Installation

Having trouble with SSL Certificates while trying to integrate Trellix with Splunk

Berfomet96
Explorer

Hello everyone, I hope you guys can help me figure this out since I've been thinking a lot about it since yesterday.

I'm by no means an expert in Splunk. However, I've been tasked with integrating Trellix EDR log files into Splunk. I found an app in the splunkbase site (https://splunkbase.splunk.com/app/6480) that could be the answer to my task. I installed the app in the heavy forwarder as I have done before while integrating Rapid 7 logs and followed the brief guide provided by the author of the guide.

However, this is where the problems start. After I configured input settings, I didn't receive a single log file. I checked the logs and found out that the problem had something to do with SSL Certificates.

ERROR pid=7210 tid=MainThread file=base_modinput.py:log_error:309 | Error in input_module_trellix_edr_input.get_threats() - line 127 : HTTPSConnectionPool(host='api.soc.us-east-1.mcafee.com', port=443): Max retries exceeded with url: /ft/api/v2/ft/threats?sort=-lastDetected&filter=%7B%22severities%22:%20%5B%22s0%22,%20%22s1%22,%20%22s2%22,%20%22s3%22,%20%22s4%22,%20%22s5%22%5D,%20%22scoreRange%22:%20%5B30%5D%7D&from=1686690509938&limit=10000&skip=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))

I immediately started googling that error and found out that it was probably an outdated SSL Certificate. Thing is, when I connected to the heavy forwarder through SSH and tried to update the python SSL Certificates through pip I found out that you couldn't do that in a splunk server. I found a workaround that implied that I could somehow disable the SSL check; I spent hours looking at the most suspicious .py files but couldn't find where that check was made (it also didn't help that I know next to nothing of python). I also tried playing with the settings of the input, trying out different regions, etc., but it was all for naught. Ultimately, I started thinking that it was a problem caused by outdated SSL Certificates hardcoded in the app (don't really know if that's possible).

I ended up deciding to contact support. It was at that time that I noticed that this app wasn't supported by Splunk and that I had to contact the developer of the app if I wanted any kind of support. I did some research on mister "Martin Ohl" and found out that he no longer works at Trellix (no wonder why the app never had an update). I went to Trellix's support page and couldn't find a support email so I started dwelling in their support and FAQ web. I could not find any single post or hint about a possible integration with any SIEM, not just Splunk.

So I thought that posting my case in the Splunk Community Forums was my best bet. I'd appreciate any hint, insight or even an anecdote about a similar case. If anyone has managed to integrate Trellix into Splunk, it'd be a lot of help if you could share your experience. Or even if someone knows how to deal with the SSL Certificates thing.

I'll be uploading a pdf file with more detail about the error log I received. Thanks in advance.

0 Karma
1 Solution

PavelP
Motivator

Hello @Berfomet96 

Double-check that your system has both an issuing CA and a mcafee (=trellix) CA:

you can download them here:

USERTrust RSA Certification Authority https://ssl-tools.net/subjects/cd30d24c343a82ab1f0570158ad7a107762992e9 

McAfee OV SSL CA 2: https://ssl-tools.net/subjects/f9e20cf9be7fd75c16fbd6144aca78546e526e06 

Google for "add trusted ca certificates linux" to find step-by-step instructions depending on your linux distro.


0 Karma

VatsalJagani
SplunkTrust

@Berfomet96 - Ask the generic support for Trellix to provide their public cert for API.

Once they provide it, someone in the Splunk community will be able to help you find where in the Python code of the App to make changes and where to put the certificate inside the App.

I hope this helps!!! Consider upvoting!!

0 Karma
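The two answers above come down to the same check: does the trust store that this Python process uses contain the CA that issued the API server's certificate? The following is an added example for this thread, not code from the Trellix EDR Splunkbase app, and it does not modify the app. It parses the error line quoted in the question to name the OpenSSL reason, sanity-checks a PEM bundle before it is installed (a bundle with a missing END marker never loads and gives no error), and builds an SSL context that trusts an extra CA bundle on top of the system store, which is the fix the answers describe, as opposed to the "disable the check" workaround. The `probe_issuer` helper and the names `SAMPLE_LOG_LINE`, `VERIFY_REASONS`, `diagnose_verify_error`, `count_pem_certs`, `build_verified_context` and `context_is_strict` are all this example's own; the sample log line is a trimmed copy of the one in the question.

```python
"""Triage helpers for the CERTIFICATE_VERIFY_FAILED error in this thread.

Added example; not part of the Splunkbase app. Runs offline except probe_issuer().
"""
import re
import socket
import ssl
from typing import Optional

# Trimmed copy of the error line from the question (query string shortened).
SAMPLE_LOG_LINE = (
    "HTTPSConnectionPool(host='api.soc.us-east-1.mcafee.com', port=443): "
    "Max retries exceeded with url: /ft/api/v2/ft/threats (Caused by "
    "SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] "
    "certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))"
)

# OpenSSL verify reasons as they appear in the error text, mapped to the
# client-side meaning. Both OpenSSL 1.x and 3.x spellings of "self signed" are listed.
VERIFY_REASONS = {
    "unable to get local issuer certificate":
        "the trust store this Python uses lacks a CA from the server's chain "
        "(root or intermediate); add that CA to the bundle, do not disable verification",
    "certificate has expired":
        "the server or a CA certificate is past its notAfter date; fix is on the server side",
    "self signed certificate in certificate chain":
        "the chain ends in a root the client does not trust; add it only if it is your own CA",
    "self-signed certificate in certificate chain":
        "the chain ends in a root the client does not trust; add it only if it is your own CA",
    "Hostname mismatch":
        "the certificate was not issued for the host being contacted; check the API host setting",
}

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def diagnose_verify_error(log_line: str) -> dict:
    """Pull host, port and the OpenSSL reason out of a urllib3-style error line."""
    host = re.search(r"host='([^']+)'", log_line)
    port = re.search(r"port=(\d+)", log_line)
    reason = next((r for r in VERIFY_REASONS if r in log_line), None)
    return {
        "host": host.group(1) if host else None,
        "port": int(port.group(1)) if port else None,
        "reason": reason,
        "cause": VERIFY_REASONS.get(
            reason, "unrecognised reason; inspect the served chain with openssl s_client -showcerts"),
    }


def count_pem_certs(bundle_text: str) -> int:
    """Count complete PEM certificate blocks; raise on a truncated paste."""
    begins = bundle_text.count(PEM_BEGIN)
    ends = bundle_text.count(PEM_END)
    if begins != ends:
        raise ValueError(f"unbalanced PEM markers: {begins} BEGIN vs {ends} END")
    return begins


def build_verified_context(extra_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """System trust store + CERT_REQUIRED + hostname check, plus an optional extra bundle.

    load_verify_locations() adds to the already-loaded CAs; it does not replace
    the system store, so the extra bundle only needs the missing issuer(s).
    """
    ctx = ssl.create_default_context()
    if extra_ca_bundle:
        ctx.load_verify_locations(cafile=extra_ca_bundle)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context still fails closed on an unknown issuer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe_issuer(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> dict:
    """Network check: complete a verified handshake and return the peer's issuer.

    Raises ssl.SSLCertVerificationError with the same reason text as the log line
    when the bundle is still incomplete, so the result is unambiguous.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(x[0] for x in tls.getpeercert()["issuer"])


if __name__ == "__main__":
    finding = diagnose_verify_error(SAMPLE_LOG_LINE)
    print(f"{finding['host']}:{finding['port']} -> {finding['reason']}")
    print("  cause:", finding["cause"])
    print("strict default context:", context_is_strict(build_verified_context()))
```

Run it once with `build_verified_context()` and once with `build_verified_context("/path/to/extra-cas.pem")` against the API host from the log line: if the first raises "unable to get local issuer certificate" and the second returns an issuer, the bundle contains the CA the answers point to and the same bundle is what the input needs to trust. If the input uses the `requests` library, pointing its `verify=` argument (or the `REQUESTS_CA_BUNDLE` environment variable) at that bundle is the equivalent change; the system trust store is not consulted by `requests` unless `verify` points at it.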