IBM Security QRadar SOAR


Script Execution for Artifact Rules

  • 1.  Script Execution for Artifact Rules

    Posted Thu January 14, 2021 07:23 AM
    We wrote the simple script below on the Resilient Customization Settings Script tab for the Artifact DNS value type; however, we are getting the following error.


    Script 
    import requests

    proxies = {
        "http": "http://192.168.1.24:8081",
        "https": "http://192.168.1.24:8081",
    }
    # verify=False disables TLS certificate verification for this request
    r = requests.get(artifact.value, proxies=proxies, verify=False)

    Output from Resilient 
    Script contain illegal import request 

    When we change it to import re, we get a permission error instead; please refer to the screenshots below for reference.

    ------------------------------
    Sunil I B
    ------------------------------


  • 2.  RE: Script Execution for Artifact Rules

    Posted Thu January 14, 2021 07:55 AM
    Edited by Burak Karaduman Thu January 14, 2021 07:55 AM
    Hello,

    You cannot import the 'requests' library in Resilient scripts. The library whitelist is at the link below.

    https://www.ibm.com/support/knowledgecenter/SSBRUQ_39.0.0/doc/playbook/python2_and_3.html

    • array
    • base64
    • bs4
    • calendar
    • collections
    • datetime (equivalent to the Python 2 java.util.Date module)
    • email
    • enum
    • hashlib
    • html
    • html2text
    • json
    • random
    • re
    • regex
    • string
    • time
    • xml
    In addition, the following Python built-ins are available for Python 3 scripts only:
    • all()
    • any()
    • bytearray()
    • bytes()
    • classmethod
    • staticmethod
    • type()
    The following restrictions apply to both Python 2 and 3 scripts:
    • You cannot import Python libraries, including os, subprocess, sys, and threading.
    • Access to the network or filesystem is not allowed for security reasons.


    ------------------------------
    Burak Karaduman
    ------------------------------



  • 3.  RE: Script Execution for Artifact Rules

    Posted Thu January 14, 2021 08:15 AM
    We tried using re from the whitelist and are still getting a different error. Our requirement is simple: whenever an artifact contains a DNS Name, we need to send it to our proxy server.

    At the OS level we are able to achieve this with a one-liner, and an OS-level Python script works fine; however, it is not working in Resilient. Any suggestion on the attached error or at the code level?

    We are using a Menu Item rule instead of an Automatic rule: whenever we find a DNS Name, we send it to the proxy server, where it will be blocked using proxy policy rules.

    OS Level
    http_proxy=http://<IP>:<Port> wget <URL> 

    OS Python Script
    import re

    proxies = {
        "http": "http://192.168.1.24:8081",
        "https": "http://192.168.1.24:8081",
    }
    r = re.get("http://toscrape.com", proxies=proxies)

    ------------------------------
    Sunil I B
    ------------------------------



  • 4.  RE: Script Execution for Artifact Rules

    Posted Thu January 14, 2021 09:49 AM
    Hello,

    The 're' lib is a regex library. You cannot make web requests via the 're' lib. You can do it externally using a function and a workflow.

    ------------------------------
    Burak Karaduman
    ------------------------------



  • 5.  RE: Script Execution for Artifact Rules

    Posted Thu January 14, 2021 10:15 AM
    We already created a package and installed it using pip. Do we need to create another package, or how can we make use of the existing package?

    Is it possible to just create a new Python script on top of the existing package and then make use of the existing destination? Could you please share the right approach?

    ------------------------------
    Sunil I B
    ------------------------------



  • 6.  RE: Script Execution for Artifact Rules

    Posted Thu January 14, 2021 10:24 AM
    Hello,

    We cannot install any libs for internal Resilient scripts. The Python environment in which you write a script in the GUI cannot be changed by users. You should make an integration for your purpose. If you haven't, you should read the Playbook Designer guide.

    ------------------------------
    Burak Karaduman
    ------------------------------



  • 7.  RE: Script Execution for Artifact Rules

    Posted Tue January 19, 2021 11:23 AM
    We followed everything in the Playbook Designer guide and our function executed successfully; however, it looks like the proxy request never executes. Please refer to the attached Python script and the output from the app log.

    Our logs and the action status show success, but the request never passed through our proxy server.

    """Function: """
    try:
    # Get the function parameters:
    dns_name = kwargs.get("dns_name") # text
    log = logging.getLogger(__name__)


    log.info("\nargs:",args,"\n\nkwargs:",kwargs)
    log.info("dns_name: %s", dns_name)



    # PUT YOUR FUNCTION IMPLEMENTATION CODE HERE
    # yield StatusMessage("starting...")

    proxies = {
    "http": "http://192.x.x.x:8081",
    "https": "http://192.x.x.x:8081",
    }
    r = requests.get("dns_name", proxies=proxies)
    r1 = requests.get("http://toscrape.com", proxies=proxies)

    log.info("\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@output")

    -----------------------


    2021-01-20 00:08:48,156 INFO [actions_component] Event: <web_marshal_url_proxy[] (id=7, workflow=web_marshal, user=sunil@techlab.com.my) 2021-01-19 16:08:47.954000> Channel: functions.web_marshal_url_proxy
    2021-01-20 00:08:48,156 DEBUG [stomp_component] Stomp message received
    2021-01-20 00:08:48,157 DEBUG [client] Received heart-beat
    2021-01-20 00:08:48,158 DEBUG [actions_component] success! None, <web_marshal_url_proxy[functions.web_marshal_url_proxy] (id=7, workflow=web_marshal, user=sunil@techlab.com.my) 2021-01-19 16:08:47.954000>
    2021-01-20 00:08:48,158 ERROR [action_message] FunctionResult must be a dictionary. 'NoneType' may cause the workflow to fail.
    2021-01-20 00:08:48,158 DEBUG [actions_component] Message: Completed
    2021-01-20 00:08:48,159 DEBUG [actions_component] Ack ID:resilient.localdomain-45699-1610428308961-3:2:385:1:1
    2021-01-20 00:08:48,159 DEBUG [actions_component] Result: None
    2021-01-20 00:08:48,160 DEBUG [stomp_component] ack_frame()
    2021-01-20 00:08:48,160 DEBUG [client] Sending ACK frame [headers={'id': u'ID:resilient.localdomain-32976-1610428190598-13:1'}, version=1.2]
    2021-01-20 00:08:48,173 DEBUG [stomp_component] Ack Sent
    2021-01-20 00:08:48,174 DEBUG [stomp_component] send()
    2021-01-20 00:08:48,174 DEBUG [client] Sending SEND frame [headers={'destination': u'/queue/acks.201.email_outbound', 'correlation-id': u'invid:526'}, body='{\n "message": "Comp...', version=1.2]

    ------------------------------
    Sunil I B
    ------------------------------




  • 8.  RE: Script Execution for Artifact Rules

    Posted Wed January 20, 2021 06:43 AM
    Any help or suggestion on our issue? Please refer to the attached log from app.log and our Python script.

    ------------------------------
    Sunil I B
    ------------------------------



  • 9.  RE: Script Execution for Artifact Rules

    Posted Wed January 20, 2021 08:47 AM
    I don't have a specific answer, but...

    It sounds like this code:

    r = requests.get("dns_name", proxies=proxies)
    r1 = requests.get("http://toscrape.com", proxies=proxies)

    is not passing the HTTP request through the proxy? If you suspect that and you have an integration server running circuits you could create a small python program there outside of circuits and debug it using a debugger. That would be much easier than trying to debug that code from inside of circuits.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 10.  RE: Script Execution for Artifact Rules

    Posted Wed January 20, 2021 10:07 AM
    As stated above in this thread, when we use only the lines below in a Python script, it works perfectly without any issues. In the same thread we were asked to use functions and actions instead of scripts directly, because the requests library is unsupported in Resilient scripts.

    import requests

    proxies = {
        "http": "http://192.168.1.24:8081",
        "https": "http://192.168.1.24:8081",
    }
    r = requests.get("http://toscrape.com", proxies=proxies)



    After converting the lines above to the Resilient way of doing it with functions, it never passes through to the lines below. If you check the Python script I attached, we have various entries to write to the log file, like log.info("\nargs:",args,"\n\nkwargs:",kwargs), log.info("dns_name: %s", dns_name) and log.info("\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@output"), but they are never printed in the log files. Could you please suggest something on this issue?



    """Function: """
    try:
    # Get the function parameters:
    dns_name = kwargs.get("dns_name") # text
    log = logging.getLogger(__name__)


    log.info("\nargs:",args,"\n\nkwargs:",kwargs)
    log.info("dns_name: %s", dns_name)



    # PUT YOUR FUNCTION IMPLEMENTATION CODE HERE
    # yield StatusMessage("starting...")

    proxies = {
    "http": "http://192.x.x.x:8081",
    "https": "http://192.x.x.x:8081",
    }
    r = requests.get("dns_name", proxies=proxies)
    r1 = requests.get("http://toscrape.com", proxies=proxies)




    ------------------------------
    Sunil I B
    ------------------------------



  • 11.  RE: Script Execution for Artifact Rules

    IBM Champion
    Posted Wed January 20, 2021 11:09 AM
    Hi @Sunil I B,

    The app log you included earlier indicates your web_marshal_url_proxy function/workflow is failing due to a syntax error:
           2021-01-20 00:08:48,158 ERROR [action_message] FunctionResult must be a dictionary. 'NoneType' may cause the workflow to fail.

    Are you sure you've reloaded Resilient-Circuits with your updated code? Did the function load correctly there in the start-up messages?

    As a best practice, you should really have this at the top of your code:

    results = {
        "value": "not done"
    }

    Then at the end do:
    results["value"] = "done"

    If your code is failing, it may not be reaching the end dictionary. Additionally, you have no exception handling in your function other than what Resilient provides. I recommend adding your own error handling in without relying on the Resilient FunctionError() handling.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
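A corrected shape for the function pasted in posts 7 and 10 that applies the advice above (a results dict initialised to "not done", your own exception handling, and always yielding a FunctionResult dictionary) and builds the URL from the dns_name variable instead of the literal string "dns_name"; this is an added example, not code from the thread or from IBM. The hostname check, the names check_dns_via_proxy and WebMarshalProxyComponent, the injectable fetch callable and the proxy address are assumptions.

```python
import logging
import re

log = logging.getLogger(__name__)

# Syntax check for a bare hostname (assumed policy, not from the thread):
# dot-separated labels of letters, digits and hyphens; no scheme, port or path.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def check_dns_via_proxy(dns_name, proxy_url, fetch):
    """Core logic without Resilient imports, so it can be run and tested directly.
    fetch(url, proxies) returns an HTTP status code: requests.get(...).status_code
    inside the integration, a stub in a test."""
    # Start with a complete dict so the function never hands back None.
    results = {"value": "not done", "dns_name": dns_name,
               "status_code": None, "error": None}
    if not dns_name or not _HOSTNAME_RE.match(dns_name):
        results["error"] = "artifact value is not a bare hostname: %r" % (dns_name,)
        return results
    # The artifact is a hostname, so the URL is built from the variable
    # (the thread's code requested the literal string "dns_name").
    url = "http://%s/" % dns_name
    proxies = {"http": proxy_url, "https": proxy_url}
    try:
        results["status_code"] = fetch(url, proxies)
        results["value"] = "done"
    except Exception as exc:  # own error handling, not only FunctionError()
        log.exception("proxy request for %s failed", dns_name)
        results["error"] = str(exc)
    return results


# Resilient-Circuits wrapper, following the codegen template quoted in the
# thread. The import is guarded so this file also loads on a plain Python box.
try:
    from resilient_circuits import ResilientComponent, function, FunctionResult
    import requests

    class WebMarshalProxyComponent(ResilientComponent):
        @function("web_marshal_url_proxy")
        def _web_marshal_url_proxy_function(self, event, *args, **kwargs):
            def fetch(url, proxies):
                return requests.get(url, proxies=proxies, timeout=10).status_code
            results = check_dns_via_proxy(
                kwargs.get("dns_name"), "http://<proxy-ip>:8081", fetch)  # placeholder proxy
            log.info("results: %s", results)  # %s placeholder, not extra positional args
            yield FunctionResult(results)     # always a dict, never None
except ImportError:
    pass  # outside an integration server only check_dns_via_proxy() is usable
```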