Summary
process_event() in all three alert action helpers always returns 0 (success), regardless of whether the OpenCTI API calls succeeded or failed. When register() or send_stix_bundle() throws an exception, the error is logged but create_incident() returns None, and process_event() still returns 0.
This means Splunk's sendmodalert framework always reports a clean exit, making it impossible for users to detect alert action failures through Splunk's built-in alert status monitoring.
Affected Files
TA-opencti-add-on/bin/ta_opencti_add_on/modalert_opencti_create_incident_helper.py
TA-opencti-add-on/bin/ta_opencti_add_on/modalert_opencti_create_incident_response_helper.py
TA-opencti-add-on/bin/ta_opencti_add_on/modalert_opencti_create_sighting_helper.py
Current Behavior
```python
def create_incident(helper, event):
    ...
    try:
        splunk_app_connector.send_stix_bundle(bundle=bundle)
    except Exception as ex:
        helper.log_error(f"...")
        return  # ← returns None (failure swallowed)


def process_event(helper, *args, **kwargs):
    ...
    for event in events:
        create_incident(helper, event)
    return 0  # ← always success
```
Expected Behavior
process_event() should track failures and return a non-zero exit code if any event failed:
```python
import json


def process_event(helper, *args, **kwargs):
    helper.set_log_level(helper.log_level)
    helper.log_info("Alert action create_incident started.")
    errors = 0
    events = helper.get_events()
    for event in events:
        helper.log_debug("event={}".format(json.dumps(event)))
        try:
            create_incident(helper, event)
        except Exception:
            # create_incident() must propagate the failure for this to count it
            errors += 1
    if errors > 0:
        helper.log_error(f"{errors} of {len(events)} events failed")
        return 1
    return 0
```
This would also require create_incident() to re-raise or propagate exceptions instead of swallowing them.
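An added, runnable illustration of both halves of this issue, not code from the add-on itself: the current swallow-and-return-0 pattern next to the propagate-and-count fix, exercised against stand-in `FakeHelper` and `FakeConnector` objects whose shapes are assumed for the example rather than taken from Splunk's or OpenCTI's real APIs.

```python
# Added illustration, not the add-on's own code: the swallowed-exception pattern beside
# the proposed fix, using stand-in helper/connector objects (assumed shapes) to run offline.
class FakeHelper:  # stand-in for Splunk's modular-alert helper (assumed shape)
    def __init__(self, events):
        self._events = events
        self.errors = []  # captured log_error() messages
    def get_events(self):
        return self._events
    def log_error(self, msg):
        self.errors.append(msg)


class FakeConnector:  # stand-in for the OpenCTI connector (assumed shape)
    def send_stix_bundle(self, bundle):  # raises for events flagged "fail"
        if bundle.get("fail"):
            raise RuntimeError("OpenCTI API rejected bundle")


def create_incident_swallowing(helper, connector, event):
    # Current behaviour: the error is logged, then None is returned.
    try:
        connector.send_stix_bundle(bundle=event)
    except Exception as ex:
        helper.log_error(f"send_stix_bundle failed: {ex}")
        return


def process_event_current(helper, connector):
    for event in helper.get_events():
        create_incident_swallowing(helper, connector, event)
    return 0  # always success, even when every bundle failed


def create_incident_propagating(helper, connector, event):
    # Proposed behaviour: log, then re-raise so the caller can count the failure.
    try:
        connector.send_stix_bundle(bundle=event)
    except Exception as ex:
        helper.log_error(f"send_stix_bundle failed: {ex}")
        raise


def process_event_fixed(helper, connector):
    events = helper.get_events()
    errors = 0
    for event in events:
        try:
            create_incident_propagating(helper, connector, event)
        except Exception:
            errors += 1
    if errors > 0:
        helper.log_error(f"{errors} of {len(events)} events failed")
        return 1
    return 0
```

With one good and one failing event, `process_event_current` still returns 0 while `process_event_fixed` returns 1 and logs "1 of 2 events failed", which is the exit status sendmodalert needs to surface the failure.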
Impact
Users have no way to detect that alert actions are silently failing. Splunk's Triggered Alerts page shows "success" even when nothing was created in OpenCTI. This was observed in a customer escalation (ref: OCTI1-3113).