LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0
49 stars 11 forks

[BUG] Tagged Observables cause Unexpected Error Exception when not accompanied by their untagged counterpart set to null() #80

Closed Bamfax closed 11 months ago

Bamfax commented 11 months ago

Hi LetMeRoot,

would you be so kind as to take a look at the following repro code? This code fails to execute with the error 2023-12-07 13:21:03,127 ERROR pid=704 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Unexpected error: 'ip'." action_name="thehive_create_a_new_alert" search_name="SAS_Alert_Test_TestAlertToHiveDirect" when the last two eval statements (setting ip and user to null()) are removed.

Thanks a lot for your time and help, Oliver

TA-thehive-cortex v3.1

| makeresults count=1

| streamstats count as id
| eval _time         = now() + id
| eval event_id      = _time . ".000≡b923e20827098d3f34d6746ba1d877d4≡e9fc87e4a6e4da9af3a03efe3cfb5b3e"
| eval alert_title   = "SAS_Alert_Test_TestAlertToHiveDirect"
| eval case_template = "SAS_Alert_Test_TestAlertToHiveDirect"
| eval tag           = "999thLevel,SAS_Alert_Test_TestAlertToHiveDirect,splunk,pan,threatdetection,1.2.3.4,ZGrab Application Layer Scanner Detection(57955)"

| eval desc="|earliestTime|latestTime|activeLastDay|src_ip|src_location|src_zone|provider|src_ip_whois|dst_ip|dc_dst_ip|dst_port|threat_name|action|severity|countAttacks|
|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|
|2023-07-25_03:32:26|2023-07-26_23:03:29|1|1.2.3.4|Country01|internet|UNMANAGED-DEDICATED-SERVERS|99.99.99.99, 99.99.99.0/24, UNMANAGED-DEDICATED-SERVERS, C01, admin01@example.net|4.5.6.7,10.11.12.13|19|80|SomeAttack(12345)|alert|medium|23|"

| eval alertTime          =_time
| eval obs_ip:attacker    = "1.2.3.4"
| eval obs_pan_threat     = "SomeAttack(12345)"
| eval obs_user:testtag01 = "marsupilami"

| table _time event_id alert_title case_template tag desc obs_*
| rename obs_* as *

| eval ip = "", ip = null()
| eval user = "", user = null()

LetMeR00t commented 11 months ago

Hi @Bamfax I’ll investigate this as soon as possible but probably in a couple of weeks. Sorry for the delay

LetMeR00t commented 11 months ago

Hi @Bamfax, when I try your code with or without the two statements set to "null()", I don't have any error and the alerts are created accordingly. Are you sure your search is the same?

With null(): (screenshots)

Without null(): (screenshots)

Bamfax commented 11 months ago

Hi @LetMeR00t,

thanks a lot for testing it. It is interesting that it works on your setup. It is a reproducible error here using the repro code above. I wonder what the difference between our two setups might be. Maybe it is influenced by the configuration of the custom alert action. I should have provided that alongside the repro code. Here it is:

Also using a Splunk Trigger Condition of "For each result"

(screenshot of the custom alert action configuration)

A sendalert with es_mode and blank unique field also triggers the error, so it should not come from the custom alert action configuration difference of referencing the eventset fields via $result.[fieldname]$, [fieldname] or static values.

LetMeR00t commented 11 months ago

Hi @Bamfax, can you try the following things in your setup:

Is it better?

Bamfax commented 11 months ago

Hi @LetMeR00t,

I just tried it, but unfortunately it still gives the same error:

2023-12-20 19:35:02,641 ERROR pid=21891 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Unexpected error: 'ip'." action_name="thehive_create_a_new_alert" search_name="Test_ErrorUsingTaggedObs" sid="scheduler_ejAwMzRiaHktYTEw__appabc__RMD555c712c996669e92_at_1703097300_10671_E0D9E3AA-7BD8-4AB7-A575-DBD341ED1218" rid="0" app="appabc" user="userabc" action_mode="saved" action_status="failure"

Trying it via a "|sendalert" cmd which has the alert_title, tag, etc. statically configured, gives the same error.

LetMeR00t commented 11 months ago

Hi @Bamfax

Could you try to install the v3.2 recently published to test if you still have the error? I'll continue some tests, but it would help me to know if this is still happening in the latest released version.

Thank you

Bamfax commented 11 months ago

Hi @LetMeR00t,

yes, surely. I could also imagine that this may show a different behaviour with your adaptations to the observable tagging. But it will take me until the end of January, as I need to adapt my interface first to the new 3.2 changes.

LetMeR00t commented 11 months ago

Hello @Bamfax, I'll release a v3.3 with a few fixes in December, so go for that latest one if you need to and keep me posted. I'll make some tests today on your issue on my side, but my recent changes might have changed the behavior. Thank you

LetMeR00t commented 11 months ago

I've done one test this morning and it worked with my latest changes:

(screenshots)

As you can notice, no observable was created due to the missing value. A warning was added in the logs accordingly to detect this:

(screenshot of the warning)

FYI, these are my savedsearch settings: (screenshots)

But I'm pretty sure the latest changes will solve your issue ...

Bamfax commented 11 months ago

I'd say we can then close this issue, as from 3.2 on the base field of an observable will always need to be present. If it is not, e.g. ip:tags being present but not ip, that's a clear error then.
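To make the failure mode and the agreed behaviour concrete, here is an added illustration written for this thread; it is not the TA's code. The field convention (a bare `<type>` field carries the observable value, `<type>:<tag1>,<tag2>` attaches tags to it, as in the repro after `rename obs_* as *`) and the `KeyError` code path are assumptions modelled on the repro and the closing comment.

```python
import re
from typing import Dict, List, Tuple

# Assumed field convention (constructed for this example, not the TA's own):
# "ip" holds the value, "ip:attacker,external" adds tags to that observable.
FIELD_RE = re.compile(r"^(?P<base>[A-Za-z_][A-Za-z0-9_]*)(?::(?P<tags>[^:]+))?$")


def parse_field(name: str) -> Tuple[str, List[str]]:
    """'ip:attacker, ext' -> ('ip', ['attacker', 'ext']); 'ip' -> ('ip', [])."""
    m = FIELD_RE.match(name)
    if m is None:
        raise ValueError(f"unsupported observable field name: {name!r}")
    raw = m.group("tags") or ""
    return m.group("base"), [t.strip() for t in raw.split(",") if t.strip()]


def group_fields(row: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each base type to the union of tags found on its tagged fields."""
    grouped: Dict[str, List[str]] = {}
    for name in row:
        base, tags = parse_field(name)
        grouped.setdefault(base, [])
        grouped[base].extend(t for t in tags if t not in grouped[base])
    return grouped


def observables_naive(row: Dict[str, str]) -> List[dict]:
    """Pre-fix model: the value is read with row[base] unconditionally, so a
    tagged field whose base field is absent raises KeyError('ip'), which is
    what surfaces as "Unexpected error: 'ip'" in the report."""
    return [{"dataType": base, "data": row[base], "tags": tags}
            for base, tags in group_fields(row).items()]


def observables_checked(row: Dict[str, str]) -> Tuple[List[dict], List[str]]:
    """Post-fix model: a missing or empty base field skips that one observable
    and records a warning instead of aborting the whole alert action."""
    out, warnings = [], []
    for base, tags in group_fields(row).items():
        value = row.get(base, "")
        if value == "":
            warnings.append(f"no observable created for '{base}' "
                            f"(tags={tags}): base field missing or empty")
            continue
        out.append({"dataType": base, "data": value, "tags": tags})
    return out, warnings


# Constructed result row mirroring the repro: tagged fields, no base fields.
REPRO_ROW = {"ip:attacker": "1.2.3.4", "pan_threat": "SomeAttack(12345)",
             "user:testtag01": "marsupilami"}
```

Adding `ip` and `user` base fields to `REPRO_ROW` makes both functions succeed, which is the "base field must be present" rule the thread closes on.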