LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Getting this error "External search command 'thehivecases' returned error code 1" #89

Open maazbaig19 opened 2 months ago

maazbaig19 commented 2 months ago

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | |
| TheHive version / git hash | 5.2.12-1 |

Problem Description

When trying to view the cases in the TheHive Splunk app, it is throwing this error: "External search command 'thehivecases' returned error code 1". This is happening on the Splunk production instance, on which we are running Splunk version 9.1.2312.104.

Steps to Reproduce

  1. Install hive app
  2. Configure
  3. Under TheHive:Cases it's not populating the cases

Possible Solutions

-

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

-

LetMeR00t commented 2 months ago

Hello @maazbaig19. Did you check the Audit Logs dashboard embedded in the application for any error in the period in which you did your tries? Otherwise, you can check the job log (search.log) of the job that ran the command and look for any error at the end of the file. Keep me posted.

maazbaig19 commented 2 months ago

I checked in the Audit Logs dashboard; no results are found.

maazbaig19 commented 2 months ago

Basically, I'm not able to list the TheHive cases in the Splunk app. Screenshot attached. Also, can you help me with where I check the job log (search.log) of the job that ran the command, so I can look for any error at the end of the file?

LetMeR00t commented 2 months ago

When you are on the dashboard where the issue happens, you can open the search from the panel showing the error (there is an icon at the bottom right of the panel). Once the search is opened, you can click on Job and then inspect the job. You shall then be able to access the search.log file from there.

maazbaig19 commented 2 months ago

I'm seeing these errors:

04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': Traceback (most recent call last):
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py", line 29, in
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': instances = initialize_thehive_instances(keywords, settings ,logger_name="thehive_search_cases")
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 24, in initialize_thehive_instances
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': instances.append(create_thehive_instance(instance_id, settings, logger))
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 34, in create_thehive_instance
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': configuration = Settings(spl, settings, logger)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 39, in init
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': for credential in sp:
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/client.py", line 1381, in iter
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': for item in self.iter(kwargs):
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/client.py", line 1544, in iter
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': response = self.get(count=pagesize or count, offset=offset, kwargs)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/client.py", line 1774, in get
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': return super(Collection, self).get(name, owner, app, sharing, query)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/client.py", line 864, in get
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': query)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 291, in wrapper
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': return request_fun(self, *args, *kwargs)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 72, in new_f
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': val = f(args, kwargs)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 697, in get
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': response = self.http.get(path, all_headers, query)
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1230, in get
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': return self.request(url, { 'method': "GET", 'headers': headers })
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1302, in request
04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': raise HTTPError(response)
04-23-2024 06:09:16.917 ERROR script [1504148 phase_1] - SearchMessage orig_component=script sid=_bWFhei5iYWlnQG1lcmFraS5uZXQ_bWFhei5iYWlnQG1lcmFraS5uZXQ_VEEtdGhlaGl2ZS1jb3J0ZXg__search8_1713852556.18881_FD90E9CD-A4C6-4875-92E0-9D26EA29860A message_key=EXTERN:SCRIPT_NONZERO_RETURN_%s%d_%s message=External search command 'thehivecases' returned error code 1.

LetMeR00t commented 2 months ago

Hello. It seems that the GET request can't be done. Are you able to ping your TheHive instance from your Splunk instance? Are you using a custom certificate authority? If so, did you specify it as mentioned in the documentation?

maazbaig19 commented 2 months ago

No we are not using a custom certificate authority. We are using Splunk cloud so cannot test the ping response. However outbound 443 is open.

LetMeR00t commented 2 months ago

Hello. I invite you to enable the DEBUG mode in the Configuration dashboard available in the navigation of the application (see the documentation if you can't find it). Then rerun your command to get the error, go to the Audit Logs dashboard and check the information shown, especially how the URL is built, to see if there is any issue in it. Thank you.

maazbaig19 commented 2 months ago

I see these errors: Unexpected error: HTTP 403 Forbidden -- You (user=**) do not have permission to perform this operation (requires capability: list_storage_passwords OR edit_storage_passwords OR admin_all_objects).

maazbaig19 commented 2 months ago

The sourcetype is modular_alerts:thehive_create_a_new_alert.

maazbaig19 commented 2 months ago

One more query: when configuring instances and the account, does the TA not reach out to TheHive to validate that the credentials work?

LetMeR00t commented 2 months ago

> I see these errors: Unexpected error: HTTP 403 Forbidden -- You (user=**) do not have permission to perform this operation (requires capability: list_storage_passwords OR edit_storage_passwords OR admin_all_objects).

Your account needs at least a capability named "list_storage_passwords" associated to one of your roles to be able to do what you want. Please check with the Splunk admins of the platform to let you have this role.

LetMeR00t commented 2 months ago

> One more query: when configuring instances and the account, does the TA not reach out to TheHive to validate that the credentials work?

No, it doesn't. It's only when you try to do a request. Here the issue is more that you don't have the capability to list storage passwords, which is where the password of the account you are using to reach TheHive is stored.
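The two symptoms discussed in this thread, the ScriptRunner stderr lines in search.log (where the traceback shows the TA failing while iterating the storage/passwords collection through splunklib) and the HTTP 403 message naming the required capabilities, can be pulled apart automatically. The following is an added example, not code from the TA or from anyone in this thread: a small parser that splits a pasted search.log excerpt back into records (even when copy-paste has run them together on one line), reassembles the Python traceback the script wrote to stderr, and extracts the HTTP status and the list of capabilities the error says the user is missing. The sample log is constructed for the example; the pid, sid and user name in it are placeholders, and only the file paths mirror the ones quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the search.log lines Splunk writes when an
# external search command's Python script exits non-zero. pid, sid and the user
# name are placeholders; the paths mirror the ones quoted in the issue above.
SCRIPT = "/opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py"
BINDING = ("/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/"
           "aob_py3/splunklib/binding.py")
_PREFIX = ("04-23-2024 06:09:16.902 ERROR ScriptRunner [1504148 phase_1] - stderr from "
           f"'/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 {SCRIPT} 58c92c70': ")
SAMPLE_SEARCH_LOG = "\n".join([
    _PREFIX + "Traceback (most recent call last):",
    _PREFIX + f'File "{SCRIPT}", line 29, in <module>',
    _PREFIX + 'instances = initialize_thehive_instances(keywords, settings, logger_name="thehive_search_cases")',
    _PREFIX + f'File "{BINDING}", line 1302, in request',
    _PREFIX + "raise HTTPError(response)",
    _PREFIX + "splunklib.binding.HTTPError: HTTP 403 Forbidden -- You (user=analyst) do not have "
              "permission to perform this operation (requires capability: list_storage_passwords "
              "OR edit_storage_passwords OR admin_all_objects).",
    "04-23-2024 06:09:16.917 ERROR script [1504148 phase_1] - SearchMessage orig_component=script "
    "sid=PLACEHOLDER_SID message_key=EXTERN:SCRIPT_NONZERO_RETURN_%s%d_%s "
    "message=External search command 'thehivecases' returned error code 1.",
])

TIMESTAMP = r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}"
# One ScriptRunner record carries exactly one stderr line of the child script.
STDERR_RE = re.compile(
    rf"^{TIMESTAMP} ERROR ScriptRunner \[(?P<pid>\d+) \w+\] - stderr from '(?P<cmd>[^']*)': (?P<text>.*)$"
)
SEARCHMSG_RE = re.compile(r"message=External search command '(?P<name>[^']+)' returned error code (?P<code>\d+)")
FRAME_RE = re.compile(r'^File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
HTTP_RE = re.compile(r"HTTP (?P<status>\d{3}) (?P<reason>.+?) -- ")
CAPS_RE = re.compile(r"requires capability: (?P<caps>[^)]+)\)")


def split_records(blob: str) -> List[str]:
    """Split a search.log excerpt into one record per entry. Works on a clean
    file and on text where several records were pasted onto a single line,
    because every record starts with the same timestamp shape."""
    parts = re.split(rf"(?={TIMESTAMP} )", blob.replace("\n", " "))
    return [p.strip() for p in parts if p.strip()]


def stderr_lines(records: List[str]) -> List[str]:
    """Recover the child script's stderr (its traceback) in order."""
    out = []
    for record in records:
        m = STDERR_RE.match(record)
        if m:
            out.append(m.group("text").strip())
    return out


def failing_frame(lines: List[str]) -> Optional[Tuple[str, int, str]]:
    """Innermost traceback frame: the last 'File "...", line N, in f' entry.
    Useful when the final exception line is missing from the paste."""
    frame = None
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            frame = (m.group("path"), int(m.group("line")), m.group("func"))
    return frame


def missing_capabilities(message: str) -> List[str]:
    """Capabilities named in a Splunk 403 'requires capability: A OR B' message."""
    m = CAPS_RE.search(message)
    return [c.strip() for c in m.group("caps").split(" OR ")] if m else []


def diagnose(log_text: str) -> Dict[str, object]:
    """Summarise why an external search command returned a non-zero code."""
    records = split_records(log_text)
    lines = stderr_lines(records)
    exc = lines[-1] if lines else ""          # last stderr line is the exception, if present
    http = HTTP_RE.search(exc)
    command, code = None, None
    for record in records:
        m = SEARCHMSG_RE.search(record)
        if m:
            command, code = m.group("name"), int(m.group("code"))
    return {
        "command": command,
        "exit_code": code,
        "failing_frame": failing_frame(lines),
        "exception": exc,
        "http_status": int(http.group("status")) if http else None,
        "missing_capabilities": missing_capabilities(exc),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SEARCH_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `diagnose` reports command `thehivecases`, exit code 1, HTTP status 403 and the three alternative capabilities, any one of which on the user's role would satisfy the check; `list_storage_passwords` is the least-privilege choice of the three, since the other two also grant write or blanket admin rights. When the pasted log is cut off before the final `HTTPError:` line, as in the first excerpt in this thread, `http_status` comes back `None` but `failing_frame` still points at `binding.py` `request`, which is enough to tell a REST-permission failure from a network problem reaching TheHive.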

maazbaig19 commented 2 months ago

> I see these errors: Unexpected error: HTTP 403 Forbidden -- You (user=**) do not have permission to perform this operation (requires capability: list_storage_passwords OR edit_storage_passwords OR admin_all_objects).

> Your account needs at least a capability named "list_storage_passwords" associated to one of your roles to be able to do what you want. Please check with the Splunk admins of the platform to let you have this role.

This I agree we can fix with the permissions.

maazbaig19 commented 2 months ago

> One more query: when configuring instances and the account, does the TA not reach out to TheHive to validate that the credentials work?

> No, it doesn't. It's only when you try to do a request. Here the issue is more that you don't have the capability to list storage passwords, which is where the password of the account you are using to reach TheHive is stored.

We are still seeing these errors:

04-25-2024 01:41:17.399 ERROR ScriptRunner [2075626 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': return self.request(url, { 'method': "GET", 'headers': headers })
04-25-2024 01:41:17.399 ERROR ScriptRunner [2075626 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': File "/opt/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1302, in request
04-25-2024 01:41:17.399 ERROR ScriptRunner [2075626 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': raise HTTPError(response)
04-25-2024 01:41:17.399 ERROR ScriptRunner [2075626 phase_1] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py 58c92c70': splunklib.binding.HTTPError: HTTP
04-25-2024 01:41:17.411 ERROR script [2075626 phase_1] - SearchMessage orig_component=script sid=_bWFhei5iYWlnQG1lcmFraS5uZXQ_bWFhei5iYWlnQG1lcmFraS5uZXQ_VEEtdGhlaGl2ZS1jb3J0ZXg__search8_1714009277.27837_FD90E9CD-A4C6-4875-92E0-9D26EA29860A message_key=EXTERN:SCRIPT_NONZERO_RETURN_%s%d_%s message=External search command 'thehivecases' returned error code 1.

maazbaig19 commented 2 months ago

How do we troubleshoot these errors?

maazbaig19 commented 2 months ago

Also, to add another point here: the issue is with the Victoria Splunk version; we are not seeing this issue on Splunk Classic. Do you plan to provide a fix for this in the code?

LetMeR00t commented 2 months ago

> Also, to add another point here: the issue is with the Victoria Splunk version; we are not seeing this issue on Splunk Classic. Do you plan to provide a fix for this in the code?

Well, before talking about providing a fix for something, we shall first understand where the issue comes from. At this point, I can't help you solve this, as we don't have the root cause yet, if you have already fixed the issue with the list storage passwords capability.

That said, would it be possible to share by email more details about the implementation you did, especially the settings of your TheHive instance in the app?

Moreover, when enabling the DEBUG logs you shall see at least some of the logs in the Audit Logs dashboard.

Please provide me as much details as you can by email: letmer00t@gmail.com

LetMeR00t commented 1 week ago

Hello @maazbaig19, any update on this? Thank you.