IBM Security QRadar SOAR

 View Only
  • 1.  clone playbook with activation form

    Posted Mon October 24, 2022 04:26 AM
    I failed to copy those playbooks which have activation form. Is it a bug or not implemented yet?
    My soar versions are as follows:
       soar: 46.2
       resilient-sdk: 46.0.3461
    # resilient-sdk clone -pb playbook01 clone_playbook01
      :
    Traceback (most recent call last):
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3.py", line 745, in put
        response = super(SimpleClient, self).put(uri, payload, co3_context_token, timeout)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3base.py", line 634, in put
        BasicHTTPException.raise_if_error(response)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3base.py", line 80, in raise_if_error
        raise BasicHTTPException(response)
    resilient.co3base.BasicHTTPException: 'resilient' API Request FAILED:
    Response Code: 400
    Reason: Unknown Reason. {"success":false,"title":null,"message":"Playbook input form contains invalid field types: playbook_2fe9ed93_458c_4e7e_9093_ca76fc44a43a.","hints":[],"error_code":"generic"}
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/root/venv/soarqit/bin/resilient-sdk", line 33, in <module>
        sys.exit(load_entry_point('resilient-sdk==46.0.3461', 'console_scripts', 'resilient-sdk')())
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/app.py", line 183, in main
        cmd_clone.execute_command(args)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/cmds/clone.py", line 213, in execute_command
        add_configuration_import(new_export_data, CmdClone.res_client)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/util/sdk_helpers.py", line 469, in add_configuration_import
        confirm_configuration_import(result, result.get("id"), res_client)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient_sdk/util/sdk_helpers.py", line 496, in confirm_configuration_import
        res_client.put(uri, result)
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3.py", line 747, in put
        _raise_if_error(ex.get_response())
      File "/root/venv/soarqit/lib/python3.6/site-packages/resilient/co3.py", line 218, in _raise_if_error
        raise SimpleHTTPException(response)
    resilient.co3.SimpleHTTPException: :  {"success":false,"title":null,"message":"Playbook input form contains invalid field types: playbook_2fe9ed93_458c_4e7e_9093_ca76fc44a43a.","hints":[],"error_code":"generic"}​


    ------------------------------
    Yohji Amano
    ------------------------------


  • 2.  RE: clone playbook with activation form

    Posted Tue October 25, 2022 08:36 AM
    Activation forms are unfortunately not yet supported by the SDK, however, they will be supported with the v47 release of the SDK (targeted for November). In the meantime, there is a workaround: remove the activation form from the original playbook. Use the SDK to clone that playbook, and then manually reenter the activation form on the original playbook and the cloned playbook.

    ------------------------------
    Christopher Chang
    ------------------------------



  • 3.  RE: clone playbook with activation form

    Posted Tue October 25, 2022 07:22 PM
    Christopher, thank you for your reply and suggestions.
    I'll wait for V47 and refer to the workaround for the time being.

    ------------------------------
    Yohji Amano
    ------------------------------