We recently configured the new sentinelone:channel:application_management:risks sourcetype. After the initial bulk ingest of historic events, and a smaller, steadier number of events over subsequent days, the risk channel has stopped pulling in any new events.
It's been 8 days since any new events have come in from this channel. I've deleted and recreated the input a couple of times, adjusted the cron to every 5 minutes from every 12 hours and still nothing new is coming in.
I suspect there's an issue with the checkpoint, but have not found anything conclusive, and as we are a Splunk Cloud customer my ability to dig beyond the logs is limited. See screenshot below for most recent logs from the risk channel.
After further digging I have found the following:
2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread file="ModularInput.py" function="print_error" line_number="675" version="sentinelone_app_for_splunk.5.2.2b20240416" host=<redacted> sourcetype=sentinelone_app_for_splunk:error source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837 error_message="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_type="<class 'requests.exceptions.RetryError'>" error_arguments="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_filename="s1_client.py" error_line_number="365" input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"
@aplura_llc_supp could you take a look please.
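As an added check (not code from the thread or from the add-on itself): a small Python parser that reads the error line above, pulls the checkpoint out of the request URL and shows why nothing new arrives: every poll re-requests the same riskUpdatedDate__gte window, the API answers 500 on every retry, and the checkpoint therefore never advances. It assumes the log timestamp is UTC; the sample line is a copy of the one posted, with the duplicate error_arguments field dropped.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the error line from the post (hosts redacted as on the page,
# error_arguments omitted because it repeats error_message verbatim).
SAMPLE_LOG = (
    '2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread file="ModularInput.py" '
    'function="print_error" line_number="675" version="sentinelone_app_for_splunk.5.2.2b20240416" '
    'host=<redacted> sourcetype=sentinelone_app_for_splunk:error '
    'source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837 '
    'error_message="HTTPSConnectionPool(host=\'<redacted>\', port=443): Max retries exceeded with url: '
    '/web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 '
    '(Caused by ResponseError(\'too many 500 error responses\'))" '
    'error_type="<class \'requests.exceptions.RetryError\'>" error_filename="s1_client.py" '
    'error_line_number="365" input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"'
)

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Split a key=value log line into a dict, stripping surrounding double quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def diagnose(line):
    """Explain a stalled input from one error line: checkpoint, its age, and upstream status."""
    fields = parse_kv(line)
    msg = fields.get("error_message", "")
    url = re.search(r"url:\s*(\S+)", msg)
    parts = urlsplit(url.group(1) if url else "")
    # The add-on encodes its checkpoint as the riskUpdatedDate__gte query value (epoch ms).
    checkpoint_ms = int(parse_qs(parts.query).get("riskUpdatedDate__gte", ["0"])[0])
    checkpoint = datetime.fromtimestamp(checkpoint_ms / 1000, tz=timezone.utc)
    # Assumption: the log timestamp is in UTC (the post does not say which zone).
    logged_at = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    status = re.search(r"too many (\d{3}) error responses", msg)
    upstream_status = int(status.group(1)) if status else None
    retry_exhausted = "RetryError" in fields.get("error_type", "")
    return {
        "input_name": fields.get("input_name"),
        "endpoint": parts.path,
        "checkpoint_utc": checkpoint.isoformat(),
        "checkpoint_age_days": (logged_at - checkpoint).days,
        "upstream_status": upstream_status,
        "retry_exhausted": retry_exhausted,
        # 5xx on every retry means the API, not the input config, is what stops the checkpoint moving.
        "stalled_by_upstream": retry_exhausted and (upstream_status or 0) >= 500,
    }
```

For the posted line the checkpoint decodes to 2024-07-02 08:30:12 UTC, seven days before the error, which matches the gap in ingested events.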
Just a heads up, this add-on has been archived and a new version of it exists:
https://splunkbase.splunk.com/app/5435
That may be the issue. What is confusing is there aren't even any errors/warnings or anything in the logs. What search were you using, and does anything stand out, like a 404/401 error or anything?
That's my mistake, I had selected the wrong app when I made the post. I've now updated the OP to the correct app in question - https://splunkbase.splunk.com/app/5433
I'm confused myself, I'm not seeing anything that points to an API issue in the logs. The only thing is that this is a relatively new API endpoint for the app and may not have had all the kinks ironed out.