IBM Security QRadar SOAR

  • 1.  Default python libraries...

    Posted Mon June 10, 2019 11:28 AM
    Hello.

    This isn't a support question, more of an enhancement / question about why certain items aren't included within the web UI python implementation.

    Currently, the only two modules that can be leveraged are the Java Date and RE modules, which is really limiting. Within the email parser or scripts, it would be much more useful if we could leverage libraries like JSON or time/datetime. Are there any plans for the future to embed more default libraries within the web UI python?

    Thanks :)

    ------------------------------
    Nathan Getty
    ------------------------------


  • 2.  RE: Default python libraries...

    Posted Tue June 11, 2019 03:16 AM
    Hi Nathan,

    To protect the application and the operating system of the server there are only a couple of libraries you can import. You can obviously use an external Python script to import what you need to support your use case. It might be wise to create an idea requesting the libraries you'd like to leverage. Product Management are constantly assessing our customers' ideas to see what can be added to future versions of the product.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 3.  RE: Default python libraries...

    Posted Tue June 11, 2019 04:31 AM
    I would have found html2text very useful for stripping tags from some data.  It should be fairly safe in terms of not interfering with the OS or core of Resilient, I would think...

    ------------------------------
    Edwin Bolton
    ------------------------------



  • 4.  RE: Default python libraries...

    Posted Mon August 19, 2019 04:34 AM
    Hi Ben,
    Do you have a full list of libraries that we can import?

    BR,
    Alex

    ------------------------------
    Alexander Saulenko
    ------------------------------



  • 5.  RE: Default python libraries...

    Posted Mon August 19, 2019 07:21 AM
    Hello Nathan,

    It's definitely prudent to assess the considered limitations of our Web UI scripting facility, thanks for initiating a discussion about the capabilities available. I hope I can address some of your concerns.

    From the Playbook Designers Guide document:
    The scripting feature supports Python 2.7 only, and has the following language feature and security limitations in place to prevent unwanted actions:
    • You can import the java.util.Date Java language class.
    • You can import the re (regular expressions) module using the command:
    import re
    • You cannot import python libraries, including os, subprocess, sys, and threading.
    • Network access is not allowed in order to prevent unwanted or unauthorized access to the network.
    • Access to the underlying file system is not allowed to prevent unwanted or unauthorized access to the file system.
    Accessing a variety of incident data, you use scripts to add objects, such as tasks, notes, and a row in a data table. A script only modifies or acts on the object that triggered the rule or its parent object. For the email message object, it also can modify its associated incident (if there is one).

    We realise that this limits what is achievable in a UI python script, but reducing the security risk while managing functionality is of paramount importance to us. Thanks again for your interest.

    ------------------------------
    Sean OGorman
    ------------------------------



  • 6.  RE: Default python libraries...

    Posted Tue August 20, 2019 03:47 AM
    Hello,

    My two cents for this thread: I absolutely understand your concern regarding limiting access to the local filesystem and networking capabilities but not having access even to libraries like datetime is really inconvenient.

    I have myself described this issue in one of your Customer Success Forums (the name might be wrong, sorry). I provided a real-life example where, as part of the pre-process script of a function, we need to perform some date manipulation operations like getting the current time and subtracting a fixed period of time. Even though this was possible using the only Java class that you can import, it was really cumbersome and not convenient at all.

    My understanding is that the pre and post processing scripts are meant to be some kind of "glue" between the external Python code and the Resilient Workflows and help with code re-usability. However, by not allowing virtually any library to be imported, this task becomes really tricky.

    If you could provide an explanation as to why libraries like datetime are also not allowed, it would be really appreciated.

    Thanks in advance for your reply.

    Regards,

    ------------------------------
    Carlos Ortigoza
    ------------------------------



  • 7.  RE: Default python libraries...

    Posted Tue August 20, 2019 08:50 AM
    Hello Carlos,

    Thank you for your interest and for providing a specific example of why we take such a conservative approach. Many libraries that seem benign initially cannot, on reflection, actually be thought of as such. They can often have non-obvious code vectors that can do unsafe things at the system level. In the case of datetime, for instance, it imports the sys library. It doesn't use it for anything that's unsafe, but allowing "import datetime" would require us to allow "import sys", which would create real security issues. In order to allow it, we would have to then selectively enable things in the sys library while blocking the unsafe protocols that were imported. That makes this set of tasks not only non-trivial but rather critical. It would be very difficult to achieve a "pre-import" security level with total confidence that all introduced vulnerabilities had been addressed. We certainly take no joy in limiting our customers' capability in any way, but unfortunately the potential cost of this flexibility could be much greater.

    Your understanding of the scripting functionality as a "glue" between workflows & code and platform is broadly accurate and we hope that by focusing on extending general functionality in the external code, a balance in general can be struck between flexibility and security when interacting with the IBM Resilient SOAR Platform. Thanks again for stimulating the discussion on this topic, please refer to our Customer Success Team for specific use cases that we can assist you with.

    ------------------------------
    Sean OGorman
    ------------------------------
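    The policy described in Sean's two replies above (a short allowlist of importable modules, with everything else refused at the import statement) as an added illustration. This is example code written for this thread, not IBM's or the Resilient platform's implementation: Resilient UI scripts run on Jython 2.7 behind the platform's own controls, whereas this runs on CPython 3, so the java.util.Date class is omitted and only `re` is admitted. The function names (`run_ui_script`, `import_allowed`, `extract_indicators`), the permitted-builtins list and the sample alert e-mail are all assumptions made for the example.

```python
"""Import allowlist for user-supplied scripts: an added illustration.

Example code for this thread, not IBM's or the Resilient platform's own
implementation. It reproduces only the policy shape discussed in the thread
(a short allowlist of importable modules) on CPython 3; the Java Date class
that Resilient's Jython scripts can import has no equivalent here.
"""
import builtins
import re

# Policy from the thread: scripts may import re and nothing else.
ALLOWED_MODULES = frozenset({"re"})

# Builtins a parsing script legitimately needs. Deliberately absent: open(),
# eval(), exec(), getattr() and the real __import__ (replaced by the guard below).
PERMITTED_BUILTINS = ("len", "str", "int", "list", "dict", "set", "sorted",
                      "range", "enumerate", "ImportError", "ValueError")


def make_guarded_import(allowed):
    """Return an __import__ replacement that admits only top-level names in `allowed`."""
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        # "import os.path" and "from os import path" both resolve to top-level "os".
        top_level = name.partition(".")[0]
        if level != 0 or top_level not in allowed:
            raise ImportError("import of %r is not permitted in UI scripts" % name)
        return real_import(name, globals, locals, fromlist, level)

    return guarded_import


def run_ui_script(source, script_globals=None):
    """Execute `source` with a reduced builtins table whose __import__ enforces the allowlist.

    Returns the script's globals so the caller can read back what it produced.
    """
    safe_builtins = {name: getattr(builtins, name) for name in PERMITTED_BUILTINS}
    safe_builtins["__import__"] = make_guarded_import(ALLOWED_MODULES)
    namespace = {"__builtins__": safe_builtins}
    if script_globals:
        namespace.update(script_globals)
    exec(source, namespace)
    return namespace


def import_allowed(module_name):
    """True if a UI script could `import module_name` under the policy."""
    try:
        run_ui_script("import %s" % module_name)
    except ImportError:
        return False
    return True


# Constructed sample alert e-mail body (not from the original thread).
SAMPLE_EMAIL = (
    "Subject: [IDS] Suspicious outbound traffic\n"
    "Source 10.20.30.40 contacted 203.0.113.77 on port 443 at 2019-08-20 08:50 UTC.\n"
    "Second source 10.20.30.41 contacted 203.0.113.77 as well.\n"
)

# A script in the style of the Resilient e-mail parser: only `re` is imported,
# and the result is left in a global the platform side reads back.
INDICATOR_SCRIPT = r'''
import re
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
indicators = sorted(set(IPV4.findall(email_body)))
'''


def extract_indicators(email_body):
    """Run INDICATOR_SCRIPT under the policy and return the IPv4 addresses it found."""
    result = run_ui_script(INDICATOR_SCRIPT, {"email_body": email_body})
    return result["indicators"]


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_EMAIL))
    for module in ("re", "datetime", "os", "subprocess"):
        print("%-10s allowed=%s" % (module, import_allowed(module)))
```

    Two caveats a practitioner should keep in mind. First, replacing `__import__` only controls the import statement; it is not a sandbox on its own, and the platform additionally removes network and file-system access at a lower layer, which this example does not reproduce. Second, Sean's point about datetime pulling in sys is why an allowlist has to be judged against a module's whole dependency tree rather than its top-level name: this example admits `re` by name only because the thread's own policy does, and it performs no transitive analysis.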



  • 8.  RE: Default python libraries...

    Posted Tue August 20, 2019 09:23 AM
    Good Morning Gentlemen!

    Thank you for all of the responses. I understand that importing libraries that import other functions may in fact impose risk upon IBM, as these libraries can be used to call functions which can induce harm. However, the lack of these libraries also hinders organizations' customization abilities within the platform.

    For me, the email parsing script works well, but we have to modify how all of our alerts are sent, and using RE isn't the most reliable tool.

    What if we could offload these scripts / processes to an integration server that our organization controls (like circuits) this way the risk is with the customer and not with the vendor?

    Thoughts?

    ------------------------------
    Nathan Getty
    ------------------------------