
SentinelOne Application Risk channel stopped ingesting events

breakfixrepeat
Loves-to-Learn Lots

We recently configured the new sentinelone:channel:application_management:risks sourcetype. After the initial bulk ingest of historic events, and a smaller and steadier number of events over subsequent days, the risk channel has stopped pulling in any new events.

It's been 8 days since any new events have come in from this channel. I've deleted and recreated the input a couple of times, adjusted the cron to every 5 minutes from every 12 hours and still nothing new is coming in.

I suspect there's an issue with the checkpoint, but have not found anything conclusive, and as we are a Splunk Cloud customer my ability to dig beyond the logs is limited. See screenshot below for most recent logs from the risk channel.

[Screenshot: sentinelone-risk-events.png]


breakfixrepeat
Loves-to-Learn Lots

After further digging I have found the following:

2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread file="ModularInput.py" function="print_error" line_number="675" version="sentinelone_app_for_splunk.5.2.2b20240416" host=<redacted> sourcetype=sentinelone_app_for_splunk:error source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837  error_message="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_type="<class 'requests.exceptions.RetryError'>" error_arguments="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_filename="s1_client.py" error_line_number="365" input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"
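As an added example (not code from the add-on or from anyone in this thread), here is a small Python parser for the error line above. It pulls the riskUpdatedDate__gte value out of the failing request URL, decodes it from epoch milliseconds, and reports how far behind the log timestamp it sits, which is the kind of check to run when a checkpoint is suspected of being stuck. It assumes the log timestamp is UTC and that the riskUpdatedDate__gte parameter reflects the input's stored checkpoint.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the add-on error line quoted in the post, trimmed to the fields used here.
SAMPLE_LOG = (
    '2024-07-09 08:31:23,330 log_level=ERROR file="ModularInput.py" '
    'sourcetype=sentinelone_app_for_splunk:error '
    "error_message=\"HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded "
    "with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000"
    "&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))\" "
    "error_type=\"<class 'requests.exceptions.RetryError'>\" input_name=\"cves\""
)

# key=value pairs as the add-on writes them: values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
CHECKPOINT_RE = re.compile(r"riskUpdatedDate__gte=(\d+)")


def parse_log_line(line):
    """Return (timestamp, fields) for one line; the timestamp is assumed to be UTC."""
    ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=timezone.utc)
    fields = {}
    for key, value in KV_RE.findall(line[23:]):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return ts, fields


def checkpoint_from_message(message):
    """Decode the epoch-millisecond riskUpdatedDate__gte value from the failing request URL."""
    m = CHECKPOINT_RE.search(message)
    return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc) if m else None


def diagnose(line, stale_after_days=1.0):
    """Summarise one error line: which input, where its checkpoint sits, and why it failed."""
    ts, f = parse_log_line(line)
    msg = f.get("error_message", "")
    cp = checkpoint_from_message(msg)
    stale_days = (ts - cp).total_seconds() / 86400 if cp else None
    return {
        "input": f.get("input_name"),
        "checkpoint": cp,
        "stale_days": stale_days,
        # A checkpoint far behind the log time means the input keeps retrying the same window.
        "stalled": stale_days is not None and stale_days > stale_after_days,
        # The add-on gave up after repeated HTTP 500s from the SentinelOne API, not a 401/404.
        "upstream_5xx": "too many 500 error responses" in msg,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample line this reports a checkpoint of 2024-07-02 08:30:12 UTC, about seven days behind the 2024-07-09 log entry, with the failure caused by repeated 500 responses from the API rather than an authentication or not-found error.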

breakfixrepeat
Loves-to-Learn Lots

@aplura_llc_supp could you take a look, please.


davidoff96
Path Finder

Just a heads up, this add-on has been archived and a new version of it exists:

https://splunkbase.splunk.com/app/5435

That may be the issue. What is confusing is there aren't even any errors/warnings or anything in the logs. What search were you using, and does anything stand out, like a 404/401 error or anything?


breakfixrepeat
Loves-to-Learn Lots

That's my mistake, I had selected the wrong app when I made the post. I've now updated the OP to the correct app in question - https://splunkbase.splunk.com/app/5433

I'm confused myself; I'm not seeing anything that points to an API issue in the logs. The only thing is that this is a relatively new API endpoint for the app and may not have had all the kinks ironed out.
