hRun / SA-haveibeenpwned

Splunk add-on providing a custom search command to query Troy Hunt's haveibeenpwned API (https://haveibeenpwned.com/api/v3/) for known breaches of your domains or mail addresses.
https://splunkbase.splunk.com/app/5050/
Apache License 2.0

Query result not found #9

Closed skydandrear closed 1 year ago

skydandrear commented 1 year ago

Hi, I am writing you because sometimes it happens that some email addresses are not analyzed and therefore the query in splunk does return errors.

Let me explain: when I try to check an email address xxx@gmail.com the query returns the result with all Breaches and pastes. Sometimes, instead, with casual addresses like yyy@gmail.com nothing comes back.

I also see within the curl that nothing is returned in the event; there is an error: page not found 404 at the time of response of the site haveibeenpwned.

I cannot understand why this occurs only for n mail addresses and not for all.

hRun commented 1 year ago

Hi Robert,

404 errors indicate that no breach/paste was found for an account (see https://haveibeenpwned.com/API/v3#ResponseCodes). They are handled in the code on lines 345 and 423 and should result in "No breach/paste reported for given account and time frame." messages in the respective Splunk result fields. This is the expected behavior.

I understand that the result fields are simply empty in your case though? If so, could you please provide me with as much information about this issue as possible? Are the same accounts affected every time, or random ones? Are different results returned when tested manually against the HIBP API? Do the affected mail addresses have something in common? Is this the case both when querying single accounts and multiple accounts? Is this the case for both the breach and paste fields?

Best Regards, hRun
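As an added example (not the add-on's own code), a small Python client that classifies HIBP v3 responses the way described above: 404 means no breach/paste was found and fills the result field with the "no breach/paste" message, while 401/429/other codes are reported as failures rather than left empty. The transport function is injectable so the logic can be exercised offline; the user-agent string and the error messages are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_BASE = "https://haveibeenpwned.com/api/v3"
NO_RESULT = "No breach/paste reported for given account and time frame."


def classify_hibp_response(status, body):
    """Map an HIBP v3 status code (see /API/v3#ResponseCodes) to a Splunk field value.

    404 is a normal answer ("nothing found"), not a failure; only real errors set ok=False."""
    if status == 200:
        # Breach entries carry "Name", paste entries carry "Source"; sort for a stable field.
        items = json.loads(body) if body else []
        return {"ok": True, "value": sorted(i.get("Name") or i.get("Source", "?") for i in items)}
    if status == 404:
        return {"ok": True, "value": NO_RESULT}
    if status == 401:
        return {"ok": False, "value": "HIBP rejected the API key (401)"}  # assumed wording
    if status == 429:
        return {"ok": False, "value": "HIBP rate limit hit (429); retry later"}  # assumed wording
    return {"ok": False, "value": "Unexpected HIBP response %d" % status}


def http_fetch(url, api_key, proxy=None):
    """Real transport: returns (status, body); HTTP error codes are answers, not exceptions."""
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                               "user-agent": "example-hibp-client"})  # assumed UA
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"https": proxy} if proxy else {}))
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_account(account, api_key, fetch=http_fetch, proxy=None):
    """Query breaches and pastes for one account; every field is always populated."""
    fields = {}
    for field, endpoint, query in (("breaches", "breachedaccount", "?truncateResponse=false"),
                                   ("pastes", "pasteaccount", "")):
        url = "%s/%s/%s%s" % (HIBP_BASE, endpoint, urllib.parse.quote(account), query)
        status, body = fetch(url, api_key, proxy)
        fields[field] = classify_hibp_response(status, body)["value"]
    return fields
```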

skydandrear commented 1 year ago

Thank you for the explanation. Yes, in my case the Splunk search returns an empty result (0 Events). The search head executes the search with a valid account that uses the purchased API key. So, we can say that it is the same account that does not return any result. Unfortunately, this happens only on one of the n instances that we have. In our environment we have other search heads that run and execute the search without any problem on the same account that returns 0 Events on the other instance.

Hope this information is useful. Roberto

hRun commented 1 year ago

That info is certainly helpful in understanding the issue. Unfortunately this sounds like something that I'll hardly be able to replicate. I'll try my best, but might have to close this issue without resolution.

hRun commented 1 year ago

Hi there. Sorry for forgetting to get back to you. I did some testing around this issue previously though and was unable to reproduce it unfortunately. Following unit testing practices, the only case where fields would not be populated is if you don't use a proxy and all requests fail. From what you described this is not the case in your setup though. I am afraid that with the little setup I have available for testing, I am not able to help out any further.