[BUG] Splunk Alert with multiple rows/events leads to failure

LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project

GNU Lesser General Public License v3.0

49 stars 11 forks source link

[BUG] Splunk Alert with multiple rows/events leads to failure #90

Closed marpoe closed 4 months ago

marpoe commented 6 months ago

Request Type

Bug

Work Environment

Problem Description

If my Splunk Alert consists of multiple events (rows) and the alert setting is set to "ES notable mode" the TA should create one TheHive Alert for each row

Steps to Reproduce

Create a Splunk Alert

_time | url
2024-04-22 05:05:07 | www.test.com
2024-04-29 10:27:02 | www.test.com
2024-04-22 05:05:08 | www.test.com
2024-04-23 05:06:04 | www.test.com

Run the Alert with Alert mode "ES notable mode" (1 alert per row). I tested the same with "Alert action mode" without a unique field.
Verify log output

error=CreateError - Alert alert:splunk:scheduler_cG9lbGxtcmtAc2NoYWVmZmxlci5jb20_c2NoYWVmZmxlcl9zb2M__RMD549035e33c4aa98f7_at_1714477620_73377_<xxxxxx> already exists in organisation Test"

Possible Solutions

It loos like that the "reference field" has to be unique. Is there something what I've configured the wrong way?

marpoe commented 6 months ago

Ok, something to add: I saw it must be unique based on reference, source & type which can be filled based on the splunk alerts data.

The display name of the link will be cutted after some lenght what leads to the fact that it's unique. The link is working correctly

LetMeR00t commented 6 months ago

Hello @marpoe Thank you for submitting your issue In order to check first if we can make it work otherwise, could you add in your search something like ‘| eval unique=123456789’ to get a new column in your result Then run the custom alert action with the Alert Action mode and set the Unique ID field parameter to « unique » See if it’s working like that first or not

marpoe commented 6 months ago

Hello @LetMeR00t - Thank you for your reply.

As you suggested, I've created the following entries by my splunk search

_time	unique	url
2024-04-29 10:27:02	123456789	www.test.com
2024-05-01 15:57:01	123456789	www.test.com
2024-04-23 05:06:04	123456789	www.test.com
2024-04-30 14:52:01	123456789	www.test.com

Alert setting:

Result Log:

error=CreateError - Alert alert:splunk:123456789 already exists in organisation xxxxx"

Result TheHive:

The "unique" value will be used as reference in TheHive. Due to the fact, that I'm using the same value for all 4 events, the creation fails. By ensuring a real unique value everything will work. No issue anymore in my opinion, just something to be aware of.

LetMeR00t commented 4 months ago

Hello, I'm sorry for the late response. Did you figured how to fix the issue or understand the root cause? If it still relevant today for you, I can work on this during July 2024. Thank you

marpoe commented 4 months ago

It's working by ensuring a unique value is present per row and the respective fieldname of this unique value is set in the alert action for "Unique ID field". No further action required, just to be aware of it. Thanks for your response & support!!