Unexpected error: 'ConnectionError' object has no attribute 'message'.

[4A616D6573]

Overview

When attempting to use the alert action from Splunk the The Hive it appears to fail with the following error:

2020-08-02 12:13:19,783 ERROR pid=13783 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Unexpected error: 'ConnectionError' object has no attribute 'message'." action_name="thehive_ce_alert" search_name="Test" sid="scheduler__admin__search__Test_at_1596370140_18" rid="0" app="search" user="admin" action_mode="saved" action_status="failure"

Configuration

Lookup Tables

thehive_datatypes.csv: default thehive_instance_list.csv: th_prod https://localhost:8443 thehive_api_key1 False False False

Log Level

DEBUG

Proxy Configuration

None

Testing

Manual API Call for evidence that it is functional:

curl -XPOST -H 'Authorization: Bearer i/QR9Ay2uXc3k4OacZrwxkGIfSJURh2j' -H 'Content-Type: application/json' https://localhost:8443/api/alert -d '{
  "title": "New Alert",
  "description": "N/A",
  "type": "external",
  "source": "splunk",
  "sourceRef": "alert-ref"
}' --insecure
{"severity":2,"date":1596371003861,"_routing":"fe0988bc0335076d1725cf11dbf9f1f3","customFields":{},"_type":"alert","description":"N/A","lastSyncDate":1596371003862,"source":"splunk","type":"external","follow":true,"title":"New Alert","createdAt":1596371003845,"_parent":null,"createdBy":"splunkenterpriseintegration","tlp":2,"_id":"fe0988bc0335076d1725cf11dbf9f1f3","id":"fe0988bc0335076d1725cf11dbf9f1f3","sourceRef":"alert-ref","_version":1,"artifacts":[],"status":"New"}

Notes

• Alert is based on the test search here: https://github.com/remg427/TA-thehive-ce/blob/master/docs/thehivealerts.md
• The Hive configuration is built in containers within Docker and is using an Nginx reverse proxy, note manual API calls still work.
• Additionally due to the resolution of https://github.com/remg427/TA-thehive-ce/issues/1 you now must use HTTPS (if you're building The Hive from the containers they default to HTTP).

[4A616D6573]

Let me know if you need any more data.

[4A616D6573]

I was the villain, using localhost within 'thehive_instance_list.csv' was the issue as Splunk was also running in a container, changing to the IP address of the node resolved the issue.

[user794dy]

I also have the same error when trying to create alert in TheHive, but I have the correct ip address in thehive_instance_list.csv (only without port). Any idea what can be wrong?