search

cudeso / misp2sentinel

MISP to Sentinel integration
MIT License
57 stars 18 forks source link

Can anyone help with this error, I am stumped. #95

Closed johnckeen closed 2 months ago

johnckeen commented 3 months ago

I am getting this error when running and I have redeployed and double checked over a dozen times (not exaggerating!)

Result: Failure Exception: TypeError: string indices must be integers, not 'str' Stack: File "/azure-functions-host/workers/python/3.11/LINUX/X64/azure_functions_worker/dispatcher.py", line 604, in _handleinvocation_request call_result = await self._loop.run_in_executor( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/concurrent/futures/thread.py", line 58, in run result = self.fn(*self.args, self.kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/azure-functions-host/workers/python/3.11/LINUX/X64/azure_functions_worker/dispatcher.py", line 933, in _run_sync_func return ExtensionManager.get_sync_invocation_wrapper(context, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/azure-functions-host/workers/python/3.11/LINUX/X64/azure_functions_worker/extension.py", line 215, in _raw_invocation_wrapper result = function(args) ^^^^^^^^^^^^^^^^ File "/home/site/wwwroot/MISP2Sentinel/init.py", line 128, in main pmain() File "/home/site/wwwroot/MISP2Sentinel/init__.py", line 111, in pmain push_to_sentinel(item['tenantId'], item['id'], item['secret'], item['workspaceId']) ~~~~^^^^^^^^^^^^

my tenants secret is laid out like this in a single line in keyvault: {"tenantId": "xxxx-xxxx-xxxx-xxxx", "id": "xxxx-xxxx-xxxx-xxxx", "secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx", "workspaceId": "xxxx-xxxx-xxxx-xxxx"}

Everything is green for referencing vault secrets in function app.

cudeso commented 3 months ago

Have you tried adding the credentials in a list (with [] )? As per the example at https://github.com/cudeso/misp2sentinel/tree/main/AzureFunction

[
   { 
      "tenantId": "<TENANT_ID_WITH_APP_1>",
      "id": "<APP_ID>",
      "secret": "<APP_SECRET>",
      "workspaceId": "<WORKSPACE_ID>"
   },
   {
      "tenantId": "<TENANT_ID_WITH_APP_N>",
      "id": "<APP_ID>",
      "secret": "<APP_SECRET_N>",
      "workspaceId": "<WORKSPACE_ID_N>"
   }
]
johnckeen commented 3 months ago

Yes I have tried putting the following into key vault using a JSON variable then converting it to secure string:

$JSON = @" [ { "tenantId": "xxxx-xxxx-xxxx-xxxx", "id": "xxxx-xxxx-xxxx-xxxx", "secret": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "workspaceId": "xxxx-xxxx-xxxx-xxxx" } ] "@

Set-AzKeyVaultSecret -VaultName misp2sentinelsoftcat -Name tenants -SecretValue ($JSON | ConvertTo-SecureString -AsPlainText -Force)

johnckeen commented 3 months ago

Is the above the wrong way to do this?

cudeso commented 3 months ago

As far as I can check it's OK. I'm not an Azure expert and haven't used the Azure Function setup yet (sticked to the "local" install). @lnfernux would you happen to know if the syntax needs updating?

lnfernux commented 3 months ago

Another thing is that if you want to add a multiline variable to a keyvault secret you have two options, either

  1. Add the file to VSCode, select all the text and use the join option to create a single line json blob
  2. https://learn.microsoft.com/en-us/azure/key-vault/secrets/multiline-secrets

I usually go for number 1, so it might be the issue that it only will support a single line JSON-blob actually when I think about it. Can you try that and let me know if it works?

johnckeen commented 3 months ago

Thank you, I will try this later today and see if it helps. I was using secure string because all the docs I could find on putting json into secret was to convert to secure string.

johnckeen commented 3 months ago

I am stumped. Downloaded from github again and redeployed using vscode. Tried the following using your option 1 which is a massive life saver for other use cases too so thanks for that but still no dice.

{ "tenantId": "xxxx-xxxx-xxxx-xxxx", "id": "xxxx-xxxx-xxxx-xxxx", "secret": "***", "workspaceId": "xxxx-xxxx-xxxx-xxxx" }

I have tried with [ ] and without with no success, below is the error still "string indices must be integers, not 'str'. [cid:abaf833b-bf08-4395-8bb9-49339aec8107]

johnckeen commented 3 months ago

Can someone confirm if this is the correct format to store the secret in when just using one instance?

image

lnfernux commented 3 months ago

You still need the same formatting when sending to one instance :) It's just a matter of including only one. The link is here to the relevant section in the docs, but it should look like this:

[
    {
      "tenantId": "<TENANT_ID_WITH_APP_1>",
      "id": "<APP_ID>",
      "secret": "<APP_SECRET>",
      "workspaceId": "<WORKSPACE_ID>"
    }
]

Formatting as a single line, it should be like this:

[ { "tenantId": "<TENANT_ID_WITH_APP_1>", "id": "<APP_ID>", "secret": "<APP_SECRET>", "workspaceId": "<WORKSPACE_ID>" } ]

In my case (just tested), it worked for a single instance by using the single line above added to the keyvault.

cudeso commented 2 months ago

hello @johnckeen can this issue be closed?

johnckeen commented 2 months ago

Thank you Infernex, For what ever reason, copying your single line and adding my details then pasting it into key vault worked. I've got both lines in notepad++ and can see no difference so I'm stumped as to why yours worked and mine didn't.

You can close this issue now and thank you so much for all the help!