Troubleshooting

Common issues encountered when using CICADA IR, along with solutions. If your issue is not covered here, contact support at support@cicada-ir.ai.

Cannot reach the web interface

If you cannot load the CICADA IR web UI in your browser after booting the VM:

1. Check the VM is running — Open your hypervisor console and confirm the VM has booted. The console displays a banner with the IP address once services are ready. Allow 1–2 minutes after boot for all services to start.
2. Verify the URL — Make sure you are using https:// (nothttp://) followed by the IP shown on the VM console banner.
3. Accept the certificate warning — CICADA IR ships with a self-signed TLS certificate. Your browser will show a security warning. Click Advanced and then Proceed (or equivalent in your browser) to continue.
4. Check network connectivity — From your workstation, test if you can reach the VM:

   # From your workstation (macOS/Linux)
   ping <vm-ip>
   
   # Or on Windows
   ping <vm-ip>
   
   # If ping works but the web page doesn't load, port 443 may be blocked
   # by your workstation firewall or corporate network

5. Check hypervisor networking — Ensure the VM's network adapter is configured correctly in your hypervisor:
   • Bridged mode: The VM gets its own IP on your network (recommended)
   • NAT mode: The VM shares the host's IP — you may need port forwarding to access it
   See the Setup Guide for platform-specific networking instructions.
6. Reboot the VM — If the console banner is not showing or the IP is missing, try a clean restart from your hypervisor.

Setup wizard issues

License activation fails

Did not receive the activation email

• Check your spam/junk folder for an email from noreply@cicada-ir.ai
• Verify you entered the correct email address on the pricing page
• If you use a corporate email with strict filtering, ask your IT team to allow emails from cicada-ir.ai
• If you still haven't received the email after 10 minutes, contact support@cicada-ir.ai with the email address you used

Data source connection issues

Microsoft Entra ID / Defender connection fails

If the Test Connection button fails when configuring a Microsoft data source:

• Verify your Azure App Registration — Ensure the Tenant ID, Client ID, and Client Secret are correct and the app has the required API permissions (see Getting Started)
• Check secret expiry — Azure client secrets expire. If the secret was created more than 6–24 months ago, generate a new one in the Azure portal
• Verify API permissions — The app registration needs the correct Microsoft Graph permissions and they must be admin-consented
• Network access — The VM needs outbound HTTPS access to login.microsoftonline.com and graph.microsoft.com. Ask your network team to whitelist these if the VM is behind a restrictive firewall (see Network Requirements)

CrowdStrike connection fails

• Verify the API Client ID and Secret are correct
• Ensure you are using the correct API base URL for your CrowdStrike cloud:
  • US-1: api.crowdstrike.com
  • US-2: api.us-2.crowdstrike.com
  • EU-1: api.eu-1.crowdstrike.com
• Check that the API client has the required scopes in the CrowdStrike console

Active Directory (on-prem) connection fails

• The VM must be able to reach your domain controller on port 389 (LDAP) or 636 (LDAPS). This typically requires the VM to be on the same network or have a route to the DC.
• Verify the service account credentials and ensure the account is not locked or expired
• If using LDAPS (recommended), ensure the DC's certificate is trusted or check the "Skip certificate validation" option for testing

Threat intelligence enrichment not working

If IOC lookups return no results or show errors:

• Check API keys — Navigate to Settings > Threat Intelligence and verify that API keys are configured for the providers you want to use
• Rate limits — Free-tier API keys have strict limits:

  Provider	Free tier limit
  VirusTotal	4 requests/minute
  AbuseIPDB	1,000 requests/day
  Shodan	1 request/second

  If you are running large investigations with many IOCs, lookups may be throttled. CICADA IR queues and retries automatically, but results may take longer to appear.
• Network access — The VM needs outbound HTTPS access to the TI provider APIs. See Network Requirements for the full list.

AI analysis issues

AI analysis returns an error

If using Ollama (local LLM):

• Ollama runs inside the VM and starts automatically. If AI analysis fails, the Ollama service may have stopped or the model may not be loaded. Try restarting the VM from your hypervisor.
• Check that the model name in Settings > AI Configuration matches an installed model. The default is llama3.1:8b.
• If the VM has limited RAM (4 GB or less), the model may fail to load. Consider increasing the VM's memory allocation in your hypervisor to at least 8 GB.

If using a cloud LLM (Anthropic Claude):

• Verify the API key is configured in Settings > AI Configuration
• Check that the VM has outbound access to api.anthropic.com on port 443. Ask your network team to whitelist this if needed.
• Verify your API key has sufficient credits at console.anthropic.com

AI analysis is slow

• Local LLMs (Ollama): Speed depends on the VM's CPU and RAM allocation. Increase the VM's resources in your hypervisor for faster inference. Without GPU passthrough, expect 30–120 seconds per analysis depending on the model size.
• Cloud LLMs: Typically respond in 10–30 seconds. If responses are slower, check your network latency to api.anthropic.com.

Performance issues

Slow evidence collection

• Large timeframes: Collecting 90 days of sign-in logs for a tenant with thousands of users takes time. Narrow the timeframe or target specific users/entities to speed up collection.
• API throttling: Microsoft Graph and CrowdStrike enforce rate limits. CICADA IR handles throttling automatically with exponential backoff, but heavy collection may take longer. A progress indicator is shown during collection.
• Network latency: If the VM is on a slow network link, data transfers will be slower. Ensure the VM has a reliable network connection.

Web interface is slow or unresponsive

• Increase VM resources: If the web UI feels sluggish, the VM may need more CPU or RAM. We recommend at least 4 vCPUs and 8 GB RAM for typical workloads.
• Close completed investigations: Active investigations consume memory. Archive completed investigations through Investigations > Archive to free resources.
• Restart the VM: If the interface becomes unresponsive, restart the VM from your hypervisor. All investigation data is saved to disk and will be available after restart.

Download issues

Download link expired

Download links are valid for 24 hours. If your link has expired, contact support@cicada-ir.ai with the email address you used to request a new download link.

Which image format do I need?

Browser compatibility

CICADA IR is tested and supported on:

• Google Chrome (latest)
• Microsoft Edge (latest)
• Mozilla Firefox (latest)
• Safari 17+

If you experience display or functionality issues:

• Try clearing your browser cache and refreshing the page
• Disable browser extensions that may interfere (ad blockers, privacy extensions)
• Try an incognito/private window to rule out extension conflicts

Still need help?

If your issue is not covered above, contact CICADA IR support. Please include:

• A description of the issue and when it started
• The error message (if any) — a screenshot is helpful
• Your CICADA IR version (shown in the bottom-left of the web interface)
• Your hypervisor type and VM resource allocation
• Any recent changes to your environment (network, data sources, etc.)

Email: support@cicada-ir.ai