IBM Security QRadar SOAR

  • 1.  Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Thu August 19, 2021 01:58 PM
    I have an email-message-based script that we are cutting over from python2 to the python3 code. I copied the Generic email script (App Exchange v2.2.0) and made modifications to meet our needs. When I run the script against a sample email in our dev environment I get the following message:

    Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    I placed log.debug() statements throughout the file and none of them drop output into the debug console. I've checked those incident fields and they are both marked as optional. I do note, however, that they are mandatory arguments in calling certain functions, but this script to my knowledge does not call any functions in SOAR.

    ------------------------------
    Tyler Bennett
    ------------------------------


  • 2.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Fri August 20, 2021 07:29 AM
    I don't think the issue is running a Function because the error message above says 'Error Running Script'. 

    Is this error message coming if you run the script interactively or by taking an action on an Incident or other action in the UI?

    Additional information may show up in the /usr/share/co3/logs/client.log file that sheds light on the cause of the issue.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Fri August 20, 2021 10:42 AM

    Right now it's all in development. When I modified our rule to call the new python3 script instead of the python2 script, nothing happens. So I went to the script and manually ran the script against the email id in the inbox.

    When viewing the client.log I only get a long backtrace which doesn't mean much to me.

    10:37:39.697 [http-nio-443-exec-10] INFO  [] com.co3.web.rest.Co3ExceptionMapperBase - Mapping exception to REST
    com.co3.domain.exceptions.FieldsRequiredException: The following fields are required: 'cs_client_id','cs_cloud_url'
        at com.resilient.workflow.command.ExecuteFunctionCommand.validateRequiredInputs(ExecuteFunctionCommand.java:217)
        at com.resilient.workflow.command.ExecuteFunctionCommand.getInputs(ExecuteFunctionCommand.java:140)
        at com.resilient.workflow.command.ExecuteFunctionCommand.lambda$doExecute$1(ExecuteFunctionCommand.java:89)
        at com.resilient.workflow.command.ExecuteFunctionCommand$$Lambda$997/0x00000000b464a2b0.get(Unknown Source)
        at com.resilient.workflow.command.SendMessageOnCommitHelper.actionProcessingFinished(SendMessageOnCommitHelper.java:57)
        at sun.reflect.GeneratedMethodAccessor2189.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.google.common.eventbus.Subscriber.invokeSubscriberMethod(Subscriber.java:87)
        at com.google.common.eventbus.Subscriber$SynchronizedSubscriber.invokeSubscriberMethod(Subscriber.java:144)
        at com.google.common.eventbus.Subscriber$1.run(Subscriber.java:72)
        at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
        at com.google.common.eventbus.Subscriber.dispatchEvent(Subscriber.java:67)
        at com.google.common.eventbus.Dispatcher$PerThreadQueuedDispatcher.dispatch(Dispatcher.java:108)
        at com.google.common.eventbus.EventBus.post(EventBus.java:212)
        at com.ibm.resilient.common.event.Co3EventBus.post(Co3EventBus.java:30)
        at com.co3.tracking.ActionRunner.runActions(ActionRunner.java:24)
        at com.co3.web.rest.ActionFilter.filter(ActionFilter.java:19)
        at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1494)
        at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
        at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
        at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
        at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
        at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:286)
        at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:276)
        at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:181)
        at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
        at com.co3.json.serialize.OutputFormatServletFilter.doFilter(OutputFormatServletFilter.java:132)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.co3.web.servlet.Co3ServletFilterBase.handleAuthenticatedRequests(Co3ServletFilterBase.java:390)
        at com.co3.web.servlet.Co3ServletFilterBase.doFilterImpl(Co3ServletFilterBase.java:355)
        at com.co3.web.servlet.Co3ServletFilterBase.lambda$doFilterWithRetry$4(Co3ServletFilterBase.java:303)
        at com.co3.web.servlet.Co3ServletFilterBase$$Lambda$652/0x00000000ac180cb0.run(Unknown Source)
        at net.jodah.failsafe.Functions$10.call(Functions.java:252)
        at net.jodah.failsafe.SyncFailsafe.call(SyncFailsafe.java:145)
        at net.jodah.failsafe.SyncFailsafe.run(SyncFailsafe.java:81)
        at com.co3.web.servlet.Co3ServletFilterBase.doFilterWithRetry(Co3ServletFilterBase.java:303)
        at com.co3.web.servlet.Co3ServletFilterBase.doFilter(Co3ServletFilterBase.java:277)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.co3.web.filter.DbQueryLoggerFilter.doFilter(DbQueryLoggerFilter.java:32)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.co3.web.filter.HttpFilter.doFilter(HttpFilter.java:38)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.co3.web.filter.PreprocessRequestFilter.doFilter(PreprocessRequestFilter.java:41)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120)
        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:135)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
        at com.co3.tomcat.valves.RequestAccessLogValve.invoke(RequestAccessLogValve.java:80)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:772)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1782)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1741)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:822)
    


    ------------------------------
    Tyler Bennett
    ------------------------------



  • 4.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Fri August 20, 2021 05:19 PM
    OK. I was wrong. The error is coming while trying to run a Function:

     at com.resilient.workflow.command.ExecuteFunctionCommand.validateRequiredInputs(ExecuteFunctionCommand.java:217)

    It looks like a workflow is running on the incident created from the email parsing script. That incident is starting a workflow. The workflow must set the inputs for the function. Take a look at how the workflow sets the input fields for the Function. Most likely it is using a script to do that from some properties on the incident. For some reason those properties aren't on the incident.

    If you don't want the workflow to run on the incident then modify the workflow or Rule that is starting the workflow.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
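
    The reading of the backtrace described in the reply above, as an added example that is not part of the original thread or of IBM's tooling: it scans client.log text for FieldsRequiredException and reports the missing fields and the first vendor frame. The function name `triage`, the package-prefix list and the trimmed sample are assumptions taken from the excerpt posted earlier.

```python
import re

# Patterns follow the layout of the client.log excerpt quoted in this thread.
EXC_RE = re.compile(r"^\s*(?P<cls>[\w.$]+Exception): (?P<msg>.*)$")
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w.$/]+)\.(?P<method>[\w$<>]+)\(")
FIELD_RE = re.compile(r"'([^']+)'")
# Assumption: vendor package prefixes as seen in the excerpt; other frames are framework code.
APP_PREFIXES = ("com.resilient.", "com.co3.", "com.ibm.resilient.")

# Trimmed copy of the excerpt posted above (first frames only).
SAMPLE_LOG = """\
10:37:39.697 [http-nio-443-exec-10] INFO  [] com.co3.web.rest.Co3ExceptionMapperBase - Mapping exception to REST
com.co3.domain.exceptions.FieldsRequiredException: The following fields are required: 'cs_client_id','cs_cloud_url'
    at com.resilient.workflow.command.ExecuteFunctionCommand.validateRequiredInputs(ExecuteFunctionCommand.java:217)
    at com.resilient.workflow.command.ExecuteFunctionCommand.getInputs(ExecuteFunctionCommand.java:140)
    at com.google.common.eventbus.EventBus.post(EventBus.java:212)
"""


def triage(log_text):
    """Return one summary dict per FieldsRequiredException found in log_text."""
    findings, current = [], None
    for line in log_text.splitlines():
        exc = EXC_RE.match(line)
        if exc:
            current = None  # a new exception header ends the previous trace
            if exc.group("cls").endswith("FieldsRequiredException"):
                current = {"fields": FIELD_RE.findall(exc.group("msg")),
                           "top_frame": None, "origin": "unknown"}
                findings.append(current)
            continue
        frame = FRAME_RE.match(line)
        if current is None or frame is None or current["top_frame"]:
            continue
        cls = frame.group("cls")
        if cls.startswith(APP_PREFIXES):
            current["top_frame"] = f"{cls}.{frame.group('method')}"
            # ExecuteFunctionCommand on top: a Function's required inputs were not set,
            # so the trigger is a rule or workflow invoking that Function.
            current["origin"] = "function" if "ExecuteFunctionCommand" in cls else "other"
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```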



  • 5.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Mon August 23, 2021 01:55 PM
    I'm not certain. There is only one rule that runs this functionality, and it was disabled for testing. See the following

    This occurred even when just triggering the rule on an email inbox object. Does the new script run some sort of workflow/function to handle something? The old one did not have the same issues.

    I don't see any workflows relating to that, nor do I see functions that would appear related. Should I start tearing down the script to a minimal subset of functionality until I can figure out what's going on?

    ------------------------------
    Tyler Bennett
    ------------------------------



  • 6.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Mon August 23, 2021 01:56 PM
    Edited by Tyler Bennett Mon August 23, 2021 01:57 PM
    Is there a way to determine what functions/workflows are trying to be run and figure out what's calling those?

    For the record, the only difference between prod/dev is the dev instance is modified to use the released python3 script, whereas prod is using the python2 script.

    ------------------------------
    Tyler Bennett
    ------------------------------



  • 7.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Mon August 23, 2021 05:10 PM
    You can use the Functional logging capabilities. Turn on for Workflow and Action. This puts additional debugging in the client.log file on the server that should help. This is accessed from the System Settings area.

    Ben




    ------------------------------
    Ben Lurie
    ------------------------------



  • 8.  RE: Error Running Script: The following fields are required: 'cs_client_id','cs_cloud_url'

    Posted Tue August 24, 2021 12:35 PM
    I ended up figuring out what was going on.

    The email parsing plugin was adding artifacts to the incident such as URLs, and there was an automatic rule to upload IoC to the incident when an artifact type matches the fields. I've since modified that. Thank you very much for the assistance!

    ------------------------------
    Tyler Bennett
    ------------------------------