IBM QRadar SOAR


Release Of The New Python 3 Scripting Engine

By Ryan Gordon posted Fri December 18, 2020 11:18 AM


Overview

The v38.2 release of Resilient SOAR includes the new Python 3 scripting feature, which enables security developers to create Python 3 scripts as part of an incident or case response right in the UI. Scripting in Resilient is not new: until now, developers could write scripts using our Python 2 scripting engine. On 1 January 2020, Python 2 officially reached end-of-life. The Resilient implementation of Python 2 is based on a technology called Jython, which does remain supported; however, the need arose for a more modern runtime to execute scripts.

The newly released Python 3 scripting runtime is designed to expose everything that is available in our Python 2 implementation, as well as some new capabilities, which are discussed throughout this post.

Functionality

Native Unicode Support

You no longer need to (nor are you able to) use the unicode() builtin.
Note: If you intend to use the unicode name in scripts that must run under both Python 2 and 3, consider simply mapping unicode to str:

unicode = str                 # on Python 3, str is already a Unicode text type
unicode("Test" + "test")      # now works on both runtimes and returns 'Testtest'

Support for importing more modules

One of the biggest improvements introduced by the new Python 3 runtime is the ability to import more modules during script invocation. Previously only two modules were exposed in the Python 2 implementation: re and java.util.Date. Import restrictions do still remain; these are covered in the restrictions section. In addition, the Python 3 scripting runtime maintains a list of modules which have been approved for import in a script.

Supported Modules:

  • json
  • datetime
  • beautifulsoup
  • xml
  • collections
  • html2txt

For a full list visit the knowledge centre

Runtime Restrictions

There are different categories of restrictions enforced on the runtime to minimize the potential for it to be used as a vector in an attack. The mechanisms used to implement the runtime restrictions have been vetted by the IBM Ethical Hacking team during an internal pentesting session.

  • Script module importation restrictions: Specific modules are approved and prohibited for use
  • Environment restrictions: No network access or access to the file or operating system

The following are additional restrictions which are configurable:

  • Time restrictions: 5 seconds per script invocation
  • Script length restrictions: 50000 lines per script
  • Script memory restrictions: 64MB per script invocation
  • Parallel scripts restrictions: 20 scripts limit on parallel execution

Custom exception classes are raised when one of these restrictions is breached: a ResilientSecurityException when a script attempts to import a restricted module, a ResilientExecutionLimitException when the script exceeds either the line limit or the time restriction, and a ResilientMemoryLimitException when the script exceeds the memory limit.
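To make the import allowlist, the line and time budgets and the named exceptions concrete, here is an added illustration written for this post; it is not the Resilient/QRadar SOAR runtime's code, and the mechanism (an import hook plus a trace function) is an assumption used only to show how such limits surface to a script author. The approved-module set is a small sample of the list above.

```python
import builtins
import sys
import time
# Constructed illustration of the post's restriction model (import allowlist, line and
# time budgets, named exceptions); an assumption, not the Resilient/QRadar SOAR runtime.
APPROVED_MODULES = {"json", "datetime", "collections", "re", "xml"}
LINE_LIMIT, TIME_LIMIT_SECONDS = 50000, 5.0  # per-invocation limits quoted in the post
SCRIPT_NAME = "<user-script>"
class ResilientSecurityException(Exception):
    """Raised when a script imports a module that is not approved."""
class ResilientExecutionLimitException(Exception):
    """Raised when a script exceeds its line or time budget."""

def run_restricted(source, line_limit=LINE_LIMIT, time_limit=TIME_LIMIT_SECONDS):
    """Run `source` under the allowlist and budgets; return user lines executed."""
    real_import, old_trace = builtins.__import__, sys.gettrace()
    state = {"lines": 0, "start": time.monotonic()}

    def guarded_import(name, globals=None, *args, **kwargs):
        # Check only imports made by the user script or bare __import__() calls (globals None).
        if globals is None or globals.get("__name__") == SCRIPT_NAME:
            if name.split(".")[0] not in APPROVED_MODULES:
                raise ResilientSecurityException("import of %r is not permitted" % name)
        return real_import(name, globals, *args, **kwargs)
    def tracer(frame, event, arg):
        if frame.f_code.co_filename != SCRIPT_NAME:
            return None  # lines executed inside imported modules are not counted
        if event == "line" and frame.f_lineno >= 1:
            state["lines"] += 1
            if state["lines"] > line_limit:
                raise ResilientExecutionLimitException("line limit exceeded")
            if time.monotonic() - state["start"] > time_limit:
                raise ResilientExecutionLimitException("time limit exceeded")
        return tracer

    builtins.__import__ = guarded_import
    sys.settrace(tracer)
    try:
        exec(compile(source, SCRIPT_NAME, "exec"), {"__builtins__": builtins, "__name__": SCRIPT_NAME})
    finally:
        sys.settrace(old_trace)
        builtins.__import__ = real_import
    return state["lines"]

def run_and_classify(source):
    """Return 'ok', or the name of the restriction exception that stopped the script."""
    try:
        run_restricted(source)
        return "ok"
    except (ResilientSecurityException, ResilientExecutionLimitException) as exc:
        return type(exc).__name__
```

This toy covers only the import and budget mechanisms; the environment restrictions listed above (no network, file or operating-system access) need controls outside the interpreter, which is why the product's runtime was reviewed as a whole rather than just its Python layer.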

Experience

Differentiation between python 2 and 3 scripts

Improved Logging and Debugging information

The UI script result window, the logs and the modals shown for rules now include a stack trace that has been modified to hide file system locations while still giving a trace of the issue to help track down the source of an exception. Exception tracebacks in the Python 3 runtime include a reference to where the error happened in the script, as well as a trace of the calls which led to the error.

Logging for the scripting service now includes more statistics for each script invocation, such as the time the script took to run, the CPU time used by the script, the RAM used by the script and the number of lines executed by the script. The last statistic excludes lines executed in modules, to better track how much of the user-defined script was executed.

Repository of sample scripts

Provided on our public GitHub organisation is a revamped resilient-scripts repository. This revamp includes scripting examples for the new Python 3 scripting feature, showing how to use the new capabilities.

Visit the example script repository for some examples to get started.

In-product scripting UI updates, help and examples

Python 2 is currently still supported by in-product scripting, and while Python 3 is now the default for new scripts, it remains possible to use Python 2 and to change the type between 2 and 3 at will. Scripts created in either Python 2 or 3 now coexist on the Scripts page and are differentiated by a newly exposed UI column which shows the script's language. Additionally, a help link is exposed on the Scripts page which links to the repository of sample scripts referenced above.

The Script Language for a script can be updated from the script editor page when editing a script; a dropdown select option is exposed for the Language field in the script editor.

Getting started with in-product scripting in either Python 2 or 3 requires some knowledge of how the feature represents an incident or a task using context objects. The knowledge centre is where much of the Resilient and Cloud Pak for Security information is stored, including resources on the in-product scripting feature itself, the scripting context objects and their exposed methods. The Scripts page in the customization settings now includes a link to the knowledge centre with a focus on in-product scripting information.

Conclusion

The new Python 3 scripting runtime enables security developers to use a more modern and supported version of Python as part of their response plan. As of v38.2 you should be able to avail of the Python 3 scripting option when you create a new script or edit an existing one.

Special Thanks to Bastian Graebener for his help in preparing the blog.


Comments

Thu March 18, 2021 05:23 AM

Note: Python 3 is not available in CP4S and should be in the Q3 or Q4 2021 CP4S release.