IBM Security QRadar SOAR

  • 1.  Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Wed April 12, 2023 08:11 AM

    Hi Community Members,

    I am porting over my existing workflow (using pre-process-script for function Call Rest API) into a playbook.

    I am currently facing an issue with the below highlighted in red.

    I can see that "Task" (Node #9) is being added to my case incident id. However, when it reaches the function for Call Rest API (Node #15), it does not seem to be running/executing.

    My function input is selected as Script which is the same as my pre-process script using workflows (it is tested to be working).

    My playbook status seems to be in "Running" infinitely (waited for 1.5 hours and still the same) and I suspect it is somehow stuck at Node 15.

    Anyone faced the same issue?

    Regards,
    Samson



    ------------------------------
    Samson G
    ------------------------------


  • 2.  RE: Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Thu April 13, 2023 09:10 AM

    Hi Samson,

    I note there are 2 scripts in the playbook. It's possible that the scripts may be failing but are failing silently. Can you enclose the script code in a try/except block?

    E.g.

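    try:
      # script code goes here
      pass  # placeholder so the block is valid until the script body is pasted in
    except Exception as ex:
      # surface the failure on the incident instead of letting the script fail silently
      incident.addNote("An error occurred while trying to run the script: " + str(ex))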


    This way if there is an error in the script node then it will be added as a note to the incident - this may prove useful for debugging.
    We have recently observed that playbooks may appear to run indefinitely if script nodes fail silently - we are looking into this.
    In the meantime the above workaround should help I hope.

    Walter Higgins
    IBM QRadar SOAR



    ------------------------------
    WALTER HIGGINS
    ------------------------------



  • 3.  RE: Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Mon April 17, 2023 04:31 AM
    Edited by Samson G Mon April 17, 2023 04:38 AM

    Hi Walter,

    I have removed all other possible tasks/script and added an end point right after Node 15.

    It seems that the playbook is still running indefinitely and stuck at Node 15. I have also checked that my API wasn't accessed when using Playbooks. However, it works using Workflows (same exact pre-process script).

    I am using "Script" in Function inputs. I enclosed the try/except block but it seems like nothing appeared in incident notes.

    Regards,
    Samson



    ------------------------------
    Samson G
    ------------------------------



  • 4.  RE: Playbook shows running infinitely but no error: Utilities: Call REST API not executing after Task

    Posted Tue April 18, 2023 05:29 AM

    Hi Samson,

    If you have admin privileges and access to the SOAR server I recommend taking a look at the log file (the /usr/share/co3/log/client.log file). The log file may be able to provide more information on the status of the running playbook (look for Error messages).



    ------------------------------
    WALTER HIGGINS
    ------------------------------
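
One way to carry out the log check suggested in the last reply, as an added example that is not part of the original thread or IBM's tooling: it groups each ERROR/FATAL record in the log with the stack-trace lines that follow it, optionally keeping only records that mention a keyword. The log4j-style line layout, the function name `error_blocks` and the sample lines are assumptions constructed for illustration; the real client.log layout may differ.

```python
import re
import sys

# Assumption: each log record carries a log4j-style level token.
LEVEL_RE = re.compile(r"\b(TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\b")
# Lines that continue a Java stack trace rather than start a new record.
CONT_RE = re.compile(r"^(\s+at |\s+\.\.\. \d+ more|Caused by: |[\w.$]+(Exception|Error)\b)")

def error_blocks(lines, keyword=None):
    """Return ERROR/FATAL records, each as a list: the record line plus its trace lines."""
    blocks, current = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = LEVEL_RE.search(line)
        if m and not CONT_RE.match(line):
            # A new record starts here: close the previous error block, if any.
            if current:
                blocks.append(current)
            current = [line] if m.group(1) in ("ERROR", "FATAL") else None
        elif current is not None and line.strip():
            current.append(line)  # stack-trace continuation of the open error block
    if current:
        blocks.append(current)
    if keyword:
        kw = keyword.lower()
        blocks = [b for b in blocks if any(kw in l.lower() for l in b)]
    return blocks

# Constructed sample lines (not taken from a real SOAR server).
SAMPLE = """\
2023-04-18 05:01:02,110 INFO  [exec] Starting playbook 'sample_pb' for incident 2101
2023-04-18 05:01:02,345 ERROR [exec] Function node failed in playbook 'sample_pb'
java.lang.IllegalStateException: constructed failure text
\tat com.example.Engine.run(Engine.java:42)
Caused by: java.lang.NullPointerException
\t... 3 more
2023-04-18 05:01:03,000 WARN  [http] slow response
2023-04-18 05:02:10,500 ERROR [mail] SMTP connect refused
""".splitlines()

if __name__ == "__main__":
    # Usage: python3 scan_log.py /usr/share/co3/log/client.log [keyword]
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            found = error_blocks(fh, sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        found = error_blocks(SAMPLE, "playbook")
    for block in found:
        print("\n".join(block), end="\n\n")
```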