IBM Security QRadar SOAR

  • 1.  Email parsing Functions pending (with no results)

    Posted Wed February 19, 2020 10:50 AM
    Hello, 

    I'm using IBM Resilient V34 with multiple organizations. I tried to install multiple functions from IBM XForce hub.

    When running a workflow for email parsing I have this error: 
     
    resilient-circuits run command result:

    2020-02-19 16:41:19,069 ERROR [actions_component] <Connect[*] ()> (<class 'stompest.error.StompProtocolError'>): StompProtocolError: <Cannot handle command: ERROR [expected=CONNECTED, headers={u'message': u'User name [asabri@dataprotect.ma] or password is invalid.', u'content-type': u'text/plain'}]>
    File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 659, in _dispatcher
    value = event_handler(event, *eargs, **ekwargs)
    File "/usr/local/lib/python2.7/site-packages/resilient_circuits/stomp_component.py", line 173, in connect
    connectedTimeout=self._connected_timeout)
    File "/usr/local/lib/python2.7/site-packages/stompest/sync/client.py", line 129, in connect
    self._connect(headers, versions, host, heartBeats, connectedTimeout)
    File "/usr/local/lib/python2.7/site-packages/stompest/sync/client.py", line 142, in _connect
    self.session.connected(frame)
    File "/usr/local/lib/python2.7/site-packages/stompest/protocol/session.py", line 216, in connected
    (self.version, self._server, self._id, (self._serverSendHeartBeat, self._serverReceiveHeartBeat)) = stompest.protocol.commands.connected(frame, versions=self._versions)
    File "/usr/local/lib/python2.7/site-packages/stompest/protocol/commands.py", line 226, in connected
    _checkCommand(frame, [StompSpec.CONNECTED])
    File "/usr/local/lib/python2.7/site-packages/stompest/protocol/commands.py", line 317, in _checkCommand
    raise StompProtocolError('Cannot handle command: %s [expected=%s, headers=%s]' % (frame.command, ', '.join(commands), frame.headers))

    2020-02-19 16:41:19,070 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
    2020-02-19 16:41:19,074 INFO [actions_component] 'fn_qradar_integration.components.qradar_add_reference_set_item.FunctionComponent' function 'qradar_add_reference_set_item' registered to 'fn_qradar_integration'
    2020-02-19 16:41:19,075 INFO [app] Components loaded
    2020-02-19 16:41:22,232 ERROR [actions_component] <load_all_success[loader] ( )> (<class 'circuits.core.manager.TimeoutError'>): TimeoutError: <>
    File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 851, in processTask
    value = parent.throw(value.extract())
    File "/usr/local/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 599, in subscribe_to_queues
    yield self.wait("Connected", timeout=30)

    The email and password I specified in app.config are correct.

    Can anyone help? Thank you.

    ------------------------------
    Ayman Sabri
    ------------------------------


  • 2.  RE: Email parsing Functions pending (with no results)

    IBM Champion
    Posted Mon February 24, 2020 01:52 PM
    Double check the credentials under the [resilient] section of your app.config; it's definitely an error related to it not being able to authenticate. The account you list should be able to log in to the Resilient UI.

    See here.

    User name [asabri@dataprotect.ma] or password is invalid.


    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 3.  RE: Email parsing Functions pending (with no results)

    Posted Tue February 25, 2020 03:31 AM
    Hello, 

    I can authenticate with this account; I'm sure the username and password are correct.

    ------------------------------
    Ayman Sabri
    ------------------------------



  • 4.  RE: Email parsing Functions pending (with no results)

    Posted Tue February 25, 2020 07:22 AM
    Not sure if this will help. Check the Message Destinations in the UI and ensure that they have the account asabri@dataprotect.ma set as a User:



    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: Email parsing Functions pending (with no results)

    Posted Fri February 28, 2020 08:17 AM
    Hello, 

    The user is added there, but I still have the same issue :(

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 6.  RE: Email parsing Functions pending (with no results)

    IBM Champion
    Posted Fri February 28, 2020 10:58 AM
    Edited by Jared Fagel Fri February 28, 2020 10:57 AM
    I recommend you open a case with IBM Support on this, they can help you further troubleshoot the issue.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 7.  RE: Email parsing Functions pending (with no results)

    Posted Fri October 09, 2020 02:13 PM
    Hi Ayman,

    Curious if you ever found a resolution to this issue as I am having a very similar problem.

    ------------------------------
    JONATHAN TOMASULO
    ------------------------------



  • 8.  RE: Email parsing Functions pending (with no results)

    IBM Champion
    Posted Fri October 09, 2020 06:28 PM
    What is your specific issue? It may be worth creating your own topic.

    From Ayman's original post, we see the log shows an invalid user name or password while connecting to Resilient over STOMP.

    StompProtocolError: <Cannot handle command: ERROR [expected=CONNECTED, headers={u'message': u'User name [asabri@dataprotect.ma] or password is invalid.', u'content-type': u'text/plain'}]>

    The credentials come from this section of the app.config:
    [resilient]
    # Basic service connection
    host=YOUR_INSTANCE.resilientsystems.com
    port=443
    email=EMAIL@DOMAIN.com
    password=PASSWORD_OR_CRYPT_REFERENCE
    org=YOUR_ORG

    You can also use API authentication in this section, rather than the legacy username/password.

    See more here: https://www.ibm.com/support/knowledgecenter/en/SSBRUQ_38.0.0/doc/Integration_Server/config_file.html

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
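
Added example, not part of any post in this thread and not IBM's code: a small triage script that reads resilient-circuits log lines like the ones posted above, pulls the reason out of the STOMP ERROR frame, and marks the later TimeoutError as a follow-on of the rejected connection. The function name `triage`, the finding labels and the "secondary" interpretation are assumptions made for this example.

```python
import ast
import re

# Log lines as posted at the top of this thread (traceback frames omitted).
SAMPLE_LOG = """\
2020-02-19 16:41:19,069 ERROR [actions_component] <Connect[*] ()> (<class 'stompest.error.StompProtocolError'>): StompProtocolError: <Cannot handle command: ERROR [expected=CONNECTED, headers={u'message': u'User name [asabri@dataprotect.ma] or password is invalid.', u'content-type': u'text/plain'}]>
2020-02-19 16:41:19,070 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
2020-02-19 16:41:22,232 ERROR [actions_component] <load_all_success[loader] ( )> (<class 'circuits.core.manager.TimeoutError'>): TimeoutError: <>
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ERROR|INFO|WARNING|DEBUG) \[(\w+)\] (.*)$")
STOMP_RE = re.compile(r"Cannot handle command: (\w+) \[expected=(\w+), headers=(\{.*\})\]>")


def triage(log_text):
    """Return one finding per ERROR line; 'secondary' marks errors after a STOMP rejection."""
    findings, rejected = [], False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "ERROR":
            continue
        ts, _, _component, msg = m.groups()
        frame = STOMP_RE.search(msg)
        if frame:
            # The headers are printed as a Python dict repr; parse it without eval().
            headers = ast.literal_eval(frame.group(3))
            reason = headers.get("message", "")
            kind = "stomp_auth_rejected" if "password is invalid" in reason else "stomp_error_frame"
            rejected = True
            findings.append({"time": ts, "kind": kind, "reason": reason, "secondary": False})
        elif "TimeoutError" in msg:
            # With no CONNECTED frame received, the wait for "Connected" can only time out.
            findings.append({"time": ts, "kind": "connect_timeout", "reason": "", "secondary": rejected})
        else:
            findings.append({"time": ts, "kind": "other", "reason": msg, "secondary": rejected})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
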



  • 9.  RE: Email parsing Functions pending (with no results)

    Posted Sun October 11, 2020 10:13 PM
    Hi Jared,

    Thank you very much for the response.

    I actually was able to figure it out. The time zone on the server was not set correctly, so when I logged in to the server I got a timeout value on my session which the server was noting as already expired, so it was logging me back out immediately. As soon as I got the time zone set correctly, everything started working.

    ------------------------------
    JONATHAN TOMASULO
    ------------------------------