remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0
109 stars, 30 forks

Error in 'sendalert' command: Alert script returned error code 5. #205

Closed. schimpy closed this 2 years ago

schimpy commented 2 years ago

Hello,

I am getting the error `Error in 'sendalert' command: Alert script returned error code 5.` every time I invoke the sendalert SPL command.

Fetching from MISP using mispgetioc works perfectly fine, but I am unable to invoke anything towards MISP. Every attempt returns the error above.

Inspecting the source code, the error refers to https://github.com/remg427/misp42splunk/blob/f256ce7cd9a5590811a3860864cc968caabb8571/misp42splunk/bin/misp_alert_create_event.py#L96

Do you have any suggestions how to troubleshoot this?

remg427 commented 2 years ago

Hi, thank you for using misp42. Is it version 4.0.2?

Have you tried from the dashboard to check whether the example is working fine? Maybe one of the mandatory fields is not provided. Could you save your SPL as an alert and add the alert action "create a MISP event"? You'll get the form with the mandatory and optional parameters. Also ensure your SPL returns at least one field starting with misp_ and ending with a MISP attribute type, e.g. misp_domain (domain) or misp_ip_dst (ip-dst). Hope it solves your issue.

schimpy commented 2 years ago

Hello, I found the issue at the permission level: the Publisher role needed to be set on the integration account.
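
The two failure causes discussed in this thread (SPL results that carry no misp_&lt;attribute-type&gt; field, as the maintainer's reply points out, and an integration account whose MISP role cannot publish, as the reporter's final comment found) can be checked before wiring up the alert action. The Python below is an added example written for this page; it is not misp42splunk's code and talks to neither Splunk nor MISP. The attribute-type list is a small constructed subset, the sample result rows and the two `/users/view/me` responses are constructed, and the response shape (a top-level `Role` object carrying `perm_*` flags) is an assumption about MISP's JSON rather than something the thread states.

```python
"""Pre-flight checks for a misp42-style 'create a MISP event' alert action.

Added example for this page, not misp42splunk's own code. It mirrors the
misp_<type> field convention from the maintainer's reply (misp_ip_dst -> ip-dst)
and checks the publish permission behind the reporter's fix (Publisher role).
"""

# Constructed subset of MISP attribute types; the real list is far longer.
MISP_ATTRIBUTE_TYPES = {
    "ip-src", "ip-dst", "domain", "hostname", "url",
    "md5", "sha1", "sha256", "email-src", "email-dst", "filename",
}


def field_to_attribute_type(field):
    """Map a Splunk field following the misp_ convention to a MISP attribute type.

    Underscores in the suffix stand in for hyphens (misp_ip_dst -> ip-dst).
    Returns None for fields that do not follow the convention or name an
    unknown type, so callers can skip them instead of sending garbage to MISP.
    """
    if not field.startswith("misp_"):
        return None
    candidate = field[len("misp_"):].replace("_", "-")
    return candidate if candidate in MISP_ATTRIBUTE_TYPES else None


def row_to_attributes(row):
    """Turn one Splunk result row (dict) into MISP attribute dicts, skipping
    non-misp_ fields and empty values."""
    attrs = []
    for field, value in row.items():
        atype = field_to_attribute_type(field)
        if atype is None or value in (None, ""):
            continue
        attrs.append({"type": atype, "value": str(value)})
    return attrs


def build_event(rows, info, distribution=0, analysis=0, threat_level_id=4):
    """Assemble an event body shaped like what MISP's /events/add accepts.

    Raises ValueError when no row yields a usable misp_* field: with nothing
    to send, an alert script has no event to create, which is the
    'mandatory field not provided' case from the maintainer's reply.
    """
    attributes = []
    for row in rows:
        attributes.extend(row_to_attributes(row))
    if not attributes:
        raise ValueError("no misp_<attribute-type> field found in results")
    return {"Event": {"info": info, "distribution": distribution,
                      "analysis": analysis, "threat_level_id": threat_level_id,
                      "Attribute": attributes}}


def can_publish(user_view_json):
    """Return True when the role in a /users/view/me style response carries
    perm_publish. The exact response layout is assumed here (constructed
    below); a Read Only or plain User role lacks this flag, a Publisher has it."""
    role = user_view_json.get("Role")
    if role is None:
        role = user_view_json.get("User", {}).get("Role", {})
    return bool(role.get("perm_publish", False))


def preflight(rows, user_view_json):
    """Collect the problems a sendalert run would hit, as human-readable strings.
    An empty list means both checks passed."""
    problems = []
    if not any(row_to_attributes(r) for r in rows):
        problems.append("results carry no misp_<attribute-type> field")
    if not can_publish(user_view_json):
        problems.append("account role lacks perm_publish; assign Publisher or equivalent")
    return problems


# Constructed sample data (not captured from a real Splunk or MISP instance).
SAMPLE_ROWS = [
    {"_time": "2023-01-01T00:00:00", "src": "10.0.0.5",
     "misp_ip_dst": "198.51.100.7", "misp_domain": "example.net"},
    {"_time": "2023-01-01T00:05:00", "misp_ip_dst": "",
     "misp_url": "http://example.net/login"},
]
ROWS_WITHOUT_MISP_FIELDS = [{"_time": "2023-01-01T00:00:00", "src": "10.0.0.5"}]

PUBLISHER_USER = {"User": {"email": "splunk-int@example.org"},
                  "Role": {"name": "Publisher", "perm_add": True,
                           "perm_modify": True, "perm_publish": True}}
READONLY_USER = {"User": {"email": "splunk-int@example.org"},
                 "Role": {"name": "Read Only", "perm_add": False,
                          "perm_modify": False, "perm_publish": False}}

if __name__ == "__main__":
    print(preflight(SAMPLE_ROWS, READONLY_USER))
    print(build_event(SAMPLE_ROWS, "Splunk alert: suspicious egress"))
```

Running the script prints the role problem for the read-only account and then the assembled event with three attributes (the empty `misp_ip_dst` in the second row is dropped). The same two checks are worth running against the actual alert's search results and the integration account before blaming the alert script itself.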