Closed: ladykillah0 closed this issue 3 years ago
Hi @ladykillah0, could you give me some information about the content of the alert log file that you can find under SPLUNK_HOME/var/log/splunk/... ? I don't remember the exact file name :) but the file name is related to the name of the custom alert action.
Do you mean this file: thehive_create_a_new_alert_modalert.log? It's here: thehive_create_a_new_alert_modalert.log
And this picture is my config.
And the file splunkd.log
Hi @ladykillah0, thanks for the logs. My first question is: did you configure the account under the Configuration page (Settings/Configuration#Account)? (I mean the Splunk_TheHive3.) Did you add the API key as the password? If so, I don't see any error in your logs. Could you delete the thehive_create_a_new_alert_modalert.log file, enable DEBUG mode under the Configuration page (Settings/Configuration#Logging) and rerun your alert? Then provide the log file in this issue (check that no sensitive information is in it before). Thank you
Dear admin, I configured the API key as the password, so TheHive: Case works normally, but TheHive: Alert didn't work. I think I configured something wrong at Organisation in Settings > Instances. Here is the log file [thehive_create_a_new_alert_modalert.log]
Thanks admin
Hi again, next time check your log file, as it contains sensitive information :) I've just removed it. The important thing is that your connection is working, since it works for TheHive: Case. When I check your log file, I can see that the whole process is done except for the last few lines that perform the request to TheHive. This part is not accessed:
It's not accessed because this dictionary ("alerts") is populated only by this part of the code, and you always have "[CAA-THCA-116]" in your debug logs, which explains why it's not processing it:
It means that your "artifacts" list is empty. So why is that? Because "artifacts" are elements like IPs, hashes, etc. that can be found in your search results. To know that a field is an artifact, the code uses lookups/thehive_datatypes.csv as a reference. It contains the default field names that can contain an artifact. In your case, your search results don't have any of these fields.
Regarding your logs, I assume that the field "src" can contain an IP address. So if your idea is to push this to TheHive, you have two solutions:
Hope it's clear enough, let me know if you need more help.
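The following is an added example, not code from the TheHive app or from the maintainer's reply above. It re-implements, in a simplified form, the field-to-artifact mapping described in the reply so you can see why an "artifacts" list comes out empty when a search result has an IP in a field such as "src" that the lookup does not know about. The lookup layout (columns `field_name,datatype`), the sample search result, the helper names (`load_datatypes`, `extract_artifacts`, `rename_field`) and the two fixes shown (renaming the field in the search, or adding the field to the lookup) are all assumptions made for illustration; the real lookups/thehive_datatypes.csv and the app's matching code may differ, and the maintainer's two solutions are not reproduced on this page.

```python
"""
Added example (not the TheHive Splunk app's own code).

Models the behaviour described in the reply: a search result field only
becomes an artifact if its name appears in the datatypes lookup. The CSV
layout below (field_name,datatype) is an assumption, not the real file.
"""
import csv
import io

# Constructed stand-in for lookups/thehive_datatypes.csv (assumed layout).
DATATYPES_CSV = """field_name,datatype
ip,ip
src_ip,ip
dest_ip,ip
domain,domain
url,url
md5,hash
sha256,hash
"""

# Constructed search result resembling the user's case: the IP address
# lives in "src", which is not one of the lookup's field names.
RESULT = {"_time": "2021-03-01T10:00:00", "src": "203.0.113.7", "user": "alice"}


def load_datatypes(csv_text):
    """Return {field_name: datatype} from the lookup text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["field_name"]: row["datatype"] for row in reader}


def extract_artifacts(result, datatypes):
    """Build the artifact list for one search result row.

    Only fields whose name is in the lookup become artifacts; every other
    field is ignored, which is why an unmatched "src" yields an empty list
    and (per the reply) no alert is created.
    """
    artifacts = []
    for field, value in result.items():
        if field in datatypes and value not in (None, ""):
            artifacts.append({"dataType": datatypes[field], "data": value})
    return artifacts


def rename_field(result, old, new):
    """Simulate renaming a field in the search (assumed fix, e.g. src -> src_ip)."""
    renamed = dict(result)
    if old in renamed:
        renamed[new] = renamed.pop(old)
    return renamed


def add_datatype(datatypes, field_name, datatype):
    """Simulate adding a row to the lookup (assumed alternative fix)."""
    extended = dict(datatypes)
    extended[field_name] = datatype
    return extended


if __name__ == "__main__":
    dt = load_datatypes(DATATYPES_CSV)
    # Unmatched field name: artifacts is empty, so nothing is sent.
    print(extract_artifacts(RESULT, dt))
    # Fix 1: rename the field in the search so it matches the lookup.
    print(extract_artifacts(rename_field(RESULT, "src", "src_ip"), dt))
    # Fix 2: teach the lookup that "src" holds an IP.
    print(extract_artifacts(RESULT, add_datatype(dt, "src", "ip")))
```

Run it as-is: the first call returns an empty list, reproducing the situation in the logs, and each of the two fixes produces one `ip` artifact for 203.0.113.7. Whichever fix you use in practice, check the debug log again afterwards to confirm the artifact is picked up before the alert is built.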
Thanks a lot, I have solved this problem. Wishing you all the best.
I got the error "Error in 'sendalert' command: Alert script returned error code 1." when I create an alert in TheHive:Alert. Could you help me fix this problem? And could you make a tutorial on how to send alerts from Splunk to TheHive? Thanks a lot