IBM Security QRadar SOAR

 View Only
  • 1.  Resilient-Circuits Not Running

    Posted Mon March 28, 2022 03:06 AM
    Hi guys, as you can see in the attachments below, I have configured the app.config to run my resilient-circuits. However, when I run the command: #resilient-circuits run, I keep on getting this error message and I do not know what it means and how to fix it. Any help would be deeply appreciated.

    App.Config

    App.Config

    Resilient-Circuits
    ​​

    ------------------------------
    Dany El-Nghaywe
    ------------------------------


  • 2.  RE: Resilient-Circuits Not Running
    Best Answer

    Posted Tue March 29, 2022 02:35 AM
    Hi Dany,

    "Unauthorized" is coming from SOAR so tail /usr/share/co3/logs/client.log at the time that Circuits runs and look for an error. From the error, it suggests that the API key is not allowed to authenticate against the CBM organisation. This could be because the API password has expired, there is an IP ban, if it is an MSSP organisation a configuration push hasn't been invoked.

    There could be some other reasons but you should check the log and also the UI. Are you sure the API secret is correct? What if you regenerate it and then use the new API secret in the app.config?

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 3.  RE: Resilient-Circuits Not Running

    Posted Tue March 29, 2022 05:21 PM
    Hi @BEN WILLIAMS,

    Can you help me with sort of similar issue? I have newly insta​lled Resilient Circuit server but unable to run the circuit through command. Below are the logs in DEBUG mode:
    Please let me know where am I going wrong.

    ##########################################
    [integration@vclabu18 .resilient]$ /usr/bin/resilient-circuits run
    /usr/lib/python2.7/site-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
    from cryptography.utils import int_from_bytes

    ------------------------
    Environment:
    Python Version: 2.7.5 (default, Aug 7 2019, 00:51:29)
    [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

    Installed packages:

