Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SentinelOne Applications Channel No Longer Populating Events

ericnewman
Explorer
‎02-22-2024 01:40 PM

We've been collecting data with the inputs add-on (Input Add On for SentinelOne App For Splunk) for several years now.  The applications channel has always been a bit problematic with the collection process running for several days but now we haven't seen any data since Monday February 19th around 5:00 PM. It's February 22nd and we generally see applications data every day.

We started seeing errors on February 16th

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="223" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

And have seen a few errors since then

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="188" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'>" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="188" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"

After noting the following in the release notes

Improvements
...
-- Applications input uses a new S1 API endpoint to reduce load on ingest.

we upgraded the add-on from version 5.19 to version 5.20.

Now we're seeing the following messages in the sentinelone-modularinput.log

2024-02-22 13:40:02,171 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="630" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=saving_checkpoint msg='not saving checkpoint in case there was a communication error' start=1708026001000 items_found=0 channel=applications
2024-02-22 13:40:01,526 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="599" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=calling_applications_channel status=start start=1708026001000 start_length=13 start_type=<class 'str'> end=1708630801000 end_length=13 end_type=<class 'str'> checkpoint=1708026001.525169 channel=applications
2024-02-22 13:40:01,526 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="580" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=got_checkpoint checkpoint={'last_execution': 1708026001.525169} channel=applications last_execution=1708026001.525169
2024-02-22 13:40:01,525 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="565" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=got_checkpoint checkpoint={'last_execution': 1708026001.525169} channel=applications type=<class 'dict'>

It appears that the input is running but we're not seeing any events.  We also noted the following in the documentation for version 5.2.0.

sourcetypeSentinelOne APIDescription
...  
sentinelone:channel:applicationsweb/api/v2.1/installed-applicationsDeprecated
sentinelone:channel:applicationsweb/api/v2.1/installed-applicationsDeprecated

Does this mean that the input has been deprecated?

If so, what does the statement "Applications input uses a new S1 API endpoint to reduce load on ingest." in the release notes mean?  And why is the Applications channel still an option when creating inputs through the Splunk IU?

Any information you can provide on the application channel would be greatly appreciated.

__PRESENT

Input Add On for SentinelOne App For Splunk
Thumbnail of Input Add On for SentinelOne App For Splunk
Input Add On for SentinelOne App For Splunk
View in Splunkbase
Labels (3)
0 Karma
Reply

mstanton
Observer
‎11-21-2024 08:07 AM

We started seeing this recently as well.  Also the various S1 Splunk integrations do not understand or permit having the IA and App on the same instance so Victoria experience doesn't work properly.  This is also the case for the various scalyr dataset add ons, cannot create inputs because it complains about being on a search head.

 

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...