnection, Action1 act) +122 System.Data.SqlClient.SqlProviderServices.UsingMasterConnection(SqlConnection sqlConnection, Action1 act) +3843442
System.Data.SqlClient.SqlProviderServices.GetDbProviderManifestToken(DbConnection connection) +3847702
System.Data.Common.DbProviderServices.GetProviderManifestToken(DbConnection connection) +91

[ProviderIncompatibleException: The provider did not return a ProviderManifestToken string.]
System.Data.Common.DbProviderServices.GetProviderManifestToken(DbConnection connection) +4619229
System.Data.Entity.ModelConfiguration.Utilities.DbProviderServicesExtensions.GetProviderManifestTokenChecked(DbProviderServices providerServices, DbConnection connection) +48

[ProviderIncompatibleException: An error occurred while getting provider information from the database. This can be caused by Entity Framework using an incorrect connection string. Check the inner exceptions for details and ensure that the connection string is correct.]
System.Data.Entity.ModelConfiguration.Utilities.DbProviderServicesExtensions.GetProviderManifestTokenChecked(DbProviderServices providerServices, DbConnection connection) +238
System.Data.Entity.DbModelBuilder.Build(DbConnection providerConnection) +82
System.Data.Entity.Internal.LazyInternalContext.CreateModel(LazyInternalContext internalContext) +88
System.Data.Entity.Internal.RetryLazy`2.GetValue(TInput input) +248
System.Data.Entity.Internal.LazyInternalContext.InitializeContext() +524
System.Data.Entity.Internal.InternalContext.CreateObjectContextForDdlOps() +23
System.Data.Entity.Database.Exists() +40
CapexManagementTool.Filters.SimpleMembershipInitializer..ctor() +128

[InvalidOperationException: The ASP.NET Simple Membership database could not be initialized. For more information, please see http://go.microsoft.com/fwlink/?LinkId=256588]
CapexManagementTool.Filters.SimpleMembershipInitializer..ctor() +461

[TargetInvocationException: Exception has been thrown by the target of an invocation.]
System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck) +0
System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark) +159
System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark) +256
System.Activator.CreateInstance(Type type, Boolean nonPublic) +127
System.Activator.CreateInstance(Type type) +78
System.Threading.LazyHelpers1.ActivatorFactorySelector() +72 System.Threading.LazyInitializer.EnsureInitializedCore(T& target, Boolean& initialized, Object& syncLock, Func1 valueFactory) +241
System.Threading.LazyInitializer.EnsureInitialized(T& target, Boolean& initialized, Object& syncLock) +139
System.Web.Mvc.Async.AsyncControllerActionInvoker.InvokeActionMethodFilterAsynchronously(IActionFilter filter, ActionExecutingContext preContext, Func1 nextInChain) +145 System.Web.Mvc.Async.AsyncControllerActionInvoker.InvokeActionMethodFilterAsynchronously(IActionFilter filter, ActionExecutingContext preContext, Func1 nextInChain) +980
System.Web.Mvc.Async.<>c__DisplayClass37.b__31(AsyncCallback asyncCallback, Object asyncState) +264
System.Web.Mvc.Async.WrappedAsyncResult1.Begin(AsyncCallback callback, Object state, Int32 timeout) +146 System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag, Int32 timeout) +202
System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag) +112 System.Web.Mvc.Async.<>c__DisplayClass25.b__1e(AsyncCallback asyncCallback, Object asyncState) +955 System.Web.Mvc.Async.WrappedAsyncResult1.Begin(AsyncCallback callback, Object state, Int32 timeout) +146
System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag, Int32 timeout) +166 System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag) +27
System.Web.Mvc.<>c__DisplayClass1d.b__17(AsyncCallback asyncCallback, Object asyncState) +50
System.Web.Mvc.Async.WrappedAsyncResult1.Begin(AsyncCallback callback, Object state, Int32 timeout) +146 System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag, Int32 timeout) +166
System.Web.Mvc.Controller.BeginExecuteCore(AsyncCallback callback, Object state) +543
System.Web.Mvc.Async.WrappedAsyncResult1.Begin(AsyncCallback callback, Object state, Int32 timeout) +146 System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag, Int32 timeout) +166
System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate endDelegate, Object tag) +27
System.Web.Mvc.Controller.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) +409
System.Web.Mvc.<>c__DisplayClass8.b__2(AsyncCallback asyncCallback, Object asyncState) +144
System.Web.Mvc.Async.WrappedAsyncResult1.Begin(AsyncCallback callback, Object state, Int32 timeout) +146 System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate1 endDelegate, Object tag, Int32 timeout) +166
System.Web.Mvc.Async.AsyncResultWrapper.Begin(AsyncCallback callback, Object state, BeginInvokeDelegate beginDelegate, EndInvokeDelegate endDelegate, Object tag) +27
System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +364
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +12289467
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

enhancement request in ticket creation

When setting Detection Tab status to Remediation, then saving, a ticket is created. Would like to have the Falcon portal Detect ID link in the ticket. It appears in the email when Notification in the Ticketing tab is enabled and ticket is saved. Would like to also have in the ticket.

Error occured while trying to save detection event to database

Hello,

We have a detection that Falcon Orchestrator gets stuck on, looks like it couldn't save it and keeps sending us the detection email. Also, the Falcon Orchestrator Client service doesn't seem to run. I keep trying to start it and seconds later it stops. Any advice? Thanks!

2017-03-01 16:50:41,734 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - Connection to database is successful, starting service
2017-03-01 16:50:46,128 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - [21002] Event already stored in database
2017-03-01 16:50:46,238 DEBUG FalconOrchestrator.Client.Rule - Resolved IP address of xx.xx.xx.xx for host
2017-03-01 16:50:46,269 DEBUG FalconOrchestrator.Client.Rule - Notification rule is enabled and severity of High is above threshold, attempting to send email
2017-03-01 16:50:46,707 FATAL FalconOrchestrator.Client.EventModel - [21003] Error occured while trying to save detection event to database
System.Data.Entity.Validation.DbEntityValidationException: Validation failed for one or more entities. See 'EntityValidationErrors' property for more details.
at System.Data.Entity.Internal.InternalContext.SaveChanges()
at System.Data.Entity.Internal.LazyInternalContext.SaveChanges()
at System.Data.Entity.DbContext.SaveChanges()
at FalconOrchestrator.Client.Persistence.SaveToDatabase(String cid, String offset)
at FalconOrchestrator.Client.DetectionModel.Save()

Username/Password prompt on first login

I got the MSQL DB up and communicating with the web app. On first visit to http://localhost, I am prompted for username/password but am unclear on what I need to give it.

I tried the accounts I put in 'allowed users' but those didn't work. Am I missing something?

Thanks!

Client service crashes when AD Lookup occurs for an account that does not reside in an OU

Relevant Module : FalconOrchestrator.LDAP

Description

When the AD Lookup rule is enabled, if a given user account exists in Active Directory but does not reside in an OU (i.e. is in the default Users folder), the client service will throw an unhandled error due to code on line 199 of FalconOrchestrator.LDAP.UserManager.GetMetaData() since the DistinguishedName property value does not contain "OU=".

model.OrganizationalUnit = dn.Substring(dn.IndexOf("OU="));

Expected Result

If an account does not reside in an OU and the "OU=" string does not exist in the DN, return a NULL value for OU to the client.

Error Message

The following error message is shown in RunLog.txt and the client service crashes.

2016-05-27 16:19:10,932 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.ArgumentOutOfRangeException: StartIndex cannot be less than zero.
Parameter name: startIndex
  at System.String.Substring(Int32 startIndex, Int32 length)
  at FalconOrchestrator.LDAP.UserManager.GetMetaData()
  at FalconOrchestrator.Client.ADLookup.LdapQuery()
  at FalconOrchestrator.Client.ADLookup.Execute()
  at FalconOrchestrator.Client.DetectionModel.<>c.<Save>b__5_1(Rule x)
  at System.Collections.Generic.List`1.ForEach(Action`1 action)
  at FalconOrchestrator.Client.DetectionModel.Save()
  at FalconOrchestrator.Client.FalconOrchestratorService.ProcessStream(Stream firehose)
  at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()
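
An added example, not the project's code, of the behaviour requested under "Expected Result": return null when the DN has no OU component instead of passing -1 to Substring. It goes one step beyond the report by splitting the DN on unescaped commas, so that "OU=" appearing inside another component's value is not mistaken for an OU. DnHelper and its method names are hypothetical, and the sample DNs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example, not the project's code. DnHelper, SplitRdns and
// GetOrganizationalUnit are hypothetical names.
public static class DnHelper
{
    // Splits a distinguished name into its components on unescaped commas.
    // A backslash escapes the following character, so "\," stays inside a value.
    // Quoted values (the older RFC 2253 form) are not handled here.
    public static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        if (string.IsNullOrEmpty(dn)) return parts;

        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
            {
                // Keep the escape pair as-is so the value is not altered.
                current.Append(c).Append(dn[++i]);
            }
            else if (c == ',')
            {
                parts.Add(current.ToString().TrimStart());
                current.Clear();
            }
            else
            {
                current.Append(c);
            }
        }
        parts.Add(current.ToString().TrimStart());
        return parts;
    }

    // Returns the DN suffix starting at the first OU component (the same shape
    // the original Substring call produced), or null when the account is not
    // in any OU, for example when it sits in the default CN=Users container.
    public static string GetOrganizationalUnit(string dn)
    {
        List<string> rdns = SplitRdns(dn);
        int index = rdns.FindIndex(
            r => r.StartsWith("OU=", StringComparison.OrdinalIgnoreCase));
        return index < 0
            ? null
            : string.Join(",", rdns.GetRange(index, rdns.Count - index));
    }

    public static void Main()
    {
        // Constructed sample DNs.
        string[] samples =
        {
            // Account inside an OU.
            "CN=Jane Roe,OU=Staff,OU=London,DC=example,DC=com",
            // The reported case: account in the default Users container.
            "CN=svc-backup,CN=Users,DC=example,DC=com",
            // Escaped comma in the CN, followed by a real OU.
            "CN=Smith\\, John,OU=Staff,DC=example,DC=com",
            // "OU=" occurs only inside the CN value; IndexOf("OU=") would match it.
            "CN=Doe\\, OU=Sales contact,CN=Users,DC=example,DC=com",
            // Attribute type in lower case.
            "CN=Kim Lee,ou=Contractors,DC=example,DC=com"
        };

        foreach (string dn in samples)
        {
            Console.WriteLine("{0}\n    -> {1}", dn, GetOrganizationalUnit(dn) ?? "(null)");
        }
    }
}
```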

Configuring CS-Orchestrator Alerts

How to configure the CS-Orchestrator to send alert and fetch the data from Cloud host to Orchestrator, and set the email alerts to team

Falcon Orchestrator Client keeps crashing

Starting on June 1st, we have not been able to use our Falcon Orchestrator. We have it installed on a W2K12-R2 server and the "Falcon Orchestrator Client" service keeps crashing. The log details are as follows:

The Falcon Orchestrator Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

I have tried restarting the server with no luck. Any idea?

enhancement

enhancement request in the ticket system to have a view for pending, closed, and all.

Error occured while trying to save detection event to database

Hello, we are getting a new error related to trying to save a detection to the SQL Database.

Here is the exact error from the log file.
System.ArgumentOutOfRangeException: Value to add was out of range.
Parameter name: value
at System.DateTime.Add(Double value, Int32 scale)
at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp()
at FalconOrchestrator.Client.AuthActivityAuditModel.Save()

I tried the last solution, which was to increment the offset of the event that is causing the error, N+1, but it did not help with this error, so far.

I also tried changing both the region and timezone, and back. Found someone on MSDN having a similar problem and it worked for him.

Has anyone run into this error before, and if so, how did you fix it?

Thanks,

-Troy

Orchestrator never installs without db error properly

Installed Orchestrator on a Windows 2012 R2 VM using the sparse instructions on top of SQL Express 2016. Found out the hard way that it will not work with a corporate proxy (???), based upon the error
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

Installed Open Text Socks. The SOCKS message goes away, but now this one appears, which I cannot get rid of:
2017-06-02 12:38:57,695 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - Connection to database is successful, starting service
2017-06-02 12:39:01,961 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - [0] Event already stored in database
2017-06-02 12:39:01,992 FATAL FalconOrchestrator.Client.EventModel - [7] Error occured while trying to save authentication activity audit event to database
System.ArgumentOutOfRangeException: Value to add was out of range.
Parameter name: value
at System.DateTime.Add(Double value, Int32 scale)
at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp()
at FalconOrchestrator.Client.AuthActivityAuditModel.Save()

SQL DBA looked at sql 2016 express instance and found no issues with the db. Decided to downgrade to SQL Server Express 2014 since that is the one specified in the wiki as having been tested with Orchestrator. After half a day, Orchestrator was re-installed and still, same error as before. This time on a vm running off a laptop connected to a Verizon mifi so there's no possible way, a proxy or lack of would be an issue.

2017-06-02 16:01:52,602 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - Connection to database is successful, starting service
2017-06-02 16:01:57,352 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - [0] Event already stored in database
2017-06-02 16:01:57,383 FATAL FalconOrchestrator.Client.EventModel - [7] Error occured while trying to save authentication activity audit event to database
System.ArgumentOutOfRangeException: Value to add was out of range.
Parameter name: value
at System.DateTime.Add(Double value, Int32 scale)
at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp()
at FalconOrchestrator.Client.AuthActivityAuditModel.Save()

Error while authenticating to API

I am getting the following errors:
2017-06-09 11:43:11,683 FATAL FalconOrchestrator.Client.Authentication - Error while authenticating to API
System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
at System.Net.HttpWebRequest.GetResponse()
at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse()
2017-06-09 11:43:11,714 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
at System.Net.HttpWebRequest.GetResponse()
at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse()
at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()

What can be done to resolve?

error on indicators tab

when clicking on indicators tab, this error occurs:

Server Error in '/' Application.

The remote server returned an error: (400) Bad Request.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The remote server returned an error: (400) Bad Request.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[WebException: The remote server returned an error: (400) Bad Request.]
System.Net.HttpWebRequest.GetResponse() +1390
FalconOrchestrator.IOC.ApiUtil.Response(HttpWebRequest request) in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.IOC\Utility.cs:65
FalconOrchestrator.IOC.IndicatorsAPI.List() in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.IOC\Indicators.cs:62
FalconOrchestratorWeb.Controllers.IndicatorController.Index() in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.Web\Controllers\IndicatorController.cs:38
lambda_method(Closure , ControllerBase , Object[] ) +62
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +182
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass39.b__33() +58
System.Web.Mvc.Async.<>c__DisplayClass4f.b__49() +225
System.Web.Mvc.Async.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +24
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.<>c__DisplayClass1d.b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9744261
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1069.1

400 Error when navigating to Indicators page

An error has been identified: the limit field within the API for pagination is required to have a minimum value of 1 and a maximum of 500. This was not considered during initial development and testing. It will be fixed in a subsequent build.

System.Security.Cryptography.CryptographicException Error occured

I installed Falcon Orchestrator on Windows Server 2016 (AWS).
When I start the 'Falcon Orchestrator Client' service, it stops, and the log is:

2018-10-03 11:06:46,481 DEBUG FalconOrchestrator.Client.FalconOrchestratorService - Connection to database is successful, starting service
2018-10-03 11:06:47,950 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing)
   at System.IO.Stream.Close()
   at FalconOrchestrator.DAL.Crypto.AES_Decrypt(Byte[] bytesToBeDecrypted, Byte[] passwordBytes)
   at FalconOrchestrator.DAL.Crypto.DecryptText(String input, String password)
   at FalconOrchestrator.DAL.AppConfiguration.get_FALCON_STREAM_KEY()
   at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()

help me please.

Email notifications do not show detection 'End Time'

Email notifications for detections are coming through just fine, however for process endtime within the email notification we're getting the following:

End Time | {{ProcessEndtime}}

So instead of seeing the actual processendtime we see the placeholder for it.
The detection appears fine on the Orchestrator web ui.

Thanks!
-lucas

File Extraction Issues

I am having issues using only the File Extraction forensic tool. If I try to extract a file from a remote host using the hostname I get:

•Exception calling "UploadFile" with "2" argument(s): "The remote server returned an error: (500) Internal Server Error."

If I try to extract using the IP address as the computer, I get:

•Connecting to remote server 10.XX.XXX.XXX failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

I have tried accessing the console via the IP address and via the hostname. I have tried accessing the portal remotely as well as on the server that it sits on. All other forensics tools work, so I don't believe this is firewall related.

Fatal Error

Good morning,

We have encountered the following error this morning:

WinRM process not being closed upon exception/failure (maximum number of concurrent shells)

When using the Forensics modules, if a failure occurs the WinRM process (wsmprovhost.exe) is not terminated as expected on the remote host. If this occurs 5 times, the following error will be presented. The workaround is to go and terminate those processes on the remote host. This will be addressed in the next release.

Error! Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
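The failure mode described in this issue (a remote shell left open after an exception until the per-user quota is reached) is commonly avoided by closing the session in a `finally` block and setting a short idle timeout. The following is an added example, not code from Falcon Orchestrator; the function names, parameters and the host name `HOST01` are hypothetical.

```powershell
# Added example, not Falcon Orchestrator code. Function and parameter names
# are hypothetical; HOST01 in the usage comments is a constructed host name.

function Invoke-RemoteTaskWithCleanup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [object[]] $ArgumentList,
        [System.Management.Automation.PSCredential] $Credential,
        # WinRM does not accept an idle timeout below 60 seconds.
        [ValidateRange(60, 3600)] [int] $IdleTimeoutSec = 120
    )

    # Idle timeout is enforced on the remote side: if this process is killed
    # before the finally block runs, the remote shell still closes once the
    # timeout expires instead of lingering and counting against the quota.
    $option = New-PSSessionOption -IdleTimeout ($IdleTimeoutSec * 1000) -OpenTimeout 30000

    $sessionArgs = @{
        ComputerName  = $ComputerName
        SessionOption = $option
        ErrorAction   = 'Stop'
    }
    if ($Credential) { $sessionArgs['Credential'] = $Credential }

    $session = $null
    try {
        $session = New-PSSession @sessionArgs
        # -ErrorAction Stop turns remote non-terminating errors into
        # exceptions, so a failed task surfaces to the caller.
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock `
            -ArgumentList $ArgumentList -ErrorAction Stop
    }
    finally {
        # Runs on success and on failure: closing the session releases the
        # remote shell and lets its wsmprovhost.exe host process exit.
        if ($null -ne $session) {
            Remove-PSSession -Session $session -ErrorAction SilentlyContinue
        }
    }
}

function Get-RemoteShell {
    # Lists the WinRM shells currently open on a host. This is a WS-Management
    # enumeration, not a new PowerShell session. ProcessId identifies the
    # hosting process on the remote host.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [System.Management.Automation.PSCredential] $Credential
    )

    $wsmanArgs = @{
        ComputerName = $ComputerName
        ResourceURI  = 'shell'
        Enumerate    = $true
    }
    if ($Credential) { $wsmanArgs['Credential'] = $Credential }

    Get-WSManInstance @wsmanArgs |
        Select-Object Owner, ClientIP, ProcessId, State, ShellRunTime, ShellInactivity
}

# Usage (constructed host name):
#   Invoke-RemoteTaskWithCleanup -ComputerName 'HOST01' -ScriptBlock { Get-Process | Select-Object -First 5 }
#   Get-RemoteShell -ComputerName 'HOST01'
```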

email alert delivery time does not match start time of detections

Orchestrator has been configured to send email notifications but it has been noticed that the emails being sent are often 20min to several hours after the malware detection. The Orchestrator console on the other hand, does match up within a few minutes with the Crowdstrike Falcon Cloud console.

Is there a setting that can be specified to hard-code a window within which email alerts must be sent upon malware detection? And one for the Orchestrator console itself to retrieve data using the Streaming API?

thanks,
Chris

Orchestrator not communicating with Crowdstrike

The Dashboard and notifications are blank. I have configured the UUID and Key but I do not see Orchestrator even attempting to communicate with Crowdstrike. I know the UUID and Key work because our SIEM is actively using it. I see the SIEM communication in the firewall but nothing from Orchestrator.

Server Error in '/' Application.

After installation, getting this error when attempting http://localhost

Server Error in '/' Application.

The system cannot find the file specified

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The system cannot find the file specified

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[Win32Exception (0x80004005): The system cannot find the file specified]

[SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)]
System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling) +830
System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +329
System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +38
System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +682
System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +89
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +426
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +78
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +191
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions) +154
System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions) +21
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry) +90
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource1 retry) +217
System.Data.SqlClient.SqlConnection.Open() +96
System.Data.Entity.Infrastructure.Interception.DbConnectionDispatcher.b__36(DbConnection t, DbConnectionInterceptionContext c) +10
System.Data.Entity.Infrastructure.Interception.InternalDispatcher1.Dispatch(TTarget target, Action2 operation, TInterceptionContext interceptionContext, Action3 executing, Action3 executed) +72
System.Data.Entity.Infrastructure.Interception.DbConnectionDispatcher.Open(DbConnection connection, DbInterceptionContext interceptionContext) +359
System.Data.Entity.Core.EntityClient.EntityConnection.b__2() +55
System.Data.Entity.SqlServer.<>c__DisplayClass1.b__0() +10
System.Data.Entity.SqlServer.DefaultSqlExecutionStrategy.Execute(Func`1 operation) +189
System.Data.Entity.SqlServer.DefaultSqlExecutionStrategy.Execute(Action operation) +77
System.Data.Entity.Core.EntityClient.EntityConnection.Open() +253

[EntityException: The underlying provider failed on Open.]
System.Data.Entity.Core.EntityClient.EntityConnection.Open() +323
System.Data.Entity.Core.Objects.ObjectContext.EnsureConnection(Boolean shouldMonitorTransactions) +133
System.Data.Entity.Core.Objects.ObjectContext.ExecuteInTransaction(Func1 func, IDbExecutionStrategy executionStrategy, Boolean startLocalTransaction, Boolean releaseConnectionOnSuccess) +46
System.Data.Entity.Core.Objects.<>c__DisplayClass7.<GetResults>b__5() +155
System.Data.Entity.SqlServer.DefaultSqlExecutionStrategy.Execute(Func1 operation) +189
System.Data.Entity.Core.Objects.ObjectQuery1.GetResults(Nullable1 forMergeOption) +281
System.Data.Entity.Core.Objects.ObjectQuery1.<System.Collections.Generic.IEnumerable<T>.GetEnumerator>b__0() +11
System.Data.Entity.Internal.LazyEnumerator1.MoveNext() +45
System.Collections.Generic.List1..ctor(IEnumerable1 collection) +381
System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
FalconOrchestratorWeb.MvcApplication.Application_Start() in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.Web\Global.asax.cs:25

[HttpException (0x80004005): The underlying provider failed on Open.]
System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +9964517
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +118
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +172
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +339
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +296

[HttpException (0x80004005): The underlying provider failed on Open.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +9946024
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +90
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +261

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1069.1

Server Error in Application for Indicator page

I’m trying to build an internal Falcon Orchestrator server but I have received this error. I can see calls to the local disk for Visual Studio files; however, I don’t see this account anywhere on the local disk.

Can you advise how to solve the problem?

The remote server returned an error: (401) Unauthorized.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The remote server returned an error: (401) Unauthorized.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +1390
FalconOrchestrator.IOC.ApiUtil.Response(HttpWebRequest request) in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.IOC\Utility.cs:65
FalconOrchestrator.IOC.IndicatorsAPI.List() in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.IOC\Indicators.cs:59
FalconOrchestratorWeb.Controllers.IndicatorController.Index() in C:\Users\Falcon\Documents\Visual Studio 2015\Projects\FalconOrchestrator\FalconOrchestrator.Web\Controllers\IndicatorController.cs:38
lambda_method(Closure , ControllerBase , Object[] ) +62
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +182
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass39.b__33() +58
System.Web.Mvc.Async.<>c__DisplayClass4f.b__49() +225
System.Web.Mvc.Async.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +24
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.<>c__DisplayClass1d.b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult1.End() +50
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +16
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9744261
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Falcon Orchestrator Client Service - Dying after startup

My team noticed we were not receiving alerts via email. Found out the Falcon Orchestrator Client service terminated unexpectedly. Event ID: 7031

Looking in:
C:\Program Files (x86)\Falcon Orchestrator\RunLog.txt
We see several of these errors:

2017-06-02 10:51:22,331 FATAL FalconOrchestrator.Client.EventModel - [21145] Error occured while trying to save authentication activity audit event to database
System.ArgumentOutOfRangeException: Value to add was out of range.
Parameter name: value
   at System.DateTime.Add(Double value, Int32 scale)
   at FalconOrchestrator.Client.AuditEvent.get_FormattedTimestamp()
   at FalconOrchestrator.Client.AuthActivityAuditModel.Save()

Could you provide assistance with how to resolve this or what we can check next to provide more info?

Thanks! FJ

PS: Is slack not an option for support? Seems I need a crowdstrike email to create an account for https://falcon-orchestrator.slack.com/

Enhancement request in the Admin/Schedule

Enhancement request in the Admin/Schedule form to allow for "follow the sun" 24/7 incident response teams. Any enhancement to include multiple times during the day for different responders, instead of just one responder per day. For example: Monday 12:00am-8:00am, Responder A; Monday 8:00am-4:00pm, Responder B; Monday 4:00pm-12:00am, Responder C.

Microsoft SQL Database Password Expired

Hello,

I have performed these two steps.

  1. Updated Password for the Falcon SQL Account.

  2. Updated the Microsoft IIS Database Connection String.

Then, everything came up and is running, but we have noticed that we are not receiving any new detections.

Does anyone know what I might have missed?

Thanks,

-Troy

Malformed audit event timestamp, failing over to current time

Hi there - I'm seeing this event every couple minutes in the 'runlog' - I'm receiving detection events but not sure if this is a problem.

'2018-02-21 14:52:45,948 WARN FalconOrchestrator.Client.AuditEvent - Malformed audit event timestamp, failing over to current time'

Thanks so much in advance.

Ticketing Stack Trace Issue

When I select Ticketing, I get the following stack trace:

Server Error in '/' Application.

TryExpression is not supported as a child expression when accessing a member on type 'System.Nullable`1[System.DateTime]' because it is a value type. Construct the tree so the TryExpression is not nested inside of this expression.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NotSupportedException: TryExpression is not supported as a child expression when accessing a member on type 'System.Nullable`1[System.DateTime]' because it is a value type. Construct the tree so the TryExpression is not nested inside of this expression.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[NotSupportedException: TryExpression is not supported as a child expression when accessing a member on type 'System.Nullable1[System.DateTime]' because it is a value type. Construct the tree so the TryExpression is not nested inside of this expression.]
System.Linq.Expressions.Compiler.StackSpiller.RequireNotRefInstance(Expression instance) +2253505
System.Linq.Expressions.Compiler.StackSpiller.RewriteMethodCallExpression(Expression expr, Stack stack) +4379405
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +114
System.Linq.Expressions.Compiler.ChildRewriter.Add(Expression node) +37
System.Linq.Expressions.Compiler.StackSpiller.RewriteMemberAssignment(BinaryExpression node, Stack stack) +122
System.Linq.Expressions.Compiler.StackSpiller.RewriteAssignBinaryExpression(Expression expr, Stack stack) +4427678
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +408
System.Linq.Expressions.Compiler.StackSpiller.RewriteBlockExpression(Expression expr, Stack stack) +114
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +294
System.Linq.Expressions.Compiler.StackSpiller.RewriteTryExpression(Expression expr, Stack stack) +89
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +4379415
System.Linq.Expressions.Compiler.StackSpiller.RewriteBlockExpression(Expression expr, Stack stack) +114
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +294
System.Linq.Expressions.Compiler.StackSpiller.RewriteConditionalExpression(Expression expr, Stack stack) +122
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +218
System.Linq.Expressions.Compiler.StackSpiller.RewriteBlockExpression(Expression expr, Stack stack) +114
System.Linq.Expressions.Compiler.StackSpiller.RewriteExpression(Expression node, Stack stack) +294
System.Linq.Expressions.Compiler.StackSpiller.Rewrite(Expression1 lambda) +61
System.Linq.Expressions.Expression1.Accept(StackSpiller spiller) +44
System.Linq.Expressions.Compiler.LambdaCompiler.Compile(LambdaExpression lambda, DebugInfoGenerator debugInfoGenerator) +116
System.Linq.Expressions.LambdaExpression.Compile() +11
AutoMapper.MapperFuncs..ctor(MapRequest mapRequest, LambdaExpression typedExpression) +145
AutoMapper.MapperFuncs..ctor(MapRequest mapRequest, TypeMap typeMap) +132
AutoMapper.MapperConfiguration.CreateMapperFuncs(MapRequest mapRequest) +251
System.Collections.Concurrent.ConcurrentDictionary2.GetOrAdd(TKey key, Func2 valueFactory) +132
AutoMapper.MapperConfiguration.GetMapperFunc(MapRequest mapRequest) +98
AutoMapper.MapperConfiguration.GetMapperFunc(TypePair types) +240
AutoMapper.Mapper.AutoMapper.IMapper.Map(TSource source) +314
FalconOrchestratorWeb.Repository.TicketingRepository.GetList() in C:\Users\eerickson\Downloads\falcon-orchestrator-1.0.0\falcon-orchestrator-1.0.0\FalconOrchestrator.Web\Repository\TicketingRepository.cs:72
lambda_method(Closure , ControllerBase , Object[] ) +66
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +157
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +27
System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
System.Web.Mvc.Async.WrappedAsyncResult2.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +49
System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +50
System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +49
System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +44
System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +55
System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +22
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +45
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +45
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9744261
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1069.1

Network error: Named Pipes Provider, error:40

Hi,

I am having a connectivity problem while connecting to the database through the browser. Installation seems to have completed without an error, but I am getting the attached error. The instance name for the DB is localhost\SQLEXPRESS01 and I have changed the connection string accordingly.

DB_Error.txt

Any help is highly appreciated.

Thanks

Wasim