    argparse: 1.4.0
    backports.functools-lru-cache: 1.6.4
    backports.ssl-match-hostname: 3.5.0.1
    beautifulsoup4: 4.9.3
    blivet: 0.61.15.74
    Brlapi: 0.6.0
    bs4: 0.0.1
    cachetools: 2.1.0
    certifi: 2021.10.8
    cffi: 1.15.0
    chardet: 4.0.0
    chrome-gnome-shell: 0.0.0
    circuits: 3.2.2
    configobj: 4.7.2
    configparser: 4.0.2
    coverage: 3.6b3
    cryptography: 3.3.2
    cupshelpers: 1.0
    decorator: 3.4.0
    di: 0.3
    entrypoints: 0.3
    enum34: 1.1.10
    ethtool: 0.8
    filelock: 3.2.1
    firstboot: 19.5
    fros: 1.0
    futures: 3.1.1
    idna: 2.10
    iniparse: 0.4
    initial-setup: 0.3.9.44
    ipaddress: 1.0.16
    IPy: 0.75
    javapackages: 1.0.0
    Jinja2: 2.11.3
    keyring: 18.0.1
    kitchen: 1.1.1
    langtable: 0.0.31
    lxml: 3.2.1
    MarkupSafe: 1.1.1
    ntplib: 0.3.2
    pathtools: 0.1.2
    perf: 0.1
    pip: 19.3.1
    policycoreutils-default-encoding: 0.1
    pycparser: 2.21
    pycups: 1.9.63
    pycurl: 7.19.0
    pygobject: 3.22.0
    pygpgme: 0.3
    pyinotify: 0.9.4
    pykickstart: 1.99.66.21
    pyliblzma: 0.5.3
    pyparted: 3.9
    pysmbc: 1.0.13
    PySocks: 1.7.1
    Python: 2.7.5
    python-augeas: 0.5.0
    python-linux-procfs: 0.4.9
    python-meh: 0.25.3
    python-nss: 0.16.0
    pytz: 2016.10
    pyudev: 0.15
    pyxattr: 0.5.1
    PyYAML: 3.10
    requests: 2.26.0
    requests-mock: 1.9.3
    requests-toolbelt: 0.9.1
    resilient: 44.0.2810
    resilient-circuits: 44.0.2810
    resilient-lib: 44.0.2810
    schedutils: 0.4
    SecretStorage: 2.3.1
    seobject: 0.1
    sepolicy: 1.1
    setroubleshoot: 1.1
    setuptools: 44.1.1
    six: 1.9.0
    slip: 0.4.0
    slip.dbus: 0.4.0
    soupsieve: 1.9.6
    stompest: 2.3.0
    subprocess32: 3.2.6
    urlgrabber: 3.10
    urllib3: 1.26.9
    watchdog: 0.10.7
    wsgiref: 0.1.2
    yum-langpacks: 0.4.2
    yum-metadata-parser: 1.1.4
    ###############
    No handlers could be found for logger "filelock"
    2022-03-29 13:50:50,420 INFO [app] Configuration file: app.config
    2022-03-29 13:50:50,423 INFO [app] Resilient server: 10.10.6.48
    2022-03-29 13:50:50,423 INFO [app] Resilient user: kothai.nachiya@XXX
    2022-03-29 13:50:50,424 INFO [app] Resilient org: XXX (**ORG name is verified)
    2022-03-29 13:50:50,424 INFO [app] Logging Level: DEBUG
    2022-03-29 13:50:50,425 DEBUG [actions_component] create idle timer
    2022-03-29 13:50:50,426 WARNING [co3] Unverified HTTPS requests (cafile=false).
    2022-03-29 13:50:50,430 DEBUG [retry] Converted retries value: Retry(total=0, connect=None, read=False, redirect=None, status=None) -> Retry(total=Retry(total=0, connect=None, read=False, redirect=None, status=None), connect=None, read=None, redirect=0, status=None)
    2022-03-29 13:50:50,431 WARNING [connectionpool] Connection pool is full, discarding connection: 10.10.6.48. Connection pool size: 10
    2022-03-29 13:50:50,431 DEBUG [_api] Attempting to release lock 140540010142928 on /home/integration/.resilient/resilient_circuits_lockfile
    2022-03-29 13:50:50,431 DEBUG [_api] Lock 140540010142928 released on /home/integration/.resilient/resilient_circuits_lockfile
    Traceback (most recent call last):
    File "/usr/bin/resilient-circuits", line 11, in <module>
    load_entry_point('resilient-circuits==44.0.2810', 'console_scripts', 'resilient-circuits')()
    File "/usr/lib/python2.7/site-packages/resilient_circuits/bin/resilient_circuits_cmd.py", line 404, in main
    config_file=args.config_file)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/bin/resilient_circuits_cmd.py", line 85, in run
    app.run(**kwargs)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/app.py", line 231, in run
    application = App(*args, **kwargs)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/app.py", line 70, in __init__
    self.do_initialization()
    File "/usr/lib/python2.7/site-packages/resilient_circuits/app.py", line 102, in do_initialization
    self.action_component = Actions(self.opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 317, in __init__
    super(Actions, self).__init__(opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 108, in __init__
    self._get_fields(fn_names=self.fn_names)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 157, in _get_fields
    client = self.rest_client()
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 219, in rest_client
    return get_resilient_client(self.opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/rest_helper.py", line 47, in wrapper
    return func(opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/rest_helper.py", line 90, in get_resilient_client
    resilient_client = resilient.get_client(opts)
    File "/usr/lib/python2.7/site-packages/resilient/co3.py", line 166, in get_client
    userinfo = resilient_client.connect(opts["email"], opts["password"])
    File "/usr/lib/python2.7/site-packages/resilient/co3.py", line 322, in connect
    ret = super(SimpleClient, self).connect(email, password, timeout)
    File "/usr/lib/python2.7/site-packages/resilient/co3base.py", line 189, in connect
    return self._connect(timeout=timeout)
    File "/usr/lib/python2.7/site-packages/resilient/co3base.py", line 236, in _connect
    timeout=timeout)
    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 590, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
    File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
    File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 691, in urlopen
    timeout_obj = self._get_timeout(timeout)
    File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 334, in _get_timeout
    return Timeout.from_float(timeout)
    File "/usr/lib/python2.7/site-packages/urllib3/util/timeout.py", line 179, in from_float
    return Timeout(read=timeout, connect=timeout)
    File "/usr/lib/python2.7/site-packages/urllib3/util/timeout.py", line 103, in __init__
    self._connect = self._validate_timeout(connect, "connect")
    File "/usr/lib/python2.7/site-packages/urllib3/util/timeout.py", line 146, in _validate_timeout
    "int, float or None." % (name, value)
    ValueError: Timeout value connect was Timeout(connect=None, read=None, total=None), but it must be an int, float or None.


