LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Some Alerts not being sent into TheHive due to Invalid json #98

Closed Ogwardd closed 5 days ago

Ogwardd commented 1 week ago

Request Type

Bug

Work Environment

Question                      Answer
OS version (server)
TheHive version / git hash    5.3

Problem Description


Currently I am having a problem where a majority of my Splunk alerts are going through fine, but a couple continuously get the error “[CAA-THCA-122-ERROR] The Hive alert creation has failed… error=BadRequest - Invalid json”.

This error happens quite a bit and I currently cannot find the issue.

If I manually enter the details into the alert creator and then send it off, it works, but with the automated action it continuously causes the error.

Steps to Reproduce

Possible Solutions

LetMeR00t commented 1 week ago

Hello @Ogwardd, thank you for your submission. Do you have any log on TheHive related to this? How many alerts are you processing regularly? Thank you.

Ogwardd commented 1 week ago

Hi, I process hundreds of alerts a day and see a majority of them come through.

Regarding logs, it's difficult to send them for security reasons, which I'm aware inherently makes this very hard to fix.

Regarding one alert it can make the connection and gets all the way to processing the alert before getting to:

file=cim_actions.py … [CAA-THCA-122-ERROR] TheHive alert creation has failed … content=None, error=BadRequest - Invalid json” action_name=“thehive_create_a_new_alert”

Is there any way for me to directly get a copy of the command it is trying to send from my end? That way I can run it and try and find the issue.

My main guess is it doesn't like something in how the alert content is set up, but without knowing how it looks formatted it's shooting in the dark.

Sorry for not being able to give more detail

LetMeR00t commented 1 week ago

Did you test creating the same alert again with the custom alert action? I mean, you successfully created the alert by yourself, but did you check if, by creating the alert manually through the alert action (using a search and the "sendalert" command), you are able to create it afterwards or not? I'm adding a retry capability for the next version, allowing the possibility to retry several times to create a case (in case the platform is overloaded).

Ogwardd commented 1 week ago

Apologies, when I said I add the alerts manually I meant that I use the app's Alert Create dashboard to send them in.

When I use the Splunk app's Alert Creator that uses the send alert function, it works fine.

I have noticed with one of the alerts it works when there are no hashes, but when I see an alert with multiple hashes in a field it fails to send. Is this possibly something to do with JSON not managing to work with lists, and it may be that I need to split out the hashes for them to work with observables?

LetMeR00t commented 1 week ago

Hello, if you can't reproduce the alert using the sendalert command, it means that this isn't linked to the data itself, as it's the same process that is done. Again, did you check on the TheHive instance itself whether there is any relevant error? I mean directly on the TheHive instance itself, not in Splunk. As long as we don't have an example with specific data that isn't working, I can't assume that this is linked to it. In the latest version released yesterday, I implemented a retry option; maybe you can install it and check if the issue still happens, but thanks to the retry, it ends up being successful?

Ogwardd commented 5 days ago

Hi,

Apologies for not getting back on this, but I think I've managed to figure out what the main problem was.

Some of my alerts had multiple values in one cell which were then attempting to be pulled as observables.

When it tried to send it as an alert, the multivalue field was getting treated as a list, which I think may have caused issues if it was looking for a string.

In order to fix this problem I've added a “| mvexpand” to the problematic alerts and now they are coming through.

Thanks for spending the time helping :)
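The root cause reported in this thread is a Splunk multivalue field (several hashes in one cell) being serialised as a JSON list where a single observable value was expected, which TheHive rejected as "Invalid json"; the reporter's fix was to `mvexpand` the field in the search. The following Python is an added illustration written for this page, not code from the TA-thehive-cortex add-on: it shows the same defect and the same fix applied on the payload side, plus a pre-send check that surfaces list-valued fields before the request leaves Splunk. The sample row, the `FIELD_TO_DATATYPE` mapping and the `{"dataType", "data"}` observable shape are constructed assumptions for the example, not the add-on's real configuration or payload format.

```python
import json

# Constructed sample row (not taken from the issue): "file_hash" is a Splunk
# multivalue field, which the Splunk Python SDK returns as a list, while a
# single-value field such as "src_ip" arrives as a plain string.
SAMPLE_ROW = {
    "src_ip": "10.0.0.5",
    "file_hash": [
        "44d88612fea8a8f36de82e1278abb02f",
        "d41d8cd98f00b204e9800998ecf8427e",
    ],
}

# Hypothetical mapping from Splunk field name to TheHive observable dataType.
# The real add-on configures this elsewhere; the mapping here is an assumption.
FIELD_TO_DATATYPE = {"src_ip": "ip", "file_hash": "hash"}


def naive_observables(row, mapping):
    """Build observables without handling multivalue fields.

    A list value is copied straight into "data", which json.dumps turns into
    a JSON array in a place where a single string was expected. This is the
    shape that reproduces the failure described in the thread.
    """
    return [
        {"dataType": mapping[field], "data": row[field]}
        for field in mapping
        if field in row
    ]


def expand_multivalue(row):
    """Yield one (field, value) pair per individual value.

    This is the mvexpand-style fix done in code rather than in SPL: a list
    becomes several pairs, a scalar passes through unchanged.
    """
    for field, value in row.items():
        if isinstance(value, (list, tuple)):
            for item in value:
                yield field, item
        else:
            yield field, value


def build_observables(row, mapping):
    """Build one observable per value, so a field holding several hashes
    becomes several hash observables instead of one list-valued one."""
    return [
        {"dataType": mapping[field], "data": value}
        for field, value in expand_multivalue(row)
        if field in mapping
    ]


def list_valued_fields(observables):
    """Pre-send check: return the dataTypes whose "data" is not a string.

    An empty result means every observable carries a scalar value. Logging
    this before the request would have made the reporter's problem visible
    without needing TheHive's server-side logs.
    """
    return [o["dataType"] for o in observables if not isinstance(o["data"], str)]


def to_payload(observables):
    """Serialise the alert observables, refusing to send a payload that
    still contains list-valued data."""
    bad = list_valued_fields(observables)
    if bad:
        raise ValueError("non-string observable data for dataType(s): %s" % ", ".join(bad))
    return json.dumps({"observables": observables})


if __name__ == "__main__":
    # The naive build flags "hash" as list-valued; the expanded build is clean.
    print(list_valued_fields(naive_observables(SAMPLE_ROW, FIELD_TO_DATATYPE)))
    print(to_payload(build_observables(SAMPLE_ROW, FIELD_TO_DATATYPE)))
```

Doing the expansion in the action code rather than in each saved search has the advantage that every alert is covered, including ones whose fields only occasionally become multivalue; the `list_valued_fields` check is cheap enough to run on every payload and turns an opaque "Invalid json" from the server into a Splunk-side log line naming the offending field.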