LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Error creating alerts in TheHive from Splunk #27

Closed AndiLurtz closed 3 years ago

AndiLurtz commented 3 years ago

Request Type

Bug

Work Environment

Question | Answer
OS version (server) | Oracle Linux Server 7.9
TheHive version / git hash | v3

Problem Description

I'm getting this error: ERROR pid=27305 tid=MainThread file=cim_actions.py:message:431 | sendmodaction - worker="xxx" signature="[CAA-THCA-126] ERROR theHive alert creation has failed.

My version of Splunk is 8.0.6 and the TheHive/Cortex version is 2.1.0. While I'm able to see the alerts from TheHive using Splunk, I can't send any new alert to TheHive. Each time the action to send the alert is triggered, no alert is sent and I get the error mentioned above.

Steps to Reproduce

  1. Create a new alert in Splunk
  2. Add Trigger Action to send Alert to TheHive

Logs

thehive_create_a_new_alert_modalert.log

LetMeR00t commented 3 years ago

Hi, I see something weird with the payload:

frame.number == 1032

Do you know what this parameter is for? It appears in one of the artifacts sent.

Thank you

LetMeR00t commented 3 years ago

If you have no idea, I will need the complete log file with debug mode enabled. You can enable the debug mode on the configuration tab with an admin user. You can send me the complete file at my email letmer00t@gmail.com or paste it here. Thank you

AndiLurtz commented 3 years ago

Sorry LetMeR00t, I must have copied the "frame.number == 1032" in the logs when checking it before the upload. That part wasn't originally in the logs.

This error only happens when I select 'Include all fields (default datatype is "other")' in Scope.

If I select the option 'Include only listed fields in thehive_datatypes.csv' in Scope I don't get any ERROR but the alert still doesn't get created.

Logs when selecting Include all fields in Scope: thehive_create_a_new_alert_modalert.log

Logs when selecting Include only listed fields in Scope: thehive_create_a_new_alert_modalert.log

Thanks!

LetMeR00t commented 3 years ago

Hi, I need the complete job task in debug mode to see all the processing done before the alert creation, please :)

Moreover, do you have a screenshot of the results you are using in your saved search when the alert is created? What are the fields/values?

Sorry if I need a lot of things, it's to ease my debugging of this issue

LetMeR00t commented 3 years ago

Hi @AndiLurtz, I successfully received your logs by email and I will check them ASAP. Could you be more precise about your TheHive version? You mean v3 and also "TheHive/Cortex version is 2.1.0", but you probably mentioned Cortex? Can you be more specific about the version? Thank you

AndiLurtz commented 3 years ago

Hi,

I meant that the version of the TheHive app on Splunk is v2.1.0, and the version of TheHive that we have installed on the server we are trying to send the alerts to is v3.


LetMeR00t commented 3 years ago

Hi @AndiLurtz, when you select "Include only listed fields", it means that an artifact should have a type defined in dataType. If none of your fields is listed as a potential artifact, the alert is not created as there is no artifact to consider. I'm doing some tests on TheHive 3.5.0-1
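The two Scope behaviours described in this comment, as an added example that is not the add-on's own code: "Include all fields" assigns the default datatype "other" to any unmapped field, while "Include only listed fields" drops unmapped fields, and an alert with no artifacts is not sent at all. The CSV layout (`field_name,datatype`), the `INTERNAL_FIELDS` set and all function names are assumptions made for this example; the real thehive_datatypes.csv columns and the add-on's internals may differ.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed sample in the spirit of thehive_datatypes.csv.
# The column layout is an assumption for this example, not the add-on's file.
SAMPLE_DATATYPES_CSV = """field_name,datatype
src_ip,ip
dest_ip,ip
url,url
file_hash,hash
"""

# Splunk bookkeeping fields that are not observables in their own right.
# Which fields the real add-on skips is not stated in the thread; this set is
# an assumption for the example.
INTERNAL_FIELDS = {"_time", "_raw", "_indextime", "_serial", "_cd", "splunk_server"}


def load_datatypes(csv_text: str) -> Dict[str, str]:
    """Parse a field_name -> datatype mapping from CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["field_name"].strip(): row["datatype"].strip() for row in reader}


def build_artifacts(result: Dict[str, str], datatypes: Dict[str, str],
                    include_all_fields: bool) -> List[Dict[str, str]]:
    """Turn one Splunk result row into TheHive-style artifacts.

    include_all_fields=True  -> Scope "Include all fields": unmapped fields get "other".
    include_all_fields=False -> Scope "Include only listed fields": unmapped fields dropped.
    """
    artifacts = []
    for field, value in result.items():
        if field in INTERNAL_FIELDS or value in ("", None):
            continue
        datatype = datatypes.get(field)
        if datatype is None:
            if not include_all_fields:
                continue           # listed-only scope: field is not an artifact
            datatype = "other"     # all-fields scope: default datatype
        artifacts.append({
            "dataType": datatype,
            "data": str(value),
            "message": f"Splunk field {field}",
        })
    return artifacts


def build_alert(result: Dict[str, str], datatypes: Dict[str, str],
                include_all_fields: bool, title: str = "Splunk alert") -> Optional[dict]:
    """Return an alert payload, or None when there is no artifact to send.

    Returning None reproduces the behaviour described in the thread: with the
    listed-only scope and no mapped field, no error is raised and no alert is
    created.
    """
    artifacts = build_artifacts(result, datatypes, include_all_fields)
    if not artifacts:
        return None
    return {"title": title, "type": "splunk", "source": "splunk", "artifacts": artifacts}


if __name__ == "__main__":
    # Constructed sample result row: only src_ip is mapped in the CSV above.
    mapping = load_datatypes(SAMPLE_DATATYPES_CSV)
    row = {"_time": "2021-07-05T13:06:00", "src_ip": "10.0.0.5", "user": "alice", "count": "3"}
    print("all fields  :", build_alert(row, mapping, include_all_fields=True))
    print("listed only :", build_alert(row, mapping, include_all_fields=False))
    print("no mapped   :", build_alert({"_time": "x", "user": "alice"}, mapping, False))
```

A quick way to check whether a saved search will ever produce an alert under the listed-only scope is to run its field names through `build_artifacts` with `include_all_fields=False` and confirm the list is not empty before enabling the trigger action.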

LetMeR00t commented 3 years ago

I've run some tests and I wasn't able to reproduce your issue... What is your TheHive version (complete)?

The only curious thing in your logs is the presence of 3 artifacts coming from the same field "_time", but I wasn't able to reproduce the issue... Are the results you sent me by picture the results given to the alerts? [image: search_results]

No more processing is done on this result before the alert, right?

What is the list of parameters you have configured with the alert?

AndiLurtz commented 3 years ago

The complete version is 3.3.1 and what you see in the screenshot is what was given to the alert. [image: THversion.jpg]

But the company just informed me that we won't be needing the integration with TheHive, so no need to keep debugging it. Anyway, if I discover what the issue was I'll let you know.

Thanks a lot for your time!


LetMeR00t commented 3 years ago

Hi, no problem :) Is it because you don't want to use TheHive, or is the application for Splunk not complete enough?

AndiLurtz commented 3 years ago

They just decided that it was better to send the alerts to Phantom, which is already integrated, so why integrate something new. Sad they didn't realize this before I started haha
