IBM Security QRadar SOAR


Action and Workflow Status

  • 1.  Action and Workflow Status

    Posted Mon August 17, 2020 05:42 AM

    Hello, 

    I'm configuring Resilient on a test environment to achieve some automation along with QRadar.

    I configured an MSSP environment and I've imported a couple of offenses from QRadar to see how I can automate things on both sides.

    I configured some integrations, from X-Force to IPinfo, to see if I can automatically look up IP addresses against botnet/command-and-control servers.

    I'm encountering some issues: every time I perform an action or a workflow, they just simply get stuck; even the rules do.

    If I click on "Actions" in the top-right corner and then "Action Status" or "Workflow Status", every action, workflow or rule is in a "Suspended" status.

    With that being said, how can I check what's wrong with these actions?

    What is the best path to follow in order to achieve what I'm looking for? I just want to configure a function that, given an offense from QRadar, notifies me if one of the IPs is related to some botnet and, if not, closes the offense and the incident. Is that possible?



    ------------------------------
    Alessandro Di Liberto
    ------------------------------


  • 2.  RE: Action and Workflow Status

    IBM Champion
    Posted Mon August 17, 2020 02:13 PM
    From KC:

    A Suspended workflow can occur when the incident closes before the workflow completes. Reopening an incident resumes the workflow. You can permanently terminate a workflow if it is suspended and you do not plan to reopen the incident.


    Are the incidents closed?

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 3.  RE: Action and Workflow Status

    Posted Tue August 18, 2020 03:19 AM

    Hello Jared, 

    No, the incidents are open; I'm using offenses from QRadar, imported via the QRadar integration app.



    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 4.  RE: Action and Workflow Status

    Posted Tue August 18, 2020 07:15 AM
    It should never be the case that a workflow status is Suspended if an Incident is open. If you can provide some screenshots or details about how to get into this situation it could shed some light on what is going on.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: Action and Workflow Status

    Posted Wed August 19, 2020 03:25 AM

    Hello Ben, thank you for the answer.

    Below are two screenshots: one shows the actions and the other the related workflow. Basically, once I try to execute an action, it goes into Suspended status immediately and then into Timeout after 2-3 days.



    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 6.  RE: Action and Workflow Status

    IBM Champion
    Posted Wed August 19, 2020 12:09 PM
    Where do you see "Suspended" ? I only see "Running" and "Pending" listed.

    "Pending" means it's waiting for a response from the app host / integration server.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 7.  RE: Action and Workflow Status

    Posted Fri August 21, 2020 04:25 AM

    Hello Jared, 

    Yes, now it's in a Running/Pending status, but no value is returned. I checked the Integration Server and resilient-circuits is running fine, even when testing those components:


    [integration@resilient ~]$ resilient-circuits selftest -l fn-ipinfo
    fn-ipinfo:
    Gathered IP Info Access token
    Sending query to IpInfo
    selftest: success, Elapsed time: 0.000000 seconds



    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 8.  RE: Action and Workflow Status

    IBM Champion
    Posted Fri August 21, 2020 01:27 PM
    Hi @Alessandro Di Liberto,

    The tests do not actually connect to the Resilient web UI, to my knowledge.

    I'd imagine your server is not properly connected if no actions are running. Open a ticket with IBM Resilient support to troubleshoot.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 9.  RE: Action and Workflow Status

    Posted Mon August 24, 2020 03:07 AM
    Hello Jared, the Integration Server is currently running on the same Resilient machine. I don't think this is a connection issue.

    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 10.  RE: Action and Workflow Status

    Posted Wed August 26, 2020 08:23 AM
    A pending function means that the integration server has not connected to Resilient to process the message and return the result. I suggest looking in the circuits logs on the integration server and ensure it is connecting to Resilient, listening on the correct message destinations and processing the messages.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 11.  RE: Action and Workflow Status

    Posted Thu August 27, 2020 06:34 AM

    Hello Ben, 

    This should affect every integration installed. The QRadar integration is working fine: I can do Ariel searches, reference set searches, etc.



    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 12.  RE: Action and Workflow Status

    Posted Thu August 27, 2020 10:07 AM
    It sounds like some integrations are working and some aren't. In any case, a Pending status means that the integration has not responded to the request from Resilient. The place to look for issues of that sort is in the circuits logs. It could be the integration never was listening for the messages (the specific message destination). It could be the user/API key does not have permission to read from the message destination. It could be the integration failed trying to process the message or return a result. All of those things would show up in the circuits logs.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
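
Added example, not part of the thread and not IBM's own tooling: a small triage script for the three causes Ben lists in replies 10 and 12 (integration server never connected, never subscribed to the function's message destination, or failed while processing). It scans a resilient-circuits log for a given message destination and reports which of those checks fail. Every sample log line below is constructed for this example; the timestamp/level/logger layout, logger names such as `resilient_circuits.stomp_component` and the "Subscribe to message destination" wording are assumptions, not verbatim resilient-circuits output, so adjust the regexes to your real log before trusting the verdict.

```python
"""Triage a resilient-circuits log for a function stuck in "Pending".

Log format and message wording are constructed approximations (assumption).
"""
import re
from dataclasses import dataclass

# Assumed line layout: "<date> <time>,<ms> <LEVEL> [<logger>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
SUBSCRIBE_RE = re.compile(r"Subscribe to message destination '(?P<dest>[^']+)'")

# Constructed sample 1: connected, subscribed, but the function raised on a message.
SAMPLE_LOG_FUNCTION_ERROR = """\
2020-08-21 10:00:02,120 INFO [resilient_circuits.stomp_component] Connected to resilient.example.local:65001
2020-08-21 10:00:02,300 INFO [resilient_circuits.actions_component] Subscribe to message destination 'fn_qradar_integration'
2020-08-21 10:00:02,310 INFO [resilient_circuits.actions_component] Subscribe to message destination 'fn_ipinfo'
2020-08-21 10:05:10,500 INFO [fn_ipinfo] Received message on 'fn_ipinfo' for incident 2101
2020-08-21 10:05:11,000 ERROR [fn_ipinfo] Exception while looking up 203.0.113.7: HTTP 401 from IPinfo
2020-08-21 10:05:11,010 ERROR [resilient_circuits.actions_component] Failed to process message on 'fn_ipinfo'
"""

# Constructed sample 2: connected, but only the QRadar destination was ever subscribed.
SAMPLE_LOG_NOT_SUBSCRIBED = """\
2020-08-21 10:00:02,120 INFO [resilient_circuits.stomp_component] Connected to resilient.example.local:65001
2020-08-21 10:00:02,300 INFO [resilient_circuits.actions_component] Subscribe to message destination 'fn_qradar_integration'
"""


@dataclass(frozen=True)
class LogEvent:
    ts: str
    level: str
    logger: str
    msg: str


def parse_log(text: str) -> list:
    """One event per matching line; traceback continuation lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LogEvent(**m.groupdict()))
    return events


def subscribed_destinations(events) -> set:
    """Message destinations the circuits process announced it subscribed to."""
    dests = set()
    for e in events:
        m = SUBSCRIBE_RE.search(e.msg)
        if m:
            dests.add(m.group("dest"))
    return dests


def diagnose(text: str, destination: str) -> dict:
    """Run the three checks from the thread and return them with a verdict."""
    events = parse_log(text)
    connected = any("stomp" in e.logger.lower() and e.msg.startswith("Connected to")
                    for e in events)
    subscribed = destination in subscribed_destinations(events)
    errors = [e for e in events
              if e.level == "ERROR" and (destination in e.logger or destination in e.msg)]
    if not connected:
        verdict = "not connected: check host, port and API key in app.config"
    elif not subscribed:
        verdict = (f"no subscription to '{destination}': package not loaded, or the "
                   "API key lacks read permission on that message destination")
    elif errors:
        verdict = f"subscribed but {len(errors)} error(s) while processing; read them"
    else:
        verdict = ("connected and subscribed with no errors: confirm the function's "
                   "message destination on the platform matches this name")
    return {"connected": connected, "subscribed": subscribed,
            "errors": [e.msg for e in errors], "verdict": verdict}


if __name__ == "__main__":
    for label, log in (("function error", SAMPLE_LOG_FUNCTION_ERROR),
                       ("not subscribed", SAMPLE_LOG_NOT_SUBSCRIBED)):
        print(label, "->", diagnose(log, "fn_ipinfo")["verdict"])
```

Run it against the real file (the path resilient-circuits logs to is set in app.config) with the message destination shown on the function definition in the platform; an empty or unparseable log yields the "not connected" verdict, which is the same thing the platform's Pending state is telling you.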