LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[Issue] Auth with TheHive ApiKey #36

Closed mtGomez closed 1 year ago

mtGomez commented 1 year ago

Hello there!

I open this thread because it seems to me that there is a problem in the configuration of the instances and the subsequent authentication via ApiKey with TheHive.

In the file in the following path: TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/thehive4py/api.py

In the check that determines which authentication it is dealing with, basic or API (lines 75-78), an IF checks whether the password exists, and if it does not exist, it authenticates by API. The attribute passed to the function is "principal", which refers to the username or the ApiKey according to the comments above the code.

    if self.password is not None:
        self.auth = BasicAuth(self.principal, self.password, self.organisation)
    else:
        self.auth = BearerAuth(self.principal, self.organisation)

The problem is that when configuring the instance in Splunk, it forces you to enter a password; therefore, the "Password" attribute in the code would never be "None", right? Is this how it works, or am I correct? What should I put in the "Password" field in Splunk, then, to do the "BearerAuth"?

Attached image: image

Is it some kind of error, or am I not configuring it correctly? Could you help me?

Thank you very much! :)

LetMeR00t commented 1 year ago

Hi @mtGomez, You're right, it's not as clear as one could expect. The "password" field in Splunk is used to store the credential, whether it is the password or the API key. So if you are using an API key, put it in the "password" field of the account and, by indicating in your instance that you are using an API key, it will interpret the account password as the API key and not the username password. Hope it's clearer now. Let me know if not. Regards

LetMeR00t commented 1 year ago

By the way, when you check the TheHive code, you have:

principal (str): The API key, or the username if basic authentication is used.

But in order to protect the credential, I preferred to store the API key within the Splunk storage passwords.
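
The mapping described in the two replies above (the Splunk "password" field holds either the user password or the API key, and the instance's authentication type decides which), shown as an added example. This is not the add-on's or thehive4py's code: the `BasicAuth`/`BearerAuth` classes, the `auth_type` and `organisation` keys, the `X-Organisation` header and the sample account values are all assumptions made for illustration; only the `password is not None` branch mirrors the snippet quoted in the issue.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass
class BasicAuth:
    """Username/password authentication (hypothetical stand-in): HTTP Basic header."""
    principal: str            # the username
    password: str
    organisation: Optional[str] = None

    def headers(self) -> Dict[str, str]:
        token = base64.b64encode(f"{self.principal}:{self.password}".encode()).decode()
        hdrs = {"Authorization": f"Basic {token}"}
        if self.organisation:
            hdrs["X-Organisation"] = self.organisation  # assumed header name
        return hdrs


@dataclass
class BearerAuth:
    """API-key authentication (hypothetical stand-in): HTTP Bearer header."""
    principal: str            # the API key itself
    organisation: Optional[str] = None

    def headers(self) -> Dict[str, str]:
        hdrs = {"Authorization": f"Bearer {self.principal}"}
        if self.organisation:
            hdrs["X-Organisation"] = self.organisation  # assumed header name
        return hdrs


def auth_from_splunk_account(account: Dict[str, str],
                             instance: Dict[str, str]) -> Union[BasicAuth, BearerAuth]:
    """Build the auth object from a Splunk stored account plus instance settings.

    account:  {"username": ..., "password": ...} as read from Splunk's storage/passwords;
              the "password" value is the user password OR the API key.
    instance: {"auth_type": "password" | "api_key", "organisation": ...} (assumed keys).
    """
    auth_type = instance.get("auth_type", "password")
    credential = account.get("password") or ""
    if not credential:
        raise ValueError("account has no stored credential in the password field")

    if auth_type == "api_key":
        # The stored "password" is really the API key: it becomes the principal
        # and no password is passed, which selects the bearer branch below.
        principal, password = credential, None
    elif auth_type == "password":
        principal, password = account["username"], credential
    else:
        raise ValueError(f"unknown auth_type: {auth_type!r}")

    # Same decision as the thehive4py snippet quoted in the issue.
    if password is not None:
        return BasicAuth(principal, password, instance.get("organisation"))
    return BearerAuth(principal, instance.get("organisation"))


def redacted(auth: Union[BasicAuth, BearerAuth]) -> str:
    """Log-safe description: never echoes the password or API key."""
    if isinstance(auth, BasicAuth):
        return f"basic auth as user {auth.principal!r}"
    return f"bearer auth with API key ending in ...{auth.principal[-4:]}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    basic = auth_from_splunk_account({"username": "alice", "password": "s3cret"},
                                     {"auth_type": "password", "organisation": "soc"})
    bearer = auth_from_splunk_account({"username": "alice", "password": "ABCDEF0123456789"},
                                      {"auth_type": "api_key"})
    print(redacted(basic), basic.headers())
    print(redacted(bearer), bearer.headers())
```

The point to check in your own configuration is the instance's authentication type: with the same account, "password" mode sends `Basic <base64(username:password)>` while "api_key" mode sends `Bearer <stored value>`, and a wrong type setting produces an authentication failure on TheHive rather than a configuration error in Splunk.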

LetMeR00t commented 1 year ago

If you need any further help, let me know