Closed traceflow closed 5 years ago
I'll check ASAP, but I don't have a cloud instance. Is it a fresh install of the app? It looks like the endpoint is missing, so I should be able to troubleshoot on a standard instance.
Fresh install. I'll try to get some more details.
On Sat, Sep 7, 2019, at 7:08 AM, Rémi Séguy wrote:
I'll check ASAP, but I don't have a cloud instance. Is it a fresh install of the app?
I have tested a fresh install of 2.0.1 (using the .tar.gz) on Splunk 7.3.0 and there is no timeout. Does your profile on the cloud instance have the right to use the API endpoints? From the error code 404 it looks like a page is not found. I'll try to get more info from Splunk experts.
Thanks! I'll also open a support ticket on my side.
On Sun, Sep 8, 2019, at 3:01 PM, Rémi Séguy wrote:
I have tested a fresh install of 2.0.1 (using the .tar.gz) on Splunk 7.3.0 and there is no timeout. Does your profile on the cloud instance have the right to use the API endpoints? From the error code 404 it looks like a page is not found. I'll try to get more info from Splunk experts.
Hello @remg427, I think I found the issue on our side. I checked the requests sent to the backend and tried to access them directly through the REST API.
Here is the stack trace of the error:
URL Reference : GET on https://exemple.splunkcloud.com:8089/servicesNS/nobody/TA-thehive/TA_thehive_create_alert_connector_to_thehive_instance
09-18-2019 14:30:09.267 +0000 ERROR AdminManagerExternal - Stack trace from python handler:
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init
    hand.execute(info)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute
    if self.requestedAction == ACTION_LIST: self.handleList(confInfo)
  File "/opt/splunk/etc/apps/TA-thehive/bin/ta_thehive_create_alert/splunk_aoblib/rest_migration.py", line 38, in handleList
    AdminExternalHandler.handleList(self, confInfo)
  File "/opt/splunk/etc/apps/TA-thehive/bin/ta_thehive_create_alert/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper
    for entity in result:
  File "/opt/splunk/etc/apps/TA-thehive/bin/ta_thehive_create_alert/splunktaucclib/rest_handler/handler.py", line 118, in wrapper
    raise RestError(exc.status, exc.message)
RestError: REST Error [404]: Not Found -- HTTP 404 Not Found -- {"messages":[{"type":"ERROR","text":"Not Found"}]}
Hello, thanks for the feedback. It seems to confirm that the issue is with the REST API calls. On a standard Splunk, the page does not load until the user has the capability "list_storage_passwords", which is not given by default to power users. As soon as I give that capability to the user, the page loads (this capability uses an endpoint to encrypt and store passwords into local/passwords.conf). Does your account on Splunk Cloud have the capability "list_storage_passwords"?
To build the apps I have used the "Splunk Add-on Builder" from Splunkbase. This app implements the full mechanism for creating/editing inputs. It includes the call to the REST API for encrypting/storing the passwords into passwords.conf. So it looks like apps built with this add-on are not compatible with Splunk Cloud, but this was not mentioned by the review of the app, was it? In particular, to be vetted for cloud, the Splunk team requires having only encrypted passwords, HTTPS URLs, etc. I used the add-on to help me be compliant with the requirements for cloud deployment. I am confused.
Have you successfully deployed another app on splunk Cloud where there is that page for inputs? If yes I could analyse it to check what I am doing wrong.
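The capability check described above can be scripted against the Splunk management port. This is an added diagnostic, not code from TA-thehive or the Add-on Builder; it assumes a valid session key, the standard endpoints /services/authentication/current-context and /services/storage/passwords, and that the target is the same instance the app is installed on.

```python
import json
import ssl
import urllib.error
import urllib.request

# Capability named in the thread as the gate for the TA's setup page.
REQUIRED_CAPABILITY = "list_storage_passwords"


def fetch_json(base_url, path, session_key):
    """GET a Splunk REST endpoint in JSON mode; return (status, parsed body).
    HTTP errors are returned, not raised, so a 404 can be classified."""
    req = urllib.request.Request(
        f"{base_url}{path}?output_mode=json",
        headers={"Authorization": f"Splunk {session_key}"},
    )
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        try:
            return err.code, json.loads(body)
        except ValueError:
            return err.code, {"messages": [{"type": "ERROR", "text": body}]}


def capabilities_from_context(context_body):
    """Capabilities of the calling user, as listed by current-context."""
    entries = context_body.get("entry", [])
    if not entries:
        return []
    return list(entries[0].get("content", {}).get("capabilities", []))


def error_text(body):
    """Flatten Splunk's {"messages":[{"type":..,"text":..}]} error shape."""
    return "; ".join(m.get("text", "") for m in body.get("messages", []))


def diagnose(context_status, context_body, pw_status, pw_body):
    """Map the two responses to a verdict matching the thread's symptoms."""
    caps = capabilities_from_context(context_body) if context_status == 200 else []
    if REQUIRED_CAPABILITY not in caps:
        return f"missing capability {REQUIRED_CAPABILITY}: grant it to the role"
    if pw_status != 200:
        return f"storage/passwords returned {pw_status}: {error_text(pw_body)}"
    return "ok: storage/passwords readable, setup page should load"


def run(base_url, session_key):
    """Live check, e.g. run('https://host:8089', key); returns the verdict."""
    ctx = fetch_json(base_url, "/services/authentication/current-context", session_key)
    pw = fetch_json(base_url, "/services/storage/passwords", session_key)
    return diagnose(ctx[0], ctx[1], pw[0], pw[1])
```

A 404 from storage/passwords with the capability present points at something other than the role, which is the case the thread eventually reaches.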
@remg427 your MISP42Splunk app is deployed on the same Splunk Cloud search head and the inputs worked flawlessly. Maybe you could check if there's a difference in the MISP42Splunk app?
Any updates on this issue?
This needs the capability "list_storage_passwords". This is a consequence of storing passwords in encrypted form in passwords.conf, which is a requirement for getting the app vetted for the cloud. Not sure Splunk support will grant you this capability. If you have a chance, submit this "chicken & egg" issue to support.
After contacting Splunk, I learned that a recent change of policy regarding inputs on Splunk Cloud search heads makes the configuration of inputs directly on the search head impossible. However, there is a solution and it's the one they suggested: the Splunk app has to be installed on the IDM and not on the search head.
This is now the case for all Splunk apps requiring inputs, including MISP42Splunk. They did not disable our previous inputs from other apps, they simply don't accept them on the search heads from now on.
Hello, thank you for this feedback. Do you have a copy of their policy? Can you still access the configuration tab? If yes, I may port the config to this tab by foreseeing several instances (1, 2, etc.) so it will be possible to set the instance parameters.
Hey,
Just an update. So it turns out that Splunk arbitrarily decided to no longer allow Splunk Cloud clients to configure inputs on the search heads, without notifying anyone. MISP42Splunk was installed before they suddenly took this decision. We asked them to make an exception, as the inputs in the app are not used in the traditional way; still waiting for an answer. In the meantime I assume this issue can be closed, as the TA definitely isn't the problem.
Thanks for the help!
Hello, thanks for the feedback and support. I am going to check if coming back to a lookup table can be an option. The API keys will still be stored encrypted, but the rest of the config will be in plain text in the CSV file. Just to make it vetted for cloud and also to cope with some rights not granted by default to power users.
The page does not load as you can see:
Error log generated by Splunk