    ------------------------------
    Nishant Kumar
    ------------------------------



  • 4.  RE: Resilient-Circuits Not Running

    Posted Wed March 30, 2022 05:32 AM
    Hi Nishant,

    On the face of it it looks like there's a problem with the app.config but we have seen this with older versions of Python. We support python 2.7.9 and higher, see https://www.ibm.com/docs/en/sqsp/40?topic=prerequisites-resilient-integration-server

    Preferably, 3.6.4 and higher should be used -> https://www.ibm.com/docs/en/sqsp/44?topic=prerequisites-integration-server

    Upgrade Python to 2.7.9 or higher and test again please.


    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 5.  RE: Resilient-Circuits Not Running

    Posted 22 days ago
    Can you help me with sort of similar issue? I have a newly installed Resilient Circuit server but unable to run the circuit through command. Below are the logs in DEBUG mode:
    Please let me know where am I going wrong.

    ##########################################
    [integration@vclabu18 .resilient]$ /usr/bin/resilient-circuits run
    /usr/lib/python2.7/site-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
    from cryptography.utils import int_from_bytes

    ------------------------
    Environment:
    Python Version: 2.7.5 (default, Aug 7 2019, 00:51:29)
    [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

    Installed packages:

    argparse: 1.4.0
    backports.functools-lru-cache: 1.6.4
    backports.ssl-match-hostname: 3.5.0.1
    beautifulsoup4: 4.9.3
    blivet: 0.61.15.74
    Brlapi: 0.6.0
    bs4: 0.0.1
    cachetools: 2.1.0
    certifi: 2021.10.8
    cffi: 1.15.0
    chardet: 4.0.0
    chrome-gnome-shell: 0.0.0
    circuits: 3.2.2
    configobj: 4.7.2
    configparser: 4.0.2
    coverage: 3.6b3
    cryptography: 3.3.2
    cupshelpers: 1.0
    decorator: 3.4.0
    di: 0.3
    entrypoints: 0.3
    enum34: 1.1.10
    ethtool: 0.8
    filelock: 3.2.1
    firstboot: 19.5
    fros: 1.0
    futures: 3.1.1
    idna: 2.10
    iniparse: 0.4
    initial-setup: 0.3.9.44
    ipaddress: 1.0.16
    IPy: 0.75
    javapackages: 1.0.0
    Jinja2: 2.11.3
    keyring: 18.0.1
    kitchen: 1.1.1
    langtable: 0.0.31
    lxml: 3.2.1
    MarkupSafe: 1.1.1
    ntplib: 0.3.2
    pathtools: 0.1.2
    perf: 0.1
    pip: 19.3.1
    policycoreutils-default-encoding: 0.1
    pycparser: 2.21
    pycups: 1.9.63
    pycurl: 7.19.0
    pygobject: 3.22.0
    pygpgme: 0.3
    pyinotify: 0.9.4
    pykickstart: 1.99.66.21
    pyliblzma: 0.5.3
    pyparted: 3.9
    pysmbc: 1.0.13
    PySocks: 1.7.1
    Python: 2.7.5
    python-augeas: 0.5.0
    python-linux-procfs: 0.4.9
    python-meh: 0.25.3
    python-nss: 0.16.0
    pytz: 2016.10
    pyudev: 0.15
    pyxattr: 0.5.1
    PyYAML: 3.10
    requests: 2.26.0
    requests-mock: 1.9.3
    requests-toolbelt: 0.9.1
    resilient: 44.0.2810
    resilient-circuits: 44.0.2810
    resilient-lib: 44.0.2810
    schedutils: 0.4
    SecretStorage: 2.3.1
    seobject: 0.1
    sepolicy: 1.1
    setroubleshoot: 1.1
    setuptools: 44.1.1
    six: 1.9.0
    slip: 0.4.0
    slip.dbus: 0.4.0
    soupsieve: 1.9.6
    stompest: 2.3.0
    subprocess32: 3.2.6
    urlgrabber: 3.10
    urllib3: 1.26.9
    watchdog: 0.10.7
    wsgiref: 0.1.2
    yum-langpacks: 0.4.2
    yum-metadata-parser: 1.1.4
    ###############
    No handlers could be found for logger "filelock"
    2022-03-29 13:50:50,420 INFO [app] Configuration file: app.config
    2022-03-29 13:50:50,423 INFO [app] Resilient server: 10.10.6.48
    2022-03-29 13:50:50,423 INFO [app] Resilient user: kothai.nachiya@XXX
    2022-03-29 13:50:50,424 INFO [app] Resilient org: XXX (**ORG name is verified)
    2022-03-29 13:50:50,424 INFO [app] Logging Level: DEBUG
    2022-03-29 13:50:50,425 DEBUG [actions_component] create idle timer
    2022-03-29 13:50:50,426 WARNING [co3] Unverified HTTPS requests (cafile=false).
    2022-03-29 13:50:50,430 DEBUG [retry] Converted retries value: Retry(total=0, connect=None, read=False, redirect=None, status=None) -> Retry(total=Retry(total=0, connect=None, read=False, redirect=None, status=None), connect=None, read=None, redirect=0, status=None)
