All Apps and Add-ons

Cybereason for Splunk - no data coming through, no errors in logs

chrispols
Engager

Hi,
I've done a clean Splunk Enterprise 7.1 install on CentOS 7 and Splunk itself is working correctly.

Following the instructions for installing Cybereason for Splunk to my existing Cybereason instance using credentials that I'm working on, there is no data being pulled in, and I can find no errors anywhere. Health dashboard just has no data. I have install the Input Add on as well as per instructions.

Any ideas if there is anything wrong? I can see the server contacting the Cybereason instance every 300 seconds as configured, but can't tell what it's pulling in (nothing if I believe what's in the index).

Is there a special CR user I need to be connecting with (API user?) or should any user be fine?

Any help would be great.
Thanks
Chris

0 Karma

chrispols
Engager

@pkellyz , my issue was the account I was using had MFA enabled. Once I used a non-api account with MFA disabled, it worked fine. So @timm747747 was correct for my issue.,@pkellyz, the problem I had was the user had MFA enabled. I had another non-api user account with no MFA and all worked perfectly fine. I haven't done anything with it since though.

pkellyz
Explorer

Thank you!

0 Karma

pkellyz
Explorer

@chrispols Did you even figure out what was going on with your Cybereason app for Slunk? If so, where did you receive assistance? I'm getting a bit of a runaround from Cybereason support and I'm at my wits end.

Mine was setup and working but stopped working. I assumed the most likely cause was a changed password on the user account used in the modular input. I created a dedicated API user in the Cybereason dashboard to prevent this from happening in the future and updated the creds in the app.

However I am getting an error in the logs:

message="unknown Exception No JSON object could be decoded:

I assumed this means the data being returned by the API isn't valid. CR support is telling me it's an authentication issue! (????)

Anything you can provide or suggest is appreciated.

timm747747
Path Finder

Any user should be fine as long as you don't have MFA setup for the user in CR. I have the IA setup on my HF, the App on my SH's and the TA on my indexers. I don't use the "api user".

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...