LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Case dashboard - Issue on the title field #45

Closed SecurityJill closed 1 year ago

SecurityJill commented 1 year ago

Request Type

Bug

Work Environment

| Question                   | Answer                    |
|----------------------------|---------------------------|
| OS version (server)        | Splunk                    |
| TheHive version / git hash | hive5 and TA version 3    |

Problem Description

The List Cases dashboard shows the following error when title=*.

External search command 'thehivecases' returned error code 1.

If text is entered into the title field, the query runs fine. In the previous version, I followed this issue for the last TA version to get the dashboard working:

https://github.com/LetMeR00t/TA-thehive-cortex/issues/6, and it fixed the issue.

Steps to Reproduce

  1. List Cases Dashboard
  2. title=* - error
  3. title="TEXT" - success

I'm also not having this issue on the Alerts dashboard; it is working fine.

Possible Solutions

-

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

LetMeR00t commented 1 year ago

Hi @SecurityJill, in fact it's weird to have this bug. Do you mean that when you load the dashboard by default, selecting your instance, then you have your error? You should have some logs in the search.log of the job, did you check? At least, I need to have both commands' output to the audit logs dashboard too; thanks for this information.

it should come from: https://github.com/LetMeR00t/TA-thehive-cortex/blob/c903a040338b88ab5d48f9ffdd80e0524d91e9e1/TA-thehive-cortex/bin/thehive_search_cases.py#L80

But it's weird, as if "" is given, it's not taking this path. Is it possible that you used " " by mistake?

If you have any log to share, do not hesitate.

Thank you

LetMeR00t commented 1 year ago

I've made some tests and I was able to reproduce the error. However, doing the same search again is giving me results. It seems there is an issue in the JSON answer received from the server. Can you try again? I don't know why I have this issue, but it's more linked to TheHive itself rather than the application. Thank you
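The two maintainer comments above point at two places where a custom search command like this one can end in "returned error code 1" without a useful message: the handling of the title argument (an empty string or a stray " " taking a different code path than "*") and a server reply that is not the JSON the command expects. The snippet below is an added illustration, not code from TA-thehive-cortex or from thehive_search_cases.py; the function names (`normalize_title_filter`, `build_query`, `parse_cases_response`) and the shape of the filter dictionary are assumptions for the example. It shows the defensive pattern a practitioner would want: treat "*", "" and whitespace-only titles identically as "no filter", and turn a malformed response into a logged, returned error so the Splunk job's search.log carries the real cause instead of an opaque non-zero exit.

```python
import json
import logging

log = logging.getLogger("thehivecases")


def normalize_title_filter(title):
    """Return None when the title argument means 'no filter'.

    The dashboard submits title="*" by default. An empty string or a
    string made only of whitespace (a typo such as " ") is treated the
    same way instead of being sent to the server as a literal value.
    (Hypothetical helper; not the TA's own function.)
    """
    if title is None:
        return None
    stripped = title.strip()
    if stripped in ("", "*"):
        return None
    return stripped


def build_query(title):
    """Build the filter sent to TheHive for the given title argument.

    The dictionary layout below is a constructed example of a query
    filter; it is an assumption, not the exact structure the TA uses.
    """
    value = normalize_title_filter(title)
    if value is None:
        return {}  # no title constraint at all
    return {"_like": {"_field": "title", "_value": value}}


def parse_cases_response(raw):
    """Decode the body returned by the server into a list of cases.

    Returns (cases, error). On a non-JSON or unexpected body the error
    text is logged and returned so the caller can surface it through
    Splunk's error channel rather than exiting silently with code 1.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        msg = f"TheHive returned a non-JSON body: {exc} (first bytes: {raw[:80]!r})"
        log.error(msg)
        return [], msg
    if not isinstance(data, list):
        msg = f"Expected a JSON list of cases, got {type(data).__name__}"
        log.error(msg)
        return [], msg
    return data, None


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed sample bodies: one valid reply and one HTML error page.
    good = '[{"_id": "~1", "title": "Phishing campaign"}]'
    bad = "<html><body>503 Service Unavailable</body></html>"
    for t in ("*", " ", "Phishing"):
        print(repr(t), "->", build_query(t))
    for body in (good, bad):
        cases, err = parse_cases_response(body)
        print(len(cases), "case(s), error:", err)
```

With this layout a dashboard default of `title=*`, a blank field and a single space all produce the same (empty) filter, and a non-JSON reply is reported as a readable message in the job log, which is exactly what the maintainer asks for in the thread.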

SecurityJill commented 1 year ago

Hey, no problem. I have tried numerous times and can't seem to pull back the results. If this is a Hive issue then no problem at all!

LetMeR00t commented 1 year ago

Hi

No result at all seems weird. Did you check the search.log? Any error somewhere? There is a log file under var/log/splunk/command…..log that you can check for errors too.

Thank you

SecurityJill commented 1 year ago

Is this what you are looking for?

ERROR SearchMessages - orig_component="script" app="TA-thehive-cortex" sid="[redacted]" message_key="EXTERN:SCRIPT_NONZERO_RETURN" message=External search command 'thehivecases' returned error code 1.

The command log displays as if it should be working; I see results.

LetMeR00t commented 1 year ago

Not really, you should have something else for me detailing the error around the end of the search.log file. You can try to enable the DEBUG mode for logging to have more logs in the search.log. Thank you

LetMeR00t commented 1 year ago

Hello, v3.0.2 was released on Splunkbase but is still waiting for the Cloud Vet. If, after installing this version, you keep having issues, please reopen this issue. For now, I'm considering it done. Thank you for your comprehension