
iSight Partners ThreatScape app not receiving any data

Path Finder

I have installed the iSight Partners ThreatScape app in Splunk (latest version), however I am not getting any data for the app.
The app has been installed correctly, as I can see the indexes the app has created. I have also set the correct API keys and selected all the feeds I need.
I thought it may be a proxy issue, however the host is able to connect to api.isightpartners.com without an issue.
The app has now been installed for more than a day and the index remains empty. Is there any way to 'debug' an app or view app-specific logs?

0 Karma

Re: iSight Partners ThreatScape app not receiving any data

Path Finder

Worth mentioning that my Splunk instance is running on Windows (dev instance).

0 Karma

Re: iSight Partners ThreatScape app not receiving any data

Path Finder

I think I tracked down the error in the logs, which appears to be:
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_indicators.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_indicators.py 15"
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_iocs.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_iocs.py 15"
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_vulnerabilities.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_vulnerabilities.py 15"

Those scripts it's trying to launch are located in the splunkhome\etc\apps\iSIGHTPartnersThreatScape_App\bin

I have registered the paths using Splunk's envars command/batch script.

0 Karma

Re: iSight Partners ThreatScape app not receiving any data

Path Finder

Got it working by changing the script path in inputs.conf (app specific) to [script://$SPLUNK_HOME\etc\apps\iSIGHTPartnersThreatScape_App\bin\fetch_indicators.py 15]


0 Karma
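
To answer the "view app-specific logs" question in a repeatable way, here is an added example (not part of the original thread and not the app's own code) that scans splunkd.log text for the two error types quoted above and lists every scripted input that was rejected, so an empty threat-intel index is traced to its cause rather than discovered by chance. The function name and the sample lines are assumptions constructed for illustration; the message formats are those shown in the thread.

```python
import re

# Constructed sample, in the format of the splunkd.log lines quoted in the thread.
SAMPLE_LOG = r'''04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_indicators.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_indicators.py 15"
04-04-2017 12:33:05.530 +0100 INFO  ExampleComponent - unrelated line (constructed)
04-04-2017 12:34:05.101 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_vulnerabilities.py 15"
'''

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<msg>.*)$')
# Message shapes taken from the two error types shown in the thread.
PATTERNS = {
    "FrameworkUtils": re.compile(
        r'^Incorrect path to script: (?P<path>.+?)\. Script must be located'),
    # Script path = text up to the first ".ext" followed by arguments or the quote.
    "ExecProcessor": re.compile(
        r'^Ignoring: "(?P<path>.+?\.\w+)(?:\s[^"]*)?"$'),
}

def rejected_scripted_inputs(log_text):
    """Map each rejected script path to its error count, first timestamp and
    whether the path is relative (the condition the thread's fix removes)."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue
        pattern = PATTERNS.get(m["component"])
        hit = pattern.match(m["msg"]) if pattern else None
        if not hit:
            continue
        path = hit["path"]
        # Absolute if it starts with a drive letter, a (back)slash or a $VARIABLE.
        relative = not re.match(r'^(?:[A-Za-z]:|[\\/]|\$)', path)
        entry = found.setdefault(
            path, {"count": 0, "first_seen": m["ts"], "relative": relative})
        entry["count"] += 1
    return found

if __name__ == "__main__":
    for path, info in rejected_scripted_inputs(SAMPLE_LOG).items():
        kind = "relative" if info["relative"] else "absolute"
        print(f'{info["first_seen"]}  {path}  ({kind}, {info["count"]} errors)')
```

Feed it the contents of splunkd.log; any entry flagged as relative is a candidate for the inputs.conf change described in the last post.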