IBM Security QRadar SOAR

Since the introduction of the Python3 scripting engine in QRadar SOAR, the utility and practicality of the existing Python2 scripting engine has diminished. The reasons to develop and migrate your scripts to Python3 are numerous, including increased package support and a more robust Python environment for your script logic.

But now the imperative to migrate your Python2 scripts is upon us. IBM QRadar SOAR V49 (expected in Q2 2023) will no longer run Python2 scripts. The good news is: converting your existing scripts to Python3 is straightforward. This article will provide guidance on the conversation effort and offer a few hints about where Python2 logic needs to be modified.

Scripts

Thankfully, it's easy to identify which scripts are running Python2. Navigate to the Scripts tab under Customizations Settings. The list view shows which scripts are running Python2.

Workflows and Playbooks

Unfortunately, there is no easy way to determine which workflows or playbooks with function pre-processing and post-processing scripts are running Python2. This review will need to be performed manually by accessing each function and reviewing the scripting engine used. Again, changing the language to Python3 in most cases will be the only change you'll need to make.

Conversion Hints

There are a few language differences to be aware of. I have not encountered a lot of differences. But here are a few to review.

java.util.Date

This java package is used in scripts to get the current date and time either as an epoch value such as 1679755201000 or in string format, such as 'Fri 24 14:38:16 GMT 2023'. In either case, this package does not exist in Python3 and will need to be changed to either the Python time or datetime packages. Below are a few examples of the equivalent logic:

Producing the current epoch value in Python2:

import java.util.Date as Date
now = Date()

Or

now = Date().getTime()

Or

now = Date().time

Should become:

from time import time
now = int(time()*1000) # milliseconds

Note the multiplication by 1000 to produce the equivalent epoch value in milliseconds.

Producing a string representation of the current date and time is possible using datetime as follows:

from datetime import datetime
now = datetime.now().strftime("%Y-%m-%d %H:%M:%S") # '2023-03-24 11:28:34'

Converting a string representation of a date and time to epoch value is possible as follows:

start_time = int(datetime.strptime("2023-03-25 14:00:20", "%Y-%m-%d %H:%M:%S").strftime('%s'))*1000 # epoch in milliseconds

iteritems

The iteritems() method provides the ability to iterate over a dictionary using a syntax such as:

for k, v in results['content'].iteritems():

This syntax should be changed to items() for Python3:

for k, v in results[‘content’].items():

print

The syntax for the print state changed in Python3 to conform to all other functions, using parenthesis to enclose arguments.

This syntax:

print 'something'

Should be changed to:

print('something') # new syntax with parenthesis

The print statement is largely unused in workflow/playbook scripts. In general, if you're using print for debugging, use the log.info() or log.debug() statements instead.

unicode

One of the biggest differences between Python2 and 3 is the way strings and unicode strings are handled. In Python2, one needed to specifically identify unicode strings using the u' ' prefix. And string and unicode variable concatenation was not possible. 

In Python3, all strings are unicode. So there's no need to distinguish between unicode strings and normal strings. Luckily, Python3 accepts strings using the u' ' prefix and ignores its interpretation. 

However, the unicode function:

unicode_str = unicode(’something’)

will need to be removed:

unicode_str = 'somthing' # removed unicode conversion

Syntax such as this: