
Rehandle customer autonomous investigations

When a customer's autonomous investigation fails or runs incorrectly, we may want to rehandle it so that it runs again and, hopefully, completes successfully.

Which rehandle mode to choose

We have 2 options for rehandling an autonomous investigation:

  • Rerun - runs the investigation again from scratch: we take the same workflow input, but all steps run again
  • Retry - continues the failed investigation from the point where it stopped: failed steps are run again and the investigation continues from there

The main difference between the 2 options is whether we also run completed steps again (rerun) or only failed steps (retry) before continuing to the rest of the investigation steps. Usually retry is the right option, unless we explicitly know that a step was marked as skipped or completed but didn't run correctly and needs to be run again - which retry won't do and rerun will.

When to rehandle an investigation

Customers receive a notification when autonomous investigations fail, and they can retry failed autonomous investigations on their own from the webapp. That means we may not always want to rehandle a customer investigation, since it can confuse the customer or cause unwanted side effects. For example, if an autonomous investigation fails, the customer has already investigated it manually (or with guided mode), and we then rehandle the investigation, the same item can be investigated more than once and lead to wrong results.

Guidelines for when we should rehandle a customer's investigation for them:

  • Failure is very recent (less than 2 hours have passed since the failure)
  • Failure seems transient, or the failure reason has been fixed since then (e.g. there is no reason to rehandle if credentials are wrong or the security tool is still down)
  • Optional - the failure count is high enough that we don't want the customer to manually retry the failures one by one (more than 5 as a very rough guideline)

How to rehandle an investigation

  1. Open the session viewer mgmt page
  2. Use the customer dropdown to choose the relevant customer
  3. Optionally add filters to narrow down the relevant investigations to rehandle (session type autonomous, status failed, relevant time range, potential filter by workflow or use case)
  4. Use the checkboxes next to each result session to choose the investigations that should be rehandled
  5. Click the 'Bulk actions' menu button and choose the desired rehandle mode - rerun or retry
  6. Verify the number and IDs of the investigations to rehandle and click 'OK' in the confirmation dialog
  7. Reinvestigations will be queued for each of the selected investigations and they will gradually be allocated workers and start investigating again. Make sure to track the rehandled inves