LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Can't create new alert or cases #49

Closed chang6chang closed 1 year ago

chang6chang commented 1 year ago

Request Type

Bug

Hello team, I can't create new alerts or cases using the dashboard.

Work Environment

OS: Debian 11

Splunk Enterprise Version : 9.0.4.1 Build : 419ad9369127

TheHive cloud (5.0.26-1)

Question Answer
OS version (server)
TheHive version / git hash

Problem Description

Splunk is well connected to my TheHive instance. I can list the existing alerts and cases, but I can't create new alerts and cases using the existing dashboard.

Steps to Reproduce

  1. Here is the conf used to create the alerts (screenshot: splunk_TA)
  2. Here is the query used to generate the Job Id (screenshot: splunk2)

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

- logs from /opt/splunk/var/log/splunk/thehive_create_a_new_alert_modalert.log (screenshot)

- no error in the search log

Thanks in advance !

LetMeR00t commented 1 year ago

Hello, thank you for submitting the issue. Did you check the Audit Logs dashboard for any issue? Did you enable the DEBUG logging mode?

chang6chang commented 1 year ago

Hello, thank you for your feedback. Nothing relevant in the Audit Logs (yes, I'm in debug logging mode).

Strangely, it started to work this morning...

I don't understand why. I'll now install the app in my prod environment, thank you for your help!

Just one question: my prod environment is a managed Splunk (Splunk Cloud Version: 9.0.2209.4) and the version of TA-thehive-cortex proposed by the app manager is 2.3.1. So do we have to go through the external download of the package to get the latest stable version?

Thanks

LetMeR00t commented 1 year ago

Hello, I'm waiting for the Cloud vet to be approved but I don't have any news on that. It seems there is nothing to prevent the cloud vet. For me, you can download it and install it on your own. At least it's working for you in the end, great.

LetMeR00t commented 1 year ago

Hello, FYI the application was granted for Splunk Cloud in v3.0.1. Thank you

chang6chang commented 1 year ago

Hello, thank you for your feedback, I just upgraded it now (from version 2.3.1 --> 3.0.1). I use: Splunk Cloud Version: 9.0.2209.4

But there is a bug with this version. When I add my hive instance in (Settings > Instances) and then try to list all the TheHive alerts from that instance, I have this error (from search.log):

(screenshot of the search.log error)

Here is the output from the audit log:

(screenshot of the audit log output)

It seems that the field 'verify' does not exist.

I had the same error with this version in a previous dev environment. I had to add this field manually in the csv file. But now I don't have access to the server. Do you have any idea how to solve this?

PS: everything worked fine with the previous version

Thanks in advance.
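The workaround mentioned in the comment above (adding the missing 'verify' field to the instances CSV by hand) can be scripted so that it is applied consistently and, more importantly, with a safe default. The script below is an added example and is not code from TA-thehive-cortex; the lookup file layout, its other column names and the meaning of 'verify' (assumed here to control TLS certificate verification, as the name suggests) are assumptions, and the sample CSV is constructed. Only the column name 'verify' comes from the thread.

```python
"""Add a missing 'verify' column to a TheHive/Cortex instances lookup CSV.

Added example, not code from TA-thehive-cortex. The lookup columns other
than 'verify', and the default value, are assumptions; the sample CSV is
constructed for this example.
"""
import csv
import io

# Constructed sample: an instances lookup written before the 'verify'
# column existed (every column here except 'verify' is an assumed name).
OLD_LOOKUP = """account_name,type,host,port,protocol
thehive_prod,TheHive5,thehive.example.internal,443,https
cortex_lab,Cortex3,cortex.example.internal,9001,https
"""

REQUIRED_COLUMN = "verify"
# Assumed semantics: 'verify' toggles TLS certificate verification.
# Default to verifying: silently disabling verification for every
# instance would be the wrong way to "fix" a missing column.
DEFAULT_VERIFY = "True"


def missing_columns(csv_text: str, required=(REQUIRED_COLUMN,)) -> list:
    """Return the required columns absent from the CSV header (empty list = OK)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    present = set(reader.fieldnames or [])
    return [c for c in required if c not in present]


def add_verify_column(csv_text: str, default: str = DEFAULT_VERIFY) -> str:
    """Return the CSV with a 'verify' column appended where it is missing.

    Rows that already carry a value keep it, so running the migration
    twice is harmless (the output is identical on the second pass).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None:
        raise ValueError("empty lookup file")
    fieldnames = list(reader.fieldnames)
    if REQUIRED_COLUMN not in fieldnames:
        fieldnames.append(REQUIRED_COLUMN)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Fill only rows where the value is absent or empty.
        if not row.get(REQUIRED_COLUMN):
            row[REQUIRED_COLUMN] = default
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print("missing before:", missing_columns(OLD_LOOKUP))
    fixed = add_verify_column(OLD_LOOKUP)
    print("missing after:", missing_columns(fixed))
    print(fixed, end="")
```

Run `missing_columns` first to confirm the header is actually the problem before rewriting anything; on a real deployment, back up the lookup file before overwriting it, and review any row that ends up with verification disabled.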

LetMeR00t commented 1 year ago

Hi, thank you for your complete debug. I provided a recent fix in the 'develop' branch. If you want, you can directly replace those lines within your code to see the effect (and not wait for the Splunk Cloud vet).

Let me know if it helped you to solve your issue

See https://github.com/LetMeR00t/TA-thehive-cortex/compare/main...develop for the complete changes to be pushed as soon as possible on Splunkbase

LetMeR00t commented 1 year ago

Hello, v3.0.2 was released on Splunkbase but is still waiting for the Cloud Vet. If, after installing this version, you keep having issues, please reopen this issue. For now, I'm considering it done. Thank you for your comprehension