Aplura Checking In! I was able to reproduce on Splunk Cloud 10.x. It looks to be a problem with missing package components due to upgrade of the UA Parsing package. Upgrades of the TA would work, but not net-new installs. I'm working to fix it up, should have a new build out "this month". I'll triple confirm working on Splunk Cloud 10 prior to release 😄 FYI -> Job Inspector -> search.log has the "missing modules" notifications and small stacktrace.  Thanks for letting us know! ... View more

Hello! 1. What version of Splunk are you using (Cloud or Enterprise and version number), and what version of the App? 2. Do you have multiple apps installed? TA/App/IA ?    These will help pin point the issue. This is a Python import error, but the files should all be there. In the latest version, that variable is only found in "bin/vmware_cbc_api_test_conn.py", which tests the connection to VMWare CBC. That variable is in turn imported from "lib/cbc_sdk/__init__.py". This tells me there is a possible library import issue. Note: Only 1 (ONE) of TA/App/IA should be installed on a server. Do not install TA and IA, the IA contains all the TA information. ... View more

Good Salutations! That error is indicating that credentials cannot be found. It can typically happen when there are multiple SentinelOne Apps installed on the same instance (App, IA, TA).  If there is more than one installed, remove the ones not for that tier (App => SearchHeads, IA=> HF/IDM, TA=>IDX). These should be fully removed, "rm rf" if you will, not just disabled. Removed.  Once removed, re-configure the app and try again.  Thanks! ... View more

@CyberESIArch:: @bowesmana is correct. Update both the macro and eventtype sentinelone_base_index for searching/typing/tagging to take place correctly. The setting in sentinelone_settings.conf is used to drive the dropdown (and not have to parse the eventtype or macro). It has "the authority" of what is supposed to be configured. You can contact S1 and initiate a feature update request to allow multiple indexes in the dropdown. ... View more

Hello! I know this is an older post, but, I just tried the latest version of getwatchlist in Splunk Cloud, and your query works as expected now. Thanks! ... View more

We are working on a release for Cloud. Stay tuned, thanks! ... View more

Those two specifically are NOT designed to avoid the ingest of similar data over time. They were designed as a "pull all each time" to account for finding "missing" or other similar types of searches that require the entire data set of agents each time.  I have entered an issue into the project to investigate what can be done at those scales for the applications endpoint. I'm not sure we can do anything without S1 changing endpoint supports, but we will take a look and try. You should be able to up the bulk_import_limit to 2,000,000 and see if that helps pull in the data and get it all. Additionally, it is multi-threaded. If you have a sufficiently beefy HF, find the bin/s1_client.py file in the app root.  Update line line 186 per below p = mp.Pool(10) CHANGE IT TO p = mp.Pool(50) This will increase the amount of available threads to the paginator, and you should see an increase in ingest.  Keep increasing it as you see fit, and document it was changed. On an app upgrade, it will be overwritten. We cannot make that configurable, as it might violate Splunk Cloud requirements. ... View more

So  the Agents and Applications are non-timestamp aware data ingest, by design. Agents might be running more than 1 hour, causing a backup, but should not run for days. Adjust your interval to 86400 for both agents and applications and see if it calms down and doesn't duplicate the data. Applications API doesn't support time: https://usea1-partners.sentinelone.net/api-doc/api-details?category=agents&api=applications Agents can support time, but the design was not to. This allows for lookup building for other data, even if the agents have been created or updated past the checkpoint time. https://usea1-partners.sentinelone.net/api-doc/api-details?category=agents&api=get-agents Threats should be time-aware, and "respect" the checkpoint. ... View more

Good afternoon @guarisma ! Unfortunately, the "rank" field is deprecated in version 2.1 of the SentinelOne API. v5.1.X of the Splunk Integration uses v2.1 of the API, hence the discrepancy. Please direct further questions to SentinelOne support for follow up. Thank you! ... View more

@nickmdps  Apologies for the delay. That app (DA-ESS-cbresponse) is deprecated. Please use https://splunkbase.splunk.com/app/5624/ . Thanks! ... View more

@robayersApologies for the delay, but that should be fixed in the latest release. Thanks! ... View more

Yes, it is. We are currently in the process of upgrading for Python 3 and Splunk 8. No exact timeframe yet . Thanks! ... View more

Each application (authentication, network traffic, etc...) has a README.md that contains the documentation for the application. ... View more

Thank you for the suggestion. I can add it as an improvement. ... View more

Version 3.0.5 is not available for download via Cloud. The apps have since been upgraded to v3.0.9 and are allowed for Splunk Cloud. Thanks! ... View more

@andreibanaru v1.1.1 was released to fix that bug. Thanks. ... View more

Please try v1.1.x. The excessive memory usage can occur when pulling very large datasets on a first run. It's a race condition, ie can't pull all the events, so can't write out the checkpoint because it fails. Then trys to pull all the events again... and so we go. v1.1.x addresses this. Curious: Do you have the Netskope for Web product? ... View more

This bug is also present in v1.1.0, so it will be fixed in v1.1.1. ... View more

v1.1.0 and v1.0.5 do contain this bug. The macro behind the dropdown was reconfigured, but this dropdown was missed. Look for a new maintenance release to fix this. The app will also change from "Host Input" to something more clear, as it was intended to be the source Netskope tenant. The macro should be changed to: [netskope_configured_inputs] definition = tstats count where sourcetype=netskope:* by host | fields host Thanks! ... View more

@andreibanaru What is the version you are using? ... View more