Troubleshooting
Why is my alert showing a low confidence score?
Confidence reflects how much evidence the AI had to work with. A low score typically means key data was missing -- for example, the source IP was a private address that cannot be queried in external threat intelligence databases, or endpoint telemetry was not available. Check the Missing Evidence section in the Score Breakdown to see exactly what the AI lacked.
Why did the AI close an alert without escalating it to me?
The AI automatically closes alerts it classifies as False Positive with sufficient confidence. If you believe an alert was incorrectly closed, open it from the Alerts list, review the AI Verdict and Score Breakdown, and click Reanalyze to re-run the investigation.
Why are my incidents not updating with new alerts?
The AI runs correlation periodically. New related alerts are added to an existing incident during the next correlation run. Check the Investigation & Correlation section on the Incident Detail page to see when the last correlation ran.
I ran a playbook but nothing happened in my cloud environment
Go to AgentSOAR > Executions and find the run. Check the console output for errors. The most common causes are missing or expired cloud provider credentials, insufficient permissions on the service account, or an incorrect resource ID in the configuration form.
Why is the Geographic Threat Map empty?
The map only populates when alerts contain public IP addresses with geolocation data. If most of your alerts involve internal or private IP addresses, the map will show little or no activity.
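Both the low-confidence question above and the empty map come down to the same check: whether an alert's source address is one that external threat-intelligence and geolocation services can look up at all. The following added example (not part of the product or this page) shows how an analyst can run that check over a batch of exported alerts; the `source_ip` field name and the sample alerts are constructed for the example.

```python
import ipaddress

# Constructed sample alerts (not product output); only the field this check needs.
# The field name "source_ip" is an assumption for the alert's source address.
SAMPLE_ALERTS = [
    {"id": "alert-1", "source_ip": "10.0.12.7"},       # RFC 1918 private
    {"id": "alert-2", "source_ip": "192.168.1.44"},    # RFC 1918 private
    {"id": "alert-3", "source_ip": "8.8.8.8"},         # public, can be enriched
    {"id": "alert-4", "source_ip": "fd00::1"},         # IPv6 unique-local (private)
    {"id": "alert-5", "source_ip": "not-an-ip"},       # malformed field
]


def is_externally_enrichable(ip_text):
    """Return True when the address is a public (globally routable) IPv4 or IPv6
    address that external threat-intelligence and geolocation lookups could resolve.
    Private, loopback, link-local, reserved and multicast addresses return False,
    as does any value that is not a valid IP literal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global


def triage_enrichability(alerts):
    """Split alerts into those whose source IP external lookups can enrich and those
    where the expected 'Missing Evidence' entry is simply a non-public address."""
    enrichable, unenrichable = [], []
    for alert in alerts:
        bucket = enrichable if is_externally_enrichable(alert["source_ip"]) else unenrichable
        bucket.append(alert["id"])
    return {"enrichable": enrichable, "unenrichable": unenrichable}


if __name__ == "__main__":
    report = triage_enrichability(SAMPLE_ALERTS)
    print(f"{len(report['enrichable'])} of {len(SAMPLE_ALERTS)} alerts can be enriched externally")
    print("no external evidence possible for:", ", ".join(report["unenrichable"]))
```

If most alerts land in the `unenrichable` bucket, a low confidence score and a sparse map are the expected outcome rather than a fault; the missing data has to come from internal sources such as endpoint telemetry or an internal asset inventory.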
An alert was escalated to a case but no one received a notification
Check that the Cases toggle is enabled in Settings > Notifications for the assigned analyst. Also confirm the case is assigned to the correct user -- unassigned cases do not trigger notifications.
Why does my risk score stay the same after I add evidence to a case?
The risk score on the alert is computed deterministically from the original pipeline evidence and cannot be changed manually. Adding evidence to a case is for your investigation record and audit trail, not for recalculating the score. If you believe the score is wrong, click Reanalyze on the alert to re-run the full investigation.
I cannot connect my Google Workspace account
Make sure your Google Cloud service account has Domain-Wide Delegation enabled and the correct API scopes granted. The Delegated Admin Email must belong to a Google Workspace administrator with sufficient permissions to access audit logs. If the connection still fails after setup, check the service account JSON for errors and ensure the Customer ID is correct.
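"Check the service account JSON for errors" is easier with a structural check than by eye, because the usual failures are a truncated private key from a copy/paste or a key file of the wrong type. The following added example (not product code) validates the fields that a Google Cloud service-account key file carries; the sample key files are constructed with placeholder values, and the check does not verify the Customer ID or Domain-Wide Delegation settings, which live in the Workspace admin console rather than in the file.

```python
import json

# Standard fields present in a Google Cloud service-account key file.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def validate_service_account_key(raw_json):
    """Return a list of problems found in a service-account key file; empty means
    the file is structurally sound. Only the file's shape is checked, not whether
    the key is authorised for any Workspace API scope."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]

    problems = []
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing or empty field: {field}")

    if data.get("type") and data["type"] != "service_account":
        problems.append(f"type is {data['type']!r}, expected 'service_account'")

    key = data.get("private_key", "")
    if key and not (key.startswith("-----BEGIN PRIVATE KEY-----")
                    and key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM PRIVATE KEY block (often a copy/paste truncation)")

    email = data.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email does not look like a service account address")
    return problems


# Constructed sample files with placeholder values (no real credentials).
GOOD_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "soc-connector@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Wrong kind of credential file and no private key at all.
BAD_KEY_JSON = json.dumps({
    "type": "authorized_user",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "client_email": "soc-connector@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for label, blob in (("good", GOOD_KEY_JSON), ("bad", BAD_KEY_JSON)):
        print(label, validate_service_account_key(blob) or "ok")
```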
Why is my MTTD much higher than expected?
MTTD measures the time between a threat occurring and an alert being generated. A high MTTD usually means there is a delay between events being generated on your systems and arriving in Jutsu/AgentSOC. Check your SIEM connection under Integrations and compare the Source Time and Ingested At timestamps on recent alerts to identify where the delay is occurring.
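Comparing Source Time with Ingested At across many alerts is quicker in a script than row by row. The following added example (not product code) computes the ingestion lag for a batch of exported alerts, flags the ones above a threshold so the delay can be traced to a particular source, and separates out negative lags, which indicate clock skew on the sending system rather than a pipeline delay. The `source_time` and `ingested_at` field names and the sample alerts are constructed for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample alerts, not product output. The field names source_time and
# ingested_at are assumed stand-ins for the Source Time and Ingested At columns.
SAMPLE_ALERTS = [
    {"id": "alert-1", "source_time": "2024-05-01T10:00:00Z", "ingested_at": "2024-05-01T10:00:45Z"},
    {"id": "alert-2", "source_time": "2024-05-01T10:05:00Z", "ingested_at": "2024-05-01T10:52:10Z"},
    {"id": "alert-3", "source_time": "2024-05-01T10:07:00Z", "ingested_at": "2024-05-01T10:05:00Z"},
    {"id": "alert-4", "source_time": "2024-05-01T10:09:00Z", "ingested_at": "2024-05-01T10:10:30Z"},
]


def parse_utc(timestamp):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is rewritten so that older
    Python versions accept it as UTC."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def ingestion_lag_seconds(alert):
    """Seconds between the event occurring at the source and the alert arriving
    in the platform. Negative values mean the source clock is ahead of the platform."""
    return (parse_utc(alert["ingested_at"]) - parse_utc(alert["source_time"])).total_seconds()


def lag_report(alerts, threshold_seconds=300):
    """Summarise ingestion lag: median and maximum over plausible lags, the alerts
    that exceed the threshold, and the alerts whose negative lag points to clock skew."""
    lags = {alert["id"]: ingestion_lag_seconds(alert) for alert in alerts}
    skewed = [alert_id for alert_id, lag in lags.items() if lag < 0]
    plausible = [lag for lag in lags.values() if lag >= 0]
    delayed = [alert_id for alert_id, lag in lags.items() if lag > threshold_seconds]
    return {
        "lags": lags,
        "median_lag": median(plausible) if plausible else None,
        "max_lag": max(plausible) if plausible else None,
        "delayed": delayed,
        "clock_skew": skewed,
    }


if __name__ == "__main__":
    report = lag_report(SAMPLE_ALERTS)
    print(f"median lag {report['median_lag']:.0f}s, worst {report['max_lag']:.0f}s")
    print("delayed past threshold:", report["delayed"])
    print("negative lag (check source clock):", report["clock_skew"])
```

A single source responsible for most of the `delayed` entries points at that collector or forwarder; a spread across all sources points at the SIEM connection itself. Alerts in `clock_skew` should be excluded from MTTD reasoning until the source's time synchronisation is fixed, since they understate the real detection time.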
A team member cannot see alerts or cases
Check their role under Organization > Team. Analyst and Member roles have access to alerts and cases. If their role is correct but they still cannot see data, confirm they are logged into the correct organization workspace.