LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0
47 stars, 11 forks

[BUG] Issue with the splunk cloud sending alerts to thehive #95

Open maazbaig19 opened 1 month ago

maazbaig19 commented 1 month ago

Request Type

Bug

Work Environment

prod

| Question | Answer |
| --- | --- |
| OS version (server) | Splunk Cloud, version 9.2.2403.106 |
| TheHive version / git hash | 3.3 |

Problem Description

We have configured correlation searches in the Splunk Enterprise app to forward all alerts to TheHive, but it is not working. The status shows as failure. This is done through adaptive responses to create a new alert in TheHive.

Steps to Reproduce

  1. The Hive app is configured and working.
  2. For correlation searches, under adaptive actions, configure the action to send an alert to TheHive.

Possible Solutions

How to troubleshoot the issue? Is there any known issue with this?

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

-

LetMeR00t commented 1 month ago

Hello. Did you check the Audit Logs dashboard to find any error? Thank you.

maazbaig19 commented 1 month ago

I see these errors

Unexpected error: invalid literal for int() with base 10: '_time'.

LetMeR00t commented 1 month ago

Hello. Check your savedsearch configuration. Did you configure the « timestamp » parameter to « _time »? If so, and if you don't have this field in your alert, it might cause an issue. Just removing it will help to solve the issue. Keep me posted.

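The exchange above pins the failure to a "timestamp" parameter that names a result field (`_time`) the correlation search no longer returns, so the parameter string itself ends up in `int()`. The following is an added illustration and is not code from TA-thehive-cortex: it reconstructs the naive pattern that yields `invalid literal for int() with base 10: '_time'`, beside a tolerant resolver that checks the row first, accepts an integer literal, and otherwise falls back to the current time with a warning. The function names, the row layouts and the fallback policy are assumptions for the example, not the add-on's documented behaviour.

```python
"""Added example: resolving an alert-action "timestamp" parameter against a
Splunk result row. Not the TA-thehive-cortex implementation; names, rows and
the fallback policy are assumptions made for illustration."""
import logging
import time

log = logging.getLogger("thehive_alert_example")

# Constructed sample rows, shaped like rows a correlation search might hand
# to an adaptive response action. The second one has lost _time, e.g. after
# a "| table src_ip signature" or a "| stats" that did not keep the field.
ROW_WITH_TIME = {"_time": "1718000000.123", "src_ip": "10.0.0.5", "signature": "example"}
ROW_WITHOUT_TIME = {"src_ip": "10.0.0.5", "signature": "example"}


def naive_resolve_timestamp(row: dict, timestamp_param: str) -> int:
    """Reconstruction of the failing pattern (assumed, for illustration):
    if the parameter names a field, parse the field; otherwise trust the
    parameter string as an integer. With timestamp_param == "_time" and no
    _time in the row this raises ValueError('invalid literal for int() ...')."""
    if timestamp_param in row:
        return int(round(float(row[timestamp_param]) * 1000))
    return int(timestamp_param)


def naive_error_message(row: dict, timestamp_param: str):
    """Return the ValueError text the naive resolver produces, or None."""
    try:
        naive_resolve_timestamp(row, timestamp_param)
    except ValueError as exc:
        return str(exc)
    return None


def resolve_timestamp(row: dict, timestamp_param: str, now_ms=None) -> int:
    """Tolerant resolver returning epoch milliseconds for a TheHive alert.

    Resolution order (assumed policy):
      1. timestamp_param names a field in the row -> parse that field. Splunk
         stores _time as epoch seconds, possibly fractional; values that are
         already in milliseconds (> 1e12) are passed through unchanged.
      2. timestamp_param is itself an integer literal -> epoch milliseconds.
      3. anything else -> log a warning and use the current time, so a
         misconfigured parameter degrades the alert date instead of failing
         the whole adaptive response.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)

    if timestamp_param in row:
        raw = row[timestamp_param]
        try:
            value = float(raw)
        except (TypeError, ValueError):
            log.warning("field %r holds non-numeric value %r; using current time", timestamp_param, raw)
            return now_ms
        return int(round(value)) if value > 1e12 else int(round(value * 1000))

    try:
        return int(timestamp_param)
    except ValueError:
        log.warning("timestamp parameter %r is neither a result field nor an integer; using current time",
                    timestamp_param)
        return now_ms


def missing_timestamp_field(row: dict, timestamp_param: str) -> bool:
    """Pre-flight check an operator could run on the first result row:
    True when the configured parameter looks like a field name but the
    search did not return it, which is the situation in this issue."""
    looks_like_field = not timestamp_param.lstrip("-").isdigit()
    return looks_like_field and timestamp_param not in row


if __name__ == "__main__":
    print("naive, row without _time:", naive_error_message(ROW_WITHOUT_TIME, "_time"))
    print("tolerant, row with _time:", resolve_timestamp(ROW_WITH_TIME, "_time"))
    print("tolerant, row without _time:", resolve_timestamp(ROW_WITHOUT_TIME, "_time"))
    print("field missing?", missing_timestamp_field(ROW_WITHOUT_TIME, "_time"))
```

Running the naive branch on the row without `_time` reproduces the exact error text from the Audit Logs dashboard; running the tolerant resolver on the same row emits a warning and still produces a usable date. The pre-flight check is the quickest way to confirm, from a single result row, whether the search output actually carries the field named in the savedsearch parameter before removing it as suggested.
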
LetMeR00t commented 20 hours ago

Hello, Any update? Thank you