Closed srek3502 closed 1 year ago
Hello @srek3502, thank you for your submission. It seems to be linked to a recent fix provided in the 'develop' branch. If you want, you can directly update this line in your own app code with this new one: https://github.com/LetMeR00t/TA-thehive-cortex/blob/662b56035f32c5069a42bf7b8ac00effe17a1f3d/TA-thehive-cortex/bin/thehive.py#L28
Let me know if it solves your issue or not.
See https://github.com/LetMeR00t/TA-thehive-cortex/compare/main...develop for the complete changes, to be pushed as soon as possible on Splunkbase.
Hi,
I have checked the thehive.py script and it appears that the same line is updated in the code. I am using the add-on version 2.3.1. Are you referring to this change on the latest 3.x version? Please advise.

```python
# Initialize settings
# 'settings' is the dict handed to the search command; 'client' is splunklib.client
token = settings["sessionKey"] if "sessionKey" in settings else settings["session_key"]
spl = client.connect(app="TA-thehive-cortex", owner="nobody", token=token)
```
Hi, the issue might be elsewhere actually. Could you check this answer and see if the fix is helping you? https://github.com/LetMeR00t/TA-thehive-cortex/issues/48#issuecomment-1532468713
Thank you
Hi,
This fix applies for the 3.x version, correct? Does it also apply to 2.3.1? Because I see that the changes are mentioned specifically for 3.x.
If you could provide me the specific changes to be completed for 2.3.1, it would be good. I do have TheHive version 4 and I think it doesn't support the latest version of the add-on, correct?
Thanks,
Hello @srek3502, the part you see regarding the credential app check on the if could be done on your version without any major impact. If it's complicated for you, I can work on a fix in a different branch, but it might take time.
Hi,
I have modified common.py to include the "credential app check". Does it make sense?

BEFORE:

```python
proxy_clear_password = None
for credential in self.client.storage_passwords:
    username = credential.content.get('username')
    if 'proxy' in username:
        clear_credentials = credential.content.get('clear_password')
        if 'proxy_password' in clear_credentials:
            proxy_creds = json.loads(clear_credentials)
            proxy_clear_password = str(proxy_creds['proxy_password'])
```

AFTER:

```python
proxy_clear_password = None
for credential in self.client.storage_passwords:
    if credential.access["app"] == "TA-thehive-cortex":  # <=== (Added line here)
        username = credential.content.get('username')
    if 'proxy' in username:
        clear_credentials = credential.content.get('clear_password')
        if 'proxy_password' in clear_credentials:
            proxy_creds = json.loads(clear_credentials)
            proxy_clear_password = str(proxy_creds['proxy_password'])
```
No, the if added should be for all the stuff behind, including the if behind.
Here it's for the proxy password, but it should be done for the password too.
Like this?

```python
proxy_clear_password = None
for credential in self.client.storage_passwords:
    if credential.access["app"] == "TA-thehive-cortex":
        username = credential.content.get('username')
        if 'proxy' in username:
            clear_credentials = credential.content.get('clear_password')
            if 'proxy_password' in clear_credentials:
                proxy_creds = json.loads(clear_credentials)
                proxy_clear_password = str(proxy_creds['proxy_password'])
```

Can you please also point out the appropriate block for "password" as well?
Hello, sorry for the late answer, so here we are: https://github.com/LetMeR00t/TA-thehive-cortex/blob/9363b2a1e6f91ad9675fc276d0082bee95d560a9/TA-thehive-cortex/bin/common.py#L145
You should use this instead:

```python
def getAccountPassword(self, account):
    """ Get storage passwords for the account password """
    password = None
    for s in self.client.storage_passwords:
        if account in s['username'] and s.access["app"] == "TA-thehive-cortex" and "password" in s['clear_password']:
            password = str(json.loads(s["clear_password"])["password"])
    return password
```

I didn't test it, but it should work. Let me know if you have any issue.
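Added example, not code from the TA-thehive-cortex project or from either participant: it shows why the `access["app"]` check discussed in the proxy-password and account-password exchanges above matters. Splunk's storage/passwords collection is shared across apps, so a loop over `storage_passwords` also sees credentials written by other apps, and `json.loads()` on a foreign `clear_password` raises `JSONDecodeError`, the same exception type as in the reported traceback. `FakeStoredCredential`, `SAMPLE_STORAGE_PASSWORDS` and the function names are constructed stand-ins for this demonstration; the fake objects only expose the attribute shapes the thread's snippets use (`s['username']`, `s['clear_password']`, `s.access['app']`, `credential.content.get(...)`) and are not splunklib objects.

```python
import json

APP_NAME = "TA-thehive-cortex"


class FakeStoredCredential:
    """Constructed stand-in for one entry of splunklib's storage_passwords
    collection, exposing only what the snippets in this thread touch."""

    def __init__(self, username, clear_password, app):
        self.access = {"app": app}
        self.content = {"username": username, "clear_password": clear_password}

    def __getitem__(self, key):
        return self.content[key]


# Constructed sample collection (not real credentials): two entries owned by the
# add-on and one written by an unrelated app. The foreign entry's username
# contains the account name and its secret contains the word "password", so the
# unscoped string checks match it, but the value is not the JSON this add-on stores.
SAMPLE_STORAGE_PASSWORDS = [
    FakeStoredCredential("thehive_account_1", json.dumps({"password": "s3cret-hive"}), APP_NAME),
    FakeStoredCredential("proxy_main", json.dumps({"proxy_password": "pr0xy-pass"}), APP_NAME),
    FakeStoredCredential("svc_thehive_account_1", "user=svc;password=plain;note=not json", "some_other_app"),
]


def get_account_password_unscoped(storage_passwords, account):
    """Lookup shape without the app check: any app's credential can reach json.loads()."""
    password = None
    for s in storage_passwords:
        if account in s["username"] and "password" in s["clear_password"]:
            password = str(json.loads(s["clear_password"])["password"])
    return password


def get_account_password_scoped(storage_passwords, account, app=APP_NAME):
    """Lookup restricted to this add-on's own credentials (the fix suggested above),
    plus a defensive skip of entries whose clear_password is not the expected JSON object."""
    for s in storage_passwords:
        if s.access["app"] != app or account not in s["username"]:
            continue
        try:
            data = json.loads(s["clear_password"])
        except (TypeError, json.JSONDecodeError):
            continue  # foreign or malformed format: ignore rather than crash the search command
        if isinstance(data, dict) and "password" in data:
            return str(data["password"])
    return None


def get_proxy_password_scoped(storage_passwords, app=APP_NAME):
    """The proxy block from the thread with the same scoping and parsing guard."""
    proxy_clear_password = None
    for credential in storage_passwords:
        if credential.access["app"] != app:
            continue
        username = credential.content.get("username") or ""
        if "proxy" in username:
            try:
                proxy_creds = json.loads(credential.content.get("clear_password"))
            except (TypeError, json.JSONDecodeError):
                continue
            if isinstance(proxy_creds, dict) and "proxy_password" in proxy_creds:
                proxy_clear_password = str(proxy_creds["proxy_password"])
    return proxy_clear_password


def unscoped_lookup_error(storage_passwords, account):
    """Return the exception class name the unscoped lookup raises on this collection,
    or None if it succeeds; used to show the failure mode without a traceback."""
    try:
        get_account_password_unscoped(storage_passwords, account)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print("unscoped lookup raises:", unscoped_lookup_error(SAMPLE_STORAGE_PASSWORDS, "thehive_account_1"))
    print("scoped account password:", get_account_password_scoped(SAMPLE_STORAGE_PASSWORDS, "thehive_account_1"))
    print("scoped proxy password:", get_proxy_password_scoped(SAMPLE_STORAGE_PASSWORDS))
```

The scoped variants also return as soon as the add-on's own entry is found and skip entries that do not parse, so a credential written by another app can neither be used by mistake nor abort the search command.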
Hi,
I have modified the add-on with the above-mentioned line of code and tried to upload the app in Splunk Cloud, but I am getting the error:
This app is available for installation directly from Splunkbase. To install this app, use the App Browser page in Splunk Web
Thanks,
Hi, it means that you must install it from Splunkbase, so I need to provide a fix and wait for the cloud vet to let you be able to install it. Honestly it can take up to 2 weeks to have the Splunk vet, so are you sure to not go on TheHive5 soon? I'm not against providing you a fix but you know the delay :)
Hi, the new version 2.3.2 is available on Splunkbase and provides a fix for this issue. You'll have to wait a little more until Splunk is giving the Cloud Vet. Thank you
Request Type
Bug
Work Environment
Problem Description
External search command 'thehivecreate' returned error code 1
Steps to Reproduce
Possible Solutions
-
Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)
- 05-02-2023 11:57:14.969 INFO ServerConfig [464391 phase_1] - Will add app jailing prefix /opt/splunk/bin/nsjail-wrapper for TA-thehive-cortex
05-02-2023 11:57:15.396 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': Traceback (most recent call last):
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py", line 25, in
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': (thehive, configuration, defaults, logger) = initialize_thehive_instance(keywords, settings ,logger_name="thehive_create_cases")
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 23, in initialize_thehive_instance
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': return create_thehive_instance(instance_id, settings, logger)
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 31, in create_thehive_instance
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': configuration = Settings(spl, settings, logger)
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 125, in __init__
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': password = self.getAccountPassword(account)
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 150, in getAccountPassword
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': password = str(json.loads(s["clear_password"])["password"])
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/lib/python3.7/json/__init__.py", line 348, in loads
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': return _default_decoder.decode(s)
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/lib/python3.7/json/decoder.py", line 337, in decode
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': obj, end = self.raw_decode(s, idx=_w(s, 0).end())
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': File "/opt/splunk/lib/python3.7/json/decoder.py", line 353, in raw_decode
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': obj, end = self.scan_once(s, idx)
05-02-2023 11:57:15.397 ERROR ScriptRunner [464391 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_create_case.py 6f1XXXXX': json.decoder.JSONDecodeError: Expecting ',' delimiter: line 1 column 256 (char 255)
05-02-2023 11:57:15.423 ERROR script [464391 phase_1] - SearchMessage orig_component=script sid=1683028634.142701 message_key=EXTERN:SCRIPT_NONZERO_RETURN_%s%d_%s message=External search command 'thehivecreate' returned error code 1. .