IBM Security QRadar SOAR

  • 1.  Resilient Custom Action unable to instantiate events, ActionMessage

    Posted Wed August 19, 2020 09:25 AM
    Hi All.

    I'm new to custom action development in Resilient. We would like to request your assistance on this.
    We have an existing app connector that was interacting with Resilient v28 and other automation tools; what it does is get the Resilient incident and send it to the other automation tools. It was triggered manually by clicking the actions in Resilient. We built/upgraded a new Resilient v37 and installed the existing app connector. The script (.py file) is running, however it always meets this condition:
    from resilient_circuits import ResilientComponent, ActionMessage, handler

    class PhantomActions(ResilientComponent):
        # Assumed value: the channel is the message destination the rule posts to
        channel = "actions.phantom"

        @handler()
        def run_x_action(self, event, *args, **kwargs):
            """
            The string passed to @handler must match the action name in Resilient
            """
            # With no name given, @handler() receives every event on this channel,
            # so anything that is not an action invocation is dropped here
            if not isinstance(event, ActionMessage):
                print('return')
                return
    That causes the whole script not to run.
    Please let me know what the problem may be.

    Thanks

    ------------------------------
    Marc Lainez
    ------------------------------


  • 2.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    IBM Champion
    Posted Wed August 19, 2020 12:17 PM
    Did you use the Python Resilient SDK to build the custom action via codegen? This is how you do it.

    https://github.com/ibmresilient/resilient-python-api/tree/master/resilient-sdk

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 3.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    Posted Thu August 20, 2020 04:55 AM
    Hi @Jared Fagel.

    Thank you very much for this reference; it will help me a lot with succeeding projects. Also, kindly disregard my inquiry in the other post; I already figured out the API key authentication. It was due to a permission issue with the service account.

    Regards

    ------------------------------
    Marc Lainez
    ------------------------------



  • 4.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    Posted Thu August 27, 2020 10:00 AM
    Hi @Jared Fagel.

    I would like to request your assistance again. I encountered an issue with the same custom app: I created a new environment and installed the custom app. When I modify app.config and set this item, "componentsdir=/usr/local/lib/python3.6/site-packages/rc_phantomcyber/components", the app runs twice, but if I remove this item the app connector does not run anymore.

    I would like to know if there's something that I missed configuring. Below is the entry point in my setup.py:
    from setuptools import setup, find_packages

    setup(
        name="rc_phantomcyber",
        packages=find_packages(),
        entry_points={
            # Register the component with resilient_circuits
            "resilient.circuits.components": ["PhantomActions = rc_phantomcyber.components.phantomactions:PhantomActions"],
            # Supply this app's section to `resilient-circuits config`
            "resilient.circuits.configsection": ["gen_config = rc_phantomcyber.components.gen_config:config_section_data"],
        },
    )
    Thanks

    ------------------------------
    Marc Lainez
    ------------------------------



  • 5.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    IBM Champion
    Posted Thu August 27, 2020 10:52 AM
    I'm a bit confused, @Sev Cu.

    Once you codegen, you should not have to modify componentsdir.

    Additionally, looking at your entry_points, that is not the expected creation. It should have been dynamically built like in this example:
    https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_exchange_online/setup.py

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 6.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    Posted Fri August 28, 2020 05:57 AM
    Hi @Jared Fagel.

    Sorry for the confusion. I just reused the previous custom app; I'm not sure whether it was generated through codegen. I tried to follow the instructions in the given link (https://github.com/ibmresilient/resilient-python-api/tree/master/resilient-sdk), then just copied all the .py files under components and modified some stuff like LICENSE etc. Still, I was unable to subscribe to the Message Destination that I created. At this time I didn't modify componentsdir in app.config. Below is the sample app.log.

    The custom app should be triggered manually using the Resilient Rules.

    2020-08-28 17:44:52,273 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201 HTTP/1.1" 200 None
    2020-08-28 17:44:52,385 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/types/incident/fields HTTP/1.1" 200 None
    2020-08-28 17:44:52,438 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/types/actioninvocation/fields HTTP/1.1" 200 None
    2020-08-28 17:44:52,496 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/message_destinations HTTP/1.1" 200 None
    2020-08-28 17:44:52,542 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/functions HTTP/1.1" 200 None
    2020-08-28 17:44:52,592 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/types/__function/fields HTTP/1.1" 200 None
    2020-08-28 17:44:52,594 DEBUG [actions_component] Reset idle timer
    2020-08-28 17:44:52,672 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/actions HTTP/1.1" 200 None
    2020-08-28 17:44:52,679 INFO [app] Components auto-load directory: (none)
    2020-08-28 17:44:52,863 DEBUG [filelock] Attempting to release lock 140267670355080 on /home/soarintegration/.resilient/resilient_circuits.lock
    2020-08-28 17:44:52,863 INFO [filelock] Lock 140267670355080 released on /home/soarintegration/.resilient/resilient_circuits.lock
    2020-08-28 17:44:53,618 INFO [app] Configuration file: /home/soarintegration/.resilient/app.config
    2020-08-28 17:44:53,619 INFO [app] Resilient server: ibm-resilient
    2020-08-28 17:44:53,619 INFO [app] Resilient user: admin@example.com
    2020-08-28 17:44:53,619 INFO [app] Resilient org: TEST
    2020-08-28 17:44:53,620 INFO [app] Logging Level: DEBUG
    2020-08-28 17:44:53,621 DEBUG [actions_component] create idle timer
    2020-08-28 17:44:53,622 WARNING [co3] Unverified HTTPS requests (cafile=false).
    2020-08-28 17:44:53,625 DEBUG [connectionpool] Starting new HTTPS connection (1): ibm-resilient:443
    2020-08-28 17:44:53,940 DEBUG [connectionpool] https://ibm-resilient:443 "POST /rest/session HTTP/1.1" 200 None
    2020-08-28 17:44:53,942 DEBUG [co3] {
    "orgs": [
    {
    "id": 201,
    .
    .
    .
    .
    "effective_system_permissions": [],
    "is_saml": false,
    "is_ldap": false
    }
    2020-08-28 17:44:54,090 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201 HTTP/1.1" 200 None
    2020-08-28 17:44:54,202 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/types/incident/fields HTTP/1.1" 200 None
    2020-08-28 17:44:54,251 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/types/actioninvocation/fields HTTP/1.1" 200 None
    2020-08-28 17:44:54,355 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/message_destinations HTTP/1.1" 200 None
    2020-08-28 17:44:54,410 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/functions HTTP/1.1" 200 None
    2020-08-28 17:44:54,459 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/types/__function/fields HTTP/1.1" 200 None
    2020-08-28 17:44:54,461 DEBUG [actions_component] Reset idle timer
    2020-08-28 17:44:54,536 DEBUG [connectionpool] https://ibm-resilient:443 "GET /rest/orgs/201/actions HTTP/1.1" 200 None
    2020-08-28 17:44:54,543 INFO [app] Components auto-load directory: (none)
    2020-08-28 17:44:54,730 DEBUG [filelock] Attempting to release lock 140533014711320 on /home/soarintegration/.resilient/resilient_circuits.lock
    2020-08-28 17:44:54,730 INFO [filelock] Lock 140533014711320 released on /home/soarintegration/.resilient/resilient_circuits.lock

    Thanks


    ------------------------------
    Marc Lainez
    ------------------------------



  • 7.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    Posted Fri August 28, 2020 06:47 AM
    Actually my problem is that the custom app is unable to trigger if I click the Action in Resilient and then choose the Rule where the message destination resides. If I modify app.config and fill in the value of componentsdir, the custom app is triggered, but twice.

    Thanks


    ------------------------------
    Marc Lainez
    ------------------------------
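The two symptoms in this thread both trace back to app.config: the component triggering twice only when componentsdir points at the installed package's own components directory is consistent with resilient-circuits loading the same component once from the setup.py entry point and once from the directory scan, and the app.log above shows "Unverified HTTPS requests (cafile=false)", meaning the integration is talking to the Resilient server without TLS certificate verification. The script below is an added example written for this page, not code from the thread or from the resilient-circuits project: it lints an app.config for both problems. The sample configs, the module listing returned by fake_listing(), and the CA bundle path in FIXED_CONFIG are constructed for the example; audit() can also be pointed at the live ~/.resilient/app.config and the entry points actually installed.

```python
"""Audit a resilient-circuits app.config for two problems discussed in this
thread: a component loaded twice (entry point + componentsdir) and TLS
verification switched off (cafile=false). Added example, not thread code."""
import configparser
import importlib.metadata
from pathlib import Path, PurePosixPath

COMPONENT_GROUP = "resilient.circuits.components"


def parse_resilient_section(config_text):
    """Return the [resilient] section of an app.config as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return dict(cp["resilient"]) if cp.has_section("resilient") else {}


def installed_component_specs():
    """Component entry points of installed packages, as 'Name = module:Class'."""
    eps = importlib.metadata.entry_points()
    group = eps.select(group=COMPONENT_GROUP) if hasattr(eps, "select") else eps.get(COMPONENT_GROUP, [])
    return [f"{ep.name} = {ep.value}" for ep in group]


def modules_in_dir(componentsdir):
    """Module names resilient-circuits would auto-load from componentsdir."""
    return {p.stem for p in Path(componentsdir).glob("*.py") if p.stem != "__init__"}


def double_loaded(componentsdir, dir_modules, specs):
    """Entry points whose module file also lives inside componentsdir."""
    hits = []
    dir_parts = PurePosixPath(componentsdir).parts
    for spec in specs:
        name, _, target = (s.strip() for s in spec.partition("="))
        module = target.split(":", 1)[0]  # 'pkg.components.mod:Class' -> 'pkg.components.mod'
        *package, stem = module.split(".")
        # componentsdir must end with the module's package path for it to be the same file
        same_package = not package or tuple(dir_parts[-len(package):]) == tuple(package)
        if stem in dir_modules and same_package:
            hits.append((name, module))
    return hits


def audit(config_text, specs, list_dir=modules_in_dir):
    """Return a list of findings; an empty list means nothing was flagged."""
    section = parse_resilient_section(config_text)
    findings = []
    if section.get("cafile", "").strip().lower() == "false":
        findings.append("cafile=false: TLS certificate verification to the Resilient server is disabled")
    componentsdir = section.get("componentsdir", "").strip()
    if componentsdir:
        for name, module in double_loaded(componentsdir, list_dir(componentsdir), specs):
            findings.append(f"componentsdir={componentsdir} and entry point {name} both load {module}")
    return findings


# Constructed samples (not taken from the thread's real files).
WEAK_CONFIG = """
[resilient]
host=ibm-resilient
port=443
org=TEST
cafile=false
componentsdir=/usr/local/lib/python3.6/site-packages/rc_phantomcyber/components
"""

# Corrected form: componentsdir unset (the entry point registers the component),
# cafile pointing at the CA bundle that signed the server certificate (assumed path).
FIXED_CONFIG = """
[resilient]
host=ibm-resilient
port=443
org=TEST
cafile=/etc/pki/tls/certs/resilient-ca.pem
"""

SPECS = ["PhantomActions = rc_phantomcyber.components.phantomactions:PhantomActions"]


def fake_listing(componentsdir):
    """Stand-in for modules_in_dir() so the example runs without the package installed."""
    return {"phantomactions", "gen_config"}


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, SPECS, fake_listing):
        print("WEAK:", finding)
    print("FIXED:", audit(FIXED_CONFIG, SPECS, fake_listing) or "clean")
    # Against the live install (path as seen in the app.log above):
    live = Path.home() / ".resilient" / "app.config"
    if live.exists():
        for finding in audit(live.read_text(), installed_component_specs()):
            print("LIVE:", finding)
```

The double-load check deliberately compares the tail of componentsdir against the entry point's package path rather than just the file name, so a genuinely separate components directory that happens to contain a file with the same name is not flagged. Run it from the same virtualenv the integration runs in, otherwise importlib.metadata will not see the app's entry points.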



  • 8.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    Posted Fri August 28, 2020 06:51 AM
    In addition, I'm using Resilient v38.

    ------------------------------
    Marc Lainez
    ------------------------------



  • 9.  RE: Resilient Custom Action unable to instantiate events, ActionMessage

    IBM Champion
    Posted Fri August 28, 2020 04:16 PM
    Hi @Sev Cu, maybe open a case on that? I've not seen that before, and the log output you provided did not show that and looked unrelated.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------