    2022-03-29 13:50:50,431 WARNING [connectionpool] Connection pool is full, discarding connection: 10.10.6.48. Connection pool size: 10
    2022-03-29 13:50:50,431 DEBUG [_api] Attempting to release lock 140540010142928 on /home/integration/.resilient/resilient_circuits_lockfile
    2022-03-29 13:50:50,431 DEBUG [_api] Lock 140540010142928 released on /home/integration/.resilient/resilient_circuits_lockfile
    Traceback (most recent call last):
    File "/usr/bin/resilient-circuits", line 11, in <module>
    load_entry_point('resilient-circuits==44.0.2810', 'mini militia mod apk')()
    File "/usr/lib/python2.7/site-packages/resilient_circuits/bin/resilient_circuits_cmd.py", line 404, in main
    config_file=args.config_file)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/bin/resilient_circuits_cmd.py", line 85, in run
    app.run(**kwargs)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/app.py", line 231, in run
    application = App(*args, **kwargs)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/app.py", line 70, in __init__
    self.do_initialization()
    File "/usr/lib/python2.7/site-packages/resilient_circuits/app.py", line 102, in do_initialization
    self.action_component = Actions(self.opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 317, in __init__
    super(Actions, self).__init__(opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 108, in __init__
    self._get_fields(fn_names=self.fn_names)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 157, in _get_fields
    client = self.rest_client()
    File "/usr/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 219, in rest_client
    return get_resilient_client(self.opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/rest_helper.py", line 47, in wrapper
    return func(opts)
    File "/usr/lib/python2.7/site-packages/resilient_circuits/rest_helper.py", line 90, in get_resilient_client
    resilient_client = resilient.get_client(opts)
    File "/usr/lib/python2.7/site-packages/resilient/co3.py", line 166, in get_client
    userinfo = resilient_client.connect(opts["email"], opts["password"])
    File "/usr/lib/python2.7/site-packages/resilient/co3.py", line 322, in connect
    ret = super(SimpleClient, self).connect(email, password, timeout)
    File "/usr/lib/python2.7/site-packages/resilient/co3base.py", line 189, in connect
    return self._connect(timeout=timeout)
    File "/usr/lib/python2.7/site-packages/resilient/co3base.py", line 236, in _connect
    timeout=timeout)
    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 590, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
    File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
    File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 691, in urlopen
    timeout_obj = self._get_timeout(timeout)
    File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 334, in _get_timeout
    return Timeout.from_float(timeout)
    File "/usr/lib/python2.7/site-packages/urllib3/util/timeout.py", line 179, in from_float
    return Timeout(read=timeout, connect=timeout)
    File "/usr/lib/python2.7/site-packages/urllib3/util/timeout.py", line 103, in __init__
    self._connect = self._validate_timeout(connect, "connect")
    File "/usr/lib/python2.7/site-packages/urllib3/util/timeout.py", line 146, in _validate_timeout
    "int, float or None." % (name, value)
    ValueError: Timeout value connect was Timeout(connect=None, read=None, total=None), but it must be an int, float or None.

    ------------------------------
    Muhammad Zeeshan
    ------------------------------



  • 6.  RE: Resilient-Circuits Not Running

    Posted Wed March 30, 2022 04:35 AM
    Hi Ben,

    I removed the IP ban and i generated a new API key (the previous one was expired/locked) and the issue was solved.

    Thanks!

    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 7.  RE: Resilient-Circuits Not Running

    Posted 22 days ago
    Hi Ben,
    I removed the IP ban and i generated a new API key (the previous one was expired/locked) and the issue was solved. Thanks!

    ------------------------------
    Muhammad Zeeshan
    ------------------------------