IBM Security QRadar SOAR


A script failed

  • 1.  A script failed

    Posted Wed October 21, 2020 12:12 AM
    Hi everyone,

    My Resilient fails to run a script that is triggered by another rule and workflow.
    Rule① triggered → Rule① executes Workflow① → Workflow① modifies Field① → Rule② triggered by modified Field① → Rule② executes Script① → Failed to execute Script①... :(
    Is there someone who faces the same situation, or is it a known issue?


    <Error Message>
    An error occurred while processing the action acknowledgement. Additional information: Rule 'MDR - TACTICS判定' is unable to update the Incident 'SOCP00702221139' because: Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar/Lib/../LICENSE.txt" "read")




    ------------------------------
    YUSUKE TOYAMA
    ------------------------------


  • 2.  RE: A script failed

    Posted Wed October 21, 2020 12:05 PM

    I have started seeing the same errors coming from one of my scripts that is called when incidents are created through the REST interface.  I see the following stack trace in the resilient-scripting.log

    10:15:41.976 [qtp-228722953-14526] WARN v=unknown c.r.s.rest.ExceptionMapperBase - Error executing script, 'Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar/Lib/../LICENSE.txt" "read")' on line number 34
    com.resilient.scripting.exception.AccessControlScriptingException: Script access control error
        at com.resilient.scripting.python.PythonScriptEvaluator.wrapAndRethrowKnownException(PythonScriptEvaluator.java:149)
        at com.resilient.scripting.python.PythonScriptEvaluator.wrapAndRethrow(PythonScriptEvaluator.java:176)
        at com.resilient.scripting.python.PythonScriptEvaluator.evaluate(PythonScriptEvaluator.java:214)
        at com.resilient.scripting.impl.ScriptingServiceBase.execute(ScriptingServiceBase.java:275)
        at com.resilient.scripting.rest.PythonREST.execute(PythonREST.java:65)
        at sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
        at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
        at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
        ...


    It seems like a transient issue as I have not yet been able to consistently reproduce it.  I am running 38.1.71.



    ------------------------------
    David Vasil
    ------------------------------



  • 3.  RE: A script failed

    Posted Thu October 22, 2020 11:58 AM
    Hi Yusuke and David,

    This is something we'd like to understand better so that we can come up with a solution or workaround. Is it possible for you to share your Python script with me? No need to share anything private or sensitive. You can private message me as well rather than posting publicly.

    Thanks

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 4.  RE: A script failed

    Posted Thu October 22, 2020 01:12 PM
    Edited by Sean Mc Cann Thu October 22, 2020 01:46 PM


  • 5.  RE: A script failed

    Posted Fri October 23, 2020 06:49 AM
    Thank you for providing me with your scripts. We have identified the problem and are working on a fix for version 39.0. The issue occurs when using the re module in Python 2, particularly under heavy load.

    In version 38.2 we released support for Python 3 which you might want to try out, as we do not see this issue when using Python 3. There are also some nice alternatives to regex depending on your use case such as html2text and Beautiful Soup. More details can be found in the IBM Knowledge Center https://www.ibm.com/support/knowledgecenter/SSBRUQ_38.0.0/doc/playbook/python2_and_3.html 

    Again, thanks for your help in identifying this issue.

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 6.  RE: A script failed

    Posted Mon October 26, 2020 02:36 AM
    Thank you for the valuable information.
    I'd love to try out the Python 3 language mode and see whether or not it works well with the regex script.

    This is an additional question, so please let me know if you know it.
    Python 3 will be available for workflow pre-process and post-process.
    At that time, does the function body of AppHost and workflow have to be the same version of the language?
    I'm wondering if I have to modify the Python2 series functions I've created so far to Python3 series.

    ------------------------------
    YUSUKE TOYAMA
    ------------------------------



  • 7.  RE: A script failed

    Posted Tue October 27, 2020 07:32 AM
    You can use Python 2 in your function and Python 3 in your pre- and post-scripts; you do not need to modify your existing functions.

    The pre- and post-scripts could also be different versions if you want; they do not have to match.

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 8.  RE: A script failed

    IBM Champion
    Posted Tue October 27, 2020 02:52 PM
    @Sean Mc Cann I'm also consistently seeing this error when running this line in a post-processor:


    email_body_cleaned_decoded = email_body_cleaned.decode('utf-8', errors='ignore')   # Testing encoding issues.

    An error occurred while processing the action acknowledgement. Additional information: Post-processing script for Function '[Utility] Email File (.eml) Parser' from Workflow '[Utility] Email File (.eml) Parser' was unable to complete because: Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar" "read")


    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------



  • 9.  RE: A script failed

    Posted Wed October 28, 2020 02:19 PM
    Hey Jared,

    As I mentioned on our call, this error is slightly different to the one above, as the error message does not contain ../LICENSE.txt.
    The error you are seeing happens when using encode/decode in Python 2. We are aware of this issue but as of yet have not got around to fixing it.

    ------------------------------
    Sean Mc Cann
    ------------------------------
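
A log triage sketch for the two error shapes discussed in this thread, added here as an example (it is not code from any poster or from IBM). It sorts `java.io.FilePermission` denials by whether the denied path contains `../LICENSE.txt`; the sample log lines, the rule, function and incident names in them, and the variant labels `license_txt` and `jar_only` are constructed for illustration.

```python
import re
from collections import Counter

# The sandbox denial quoted in the thread:
#   Access denied ("java.io.FilePermission" "<path>" "<action>")
DENIAL = re.compile(
    r'Access denied \("java\.io\.FilePermission" "(?P<path>[^"]+)" "(?P<action>[^"]+)"\)'
)
# Optional context: the rule or function whose script hit the denial.
OWNER = re.compile(r"(?:Rule|Function) '(?P<name>[^']+)'")

# Constructed sample input modelled on the messages posted above.
SAMPLE_LOG = """\
10:15:41.976 [qtp-1] WARN c.r.s.rest.ExceptionMapperBase - Error executing script, 'Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar/Lib/../LICENSE.txt" "read")' on line number 34
Rule 'Example Rule' is unable to update the Incident 'INC-0001' because: Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar/Lib/../LICENSE.txt" "read")
Post-processing script for Function 'Example Function' from Workflow 'Example Workflow' was unable to complete because: Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar" "read")
10:16:02.110 [qtp-2] INFO c.r.s.rest.PythonREST - script completed
"""

def classify(line):
    """Return (variant, path, owner) for a denial line, or None otherwise."""
    m = DENIAL.search(line)
    if m is None:
        return None
    path = m.group("path")
    if "../LICENSE.txt" in path:
        variant = "license_txt"   # thread: tied to the re module in Python 2
    elif path.endswith("resilient-scripting.jar"):
        variant = "jar_only"      # thread: tied to encode/decode in Python 2
    else:
        variant = "other"         # a denial on some path not seen in the thread
    owner = OWNER.search(line)
    return variant, path, owner.group("name") if owner else None

def summarize(log_text):
    """Count denials per variant across a block of log text."""
    hits = (classify(line) for line in log_text.splitlines())
    return Counter(hit[0] for hit in hits if hit is not None)

if __name__ == "__main__":
    for variant, count in summarize(SAMPLE_LOG).items():
        print(variant, count)
```
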



  • 10.  RE: A script failed

    Posted Thu November 12, 2020 01:18 PM
    A fix for this is included in the upcoming v39.0 so you should not see this error anymore after you upgrade. Thanks again for bringing it to our attention!

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 11.  RE: A script failed

    Posted Fri July 30, 2021 07:13 AM
    Hi Sean

    We are on Resilient 39.2.17 and in our post-process code (engine Python 2) we don't have any encode() - decode() function. Still we have the same error as Jared:

    Post-processing script for Function 'Utilities: Email Parse' from Workflow 'Mail Analysis ' was unable to complete because: Access denied ("java.io.FilePermission" "/usr/share/java/resilient/resilient-scripting.jar" "read")

    Any suggestions on how to solve this?
    Also, I am looking at the V39 changelog and I don't see any info about this corrected issue.

    Thanks

    ------------------------------
    Lucian Sipos
    ------------------------------