LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Documentation update and wont create case without task #29

Closed Tango43 closed 2 years ago

Tango43 commented 2 years ago

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Debian 11, latest Splunk |
| TheHive version / git hash | TheHive 4, latest version |

Problem Description

Several of the examples for create case don't work, and it seems that more fields are required than specified to create cases. The only way I got createcase to work was with the following:

| makeresults | eval description="descriptiontest", title="Critical case", severity="3", tags="none", pap="4", tlp="4", tasks="none" | thehivecreate c2a5081a

Possible Solutions

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

Logs if you attempt to create a case without a task:

10-11-2021 12:15:37.770 ERROR ScriptRunner [46855 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': INFO:command_thehive_create_cases.log:[S67] Parameter "tasks" not found, using default value="[]"
10-11-2021 12:15:37.770 ERROR ScriptRunner [46855 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': Traceback (most recent call last):
10-11-2021 12:15:37.770 ERROR ScriptRunner [46855 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py", line 39, in
10-11-2021 12:15:37.770 ERROR ScriptRunner [46855 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': createTasks = [CaseTask(title=t) for t in configuration.checkAndValidate(result, "tasks", default=[], is_mandatory=False).split(" ;")]
10-11-2021 12:15:37.770 ERROR ScriptRunner [46855 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': AttributeError: 'list' object has no attribute 'split'
10-11-2021 12:15:37.812 ERROR script [46855 phase_1] - sid:1633947331.31 External search command 'thehivecreate' returned error code 1.

Tango43 commented 2 years ago

Additionally, the app defaults to medium severity as a string if none is set, like so: | makeresults | eval description="descriptiontest", title="Critical case", tags="none", pap="4", tlp="4" | thehivecreate c2a5081a

But this results in failure because the rest of the code is built for an integer to be set.

Logs:

10-11-2021 12:30:47.150 ERROR ScriptRunner [49191 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py", line 33, in
10-11-2021 12:30:47.150 ERROR ScriptRunner [49191 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': createSeverity = int(configuration.checkAndValidate(result, "severity", default=SEVERITY_DEFAULT, is_mandatory=False))
10-11-2021 12:30:47.150 ERROR ScriptRunner [49191 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py c2a5081a': TypeError: int() argument must be a string, a bytes-like object or a number, not 'Severity'
10-11-2021 12:30:47.195 ERROR script [49191 phase_1] - sid:1633948241.35 External search command 'thehivecreate' returned error code 1.
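The two tracebacks above share one root cause: the value returned for a missing parameter (a list default for `tasks`, a `Severity` object for `severity`) is not the string type the rest of the command expects. As an added example, not code from TA-thehive-cortex or its fix, the following shows one way to normalise both parameters before they are used, so that a missing `tasks` field or an enum default no longer crashes the command. `Severity`, `CaseTask`, `SEVERITY_DEFAULT`, `TASK_SEPARATOR` and `build_case_fields` are hypothetical stand-ins for the app's and the TheHive client's own names, and the sample rows at the bottom are constructed.

```python
"""Defensive parsing of the ``tasks`` and ``severity`` search-command parameters.

Added example: reproduces the two failure modes from the issue (a list default
reaching ``str.split``, and a non-numeric ``Severity`` default reaching ``int()``)
and normalises both inputs. ``Severity`` and ``CaseTask`` are hypothetical
stand-ins, not the TheHive client classes.
"""
from enum import IntEnum
from typing import List, Union


class Severity(IntEnum):
    """Hypothetical severity enum; numeric values follow TheHive's 1-4 scale."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class CaseTask:
    """Hypothetical minimal task object (the real client class has more fields)."""

    def __init__(self, title: str) -> None:
        self.title = title

    def __eq__(self, other: object) -> bool:
        return isinstance(other, CaseTask) and other.title == self.title

    def __repr__(self) -> str:
        return f"CaseTask(title={self.title!r})"


TASK_SEPARATOR = " ;"            # separator used for task lists in the SPL examples
SEVERITY_DEFAULT = Severity.MEDIUM  # assumed default, mirroring the issue's description


def parse_tasks(raw: Union[str, List[str], None]) -> List[CaseTask]:
    """Turn the ``tasks`` parameter into CaseTask objects.

    Accepts the string a user passes in SPL (``"Triage ;Contain host"``), an
    already-split list such as a ``[]`` default, or None. Blank entries and the
    literal placeholder ``"none"`` used in the issue's search are dropped.
    """
    if raw is None:
        titles: List[str] = []
    elif isinstance(raw, str):
        titles = raw.split(TASK_SEPARATOR)
    else:
        titles = list(raw)  # a list default must never reach str.split
    cleaned = [t.strip() for t in titles]
    return [CaseTask(title=t) for t in cleaned if t and t.lower() != "none"]


def parse_severity(raw: Union[str, int, Severity, None]) -> int:
    """Normalise severity to the integer TheHive expects (1-4).

    Handles the enum default (the TypeError in the logs), numeric strings from
    SPL, severity names, and ints. Anything else, or a value outside 1-4, raises
    ValueError rather than silently creating a case with a bogus severity.
    """
    if raw is None:
        value = int(SEVERITY_DEFAULT)
    elif isinstance(raw, Severity):
        value = int(raw)  # IntEnum member -> its numeric value
    elif isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and raw.strip().isdigit():
        value = int(raw.strip())
    elif isinstance(raw, str) and raw.strip().upper() in Severity.__members__:
        value = int(Severity[raw.strip().upper()])
    else:
        raise ValueError(f"unrecognised severity value: {raw!r}")
    if not 1 <= value <= 4:
        raise ValueError(f"severity out of range 1-4: {value}")
    return value


def build_case_fields(result: dict) -> dict:
    """Assemble the case fields from one Splunk result row (hypothetical shape)."""
    return {
        "title": result["title"],
        "description": result.get("description", ""),
        "severity": parse_severity(result.get("severity")),
        "tasks": parse_tasks(result.get("tasks")),
    }


if __name__ == "__main__":
    # Constructed rows mirroring the SPL searches in the issue.
    row_without_tasks = {"title": "Critical case", "description": "descriptiontest"}
    row_with_tasks = {"title": "Critical case", "severity": "3",
                      "tasks": "Triage ;Contain host"}
    print(build_case_fields(row_without_tasks))
    print(build_case_fields(row_with_tasks))
```

The checks are deliberately strict on severity: a case created with an out-of-range or unparsable severity would be accepted silently by a lenient parser and then mis-prioritised by analysts, so failing the search with a clear message is the safer outcome.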

LetMeR00t commented 2 years ago

A solution is provided by the v2.1.1. Thank you for submitting the issue.