Python script errors throwing 'External search command 'thehivecases' returned error code 1. '

[sirscottalot]

Hi @LetMeR00t i have the same issue and here are the python errors.

01-07-2021 16:05:57.106 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py': Traceback (most recent call last): 01-07-2021 16:05:57.106 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py", line 43, in 01-07-2021 16:05:57.106 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py': configuration = Settings("spl, logger") 01-07-2021 16:05:57.106 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 13, in init 01-07-2021 16:05:57.106 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py': for i in client.inputs: 01-07-2021 16:05:57.106 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py': AttributeError: 'str' object has no attribute 'inputs' 01-07-2021 16:05:57.136 ERROR script - xxxxxxxxxxxxxxxxxxxxx__search6_1610035556.143 External search command 'thehivecases' returned error code 1. .

what do you think the issue might be?

[LetMeR00t]

Hi @sirscottalot , Did you updated the source code ? because I can see that the Settings class is instanciated with « spl, logger » which is weird but maybe it’s a render issue of the log ? Which version of TheHive and Splunk do you have ? On which instance do you run Splunk ? (Linux/Windows/Docker etc)

[sirscottalot]

Hey,

running splunk on ubuntu LTR, splunk is version 8.0.2.1 and hive is version 4,

I can see that the API is calling out succsefully to hive, it seems that its returning no data thou.

I dint make any edits to the source, i did check through to see if there were any syntax errors at first, but im going to try a fresh install of the app again to ensure there's no source code edits made accidently. (btw downloaded form the splunk appstore not github)

cheers

S

[sirscottalot]

done a fresh install and still getting the same errors.

cheers

S

[LetMeR00t]

Could you detail me what you’ve configured once you installed the app ? Did you add the TheHive input and the configuration page ?

[sirscottalot]

i have configured a Splunk user and left the rest as default. (username and password double checked and correct)

and added a 'thehive:Supervisor'

i can see within the logs that it is sayign it is working i can also see from the hive that an API call is being made :

[sirscottalot]

this is the error log when i go into the search.log i can see the errors i have already sent.

[LetMeR00t]

Thank you for your quick and detailed response.

1) Could you check for me something to be sure about this "configuration = Settings("spl, logger")" Open the file '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py' Could you check the content of the line 43. Do you have :

• configuration = Settings("spl, logger") or
• configuration = Settings(spl, logger) ?

2) Enable debug mode in the configuration page, then run the search and check on the logs if you have anything. Could you also check under /opt/splunk/var/log/splunk/ if you have files starting with "command_" and check if you have anything relevant concerning errors on those files ?

Main problem is that it's saying that "client", which should be an object representing a connection with Splunk, is considered as a simple "string" and don't have the "inputs" attribute. I want to determine why do you have this error...

Moreover, I can't see if you set your Splunk credentials on the configuration page. Regarding this point : https://github.com/LetMeR00t/TA-thehive-cortex#add-on-settings, do you set a valid admin Splunk account ? (which will be removed in the next version).

Last point, which account are you using for the search ? Is it an admin account or a simple user account and with which roles ?

Connection with TheHive seems working so the issue is concerning Splunk, let's find out what is it :)

PS : Are you using the last version of this application ?

[sirscottalot]

currentl line 43 reads "configuration = Settings(spl, logger)"

I have configured it using and admin account with full privileges. and am conducting the search with a full admin account.

I have set to debug mode and run the search again looking in the logs i can see some new error messages.

looking in the var/log/splunk folder i can see the following debug logs.

I've downloaded straight from the splunk app store. looks to be last updated around 2 months ago.

[sirscottalot]

OK so i also added a cortex supervisor (made up one as i haven't got it integrated with hive right now and re run the searches and got the following)

I can see that it has actually pulled back data from hive into splunk (that is a tet case ive made) but its still throwing the same overall error.

[sirscottalot]

also within the var/log folder there is content in the command_thehive_cases.log

It seems you need both a the hive supervisor and a cortex supervisor configured but still not sure what the issue is that the reasults arnt displaying in the splunk dashboard.

Have also set up cortex and the job dashboard is populated in the app no prblems 👍

this sort of narrows it down to the '| thehivecases' part of the splnk dashoboard.

[LetMeR00t]

You're right, some issues happened when only one instance is provided. I will work on it, I can"t reproduce your error for the moment but I will do some tests. I'll keep you informed.

[sirscottalot]

No Worries thanks for the help so far :D

I'm going to check my Splunk settings (as we run some custom rules etc) try it on a fresh build see if its something my end

[LetMeR00t]

Let's start with a new version here : https://github.com/LetMeR00t/TA-thehive-cortex/tree/v1.1.4

You can download the SPL file and install it directly.

Could you tell me if it's better or not ?

[sirscottalot]

hey so i got it working :D

had to make some changes (commented out 3 sections of the 'thehive_search_cases.py' script. See below. im not amazing with pyhton but it looks like it cant handle it when there is a 'null' feild. for example if a case has no close or updated time (cause its not been)

[LetMeR00t]

hey so i got it working :D

had to make some changes (commented out 3 sections of the 'thehive_search_cases.py' script. See below. im not amazing with pyhton but it looks like it cant handle it when there is a 'null' feild. for example if a case has no close or updated time (cause its not been)

Great, could you check the fix I provided before your comment ? It handle the lines you commented :)

[sirscottalot]

yer think we posted at same time :P im pulling your fix now. will update once I reinstall

[LetMeR00t]

yer think we posted at same time :P im pulling your fix now. will update once I reinstall

I don't handle the 3 sections so it could raise en error again :) but if so, I will update my code given your changes. However, it seems you resolved several issues to make it work because it can't explains the first issue you reported. You can also try to remove the Cortex instance and have only the TheHive one.

[sirscottalot]

hey fresh install from the new version, still have to have both inputs, and still had to comment out the above sections to hande the null error. but it is working now 👍.

[LetMeR00t]

Could you provide me both logs with errors please to understand why you have these ? Cause I don't have them on my side with my current data.

[sirscottalot]

for when the observables are uncommented.

for when the caseenddate is uncommented

[LetMeR00t]

This is maybe related to the fact that you are using TheHive 4 and that was created with TheHive 3 :) I will provide a fix for that but yes it will be different in the future. Thanks for the logs Can I close the issue ? Or do you want me to provide the fix and test it ?

[LetMeR00t]

@sirscottalot, A new fix was provided. Could you test it please ? Thank you

[sirscottalot]

yer happy for you to close. look forward to future releases. 💯