LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] SERVICE UNAVAILABLE - Cortex service is unavailable, is configuration correct ? #31

Closed fkolacek closed 2 years ago

fkolacek commented 2 years ago

Request Type

Bug

Work Environment

Question                Answer
OS                      RHEL 7.9
Cortex Version          3.1.1-1
Splunk version          8.2.2.1
TheHive-Cortex version  2.1.5

Problem Description

We are trying to configure our Cortex instance in your app so Splunk can talk to it, however we are seeing the following error when trying to List Cortex jobs from within Splunk:

ERROR cortex:112 - [C26-ERROR] SERVICE UNAVAILABLE - Cortex service is unavailable, is configuration correct ?

Steps to Reproduce

  1. Installed fresh TheHive-Cortex app on our testing SH
  2. Created account used for Cortex (Settings->Account) using Cortex API token as password
  3. Created instance with default values as shown in screenshot below
  4. Tried to list Cortex jobs (Cortex->Cortex Jobs -> LIST)

To avoid any problems (SSL, firewall, etc.) we've tried to forward the port from the Cortex instance to the Splunk SH machine so Cortex actually listens on localhost (127.0.0.1) and the default port (9001), so the following command works:

curl -H "Authorization: Bearer [REDACTED]" http://127.0.0.1:9001/api/analyzer
cortex

Possible Solutions

-

Splunk Logs

2021-12-03 12:08:10,772 DEBUG   common:31 - [S2] Logging mode set to DEBUG
<KV Stored content redacted>
2021-12-03 12:08:11,090 DEBUG   common:128 - [S25] Successfully recovering passwords from storage passwords
2021-12-03 12:08:11,090 DEBUG   cortex:57 - [C6] Settings recovered
2021-12-03 12:08:11,090 DEBUG   common:217 - [S55] Getting this parameter: 100
2021-12-03 12:08:11,091 DEBUG   common:223 - [S60] Getting this parameter: -createdAt
2021-12-03 12:08:11,091 DEBUG   common:177 - [S35] This instance ID (fa082ff0) returns: apiuser
2021-12-03 12:08:11,091 DEBUG   common:163 - [S30] This instance ID (fa082ff0) returns: {'account_name': 'Cortex', 'authentication_type': 'api_key', 'client_cert': '-', 'host': '127.0.0.1', 'organisation': None, 'port': 9001, 'proxy_account': '-', 'proxy_url': '-', 'type': 'Cortex3', 'uri': '/', 'verify': False, '_user': 'nobody', '_key': '61aa075809cf067420127851', 'proxies': None, 'username': 'apiuser', 'password': '**********'}
2021-12-03 12:08:11,091 DEBUG   common:185 - [S40] this instance id (fa082ff0) returns: authentication_type=api_key
2021-12-03 12:08:11,091 DEBUG   common:185 - [S40] this instance id (fa082ff0) returns: proxies=None
2021-12-03 12:08:11,092 DEBUG   common:185 - [S40] this instance id (fa082ff0) returns: client_cert=-
2021-12-03 12:08:11,092 DEBUG   common:185 - [S40] this instance id (fa082ff0) returns: verify=False
2021-12-03 12:08:11,092 DEBUG   common:185 - [S40] this instance id (fa082ff0) returns: organisation=None
2021-12-03 12:08:11,092 DEBUG   common:185 - [S40] this instance id (fa082ff0) returns: type=Cortex3
2021-12-03 12:08:11,092 DEBUG   cortex:79 - [C8] Cortex instance will be initialized with an API Key (not a password)
2021-12-03 12:08:11,093 DEBUG   cortex:102 - [C20] Cortex object instanciated
2021-12-03 12:08:11,115 ERROR   cortex:112 - [C26-ERROR] SERVICE UNAVAILABLE - Cortex service is unavailable, is configuration correct ?

fkolacek commented 2 years ago

Forgot to mention that we were able to configure the app to talk to our Hive4 instance without any problems, it's just the Cortex part of the integration which doesn't work.

LetMeR00t commented 2 years ago

Hello @fkolacek, Thank you for submitting your issue and also providing a lot of details regarding your issue. Could you, from the SH, perform a curl request to your Cortex instance just to check if the network is working well? If it's working, I will make a review of your issue on my side with the same configuration.

Thank you very much.

fkolacek commented 2 years ago

Hello @LetMeR00t ,

thank you for your prompt reaction. I've tried to access the Cortex instance directly from the Splunk SH using 2 approaches:

1) Contacting Cortex directly (there is an httpd reverse proxy running on the Cortex host used for SSL)

curl -H "Authorization: Bearer [REDACTED]" https://[CORTEX_HOST]/api/analyzer

2) Using SSH port forwarding to map the Cortex default port locally (to eliminate possible problems with the httpd reverse proxy)

curl -H "Authorization: Bearer [REDACTED]" http://127.0.0.1:9001/api/analyzer

Both of these approaches worked - I got a valid API response from the Cortex API, so the connectivity between the Splunk SH and Cortex doesn't seem to be a problem.
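The two curl checks above test reachability outside Splunk, but they do not use the settings the add-on actually has (host, port, uri, verify, as printed in the [S30] debug line). The script below is an added example, not code from the TA-thehive-cortex add-on: it parses that debug line, assembles the analyzer-list URL for a chosen scheme, sends the same GET /api/analyzer request with the API key as a Bearer token, and maps the outcome to the next thing to check (TCP refused, TLS failure, 401, or success). The URL assembly rule (scheme://host:port + uri + /api/analyzer) and the diagnosis strings are assumptions of this example, not the add-on's own logic; the log line is the one from this issue with the password already masked.

```python
"""Stand-alone Cortex connectivity check, meant to run from the Splunk SH.

Added example (not the add-on's code). Reads the instance settings from the
[S30] debug line, builds the /api/analyzer URL and probes it with a Bearer token.
"""
import ast
import json
import ssl
import sys
import urllib.error
import urllib.request

# Sample input taken from this issue's Splunk log (password masked on the page).
SAMPLE_LOG_LINE = (
    "2021-12-03 12:08:11,091 DEBUG   common:163 - [S30] This instance ID (fa082ff0) returns: "
    "{'account_name': 'Cortex', 'authentication_type': 'api_key', 'client_cert': '-', "
    "'host': '127.0.0.1', 'organisation': None, 'port': 9001, 'proxy_account': '-', "
    "'proxy_url': '-', 'type': 'Cortex3', 'uri': '/', 'verify': False, '_user': 'nobody', "
    "'_key': '61aa075809cf067420127851', 'proxies': None, 'username': 'apiuser', "
    "'password': '**********'}"
)


def parse_instance_settings(log_line):
    """Extract the settings dict from an [S30] line (a Python literal, not JSON)."""
    marker = "returns: "
    idx = log_line.find(marker)
    if idx < 0:
        raise ValueError("no settings dict found in log line")
    return ast.literal_eval(log_line[idx + len(marker):])


def build_cortex_url(settings, scheme):
    """Assemble scheme://host:port/<uri>/api/analyzer (assumed composition rule)."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    base_path = "/" + (settings.get("uri") or "/").strip("/")
    if base_path == "/":
        base_path = ""  # uri '/' means no prefix path
    return f"{scheme}://{settings['host']}:{settings['port']}{base_path}/api/analyzer"


def probe_cortex(url, api_key, verify=True, timeout=5):
    """GET the analyzer list with a Bearer token; return a dict describing the outcome."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    ctx = ssl.create_default_context()
    if not verify:
        # Mirrors verify=False from the instance settings: reachability only,
        # the server certificate is not checked.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            analyzers = json.loads(resp.read().decode("utf-8"))
            return {"ok": True, "status": resp.status, "analyzers": len(analyzers)}
    except urllib.error.HTTPError as exc:  # server answered with an error status
        return {"ok": False, "status": exc.code, "error": f"HTTP {exc.code} {exc.reason}"}
    except urllib.error.URLError as exc:  # no connection, TLS failure, DNS failure
        return {"ok": False, "status": None, "error": str(exc.reason)}
    except (OSError, ValueError) as exc:  # timeouts, bad URL
        return {"ok": False, "status": None, "error": str(exc)}


def diagnose(result):
    """Translate a probe result into the next configuration item to check."""
    if result["ok"]:
        return "reachable and authenticated"
    if result["status"] == 401:
        return "reachable; API key rejected (check the Cortex account password field)"
    if result["status"] is not None:
        return f"reachable; unexpected HTTP status {result['status']}"
    err = result["error"].lower()
    if "ssl" in err or "certificate" in err:
        return "TLS failure; check the reverse proxy certificate, the scheme, or verify/client_cert"
    if "refused" in err or "timed out" in err:
        return "no TCP connection; check host, port, firewall and port forwarding"
    return "connection error: " + result["error"]


if __name__ == "__main__":
    # usage: python cortex_probe.py <http|https> <API_KEY>   (settings from SAMPLE_LOG_LINE)
    scheme, api_key = sys.argv[1], sys.argv[2]
    settings = parse_instance_settings(SAMPLE_LOG_LINE)
    url = build_cortex_url(settings, scheme)
    result = probe_cortex(url, api_key, verify=settings.get("verify", True))
    print(url, result, diagnose(result), sep="\n")
```

Running it with `https` against an HTTP-only listener yields a TLS error rather than a connection refusal, which is the kind of scheme mismatch the maintainer later points to; the diagnosis string tells these two cases apart so the check does not get misread as a firewall problem. Passing the key as an argument is acceptable for a one-off test on the SH, but like the curl examples it leaves the token in shell history.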

LetMeR00t commented 2 years ago

Hello, I can reproduce the bug on my side. I'll work on it today. I confirm you that this is an issue within the application after the modification for cloud compatibility. I will let you know when the fix is ready.

LetMeR00t commented 2 years ago

I know what the issue is, and it seems to not be linked to the application. HTTPS is mandatory for both TheHive and Cortex now. Your tests are made using a Cortex URL in HTTP which is not accepted for Cloud environments (everything should be HTTP). Could you confirm that this is the issue you are facing? Thank you

LetMeR00t commented 2 years ago

Hi again, After another check, yes, some things were missing in the application. A fix was provided on the GitHub repository (v2.2.0). This version will be pushed to Splunkbase soon. Thank you for letting me know whether the issue is now solved with this new version.

fkolacek commented 2 years ago

Hello again :)

I can confirm that the new version available on Splunkbase (v2.2.0) fixed the issue and the application now works well with both Cortex and Hive.

Thank you very much for such a quick fix!