Qradar search from offense ID

5. RE: Qradar search from offense ID

Like

Posted Wed December 11, 2019 08:43 AM
Edited by System Admin Thu November 11, 2021 11:15 AM

Sorry, we were executing more than one query... wasn't taking on account. Here is the whole log.

2019-12-11 13:04:08,961 INFO [actions_component] Event: <qradar_search[] (id=203, workflow=s21_qradar_events_search_using_offense_id, user=user@company.com) 2019-12-11 13:04:08.635000> Channel: functions.qradar_search

2019-12-11 13:04:08,963 DEBUG [client] Received heart-beat

2019-12-11 13:04:09,065 DEBUG [decorators] decorated

2019-12-11 13:04:09,173 DEBUG [actions_component] Task: <function _call_the_task at 0x7fa940f16b18>

2019-12-11 13:04:09,176 DEBUG [decorators] Thread-3: _call_the_task

2019-12-11 13:04:09,178 INFO [qradar_search] qradar_query: SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES

2019-12-11 13:04:09,179 INFO [qradar_search] qradar_query_param1: DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, DOMAINNAME(domainid), QIDNAME(qid), STR(sourceip), STR(destinationip), STR(sourceport), STR(destinationport), CATEGORYNAME(category), STR(magnitude), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), UTF8(payload), RULENAME(creeventlist)

2019-12-11 13:04:09,180 INFO [qradar_search] qradar_query_param2: 38783

2019-12-11 13:04:09,180 INFO [qradar_search] qradar_query_param3: 18000

2019-12-11 13:04:09,181 INFO [qradar_search] qradar_query_param4: None

2019-12-11 13:04:09,182 INFO [qradar_search] qradar_query_param5: None

2019-12-11 13:04:09,183 INFO [qradar_search] qradar_query_range_start: 0

2019-12-11 13:04:09,183 INFO [qradar_search] qradar_query_range_end: 5

2019-12-11 13:04:09,184 DEBUG [qradar_search] Connection to 172.31.4.206 using user

2019-12-11 13:04:09,185 INFO [qradar_search] Running query: SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, DOMAINNAME(domainid), QIDNAME(qid), STR(sourceip), STR(destinationip), STR(sourceport), STR(destinationport), CATEGORYNAME(category), STR(magnitude), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), UTF8(payload), RULENAME(creeventlist) FROM events WHERE INOFFENSE(38783) LAST 18000 MINUTES

2019-12-11 13:04:09,186 INFO [decorators] [qradar_search] StatusMessage: starting...

2019-12-11 13:05:44,030 ERROR [qradar_search] 'ascii' codec can't encode character u'\xf3' in position 894: ordinal not in range(128)

2019-12-11 13:05:44,112 ERROR [actions_component] <task[functionworker] (<function _call_the_task at 0x7fa940f16b18>, <qradar_search[functions.qradar_search] (id=203,
workflow=s21_qradar_events_search_using_offense_id, user=user@company.com) 2019-12-11 13:04:08.635000> qradar_query={u'content': u'SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES', u'format': u'text'}, qradar_query_range_end=5, qradar_query_range_start=0, qradar_query_param3=u'18000', qradar_query_param2=u'38783', qradar_query_param1=u"DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, DOMAINNAME(domainid), QIDNAME(qid), STR(sourceip), STR(destinationip), STR(sourceport), STR(destinationport), CATEGORYNAME(category), STR(magnitude), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), UTF8(payload), RULENAME(creeventlist)")> (<class 'resilient_circuits.action_message.FunctionException_'>):

Traceback (most recent call last):

File "/usr/lib/python2.7/site-packages/fn_qradar_integration/components/qradar_search.py", line 83, in _qradar_search_function

timeout=timeout)

File "/usr/lib/python2.7/site-packages/fn_qradar_integration/util/qradar_utils.py", line 253, in ariel_search

response = ariel_search.perform_search(query)

File "/usr/lib/python2.7/site-packages/fn_qradar_integration/util/SearchWaitCommand.py", line 114, in perform_search

result = self.get_search_result(search_id)

File "/usr/lib/python2.7/site-packages/fn_qradar_integration/util/qradar_utils.py", line 165, in get_search_result

events = function_utils.fix_dict_value(events)

File "/usr/lib/python2.7/site-packages/fn_qradar_integration/util/function_utils.py", line 39, in fix_dict_value

event[key] = str(event[key])

UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3' in position 894: ordinal not in range(128)

Original Message

6. RE: Qradar search from offense ID

Like

Yongjian Feng

Posted Wed December 11, 2019 10:10 AM

This is something else. This time it looks like the function integration has trouble to handle some unicode or something.

When the function was developed, we took a short cut. We need to display the events we get back from QRadar in a datatable, so we need to convert any non-string object in the event dictionary into str. The short cut we took has trouble to handle a non-string object that contains some unicode content.

A jira ticket will be created to track this issue.

Thanks,

Yongjian

------------------------------
Yongjian Feng
------------------------------

Original Message

Original Message:
Sent: Wed December 11, 2019 08:42 AM
From: Aitor Vivanco Sata Cruz
Subject: Qradar search from offense ID