[BUG] Splunk SPL safeguards blocking hive as risky commands

LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project

GNU Lesser General Public License v3.0

47 stars 11 forks source link

[BUG] Splunk SPL safeguards blocking hive as risky commands #87

Closed maazbaig19 closed 2 months ago

maazbaig19 commented 3 months ago

Request Type

Bug

Work Environment

Question	Answer
OS version (server)
TheHive version / git hash	5.2.12-1

Problem Description

I am trying to install the Hive app on splunk, during the configuration splunk SPL is blocking the commands as risky, I opened a case with the Splunk support team and they are asking for those commands so I can send them to Splunk? So that the safeguards can be removed.

Steps to Reproduce

Go to the TheHive/Cortex application > Settings > Instances Add a new instance Post adding all the information in the debug it is showing as splunk is identifying the commands as risky,

Possible Solutions

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

LetMeR00t commented 3 months ago

Hello @maazbaig19 Any execution of a custom custom is considered as risky by default on Splunk. All the commands are safe and can be trusted by Splunk. Don't know if I have anything to do on my side for it?

maazbaig19 commented 3 months ago

Thanks for your quick response.

Would you be able to provide the list of commands that are used so we can whitelist it.

Thanks Maaz

On Wed, 10 Apr, 2024, 11:00 pm LmR, @.***> wrote:

Hello @maazbaig19 https://github.com/maazbaig19 Any execution of a custom custom is considered as risky by default on Splunk. All the commands are safe and can be trusted by Splunk. Don't know if I have anything to do on my side for it?

— Reply to this email directly, view it on GitHub https://github.com/LetMeR00t/TA-thehive-cortex/issues/87#issuecomment-2048107818, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADBMZVSRD3VVW72U3EW4MNDY4VZLXAVCNFSM6AAAAABGAYVZHOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBYGEYDOOBRHA . You are receiving this because you were mentioned.Message ID: @.***>

LetMeR00t commented 3 months ago

Hello For all Python commands, everything is defined under the commands.conf file: https://github.com/LetMeR00t/TA-thehive-cortex/blob/main/TA-thehive-cortex/default/commands.conf

In your case, I’m wondering if we aren’t talking about few JavaScript scripts used to load data from the lookups.

in that case all the JavaScript scripts (4 in total at the end of the folder) are available here: https://github.com/LetMeR00t/TA-thehive-cortex/tree/main/TA-thehive-cortex/appserver/static

maazbaig19 commented 2 months ago

This was resolved after disabling SPL safeguards