LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] thehivecases fails on empty observables #41

Closed marcnil815 closed 1 year ago

marcnil815 commented 1 year ago

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Splunk 9.x / TheHive 5.x (StrangeBee hosted) |
| TheHive version / git hash | TA-thehive-cortex 2.3.1 |

Problem Description

TA-thehive-cortex is fully configured. Pulling cases results in Python throwing a stack trace

03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':  Traceback (most recent call last):
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':    File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py", line 145, in <module>
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':      event["thehive_case_observables"] = len([o for o in observables.json() if "status" in o and o["status"] == "ok"])
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':    File "/pack/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/requests/models.py", line 900, in json
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':      return complexjson.loads(self.text, **kwargs)
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':    File "/pack/splunk/lib/python3.7/json/__init__.py", line 348, in loads
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':      return _default_decoder.decode(s)
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':    File "/pack/splunk/lib/python3.7/json/decoder.py", line 337, in decode
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':      obj, end = self.raw_decode(s, idx=_w(s, 0).end())
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':    File "/pack/splunk/lib/python3.7/json/decoder.py", line 355, in raw_decode
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':      raise JSONDecodeError("Expecting value", s, err.value) from None
03-14-2023 14:43:03.953 ERROR ScriptRunner [2294578 phase_1] - stderr from '/pack/splunk/bin/python3.7 /pack/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py c90fb8eb':  json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

The TA never makes it to [thsc-45]

Steps to Reproduce

1. Add a case with no observables in TheHive.
2. Pull cases with the TA.

Possible Solutions

Catch errors on any empty json blobs returned (observables, metrics, tasks, dates)

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

-
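The trace above fails because `observables.json()` is called on a response whose body is empty, and `json.loads("")` raises `JSONDecodeError`. The following is an added example (not code from the TA-thehive-cortex project) of the defensive parsing the issue proposes: an empty or non-JSON body is treated as "no observables" instead of aborting the search script. `FakeResponse` is a constructed stand-in for a `requests.Response` (only `.status_code` and `.text` are used), so the snippet runs offline.

```python
import json
from dataclasses import dataclass


@dataclass
class FakeResponse:
    """Constructed stand-in for requests.Response; exposes only what safe_json reads."""
    status_code: int
    text: str


def safe_json(response, default=None):
    """Parse a JSON body defensively.

    Returns `default` when the body is empty/whitespace or not valid JSON,
    instead of letting json.JSONDecodeError propagate the way response.json()
    does in the stack trace from the issue.
    """
    body = response.text
    if body is None or not body.strip():
        return default
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return default


def count_ok_observables(response):
    """Mirror of the failing line (count observables with status == "ok"),
    but tolerant of empty bodies and unexpected shapes."""
    observables = safe_json(response, default=[])
    if not isinstance(observables, list):
        return 0
    return sum(
        1 for o in observables
        if isinstance(o, dict) and o.get("status") == "ok"
    )


def demo():
    # Constructed sample responses for three cases: normal, empty body, garbage body.
    normal = FakeResponse(200, json.dumps([
        {"data": "1.2.3.4", "status": "ok"},
        {"data": "evil.example", "status": "ok"},
        {"data": "old-ioc", "status": "deleted"},
    ]))
    empty = FakeResponse(200, "")        # case with no observables
    garbage = FakeResponse(502, "<html>gateway error</html>")
    return {
        "normal": count_ok_observables(normal),
        "empty": count_ok_observables(empty),
        "garbage": count_ok_observables(garbage),
    }


if __name__ == "__main__":
    print(demo())
```

A caller that also wants to distinguish "no observables" from "the API is broken" can check `response.status_code` before calling `safe_json`; this example only makes the count itself safe, which is what the proposed fix for the observables, metrics, tasks and dates blobs needs.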

marcnil815 commented 1 year ago

related to #6

spacepatcher commented 1 year ago

Have the same issue in my environment.

| Question | Answer |
| --- | --- |
| OS version (server) | thehiveproject/thehive4 |
| TheHive version / git hash | 4.1.24-1 |

LetMeR00t commented 1 year ago

Hello @marcnil815, good news, a new version of this application with a complete rework is going to be ready soon. Your issue will be fixed by this new version. Tomorrow, I'll proceed with the commits/doc updates in the development branch. If you want to test it directly you can do so, but of course I would recommend you to wait for the Splunk validation before.

LetMeR00t commented 1 year ago

Hi, v3.0.0 with a fix for your issue is available. I close this issue, thank you