LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

Error create Splunk Alert to The Hive #12

Closed ladykillah0 closed 3 years ago

ladykillah0 commented 3 years ago

I got an error "Error in 'sendalert' command: Alert script returned error code 1." when I create an alert in TheHive:Alert. Could you help me fix this problem? And could you make a tutorial on how to send an alert from Splunk to TheHive? Thanks a lot.

LetMeR00t commented 3 years ago

Hi @ladykillah0, could you give me some information about the content of the file regarding the alert logs that you can find under SPLUNK_HOME/var/log/splunk/... ? I don't remember the exact file name :) but the file is related to the name of the custom alert action.

ladykillah0 commented 3 years ago

Do you mean that file is thehive_create_a_new_alert_modalert.log? It's here: thehive_create_a_new_alert_modalert.log

ladykillah0 commented 3 years ago

(image: config) And this picture is my config.

ladykillah0 commented 3 years ago

(attachment: splunkd.log) And the file splunkd.log.

LetMeR00t commented 3 years ago

Hi @ladykillah0, thanks for the logs. My first question is: did you configure the account under the Configuration page (Settings/Configuration#Account)? (I mean the Splunk_TheHive3.) Did you add the API key as the password? If so, I don't see any error in your logs. Could you delete the thehive_create_a_new_alert_modalert.log file, set the DEBUG mode under the Configuration page (Settings/Configuration#Logging) and rerun your alert? Then provide the log file in this issue (check that no sensitive information is in it before). Thank you.

ladykillah0 commented 3 years ago

Dear admin, I configured the API key as the password, so TheHive : Case works normally, but TheHive : Alert didn't work. I think I configured the Organisation wrongly in Settings > Instances. Here is the log file: [thehive_create_a_new_alert_modalert.log]

Thanks admin

LetMeR00t commented 3 years ago

Hi again. Next time, check your log file as it contains sensitive information :) I've just removed it. The important thing is that your connection is working, as it works for TheHive: Case. When I check your log file, I can see that the whole process is done except the last few lines that perform the request to TheHive. This part is not reached:

https://github.com/LetMeR00t/TA-thehive-cortex/blob/d6e09ac5e7e225fca630398af0db8fe1d178d19b/TA-thehive-cortex/bin/ta_thehive_cortex/modalert_thehive_create_a_new_alert_helper.py#L502-L538

It's not reached because this dictionary ("alerts") is populated by this part of the code only, and you always have "[CAA-THCA-116]" in your debug logs, so that explains why it's not processing it:

https://github.com/LetMeR00t/TA-thehive-cortex/blob/d6e09ac5e7e225fca630398af0db8fe1d178d19b/TA-thehive-cortex/bin/ta_thehive_cortex/modalert_thehive_create_a_new_alert_helper.py#L494-L500

It means that your "artifacts" list is empty. So why is that? Because "artifacts" are elements like IPs, hashes etc. that can be found in your search results. To know that a field is an artifact, the code uses lookups/thehive_datatypes.csv as reference. It contains the default field names that can contain an artifact. In your case, your search results don't have any of these fields.

Regarding your logs, I assume that the field "src" can contain an IP address. So if your idea is to push this to TheHive, you have two solutions:

Hope it's clear enough, let me know if you need more help.
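To make the failure mode described in this comment concrete, here is an added illustration (not code from TA-thehive-cortex, and not the author's): a small Python model of how a lookup of "field name -> TheHive datatype" decides which search-result fields become artifacts, and why a result whose only observable sits in an unlisted field such as "src" produces no alert at all. The CSV content, column names, the "alert_key" grouping field and the two remedies shown (renaming the field in the search, or extending the lookup) are the example's own assumptions, not a description of the add-on's real file format or of the two solutions the author had in mind.

```python
import csv
import io

# Constructed stand-in for lookups/thehive_datatypes.csv: field name -> TheHive datatype.
# The real lookup's columns and rows may differ; this content is an assumption.
DATATYPES_CSV = """field_name,datatype
ip,ip
src_ip,ip
dest_ip,ip
domain,domain
url,url
md5,hash
sha256,hash
"""


def load_datatypes(csv_text=DATATYPES_CSV):
    """Parse the lookup into {field_name: datatype}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["field_name"]: row["datatype"] for row in reader}


def extract_artifacts(result, datatypes):
    """Return the artifacts found in one search-result row.

    Only fields whose name appears in the lookup are treated as observables;
    any other field is ignored, however IP-like its value looks.
    """
    artifacts = []
    for field, value in result.items():
        if field in datatypes and value not in (None, ""):
            artifacts.append({"dataType": datatypes[field], "data": value})
    return artifacts


def build_alerts(results, datatypes):
    """Group rows into alerts keyed by a hypothetical 'alert_key' field.

    Rows without artifacts are skipped, so a search whose observables live in
    unlisted fields yields an empty alerts dict and nothing is sent to TheHive.
    Returns (alerts, skipped_rows) so the caller can log the skipped rows.
    """
    alerts = {}
    skipped = []
    for row in results:
        artifacts = extract_artifacts(row, datatypes)
        if not artifacts:
            skipped.append(row)
            continue
        key = row.get("alert_key", "default")
        alerts.setdefault(key, {"title": f"Splunk alert {key}", "artifacts": []})
        alerts[key]["artifacts"].extend(artifacts)
    return alerts, skipped


def rename_field(results, old, new):
    """Remedy 1 (assumed): what '| rename src AS src_ip' in the search would do."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in results]


def extend_lookup(datatypes, field, datatype):
    """Remedy 2 (assumed): register an extra field name in the lookup."""
    updated = dict(datatypes)
    updated[field] = datatype
    return updated


if __name__ == "__main__":
    dt = load_datatypes()
    # Constructed search results: the observable is in "src", which the lookup does not list.
    rows = [{"src": "10.0.0.5", "alert_key": "bruteforce"}]

    alerts, skipped = build_alerts(rows, dt)
    print("as-is:", alerts, "skipped:", len(skipped))        # as-is: {} skipped: 1

    alerts, _ = build_alerts(rename_field(rows, "src", "src_ip"), dt)
    print("after rename:", alerts)

    alerts, _ = build_alerts(rows, extend_lookup(dt, "src", "ip"))
    print("after lookup change:", alerts)
```

Running it shows the empty alerts dict for the unmodified results, then one alert carrying an "ip" artifact once the field is either renamed to a listed name or added to the lookup. The skipped-row count is worth logging in a real alert action, because an empty artifacts list is otherwise silent, exactly the symptom in this thread.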

ladykillah0 commented 3 years ago

Thanks a lot, I have solved this problem. Wishing you all the best.