IBM Security QRadar SOAR

  • 1.  Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Thu March 28, 2019 10:58 AM
    Hi,

    To stop a Resilient for less than 15 minutes (what the built-in gadget permits), it is possible to create a function in Python that calls the time.sleep() method to stop the whole workflow for the desired time, using an input for specifying minutes, seconds...

    Next link contains a function that implements this functionality:
    Resilient - Security

    I have some doubts regarding what happens when we do that:

    -What happens with the queue on the message destination where the function is subscribed? (2nd time Sleeper function is called it will be queued and executed when first one finishes or is independent?)

    -What if the same workflow containing Sleeper is called multiple times? Will the execution of the second call have to wait until the first one finishes or is independent?

    -Should we use a message destination with NOT Expected Acknowledgement to avoid those problems?


    If someone has experimented with a similar function and/or problems and can help, it would be great.

    Regards,
    Dídac.

    ------------------------------
    Didac Cornet
    ------------------------------


  • 2.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Thu March 28, 2019 03:00 PM
    Hi Dídac

    I am writing a Timer function that will be available in the fn_utilities package in the Resilient Community Apps.
    It will provide a little more functionality than the sleep function that you posted here. It will periodically wake up and
    check to see if the calling workflow is still running and will end execution if the workflow has terminated.
    Included will be an example workflow that calls the Timer function twice using a parallel gateway (working on
    this at the moment). A rule can be defined that uses activity fields that allows the user to enter the time to sleep
    (in seconds, hours, minutes, or days). Each call to the Timer function will run in its own thread.

    How you define your workflow determines whether the first one waits till finished if you are calling it multiple times.
    You can call the Timer function multiple times serially or in parallel (using the parallel gateway).

    Hopefully this function will be available within the next few weeks.

    AnnMarie Norcross

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Mon April 08, 2019 05:02 PM
    Regarding the message queue, does it mean that the message will be there until the end of code execution? Does it mean that if we have one integration service to execute it, it'll prevent other executions?

    Or were you able to implement a different mechanism, like a thread?

    ------------------------------
    Clément Fouque
    ------------------------------



  • 4.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Tue April 09, 2019 12:44 PM
    Hi Clément 

    Attached is a screen shot of a workflow that will be included in fn_utilities with the Timer function.  It shows
    two calls to the Timer function in parallel.  Resilient-circuits will create a separate thread for each
    function call instance. 

    If you string your workflow function calls in series (all in one line) it will execute each function sequentially
    in one thread.

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Mon April 15, 2019 09:56 AM
    The Timer function is now available on the App Exchange in Utility Functions for Resilient V1.0.7.

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 6.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Mon April 15, 2019 12:53 PM
    Wonderful! Thank you!

    ------------------------------
    Clément Fouque
    ------------------------------



  • 7.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Thu May 16, 2019 04:48 AM
    Hello,

    I'm using the Timer function provided in fn_utils_1.0.7. The goal is to execute a Workflow with 2 main branches:
    • branch 1: routine A (Timer1 in screenshot. It takes 10 seconds to finish)
    • branch 2: a timeout routine if routine A has not finished within a specified time (Timer 2 and Notes in screenshot. It starts its time counter at the same time as Timer1 and, once 30 seconds have passed, it does actions or not depending on the WF status. If the upper branch finished successfully -> do nothing; else: send awareness that something was wrong.)

    Here the WF example:



    The goal is that when Timer1 finishes (10s), the Workflow finishes too, so that when Timer2 executes after some 'wf_check_interval' or at its maximum (30s), the Workflow appears as 'terminated' and executes the action in 'If WF has terminated'. But every time Timer2 executes, it returns 'terminated' = False.

    I'm assuming that Parallel Gateways are the ones I need for finishing the Workflow once one of the two branches finishes, but the Workflow keeps running until branch 2 is finished.

    I cannot see what could be wrong or if I'm not using the timer for what it was thought for... Any help is appreciated.


    Regards,
    Dídac

    This is the output on circuits:
    2019-05-16 08:09:27,681 INFO [actions_component] Event: <timer[] (id=XX, workflow=test_timer, user=XXX) 2019-05-16 08:09:27.207000> Channel: functions.timer
    2019-05-16 08:09:27,888 INFO [timer] generic_helpers_time: 10s
    2019-05-16 08:09:27,889 INFO [timer] generic_helpers_epoch: None
    2019-05-16 08:09:28,091 INFO [actions_component] Event: <timer[] (id=XX, workflow=test_timer, user=XXX) 2019-05-16 08:09:27.217000> Channel: functions.timer
    2019-05-16 08:09:28,297 INFO [timer] generic_helpers_time: 30s
    2019-05-16 08:09:28,298 INFO [timer] generic_helpers_epoch: None
    2019-05-16 08:09:29,637 INFO [decorators] [timer] StatusMessage: Sleeping for 5s. 0/10s complete.
    2019-05-16 08:09:30,683 INFO [decorators] [timer] StatusMessage: Sleeping for 15s. 0/30s complete.
    2019-05-16 08:09:34,731 INFO [decorators] [timer] StatusMessage: Sleeping for 5s. 5/10s complete.
    2019-05-16 08:09:39,837 INFO [decorators] [timer] StatusMessage: Total sleep time 10 seconds complete.
    2019-05-16 08:09:39,838 INFO [timer] RESULTS: {'wf_terminated': False, 'wf_status': {'instance_id=XX': 27129, 'status': 'running', 'start_date': 1557994166303, 'end_date': None, 'reason': None, 'is_terminated': False}, 'wf_terminate_reason': None}
    2019-05-16 08:09:39,840 INFO [timer] > Complete
    2019-05-16 08:09:45,783 INFO [decorators] [timer] StatusMessage: Sleeping for 15s. 15/30s complete.
    2019-05-16 08:10:00,944 INFO [decorators] [timer] StatusMessage: Total sleep time 30 seconds complete.
    2019-05-16 08:10:00,945 INFO [timer] RESULTS: {'wf_terminated': False, 'wf_status': {'instance_id=XX': 27129, 'status': 'running', 'start_date': 1557994166303, 'end_date': None, 'reason': None, 'is_terminated': False}, 'wf_terminate_reason': None}
    2019-05-16 08:10:00,947 INFO [timer] > Complete
    2019-05-16 08:10:03,573 INFO [actions_component] Event: <add_note[] (id=XX, workflow=test_timer, user=XXX) 2019-05-16 08:10:03.210000> Channel: functions.add_note
    2019-05-16 08:10:03,780 INFO [add_note] note_content: NOT TERMINATED
    2019-05-16 08:10:04,805 INFO [decorators] [add_note] StatusMessage: Note added to Incident '<incident_id=XX>'.




    ------------------------------
    Dídac Cornet
    ------------------------------



  • 8.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Tue May 21, 2019 03:24 PM
    Hi  Dídac,

    I hope I am understanding correctly what you are asking? 

    So your diagram contains one workflow and under normal execution the workflow will not
    terminate till after the second parallel gateway and both branches are finished executing. 
    (Each branch is executed in its own thread.)  If the user hits the "terminate" button from
    the workflow status menu while executing the first branch, the second branch will get workflow
    status "terminated".

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------
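
The behaviour described in posts 2 and 8, as an added simplified model on a virtual clock (this is not the fn_utilities Timer code and not part of any post): each timer wakes every check interval and ends early only if the workflow was terminated, while the closing parallel gateway keeps the workflow "running" until every branch has finished. The names `timer`, `run_workflow`, `terminate_at` and the result keys `slept` and `finished_at` are assumptions made for this sketch.

```python
import heapq

def timer(total, check_interval, status):
    """Generator: yields each sleep length, returns the timer's result dict."""
    slept = 0
    while slept < total:
        if status() == "terminated":           # workflow was cancelled: stop early
            return {"wf_terminated": True, "slept": slept}
        step = min(check_interval, total - slept)
        yield step                              # sleep until the next wake-up
        slept += step
    return {"wf_terminated": status() == "terminated", "slept": slept}

def run_workflow(timers, terminate_at=None):
    """Run branches in parallel; timers = {name: (total_s, check_interval_s)}."""
    state = {"status": "running", "open": len(timers)}
    branches = {name: timer(total, interval, lambda: state["status"])
                for name, (total, interval) in timers.items()}
    queue = [(0, name) for name in branches]    # (virtual wake-up time, branch)
    heapq.heapify(queue)
    results = {}
    while queue:
        now, name = heapq.heappop(queue)
        if (terminate_at is not None and now >= terminate_at
                and state["status"] == "running"):
            state["status"] = "terminated"      # user pressed "terminate"
        try:
            heapq.heappush(queue, (now + next(branches[name]), name))
        except StopIteration as done:
            results[name] = dict(done.value, finished_at=now)
            state["open"] -= 1
            # Closing parallel gateway: the workflow ends only when all branches arrive.
            if state["open"] == 0 and state["status"] == "running":
                state["status"] = "completed"
    return results, state["status"]

if __name__ == "__main__":
    layout = {"Timer1": (10, 5), "Timer2": (30, 15)}   # values from post 7's log
    print(run_workflow(layout))                   # no terminate: both report False
    print(run_workflow(layout, terminate_at=12))  # Timer2 stops at its 15s wake-up
```

In the first run Timer2 still sees a running workflow at 30s because its own branch has not yet reached the closing gateway; only the explicit terminate in the second run makes it report `wf_terminated` as True.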



  • 9.  RE: Pause / Sleep function for delaying WorkFlows less than 15 minutes

    Posted Fri May 24, 2019 08:39 AM
    Hi AnnMarie,

    Thanks for your answer.


    Regards,

    Dídac.

    ------------------------------
    Didac Cornet
    ------------------------------