IBM Security QRadar SOAR

  • 1.  about Action Processor support in Playbook Designer

    Posted Fri August 20, 2021 12:55 AM
    In the SOAR V42 document center, 

    title: Converting rules to playbooks
    excerpt from description:
    "There is no direct correlation in the playbook for any message destination invoked directly from the rule or workflow. Instead, you can create a function to provide the message destination."

    So I created a playbook which has a function. The function simply specifies the message destination, which is monitored by an action processor.

    ---
    By executing the playbook, its trigger was propagated to the action processor but it failed with the following message:

    2021-08-20 02:21:25,592 INFO [actions_component] Event: <action[] (id=60, workflow=playbook_e42302d5_c4cb_4f2e_ab8b_5998f0ec998a, user=jpresadmin@example.com) 2021-08-20 02:21:22.435000> Channel: functions.action
    2021-08-20 02:21:25,594 ERROR [action_message] FunctionResult must be a dictionary. 'NoneType' may cause the workflow to fail.

    ---
    If I try it from the message destination in a rule, it succeeds.

    2021-08-20 03:52:37,075 INFO [actions_component] Event: <名前解決[] (id=117, workflow=None, user=jpresadmin@example.com) 2021-08-20 03:52:33.852000> Channel: actions.action
    2021-08-20 03:52:37,076 INFO [nslookup] inc_id: 2142, ip_address: 9.68.70.91

    So I feel we're unable to invoke action processors in a playbook designed in Playbook Designer. I wonder how action processors will be treated in future SOAR environments.


    ------------------------------
    Yohji Amano
    ------------------------------


  • 2.  RE: about Action Processor support in Playbook Designer

    Posted Mon August 23, 2021 08:27 AM
    Does the action processor return data? I would expect it to work if no data is returned. Is this a custom implemented action processor or something downloaded and being used?

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: about Action Processor support in Playbook Designer

    Posted Mon August 23, 2021 07:56 PM
    Ben thank you for the response.

    The action processor does not return data. I'm not sure of the origin, but the action processor was one that someone created.

    I tried the following, but it has not succeeded:
     - commenting out the return statement in the action processor
     - setting the "Expect Acknowledgement" attribute of the message destination to "No"

    #!/usr/bin/env python
    # Legacy action processor: subscribes to an "actions.<queue>" channel, runs
    # nslookup on the artifact value and attaches the output to the incident.
    from circuits.core.handlers import handler
    from resilient_circuits.actions_component import ResilientComponent, ActionMessage
    import os
    import time
    import logging
    import datetime
    
    LOG = logging.getLogger(__name__)
    CONFIG_DATA_SECTION = 'nslookup'
    
    class nslookupComponent(ResilientComponent):
        def __init__(self, opts):
            super(nslookupComponent, self).__init__(opts)
            self.options = opts.get(CONFIG_DATA_SECTION, {})
            LOG.info(self.options)
            # Message destination (queue) this component listens on
            self.channel = "actions." + self.options.get("queue", "nslookup")
            self.temp_dir = self.options.get("temp_dir", "/tmp")
    
        @handler()
        def _nslookup(self, event, *args, **kwargs):
            # Only handle action messages; ignore any other event on the channel
            if not isinstance(event, ActionMessage):
                return
            artifact = event.message["artifact"]
            inc_id = str(artifact["inc_id"])
            ip_address = str(artifact["value"])
            LOG.info("inc_id: %s, ip_address: %s" % (inc_id, ip_address))
            searchtime = datetime.datetime.now()
            temp_file = "%s/nslookup-%s-%s.txt" % (
                self.temp_dir, ip_address, searchtime.strftime("%Y%m%d%H%M%S"))
            resilient_client = self.rest_client()
            # Note: the artifact value is interpolated unescaped into a shell command line
            os.system('/usr/bin/nslookup %s | /usr/bin/unix2dos > %s' % (ip_address, temp_file))
            # Attach the lookup output to the incident, then remove the temp file
            path = '/incidents/%s/attachments' % (inc_id)
            resilient_client.post_attachment(path, temp_file)
            time.sleep(5)
            if os.path.exists(temp_file):
                os.remove(temp_file)
            # return "Submitted"   (commented out: the processor returns no data)


    ------------------------------
    Yohji Amano
    ------------------------------



  • 4.  RE: about Action Processor support in Playbook Designer

    Posted Tue August 24, 2021 08:14 AM
    I see. It is the Resilient Action framework itself generating this error. The framework knows that this is a Function and expects a FunctionResult that contains map data which is the result of the function.

    I think you have two options:

    1) Use the new Atomic Function template released just recently: https://community.ibm.com/community/user/security/blogs/shane-curtin1/2021/06/28/release-of-v411-ibm-security-soar-python-librarie. Since you have the code, using it in the new template style should be straightforward.
    2) Try to retrofit the existing code to return the FunctionResult as expected. You'll have to take a look in the Resilient Python libraries to see what the data structure is supposed to be. It may not be difficult once you figure it out.

    My personal suggestion is to use the new Function templates as that keeps your code up to date with the frameworks.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: about Action Processor support in Playbook Designer

    Posted Thu August 26, 2021 07:57 PM
    Thank you for the suggestions.
    I tried 2).
    By referring to some function samples, I thought the following might fit.

    from resilient_circuits import FunctionResult
       :
    results = {"msg": "Submitted"}
    
    # or return
    yield FunctionResult(results)

    The above did not work either.

    So 1) would be the possible solution. I understood that existing action processors might need to be rewritten to fit the function template if they are to be used in Playbook Designer.

    ------------------------------
    Yohji Amano
    ------------------------------
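An added example, not code from this thread or from IBM, carrying option 2) through: the nslookup action processor rewritten as a resilient-circuits function that answers on a functions.* channel and yields the FunctionResult the framework expects. The function name fn_nslookup, the input field nslookup_ip and the class FnNslookupComponent are assumptions, and the attachment upload from the original processor is left out.

```python
import ipaddress
import logging
import subprocess

try:
    from resilient_circuits import (ResilientComponent, function, FunctionResult,
                                    StatusMessage, FunctionError)
except ImportError:  # assumption: stand-ins so the helpers run without the SOAR libraries
    ResilientComponent = object

    def function(name):          # no-op decorator stand-in
        return lambda f: f
    FunctionResult = dict
    StatusMessage = str
    FunctionError = ValueError

LOG = logging.getLogger(__name__)


def validate_ip(value):
    """Return the normalised IP string, or None when the artifact value is not an IP.
    Anything that is not an address never reaches the command line."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def run_nslookup(ip_address, timeout=15):
    """Run nslookup as an argument list (no shell), unlike the os.system() string above."""
    proc = subprocess.run(["nslookup", ip_address], stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True, timeout=timeout)
    return {"success": proc.returncode == 0,
            "output": proc.stdout.replace("\n", "\r\n"),  # same CRLF form unix2dos produced
            "error": proc.stderr.strip()}


class FnNslookupComponent(ResilientComponent):
    """Function component; the framework routes calls to 'fn_nslookup' here (assumed name)."""

    @function("fn_nslookup")
    def _fn_nslookup_function(self, event, *args, **kwargs):
        ip_address = validate_ip(kwargs.get("nslookup_ip"))  # assumed input field name
        if ip_address is None:
            raise FunctionError("nslookup_ip is not a valid IP address")
        yield StatusMessage("Looking up %s" % ip_address)
        # The framework requires a dict wrapped in FunctionResult; yielding nothing
        # is what produced "FunctionResult must be a dictionary" in the log above.
        yield FunctionResult(run_nslookup(ip_address))
```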