Closed AndiLurtz closed 3 years ago
Hi, I see something weird in the payload:
frame.number == 1032
Do you know what this parameter is for? It appears in one of the artifacts sent.
Thank you
If you have no idea, I will need the complete log file with debug mode enabled. You can enable the debug mode on the configuration tab with an admin user. You can send me the complete file at my email letmer00t@gmail.com or paste it here. Thank you
Sorry LetMeR00t, I must have copied the "frame.number == 1032" in the logs when checking it before the upload. That part wasn't originally in the logs.
This error only happens when I select 'Include all fields (default datatype is "other")' in Scope.
If I select the option 'Include only listed fields in thehive_datatypes.csv' in Scope I don't get any ERROR but the alert still doesn't get created.
Logs when selecting Include all fields in Scope: thehive_create_a_new_alert_modalert.log
Logs when selecting Include only listed fields in Scope: thehive_create_a_new_alert_modalert.log
Thanks!
Hi, I need the complete job task in debug mode to see all the processing done before the alert creation please :)
Moreover, do you have a screenshot of the results you are using in your saved search when the alert is created? What are the fields/values?
Sorry if I need a lot of things, it's to ease my debugging of this issue.
Hi @AndiLurtz, I successfully received your logs by email and I will check them ASAP. Could you be more precise about your TheHive version? You mean v3 and also "TheHive/Cortex version is 2.1.0", but you probably mentioned Cortex? Can you be more specific about the version? Thank you
Hi,
I meant that the version of the TheHive app on Splunk is v2.1.0, and the version of TheHive that we have installed in the server we are trying to send the alerts to is V3
On Mon, 5 Jul 2021 at 13:06, LmR wrote:
Hi @AndiLurtz, when you select "Include only listed fields", it means that an artifact should have a type defined in dataType. If none of your fields is listed as a potential artifact, the alert is not created as there is no artifact to consider. I'm doing some tests on TheHive 3.5.0-1
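The scoping rule described in the comment above, as an added example that is not code from the TA-thehive-cortex app or from either participant: a field-to-dataType mapping is read from a constructed stand-in for thehive_datatypes.csv (the column names `field_name` and `datatype` are an assumption), each Splunk result row is turned into artifacts under both Scope settings, and an alert is only produced when at least one artifact survives. With "Include only listed fields" and a row that contains no listed field (for instance only `_time` and `host`), the result is no artifact and therefore no alert, which matches the silent non-creation seen in the thread.

```python
import csv
import io

# Constructed stand-in for thehive_datatypes.csv. The real file shipped with the
# app may use different column names; this layout is an assumption for the example.
DATATYPES_CSV = """field_name,datatype
src_ip,ip
dest_ip,ip
url,url
file_hash,hash
"""

# Constructed Splunk result rows (not taken from the reporter's logs).
SAMPLE_NO_LISTED = {"_time": "2021-07-05T13:06:00", "host": "srv01", "message": "login failed"}
SAMPLE_WITH_IP = {"_time": "2021-07-05T13:06:00", "host": "srv01", "src_ip": "10.0.0.5"}


def load_datatypes(csv_text):
    """Parse the mapping field name -> TheHive dataType from CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["field_name"].strip(): row["datatype"].strip() for row in reader}


def build_artifacts(result, datatypes, include_all_fields):
    """Turn one result row into a list of TheHive alert artifacts.

    include_all_fields=False mimics 'Include only listed fields in thehive_datatypes.csv':
    a field becomes an artifact only when it is present in the mapping.
    include_all_fields=True mimics 'Include all fields (default datatype is "other")':
    unmapped fields are still sent, typed as "other".
    """
    artifacts = []
    for field, value in result.items():
        if value is None or value == "":
            continue  # empty values never make useful observables
        if field in datatypes:
            artifacts.append({"dataType": datatypes[field], "data": str(value)})
        elif include_all_fields:
            artifacts.append({"dataType": "other", "data": str(value)})
    return artifacts


def build_alert(result, datatypes, include_all_fields, title="Splunk alert"):
    """Return the alert payload, or None when there is no artifact to send."""
    artifacts = build_artifacts(result, datatypes, include_all_fields)
    if not artifacts:
        return None  # nothing to consider, so the alert is skipped silently
    return {"title": title, "artifacts": artifacts}


if __name__ == "__main__":
    mapping = load_datatypes(DATATYPES_CSV)
    for row in (SAMPLE_NO_LISTED, SAMPLE_WITH_IP):
        for include_all in (False, True):
            print(include_all, build_alert(row, mapping, include_all))
```

When debugging a missing alert, comparing the artifact list produced under each Scope setting for one real result row is usually enough to tell whether the search simply yields no listed field or whether the failure is further down, in the call to TheHive.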
I've run some tests and I wasn't able to reproduce your issue... What is your TheHive version (complete) ?
The only thing curious in your logs is the presence of 3 artifacts coming from the same field "_time", but I wasn't able to reproduce the issue... Are the results you sent me in the picture the results given to the alerts?
No more processing is done on this result before the alert right ?
What is the list of parameters you have configured with the alert?
The complete version is 3.3.1 and what you see in the screenshot is what was given to the alert. [image: THversion.jpg]
But the company just informed me that we won't be needing the integration with TheHive, so no need to keep debugging it. Anyway, if I discover what the issue was I'll let you know.
Thanks a lot for your time!
On Mon, 5 Jul 2021 at 14:44, LmR wrote:
[image: search_results] https://user-images.githubusercontent.com/10530375/124505237-50e0b200-ddc9-11eb-84d2-9fb7c95cb61c.PNG
Hi, no problem :) Is it because you don't want to use TheHive, or because the application for Splunk is not complete enough?
They just decided that it was better to send the alerts to Phantom, which is already integrated, so why integrate something new. Sad they didn't realize this before I started haha
On Tue, 6 Jul 2021 at 2:21, LmR wrote:
Request Type
Bug
Work Environment
Problem Description
I'm getting this error: ERROR pid=27305 tid=MainThread file=cim_actions.py:message:431 | sendmodaction - worker="xxx" signature="[CAA-THCA-126] ERROR theHive alert creation has failed.
My version of Splunk is 8.0.6 and TheHive/Cortex version is 2.1.0. While I'm able to see the alerts from TheHive using Splunk, I can't send any new alert to TheHive. Each time the action to send the alert is triggered, no alert is sent and I get the error mentioned above.
Steps to Reproduce
Logs
thehive_create_a_new_alert_modalert.log