IBM Security QRadar SOAR

  • 1.  fn_elasticsearch 1.0.7 does not work

    Posted Tue July 06, 2021 06:44 AM
    Hello all

    We tried to install fn_elasticsearch (latest version, 1.0.7) on Apphost. After we filled in the config file with our data, we launched a sample workflow on an Artifact.


    By looking at the log file, we currently have this error (401):

    2021-07-06 10:33:42,741 DEBUG [connectionpool] Starting new HTTP connection (1): host:port
    2021-07-06 10:33:42,751 DEBUG [connectionpool] http://host:port "GET / HTTP/1.1" 401 177
    2021-07-06 10:33:42,752 WARNING [base] GET http://host:port/ [status:401 request:0.011s]
    2021-07-06 10:33:42,752 DEBUG [base] > None
    2021-07-06 10:33:42,752 DEBUG [base] < {"error":{"root_cause":[{"reason":"Forbidden by ***","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Forbidden by ***","due_to":["OPERATION_NOT_ALLOWED"],"status":401}}
    2021-07-06 10:33:42,846 ERROR [actions_component] Traceback (most recent call last):
    File "/opt/app-root/lib/python3.6/site-packages/resilient_circuits/actions_component.py", line 75, in _on_task
    yield result.get()
    File "/usr/lib64/python3.6/multiprocessing/pool.py", line 644, in get
    raise self._value
    File "/usr/lib64/python3.6/multiprocessing/pool.py", line 119, in worker
    result = (True, func(*args, **kwds))
    File "/opt/app-root/lib/python3.6/site-packages/resilient_circuits/decorators.py", line 100, in _call_the_task
    raise val
    resilient_circuits.action_message.FunctionException_: 
    Traceback (most recent call last):
    File "/opt/app-root/lib/python3.6/site-packages/fn_elasticsearch/components/fn_elasticsearch_query.py", line 121, in _fn_elasticsearch_query_function
    es_instance_info = es.info()
    File "/opt/app-root/lib/python3.6/site-packages/elasticsearch/client/utils.py", line 152, in _wrapped
    return func(*args, params=params, headers=headers, **kwargs)
    File "/opt/app-root/lib/python3.6/site-packages/elasticsearch/client/__init__.py", line 286, in info
    "GET", "/", params=params, headers=headers
    File "/opt/app-root/lib/python3.6/site-packages/elasticsearch/transport.py", line 415, in perform_request
    raise e
    File "/opt/app-root/lib/python3.6/site-packages/elasticsearch/transport.py", line 388, in perform_request
    timeout=timeout,
    File "/opt/app-root/lib/python3.6/site-packages/elasticsearch/connection/http_requests.py", line 204, in perform_request
    self._raise_error(response.status_code, raw_data)
    File "/opt/app-root/lib/python3.6/site-packages/elasticsearch/connection/base.py", line 323, in _raise_error
    status_code, error_message, additional_info
    elasticsearch.exceptions.AuthenticationException: AuthenticationException(401, {'root_cause': [{'reason': 'Forb*** 'due_to': ['OPERATION_NOT_ALLOWED']}], 'reason': 'Forb*** 'due_to': ['OPERATION_NOT_ALLOWED'], 'status': 401}, 'Forbidden by ***')

    In a previous version of fn_elasticsearch, using the same parameters in app.config, all was ok.
    Also, from a log of the previous version, we noted that the host URL was composed differently:

    2021-07-06 11:33:47,620 DEBUG [connectionpool] http://host:port "GET /es_index_key/_search HTTP/1.1" 200 528
    2021-07-06 11:33:47,621 INFO [base] GET http://host:port/es_index_key/_search [status:200 request:0.034s]

    Here we have the full URL with port, es_index included, while in the new Elasticsearch version there is only the URL and port.

    Is it possible that the new function is bugged from this point of view?

    Thanks

    ------------------------------
    Lucian Sipos
    ------------------------------


  • 2.  RE: fn_elasticsearch 1.0.7 does not work

    Posted Wed July 07, 2021 01:58 AM
    Hi Lucian,

    Two things to try:
    1. In the app.config file replace the 13th string with "cafile = false"
    2. What permissions are granted to the API key from the 11th string? Try to set it to "all permissions". Maybe you have faced the issue due to a lack of permissions for the API key?

    BR,
    Alexander.

    ------------------------------
    Alexander Saulenko
    ------------------------------
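The traceback in the first post shows that 1.0.7 fails inside es.info(), i.e. on GET / against the cluster root, before any search is attempted, whereas the earlier version's log only ever shows GET /es_index_key/_search; the second post asks whether the API key's permissions are the cause. The following probe, an added example and not code from the thread, from the fn_elasticsearch app or from IBM, sends both requests with the same credentials so the two cases can be told apart: a credential that is rejected outright fails on both paths, while a key or access-control rule scoped to one index passes the search and is blocked on the root. The host, index and credentials are placeholders; the "ApiKey base64(id:key)" header scheme is Elasticsearch's own, and the sample 401 body is copied from the log above.

```python
"""Probe an Elasticsearch endpoint on the two paths the thread shows:
GET /            (what es.info() in fn_elasticsearch 1.0.7 calls first)
GET /<index>/_search  (the only path the older version's log shows)
Same credentials on both; compare the verdicts."""
import base64
import json
import urllib.error
import urllib.request

# Response body taken from the 401 line in the thread's log.
SAMPLE_401_BODY = (
    '{"error":{"root_cause":[{"reason":"Forbidden by ***",'
    '"due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Forbidden by ***",'
    '"due_to":["OPERATION_NOT_ALLOWED"],"status":401}}'
)


def auth_header(api_key_id=None, api_key=None, user=None, password=None):
    """Build the Authorization value: Elasticsearch accepts
    'ApiKey base64(id:key)' for API keys, or standard HTTP Basic."""
    if api_key_id and api_key:
        token = base64.b64encode(f"{api_key_id}:{api_key}".encode()).decode()
        return f"ApiKey {token}"
    if user and password:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return f"Basic {token}"
    return None


def classify(status, body):
    """Turn an HTTP status plus body into a one-line diagnosis."""
    reason = ""
    try:  # bodies may be empty, non-JSON, or have a string 'error'
        reason = json.loads(body).get("error", {}).get("reason", "")
    except (ValueError, AttributeError):
        pass
    if status == 200:
        return "ok"
    if status == 401 and "OPERATION_NOT_ALLOWED" in body:
        # The thread's case: the request reached an access-control layer
        # that refuses this operation, rather than a plain bad credential.
        return "blocked by access-control rule: " + reason
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "forbidden: " + reason
    return f"unexpected status {status}"


def http_get(url, headers):
    """GET url with urllib; return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url, index, auth_value, getter=None):
    """Run both requests and return {path: diagnosis}.
    'getter' lets a test inject a fake transport (hypothetical parameter)."""
    getter = getter or http_get
    headers = {"Accept": "application/json"}
    if auth_value:
        headers["Authorization"] = auth_value
    results = {}
    for path in ("/", f"/{index}/_search?size=0"):
        status, body = getter(base_url.rstrip("/") + path, headers)
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    import sys
    # usage: python probe_es.py http://host:port es_index_key [user password]
    url, idx = sys.argv[1], sys.argv[2]
    auth = auth_header(user=sys.argv[3], password=sys.argv[4]) if len(sys.argv) > 4 else None
    for path, verdict in probe(url, idx, auth).items():
        print(f"{path:40s} {verdict}")
```

If the root returns the OPERATION_NOT_ALLOWED body while the index search returns 200, the credentials are fine and the 1.0.7 regression is simply that the new version needs cluster-level access for es.info(); if both paths fail with "credentials rejected", the key itself is wrong.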



  • 3.  RE: fn_elasticsearch 1.0.7 does not work

    Posted Wed July 07, 2021 03:29 AM
    Hi Alexander

    I did what you said but the results (logs) are the same.
    Can someone confirm that version 1.0.7 works for them? Even not on Apphost but on simple circuits.

    Thanks

    ------------------------------
    Lucian Sipos
    ------------------------------