Conflict with other apps authentication key

pbalsley
Path Finder

I installed the "Splunk Add-on for Microsoft Cloud Services" app and it broke the Sophos scripts from downloading logs.

I saw this error in the _internal index:

ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" ValueError: unknown url type: __REST_CREDENTIAL__#Splunk_TA_microsoft-cloudservices#configs/conf-splunk_ta_ms_o365_server_ucc_system_snapshot

I disabled the app and Sophos scripts worked again.

After digging, I found out that this app and others have their credentials global and not limited to their own app. A bit sloppy.

To fix this for the Sophos app, I added a check to make sure the returned data is from Sophos. So far it works great.

Edit both files "sophos_alerts.py" and "sophos_events.py"

```python
for i, c in entities.items():
    if "central.sophos.com" in c['realm']:  # <----- add this line
        return c['realm'], c['username'], c['clear_password']
raise Exception("No credentials have been found")
```

0 Karma
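A stricter form of the realm check from the post above, as an added example (not code from the Sophos app or from either poster): it parses the realm as a URL and compares the host name instead of testing for a substring, so another app's globally shared entry or a look-alike host is skipped. The function names, the sample entries and the assumption that the Sophos realm is an https URL are illustrative; only the `realm`, `username` and `clear_password` keys and the `__REST_CREDENTIAL__` realm come from the thread.

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "central.sophos.com"  # domain used in the check from the post


def realm_matches(realm, domain=EXPECTED_DOMAIN):
    """True only if realm is an https URL whose host is domain or a subdomain of it."""
    try:
        parts = urlsplit(realm or "")
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    return parts.scheme == "https" and (host == domain or host.endswith("." + domain))


def select_credential(entities, domain=EXPECTED_DOMAIN):
    """Return (realm, username, clear_password) for the single matching entry."""
    matches = [c for c in entities.values() if realm_matches(c.get("realm"), domain)]
    if not matches:
        raise LookupError("No credentials found for " + domain)
    if len(matches) > 1:
        # Refuse to guess when more than one stored entry claims the domain.
        raise LookupError("Multiple credentials found for " + domain)
    c = matches[0]
    return c["realm"], c["username"], c["clear_password"]


# Constructed sample of a credential listing that is visible across apps.
# The first realm is the one from the error message in the post; the
# URLs, usernames and passwords are made up for the example.
SAMPLE_ENTITIES = {
    "ms_cloud": {
        "realm": "__REST_CREDENTIAL__#Splunk_TA_microsoft-cloudservices#configs/"
                 "conf-splunk_ta_ms_o365_server_ucc_system_snapshot",
        "username": "example_o365", "clear_password": "constructed-1"},
    "lookalike": {
        "realm": "https://central.sophos.com.example.net/gateway",
        "username": "example_other", "clear_password": "constructed-2"},
    "sophos": {
        "realm": "https://api1.central.sophos.com/gateway",
        "username": "example_api_key", "clear_password": "constructed-3"},
}

if __name__ == "__main__":
    print(select_credential(SAMPLE_ENTITIES)[0])
```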

nickhills
Ultra Champion

Thanks for the note on this - you are correct!
I had overlooked this on 1.0.2, although my working copy has a fix.

I'll look to incorporate your suggestion too, as an additional control.

If my comment helps, please give it a thumbs up!
0 Karma