TA-thehive-cortex

[BUG] Splunk Alert with multiple rows/events leads to failure

Open marpoe opened this issue 9 months ago • 3 comments

Request Type

Bug

Work Environment

Problem Description

If my Splunk Alert consists of multiple events (rows) and the alert setting is set to "ES notable mode", the TA should create one TheHive Alert for each row.

Steps to Reproduce

  1. Create a Splunk Alert

     | _time | url |
     | --- | --- |
     | 2024-04-22 05:05:07 | www.test.com |
     | 2024-04-29 10:27:02 | www.test.com |
     | 2024-04-22 05:05:08 | www.test.com |
     | 2024-04-23 05:06:04 | www.test.com |

  2. Run the Alert with Alert mode "ES notable mode" (1 alert per row). I tested the same with "Alert action mode" without a unique field.

  3. Verify log output

error=CreateError - Alert alert:splunk:scheduler_cG9lbGxtcmtAc2NoYWVmZmxlci5jb20_c2NoYWVmZmxlcl9zb2M__RMD549035e33c4aa98f7_at_1714477620_73377_<xxxxxx> already exists in organisation Test" 

Possible Solutions

  • It looks like the "reference" field has to be unique. Is there something I've configured the wrong way?


marpoe avatar Apr 30 '24 12:04 marpoe

OK, something to add: I saw it must be unique based on reference, source & type, which can be filled based on the Splunk alert's data.

The display name of the link is cut off after some length, which leads to it being unique. The link is working correctly.

marpoe avatar Apr 30 '24 12:04 marpoe

Hello @marpoe, thank you for submitting your issue. In order to check first if we can make it work otherwise, could you add in your search something like `| eval unique=123456789` to get a new column in your result? Then run the custom alert action with the Alert Action mode and set the Unique ID field parameter to "unique". See if it's working like that first or not.

LetMeR00t avatar May 02 '24 03:05 LetMeR00t

Hello @LetMeR00t - Thank you for your reply.

As you suggested, I've created the following entries with my Splunk search:

| _time | unique | url |
| --- | --- | --- |
| 2024-04-29 10:27:02 | 123456789 | www.test.com |
| 2024-05-01 15:57:01 | 123456789 | www.test.com |
| 2024-04-23 05:06:04 | 123456789 | www.test.com |
| 2024-04-30 14:52:01 | 123456789 | www.test.com |

Alert setting: (screenshot)

Result Log:

error=CreateError - Alert alert:splunk:123456789 already exists in organisation xxxxx"

Result TheHive:


The "unique" value is used as the reference in TheHive. Because I'm using the same value for all 4 events, the creation fails. By ensuring a really unique value, everything works. No issue anymore in my opinion, just something to be aware of.

marpoe avatar May 02 '24 06:05 marpoe

Hello, I'm sorry for the late response. Did you figure out how to fix the issue or understand the root cause? If it is still relevant for you today, I can work on this during July 2024. Thank you.

LetMeR00t avatar Jun 29 '24 07:06 LetMeR00t

It's working by ensuring a unique value is present per row and the respective field name of this unique value is set in the alert action for "Unique ID field". No further action required, just something to be aware of. Thanks for your response & support!!

marpoe avatar Jul 01 '24 05:07 marpoe
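The thread above boils down to one rule: TheHive refuses to create a second alert whose `type`, `source` and `sourceRef` match an existing one in the organisation, and the TA fills `sourceRef` from the column named in "Unique ID field". A constant such as `| eval unique=123456789` therefore produces exactly one alert and a `CreateError ... already exists` for every further row. The following added example (not code from TA-thehive-cortex or TheHive) models that uniqueness check on the four constructed rows from the issue and shows the fix marpoe ended up with: derive the unique column from the row's own content. The alert type `alert` and source `splunk` are assumptions chosen only to mirror the `alert:splunk:<ref>` shape of the logged error; `simulate_thehive_create` is a hypothetical stand-in for the TheHive API, not its real implementation.

```python
import hashlib

# Constructed sample rows mirroring the issue's second search output:
# four distinct events, same url, and the constant "unique" column that
# `| eval unique=123456789` produces.
ROWS = [
    {"_time": "2024-04-29 10:27:02", "unique": "123456789", "url": "www.test.com"},
    {"_time": "2024-05-01 15:57:01", "unique": "123456789", "url": "www.test.com"},
    {"_time": "2024-04-23 05:06:04", "unique": "123456789", "url": "www.test.com"},
    {"_time": "2024-04-30 14:52:01", "unique": "123456789", "url": "www.test.com"},
]


def build_alerts(rows, unique_field, alert_type="alert", source="splunk"):
    """Turn Splunk result rows into alert payloads the way the TA's
    "Unique ID field" setting does: sourceRef is taken verbatim from the
    named column. alert_type/source are assumed values for this demo."""
    return [
        {"type": alert_type, "source": source,
         "sourceRef": str(row[unique_field]), "row": row}
        for row in rows
    ]


def alert_keys(alerts):
    """The tuple TheHive treats as the alert identity."""
    return [(a["type"], a["source"], a["sourceRef"]) for a in alerts]


def simulate_thehive_create(alerts, existing=()):
    """Hypothetical model of TheHive's create-alert rule: (type, source,
    sourceRef) must be unique per organisation. `existing` holds keys of
    alerts already stored from earlier runs. Returns (created, errors)."""
    seen = set(existing)
    created, errors = 0, []
    for a in alerts:
        key = (a["type"], a["source"], a["sourceRef"])
        if key in seen:
            errors.append(
                f"CreateError - Alert {key[0]}:{key[1]}:{key[2]} already exists")
            continue
        seen.add(key)
        created += 1
    return created, errors


def add_per_row_unique(rows, fields=("_time", "url")):
    """The fix: give every row a reference derived from its own content,
    so distinct events get distinct sourceRefs while a re-run of the same
    search reproduces the same reference (true duplicates still dedupe).
    This is what an SPL `| eval unique=sha256(...)` over the same fields
    would do inside the search itself."""
    out = []
    for row in rows:
        material = "|".join(str(row[f]) for f in fields)
        digest = hashlib.sha256(material.encode("utf-8")).hexdigest()
        out.append({**row, "unique": digest})
    return out


if __name__ == "__main__":
    # 1) constant unique value: one alert created, three CreateErrors
    created, errors = simulate_thehive_create(build_alerts(ROWS, "unique"))
    print(f"constant unique -> created={created}, errors={len(errors)}")
    for e in errors:
        print("  ", e)

    # 2) per-row unique value: all four alerts created
    fixed = build_alerts(add_per_row_unique(ROWS), "unique")
    created, errors = simulate_thehive_create(fixed)
    print(f"per-row unique  -> created={created}, errors={len(errors)}")

    # 3) re-running the same search later: all four correctly rejected as duplicates
    created, errors = simulate_thehive_create(fixed, existing=alert_keys(fixed))
    print(f"re-run          -> created={created}, errors={len(errors)}")
```

The practical takeaway for the alert definition: hash the fields that make an event distinct (here `_time` and `url`) into the column you name in "Unique ID field", for instance `| eval unique=sha256(_time."|".url)` in the search (a suggested SPL form, not taken from the issue), rather than a literal. Hashing only `url` would collapse the four rows into one reference again, and including a field that changes on every run would defeat TheHive's deduplication of genuine re-deliveries.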