IBM Security QRadar SOAR

  • 1.  Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted Thu April 08, 2021 10:32 AM
    When processing an inbound email with Generic Email Parsing Script (https://exchange.xforce.ibmcloud.com/hub/extension/4ba70106b6f2dfa77cb1e3c921db7ff5), if the email doesn't have a From name besides the sender email, the script crashes with the error:
    11:09:56.956 [Camel (camel-1) thread #525 - JmsConsumer[email-service.save-email-data]] ERROR [] c.c.e.EmailMessageIngesterImpl - Rule 'Inbound email processing' is unable to update the Email Message 'emailmessage-1163' because: AttributeError: Invalid field name: name   line 499, in addBasicInfoToIncident
    com.co3.domain.exceptions.Co3IllegalStateException: Rule 'Inbound email processing' is unable to update the Email Message 'emailmessage-1163' because: AttributeError: Invalid field name: name
    com.ibm.resilient.common.domain.exceptions.Co3IllegalArgumentException: Script execution failed with message 'AttributeError: Invalid field name: name


    Important: I got this behavior when running the script on Python3 only.

    For instance:
    • If sender has a name, there is no problem:
    ...
    From: John Doe <johndoe@company.com>
    To: IBM Resilient <resilient@company.com>
    Subject: A subject
    ...

    • If sender has no name, it crashes in the function "addBasicInfoToIncident":
    ...
    From: <x1234@company.com>
    Subject: A subject
    To: <resilient@company.com>
    ...


    Apparently, under Python3 it is not enough to check whether the attribute emailmessage.from.name is not None, in the "addBasicInfoToIncident" function from the email parsing script:
      def addBasicInfoToIncident(self):
        """A method to perform basic information extraction from the email message.
        The email message sender address, including personal name if present, is set as the reporter field
        in the incident. An artifact is created from the email message subject with the type "Email Subject".
        No return value.
        """
        newReporterInfo = emailmessage.from.address
        # Under Python 3 this access raises AttributeError when the sender has no display name
        if emailmessage.from.name is not None:
          newReporterInfo = u"{0} <{1}>".format(emailmessage.from.name, emailmessage.from.address)
        log.info(u"Adding reporter field \"{0}\"".format(newReporterInfo))
        incident.reporter = newReporterInfo

        if emailmessage.subject is not None:
          self.addUniqueArtifact(u"{0}".format(emailmessage.subject), "Email Subject", "")

    As a workaround, I added a try/except block:

      def addBasicInfoToIncident(self):
        newReporterInfo = emailmessage.from.address
        try:
          # The 'name' attribute may be missing entirely under Python 3, not just None
          if emailmessage.from.name is not None:
            newReporterInfo = u"{0} <{1}>".format(emailmessage.from.name, emailmessage.from.address)
        except AttributeError:
          # Fall back to the bare address as the reporter
          log.error(u"Error getting emailmessage.from.name")
        log.info(u"Adding reporter field \"{0}\"".format(newReporterInfo))
        incident.reporter = newReporterInfo

        if emailmessage.subject is not None:
          self.addUniqueArtifact(u"{0}".format(emailmessage.subject), "Email Subject", "Suspicious email subject")


    Regards, 
    Guido.

    ------------------------------
    Guido Bernat
    ------------------------------


  • 2.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted Mon April 12, 2021 06:54 AM
    Hi Guido,

    Thank you for posting this issue and workaround. I think what may be useful for your workaround is to use hasattr() https://www.programiz.com/python-programming/methods/built-in/hasattr to check if name exists before trying to access it; that way you won't need to try/except.
    if hasattr(emailmessage.from, 'name'):

    There are also some changes to 'from' in Python 3 that we needed to make in v40 in order to avoid a clash with the from keyword in Python 3. You can find some details here: https://www.ibm.com/docs/en/rsoa-and-rp/40?topic=scripts-python-2-python-3-differences. It is being replaced by 'sender'. This will impact you when upgrading to v40.

    I will do some investigation into the issue you see with from.name being empty and see if we can fix that in an upcoming release.

    Thanks again,

    ------------------------------
    Sean Mc Cann
    ------------------------------
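    As an added example (not code from this thread or from IBM's parsing script), the block below models the two From headers from the original post with a constructed Mailbox class that, like the Python 3 object Guido describes, has no 'name' attribute at all when the header carries no display name. It shows the original access pattern raising AttributeError next to a getattr()-based form of the hasattr() idea; the Mailbox class and all function names are assumptions for illustration.

```python
from email.utils import parseaddr
from typing import Optional


class Mailbox:
    """Constructed stand-in for the SOAR emailmessage.from / .sender object.
    It carries a 'name' attribute only when the header supplied one.
    """

    def __init__(self, address: str, name: Optional[str] = None):
        self.address = address
        if name:
            self.name = name


def parse_from_header(raw_from: str) -> Mailbox:
    """Parse a raw RFC 5322 From header value into a Mailbox.
    parseaddr() returns an empty display name for "<x1234@company.com>".
    """
    name, address = parseaddr(raw_from)
    if not address:
        raise ValueError("no address in From header: {0!r}".format(raw_from))
    return Mailbox(address, name or None)


def naive_reporter(sender: Mailbox) -> str:
    """Original script's logic: raises AttributeError when 'name' is absent."""
    if sender.name is not None:
        return u"{0} <{1}>".format(sender.name, sender.address)
    return sender.address


def reporter_for(sender: Mailbox) -> str:
    """Hardened form: the address, prefixed with the personal name only if present.

    getattr() with a default never touches a missing attribute, so no
    try/except is needed (the same idea as the hasattr() suggestion above).
    """
    name = getattr(sender, "name", None)
    if name:
        return u"{0} <{1}>".format(name, sender.address)
    return sender.address


def reporter_from_header(raw_from: str) -> str:
    """Raw From header value in, incident reporter string out."""
    return reporter_for(parse_from_header(raw_from))
```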



  • 3.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted Mon April 12, 2021 09:34 AM
    Hi Sean,
    I will replace try/except with hasattr. I agree it is more intention-revealing.

    And thank you for the timely warning about from/sender, we're updating to v40 soon!


    Thanks!



    ------------------------------
    Guido Bernat
    ------------------------------



  • 4.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted Mon April 12, 2021 09:58 AM
    Guido,

    Also forgot to mention, we have a Python 3 version of the built-in email script that we have adapted to work in Python 3. It uses 'sender', so maybe you'll adopt this one when moving to v40. You can find it in our resilient scripting GitHub repo along with some other scripting examples. We will be updating this script soon to handle the sender name being missing.

    Thanks,

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 5.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted Tue April 13, 2021 07:51 AM
    Thank you for your post and workaround. We've queued up work to resolve this situation in the next release.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 6.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted Tue April 13, 2021 09:37 AM
    Thank you both for your quick and helpful responses!

    Best regards,

    ------------------------------
    Guido Bernat
    ------------------------------