All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SentinelOne Application Risk channel stopped ingesting events

breakfixrepeat
Loves-to-Learn Lots
‎07-08-2024 01:31 AM

We recently configured the new sentinelone:channel:application_management:risks sourcetype and after the initial bulk ingest of historic events and a smaller and steadier number of events over subsequent days the risk channel has stopped pulling in any new events.

It's been 8 days since any new events have come in from this channel. I've deleted and recreated the input a couple of times, adjusted the cron to every 5 minutes from every 12 hours and still nothing new is coming in.

I suspect there's an issue with the checkpoint, but have not found anything conclusive, and as we are a Splunk Cloud customer my ability to dig beyond the logs is limited. See screenshot below for most recent logs from the risk channel.

sentinelone-risk-events.png

Labels (1)
Labels
0 Karma
Reply

breakfixrepeat
Loves-to-Learn Lots
‎07-09-2024 01:39 AM

After further digging I have found the following

2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread file="ModularInput.py" function="print_error" line_number="675" version="sentinelone_app_for_splunk.5.2.2b20240416" host=<redacted> sourcetype=sentinelone_app_for_splunk:error source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837  error_message="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_type="<class 'requests.exceptions.RetryError'>" error_arguments="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_filename="s1_client.py" error_line_number="365" input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"
0 Karma
Reply

breakfixrepeat
Loves-to-Learn Lots
‎07-08-2024 10:15 AM

@aplura_llc_supp  could you take a look please.

0 Karma
Reply

davidoff96
Path Finder
‎07-08-2024 09:43 AM

Just a heads up, this add-on has been archived and a new version of it exists:

https://splunkbase.splunk.com/app/5435

That may be the issue. What is confusing is there aren't even any errors/warnings or anything in the logs. What search where you using, and does anything stand out, like a 404/401 error or anything

0 Karma
Reply

breakfixrepeat
Loves-to-Learn Lots
‎07-08-2024 10:00 AM

That's my mistake, I had selected the wrong app when I made the post. I've now updated the OP to the correct app in question - https://splunkbase.splunk.com/app/5433

I'm confused myself, I'm not seeing anything that points to an api issue in the logs. The only thing is that this is a relatively new api endpoint for the app and may not have had all the kinks ironed out.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...