IBM QRadar SOAR

  • 1.  Need help with the Microsoft Exchange (fn_Exchange) function

    Posted Mon April 29, 2019 03:32 PM
    I have been able to use the Exchange Send Mail function with no problem, but am getting the following error when using the Exchange Find Email function. The exchange account I am using should have the correct permissions and my folder path appears correct, but I get an error related to the date format.



    2019-04-26 12:36:33,847 ERROR [actions_component] <task[functionworker] (<function _call_the_task at 0x7f031829e7d0>, <exchange_find_emails[functions.exchange_find_emails] (id=38, workflow=example_of_exchange_find_emails, user=test.test@test.com) 2019-04-26 18:36:33.153000> exchange_folder_path=u'Top of Information Store/Inbox', exchange_end_date=1556240400000, exchange_start_date=1556028000000, exchange_num_emails=None, exchange_has_attachments=None, exchange_message_subject=u'Example Subject', exchange_search_subfolders=True, exchange_message_body=None, exchange_order_by_recency=None, exchange_sender=u'adminaccount@test.com, exchange_email=u'adminaccount@test.com', exchange_email_ids=u'test.test@test.com')> (<class 'resilient_circuits.action_message.FunctionException_'>): FunctionException_: <Traceback (most recent call last):
    File "/usr/local/lib/python2.7/site-packages/fn_exchange/components/exchange_find_emails.py", line 67, in _exchange_find_emails_function
    exchange_num_emails, exchange_search_subfolders)
    File "/usr/local/lib/python2.7/site-packages/fn_exchange/util/exchange_utils.py", line 149, in get_emails
    start_date = EWSDateTime.from_datetime(datetime.datetime.fromtimestamp(start_date/1000, tz=tz))
    File "/usr/local/lib/python2.7/site-packages/exchangelib/ewsdatetime.py", line 117, in from_datetime
    raise ValueError("%r must be a datetime instance" % d)
    ValueError: EWSDateTime(2019, 4, 23, 14, 0, tzinfo=<StaticTzInfo 'Etc/GMT'>) must be a datetime instance
    >
    File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 856, in processTask
    raise value.extract()
    Traceback (most recent call last):
    File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 617, in _dispatcher
    event_handlers = self._cache[(event.name, channels)]
    KeyError: ('exception', ('*',))



    ------------------------------
    Ryan Terry
    ------------------------------


  • 2.  RE: Need help with the Microsoft Exchange (fn_Exchange) function

    Posted Wed May 01, 2019 07:49 PM
    Hi Ryan,

    We're using the exchange_lib library from PyPI for this integration. The error you're getting is from the exchange_lib EWSDate.from_datetime method. It seems that the epoch date (function input exchange_start_date) isn't being converted to a datetime object properly.

    I'm not seeing any code changes in this part of exchange_lib or our function. I've reviewed our code and did a quick test with a script on the command line, and I'm not sure why this wouldn't be working for you.

    Can you let us know what version of Python you're running and also what the output of the pip freeze command is?

    Thank you,
    Tamara

    ------------------------------
    Tamara Zlender
    ------------------------------



  • 3.  RE: Need help with the Microsoft Exchange (fn_Exchange) function

    Posted Thu May 02, 2019 12:25 PM
    Python 2.7.15

    -bash-4.2$ pip freeze
    DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
    asn1crypto==0.24.0
    beautifulsoup4==4.6.3
    bs4==0.0.1
    cached-property==1.5.1
    cachetools==2.0.1
    certifi==2017.7.27.1
    cffi==1.11.5
    chardet==3.0.4
    circuits==3.2
    configparser==3.5.0
    cryptography==2.4.2
    defusedxml==0.5.0
    dnspython==1.16.0
    enum34==1.1.6
    et-xmlfile==1.0.1
    exchangelib==1.12.2
    filelock==2.0.12
    fn-apility==1.0.0
    fn-exchange==1.0.0
    fn-ioc-parser==1.0.0
    fn-phish-ai==1.0.0
    fn-qradar-integration==1.0.1
    fn-url-void==1.0.0
    fn-urlhaus==1.0.0
    fn-urlscanio==1.0.0
    fn-utilities==1.0.5
    fn-xforce==1.0.0
    future==0.17.1
    idna==2.6
    ioc-parser==0.9.1
    ipaddress==1.0.22
    isodate==0.6.0
    jdcal==1.4
    Jinja2==2.10
    json2html==1.2.1
    keyring==9.1
    lxml==4.2.5
    MarkupSafe==1.0
    meld3==1.0.2
    ntlm-auth==1.2.0
    openpyxl==2.5.12
    pbr==3.1.1
    pdfminer==20140328
    phish-ai-api==1.7
    py==1.4.33
    pycparser==2.19
    Pygments==2.3.1
    pyOpenSSL==18.0.0
    PyPDF2==1.26.0
    PySocks==1.6.7
    pytest==3.0.7
    python-dateutil==2.8.0
    pytz==2017.2
    pywinrm==0.3.0
    requests==2.18.4
    requests-mock==1.3.0
    requests-ntlm==1.1.0
    requests-toolbelt==0.8.0
    resilient==30.0.111
    resilient-circuits==32.0.126
    resilient-lib==32.0.0
    reversinglabs-ticloud-mwp-function==1.0.1
    six==1.10.0
    stomp.py==4.1.18
    stompest==2.3.0
    supervisor==3.0
    tzlocal==1.5.1
    urllib3==1.22
    xmltodict==0.11.0

    ------------------------------
    Ryan Terry
    ------------------------------



  • 4.  RE: Need help with the Microsoft Exchange (fn_Exchange) function

    Posted Mon May 06, 2019 03:22 PM
    Hi Ryan,

    I was able to reproduce your issue. It's related to a recent change in exchange_lib.
    To continue using the fn_exchange integration please downgrade to exchangelib==1.12.1.
    pip uninstall exchangelib
    pip install exchangelib==1.12.1
    We'll support the latest version of exchange lib in the next release.

    Best,
    Tamara

    ------------------------------
    Tamara Zlender
    ------------------------------
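
Added example (not part of the thread, and not fn_exchange or exchangelib code): the traceback in post 1 shows from_datetime rejecting a value that is already an EWSDateTime. The Python 3 code below reproduces that failure mode with a stand-in class and shows a caller-side guard; StandInEWSDateTime, epoch_ms_to_utc, to_stand_in, strict_check_rejects and the exact-type check are assumptions made for illustration.

```python
import datetime


class StandInEWSDateTime(datetime.datetime):
    """Constructed stand-in for a datetime subclass with a strict converter."""

    @classmethod
    def from_datetime(cls, d):
        # Assumed behaviour, inferred from the traceback: only a plain
        # datetime.datetime is accepted, so a subclass instance is rejected.
        if type(d) is not datetime.datetime:
            raise ValueError("%r must be a datetime instance" % (d,))
        return cls(d.year, d.month, d.day, d.hour, d.minute, d.second,
                   d.microsecond, tzinfo=d.tzinfo)


def epoch_ms_to_utc(ms):
    """Turn epoch milliseconds (the exchange_start_date input) into an
    aware, plain datetime in UTC."""
    return datetime.datetime.fromtimestamp(ms / 1000.0, tz=datetime.timezone.utc)


def to_stand_in(value):
    """Convert only when needed, so an already-converted value passes through
    instead of hitting the strict type check a second time."""
    if isinstance(value, StandInEWSDateTime):
        return value
    return StandInEWSDateTime.from_datetime(value)


def strict_check_rejects(value):
    """Return True when the strict converter raises for this value."""
    try:
        StandInEWSDateTime.from_datetime(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: the exchange_start_date value from the log in post 1.
    start = epoch_ms_to_utc(1556028000000)
    converted = to_stand_in(start)
    print(repr(converted))
    print("second strict conversion rejected:", strict_check_rejects(converted))
    print("guarded conversion is a no-op:", to_stand_in(converted) is converted)
```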



  • 5.  RE: Need help with the Microsoft Exchange (fn_Exchange) function

    Posted Tue May 21, 2019 04:29 PM
    This worked. Thanks Tamara.

    ------------------------------
    Ryan Terry
    ------------------------------