All Apps and Add-ons

Has anyone been able to configure TTP_Impersonation or TTP_Attachment?

nick405060
Motivator

Hi guys,

For the Mimecast TA, we have configured all eight of the inputs the exact same way. Six are ingesting. TTP_Impersonation and TTP_Attachment are not. Does anyone have any insights on how I can get these two to ingest? App version is 3.1.3 running on Splunk 7.2.0, Linux

rrustong
Explorer

I was able to get the TTP_Impersonation input working in my environment after a small modification to the python code. The original code has a POST payload to only grab events that are tagged as Malicious. I'm not sure what causes an Impersonation event to be tagged as malicious, but it does not seem that any of mine are, thus none are pulled into Splunk.

I commented out line 42 and removed the comma from line 41 in $SPLUNK_HOME/etc/apps/TA-mimecast-for-splunk/bin/mimecast/request/ttp_ip.py to result in this payload (lines 12 and 11 respectively in this code snippet):

        request_body = {
            'meta': {
                'pagination': {
                    'pageSize': 100
                },
                'accountCode': account_code
            },
            'data': [
                {
                    'from': start_time,
                    'to': end_time
                    #'taggedMalicious': True
                }
            ]
        }

This is for app version 3.1.3. Note that app upgrades will most likely break this "fix", so keep that in mind for upgrades down the road if implementing this change.

I do not have any TTP_Attachment policies currently set up, so I'm not sure what might be happening with that input.

0 Karma

nick405060
Motivator

This solution also looked promising, but I edited the file as you specified, rebooted, and it did not start ingesting TTP_Impersonation or TTP_Attachment. Additionally, it then gave me this error message regarding TTP_URL (which had previously been working fine):

Search peer 1SPL-INF01-DC1 has the following message: Unable to initialize modular input "mimecast_ttp_url" defined inside the app "TA-mimecast-for-splunk": Introspecting scheme=mimecast_ttp_url: script running failed (exited with code 1).
0 Karma

rrustong
Explorer

I'm not sure why editing the ttp_ip.py file would impact the TTP_Url input, it seems that you may have something else going wrong as well.

0 Karma

slincoln
New Member

I had the same issue. The fix for me was to switch the API endpoint of the last two from api.mimecast.com to us-api.mimecast.com. After this, both inputs started ingesting data.

0 Karma

nick405060
Motivator

Did not work for me. I was already on us-api; I tried switching to api.mimecast.com without any luck.

0 Karma

slincoln
New Member

I forgot to mention, I also set the intervals of the three TTP inputs different from one another by a minute or so, from the troubleshooting logs it looked like it was attempting too many connections at once and timing out.

0 Karma

nick405060
Motivator

Damn, was hopeful when I read this comment, but still no luck doing this

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...