IBM Security QRadar SOAR

  • 1.  Windows Credentials Manager Key Integration

    Posted Mon January 27, 2020 03:22 PM
    I am trying to install a Windows session of Resilient-Circuits to test some integrations I am building. I got everything installed and was able to connect to the server when the password was in clear text. I attempted to change this to use the Windows Credentials Manager Key Vault, and was able to get it added, but now that I did that, when I attempt to run circuits I get an Unauthorized when it is attempting to access the stored key (below is the log). Has anyone hit this wall and figured out why this may be unauthorized even though I was able to put it in as the same user?

    Thanks!

    2020-01-27 15:08:58,253 INFO [filelock] Lock 2006373846880 released on C:\Users\Administrator\.resilient\resilient_circuits_lockfile
    Traceback (most recent call last):
      File "C:\Python37\Scripts\resilient-circuits-script.py", line 11, in <module>
        load_entry_point('resilient-circuits==35.0.203', 'console_scripts', 'resilient-circuits')()
      File "c:\python37\lib\site-packages\resilient_circuits\bin\resilient_circuits_cmd.py", line 669, in main
        config_file=args.config_file)
      File "c:\python37\lib\site-packages\resilient_circuits\bin\resilient_circuits_cmd.py", line 90, in run
        app.run(**kwargs)
      File "c:\python37\lib\site-packages\resilient_circuits\app.py", line 333, in run
        application = App(*args, **kwargs)
      File "c:\python37\lib\site-packages\resilient_circuits\app.py", line 181, in __init__
        self.do_initialization()
      File "c:\python37\lib\site-packages\resilient_circuits\app.py", line 207, in do_initialization
        self.action_component = Actions(self.opts)
      File "c:\python37\lib\site-packages\resilient_circuits\actions_component.py", line 262, in __init__
        super(Actions, self).__init__(opts)
      File "c:\python37\lib\site-packages\resilient_circuits\actions_component.py", line 88, in __init__
        self._get_fields()
      File "c:\python37\lib\site-packages\resilient_circuits\actions_component.py", line 140, in _get_fields
        client = self.rest_client()
      File "c:\python37\lib\site-packages\resilient_circuits\actions_component.py", line 163, in rest_client
        return get_resilient_client(self.opts)
      File "c:\python37\lib\site-packages\resilient_circuits\rest_helper.py", line 40, in get_resilient_client
        resilient_client = resilient.get_client(opts)
      File "c:\python37\lib\site-packages\resilient\co3.py", line 163, in get_client
        api_key_secret=opts["api_key_secret"])
      File "c:\python37\lib\site-packages\resilient\co3base.py", line 162, in set_api_key
        BasicHTTPException.raise_if_error(response)
      File "c:\python37\lib\site-packages\resilient\co3base.py", line 62, in raise_if_error
        raise BasicHTTPException(response)
    resilient.co3base.BasicHTTPException: Unauthorized:

    ------------------------------
    Nick Mumaw
    ------------------------------


  • 2.  RE: Windows Credentials Manager Key Integration

    Posted Tue January 28, 2020 08:22 AM
    Hi Nick

    Are you running resilient-circuits from the same account that you ran res-keyring to store the credentials?

    In a command window what is the output from this command:
    keyring --list-backends

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Windows Credentials Manager Key Integration

    Posted Tue January 28, 2020 12:16 PM
    Yes. I haven't left the CMD instance that I installed, set the res-key, and attempted to run resilient-circuits.

    ------------------------------
    Nick Mumaw
    ------------------------------



  • 4.  RE: Windows Credentials Manager Key Integration

    Posted Thu January 30, 2020 12:06 PM
    Hi Nick,

    Can you post the output of this command:

    keyring --list-backends

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: Windows Credentials Manager Key Integration

    Posted Mon February 24, 2020 01:04 PM
    I apologize for the serious delay. Here is the output of what you requested.

    C:\Windows\system32>keyring --list-backends
    keyring.backends.chainer.ChainerBackend (priority: 0)
    keyring.backends.fail.Keyring (priority: 0)
    keyring.backends.Windows.WinVaultKeyring (priority: 5)

    ------------------------------
    Nick Mumaw
    ------------------------------



  • 6.  RE: Windows Credentials Manager Key Integration
    Best Answer

    Posted Mon February 24, 2020 03:24 PM
    Hi Nick,

    That output looks correct for running on Windows.

    Just checking the steps that you have taken:

    Do you have api_key_secret defined in app.config something like this:
    api_key_secret=^my_key_secret

    You have run res-keyring and it prompts you to enter the value for:
    api_key_secret: ^my_key_secret

    At the cmd prompt execute: resilient-circuits run

    And then you get the Unauthorized: message?

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------
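
An added example, not part of the original thread and not IBM's code: a check for the state the steps in post 6 describe, listing `^name` references in app.config that the keyring backend cannot resolve and secret-looking keys that still hold literal values. The per-section keyring service name (`service_for`), the key-name hints and the sample config are assumptions, not taken from the page.

```python
import configparser
import sys

SECRET_HINTS = ("password", "secret", "token")  # key-name heuristics (assumption)

def service_for(section):
    # Assumption: [resilient] secrets live under service "_", other
    # sections under their own name. Adjust if your install differs.
    return "_" if section == "resilient" else section

def audit_config(text, lookup):
    """Return (missing, literal) for an app.config body.

    missing: (section, key, name) for ^name references lookup() cannot resolve.
    literal: (section, key) for secret-looking keys whose value is not a ^ reference.
    lookup(service, name) returns the stored value or None.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    missing, literal = [], []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value.startswith("^") and len(value) > 1:
                if not lookup(service_for(section), value[1:]):
                    missing.append((section, key, value[1:]))
            elif any(h in key for h in SECRET_HINTS):
                literal.append((section, key))
    return missing, literal

# Constructed sample, not a real configuration.
SAMPLE = """\
[resilient]
host=soar.example.com
api_key_id=constructed-id
api_key_secret=^my_key_secret

[fn_demo]
demo_password=constructed-literal
demo_token=^demo_token
"""
SAMPLE_STORE = {("_", "my_key_secret"): "constructed-secret"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import keyring  # real backend, e.g. WinVaultKeyring on Windows
        with open(sys.argv[1]) as fh:
            result = audit_config(fh.read(), keyring.get_password)
    else:
        result = audit_config(SAMPLE, lambda s, n: SAMPLE_STORE.get((s, n)))
    print("unresolved ^ references:", result[0])
    print("literal secret values:", result[1])
```

Run it with the path to app.config as the only argument, from the same account that runs resilient-circuits; it reports names only and never prints stored values.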



  • 7.  RE: Windows Credentials Manager Key Integration

    Posted Tue February 25, 2020 09:35 AM
    I don't know if this was the problem all along (probably since I didn't really change anything), but embarrassingly enough I ran res-keyring (I want to say again, but maybe not) and after setting the password I ran it again and it is working just fine.

    Thanks for the help!

    ------------------------------
    Nick Mumaw
    ------------------------------



  • 8.  RE: Windows Credentials Manager Key Integration

    Posted Tue February 25, 2020 09:46 AM
    Great...Glad to hear it now works!

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------