
SentinelOne Applications Channel No Longer Populating Events

ericnewman
Explorer

We've been collecting data with the inputs add-on (Input Add On for SentinelOne App For Splunk) for several years now. The applications channel has always been a bit problematic, with the collection process running for several days, but now we haven't seen any data since Monday, February 19th around 5:00 PM. It's February 22nd and we generally see applications data every day.

We started seeing errors on February 16th:

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="223" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

And we have seen a few errors since then:

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="188" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="188" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

After noting the following in the release notes:

Improvements
...
-- Applications input uses a new S1 API endpoint to reduce load on ingest.

we upgraded the add-on from version 5.19 to version 5.20.

Now we're seeing the following messages in sentinelone-modularinput.log:

2024-02-22 13:40:02,171 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="630" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=saving_checkpoint msg='not saving checkpoint in case there was a communication error' start=1708026001000 items_found=0 channel=applications
2024-02-22 13:40:01,526 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="599" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=calling_applications_channel status=start start=1708026001000 start_length=13 start_type=<class 'str'> end=1708630801000 end_length=13 end_type=<class 'str'> checkpoint=1708026001.525169 channel=applications
2024-02-22 13:40:01,526 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="580" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=got_checkpoint checkpoint={'last_execution': 1708026001.525169} channel=applications last_execution=1708026001.525169
2024-02-22 13:40:01,525 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="565" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=got_checkpoint checkpoint={'last_execution': 1708026001.525169} channel=applications type=<class 'dict'>

It appears that the input is running but we're not seeing any events. We also noted the following in the documentation for version 5.2.0:

sourcetype                          SentinelOne API                        Description
...
sentinelone:channel:applications    web/api/v2.1/installed-applications    Deprecated

Does this mean that the input has been deprecated?

If so, what does the statement "Applications input uses a new S1 API endpoint to reduce load on ingest." in the release notes mean? And why is the Applications channel still an option when creating inputs through the Splunk UI?

Any information you can provide on the application channel would be greatly appreciated.
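A health check over the add-on's own log, added here as an example (not code from the add-on, from SentinelOne or from anyone in this thread): it parses the key=value lines quoted above and flags a channel that keeps logging items_found=0 with an unsaved checkpoint, which is what a silent Applications channel looks like before anyone notices the dashboard gap. The 2024-02-21 line and the healthy "threats" channel in the sample are constructed, and the quoted lines are abridged.

```python
"""Health check over sentinelone-modularinput.log lines (added example, not the add-on's
code): flag channels with consecutive zero-item runs that saved no checkpoint, tally errors."""
import re
from collections import Counter, defaultdict

# key=value tokens; values may be double-quoted, single-quoted or bare.
KV_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")

def parse_kv(line):
    """Return the key=value fields of one log line as a dict of strings."""
    return {k: dq or sq or bare for k, dq, sq, bare in KV_RE.findall(line)}

def channel_health(lines, zero_run_threshold=2):
    """Lines are processed oldest-first; a channel is 'stalled' after
    zero_run_threshold consecutive zero-item runs that saved no checkpoint."""
    zero_runs, errors = Counter(), defaultdict(Counter)
    for line in lines:
        f = parse_kv(line)
        chan = f.get("channel") or f.get("input_name", "").lower()
        if not chan:
            continue
        if "error_type" in f:
            errors[chan][f["error_type"]] += 1
        if f.get("action") == "saving_checkpoint":
            if f.get("items_found") == "0" and "not saving" in f.get("msg", ""):
                zero_runs[chan] += 1
            else:
                zero_runs[chan] = 0  # a completed save resets the streak
    return {c: {"stalled": zero_runs[c] >= zero_run_threshold,
                "zero_item_runs": zero_runs[c], "errors": dict(errors[c])}
            for c in set(zero_runs) | set(errors)}

# Sample input, oldest first: abridged from the thread's lines (2024-02-21 date constructed), plus a constructed 'threats' run.
SAMPLE_LOG = [
    'error_message="cannot unpack non-iterable NoneType object" error_type="<class \'TypeError\'>" '
    'error_filename="s1_client.py" error_line_number="500" input_name="Applications"',
    "error_message=\"[{'code': 5000010, 'detail': 'Server could not process the request.'}]\" "
    "error_type=\"<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>\" input_name=\"Applications\"",
    "2024-02-21 13:40:02,171 log_level=WARNING action=saving_checkpoint items_found=0 "
    "msg='not saving checkpoint in case there was a communication error' channel=applications",
    "2024-02-22 13:40:02,171 log_level=WARNING action=saving_checkpoint items_found=0 "
    "msg='not saving checkpoint in case there was a communication error' channel=applications",
    "2024-02-22 13:41:00,000 log_level=INFO action=saving_checkpoint items_found=37 "
    "msg='checkpoint saved' channel=threats",
]

if __name__ == "__main__":
    for chan, report in sorted(channel_health(SAMPLE_LOG).items()):
        print(chan, report)
```

Feed it the real log in chronological order (the thread's excerpt is newest-first) and alert on any channel reported as stalled.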



mstanton
Observer

We started seeing this recently as well. Also, the various S1 Splunk integrations do not understand or permit having the IA and App on the same instance, so Victoria Experience doesn't work properly. This is also the case for the various Scalyr DataSet add-ons: you cannot create inputs because it complains about being on a search head.
