IBM Security QRadar SOAR

  • 1.  Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Tue August 16, 2022 06:41 PM
    Can someone please clarify what this error message means?

    ------------------------------
    Mark Aksen
    ------------------------------


  • 2.  RE: Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Wed August 17, 2022 04:01 AM
    The error message means a playbook cycle is detected when running a playbook. For example, a playbook uses sub-playbook A, sub-playbook A uses sub-playbook B, sub-playbook B uses sub-playbook C and sub-playbook C uses sub-playbook A, then there is a cycle, A -> B -> C -> A, in this playbook design, which will cause an infinite loop, and this error message is thrown during runtime. The solution is to remove the cycle from your playbook design, for example do not use sub-playbook A in sub-playbook C in the above case. We will also enhance this by detecting cycles at design time in a future release.

    ------------------------------
    Gilbert Liao
    ------------------------------
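
The A -> B -> C -> A case described in the reply above can be checked before a playbook is enabled. This is an added example, not part of the original post and not IBM's code; the `calls` mapping (playbook name to the sub-playbooks it invokes) and all playbook names are constructed, and it is assumed you build that mapping yourself from your playbook designs.

```python
# Added example: design-time check for cycles in playbook -> sub-playbook
# references. Names and sample data are constructed for illustration.
from typing import Dict, List, Optional


def find_playbook_cycle(calls: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return one cycle as a path such as ['A', 'B', 'C', 'A'], or None."""
    WHITE, GREY, BLACK = 0, 1, 2  # unvisited / on current call path / finished
    state = {name: WHITE for name in calls}
    for targets in calls.values():
        for target in targets:
            state.setdefault(target, WHITE)  # sub-playbooks with no own entry
    path: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        state[node] = GREY
        path.append(node)
        for nxt in calls.get(node, []):
            if state[nxt] == GREY:
                # nxt is already on the current call path: cycle found
                return path[path.index(nxt):] + [nxt]
            if state[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        state[node] = BLACK
        return None

    for name in sorted(state):
        if state[name] == WHITE:
            found = visit(name)
            if found:
                return found
    return None


# Constructed sample: the design from the reply, and the same design with
# the call from C back to A removed.
CYCLIC = {"Main": ["A"], "A": ["B"], "B": ["C"], "C": ["A"]}
FIXED = {"Main": ["A"], "A": ["B"], "B": ["C"], "C": []}

if __name__ == "__main__":
    print(find_playbook_cycle(CYCLIC))  # ['A', 'B', 'C', 'A']
    print(find_playbook_cycle(FIXED))   # None
```

The check covers only references between playbooks; it does not model a loop drawn inside a single playbook, which later posts in this thread discuss.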



  • 3.  RE: Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Wed August 17, 2022 09:41 AM
    In my case, I am receiving this error even though I am only ever using a single playbook i.e. there are no sub-playbooks involved. Any idea what else may be triggering it?

    ------------------------------
    Mark Aksen
    ------------------------------



  • 4.  RE: Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Wed August 17, 2022 11:57 AM
    And I am seeing this error in the client.log file:

    14:26:47.442 [Action ack handler] ERROR [workflow, playbook] c.r.w.WorkflowCommandRollbackHandler - Workflow cycle encountered: A cycle occurred during workflow execution
    14:26:47.454 [Action ack handler] INFO  [] com.co3.broker.AcknowledgementProcessor - Logging action invocation error:
    com.resilient.workflow.exceptions.WorkflowCycleException: com.resilient.workflow.camunda.NodeCycleException: A cycle occurred during workflow execution
        at com.resilient.workflow.WorkflowCommandRollbackHandler.translate(WorkflowCommandRollbackHandler.java:61)
        at com.resilient.workflow.WorkflowEngineManager$WorkflowEngineCommandExecutor.executeCommand(WorkflowEngineManager.java:65)
        at com.resilient.workflow.WorkflowEngineManager.signal(WorkflowEngineManager.java:332)
        at com.co3.broker.AcknowledgementProcessor.completeMessage(AcknowledgementProcessor.java:310)
        at com.co3.broker.AcknowledgementProcessor.processAckMessage(AcknowledgementProcessor.java:271)
        at com.co3.broker.AcknowledgementProcessor.processMessage(AcknowledgementProcessor.java:67)
        at com.co3.broker.GenericProcessor.establishContextAndProcessMessage(GenericProcessor.java:136)
        at com.co3.broker.GenericProcessor.lambda$processMessageAndRetry$3(GenericProcessor.java:124)
        at com.co3.broker.GenericProcessor$$Lambda$1185/0x000000002c0ca610.run(Unknown Source)
        at net.jodah.failsafe.Functions.lambda$toSupplier$10(Functions.java:240)
        at net.jodah.failsafe.Functions$$Lambda$683/0x000000004403cc00.get(Unknown Source)
        at net.jodah.failsafe.Functions.lambda$get$0(Functions.java:48)
        at net.jodah.failsafe.Functions$$Lambda$684/0x000000004403d000.get(Unknown Source)
        at net.jodah.failsafe.RetryPolicyExecutor.lambda$supply$0(RetryPolicyExecutor.java:62)
        at net.jodah.failsafe.RetryPolicyExecutor$$Lambda$685/0x000000004403b550.get(Unknown Source)
        at net.jodah.failsafe.FallbackExecutor.lambda$supply$0(FallbackExecutor.java:43)
        at net.jodah.failsafe.FallbackExecutor$$Lambda$686/0x000000004403b9b0.get(Unknown Source)
        at net.jodah.failsafe.Execution.executeSync(Execution.java:129)
        at net.jodah.failsafe.FailsafeExecutor.call(FailsafeExecutor.java:376)
        at net.jodah.failsafe.FailsafeExecutor.run(FailsafeExecutor.java:210)
        at com.co3.broker.GenericProcessor.processMessageAndRetry(GenericProcessor.java:124)
        at com.co3.broker.GenericProcessor.processMessages(GenericProcessor.java:158)
        at com.co3.broker.GenericProcessor.access$100(GenericProcessor.java:29)
        at com.co3.broker.GenericProcessor$1.runImpl(GenericProcessor.java:74)
        at com.co3.broker.GenericProcessor$1.lambda$run$0(GenericProcessor.java:62)
        at com.co3.broker.GenericProcessor$1$$Lambda$466/0x000000002c008430.call(Unknown Source)
        at com.resilient.guice.ResilientGuiceUtils.lambda$callVoidInRequestScope$0(ResilientGuiceUtils.java:52)
        at com.resilient.guice.ResilientGuiceUtils$$Lambda$162/0x000000003ddd5540.call(Unknown Source)
        at com.google.inject.servlet.ServletScopes$4.call(ServletScopes.java:450)
        at com.resilient.guice.ResilientGuiceUtils.callInRequestScope(ResilientGuiceUtils.java:73)
        at com.resilient.guice.ResilientGuiceUtils.callVoidInRequestScope(ResilientGuiceUtils.java:56)
        at com.co3.broker.GenericProcessor$1.run(GenericProcessor.java:62)
        at java.lang.Thread.run(Thread.java:825)


    ------------------------------
    Mark Aksen
    ------------------------------



  • 5.  RE: Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Thu August 18, 2022 01:51 PM
    Not only a cycle involving sub-workflows, but even a cycle in the current workflow itself.

    For example, let's suppose you've tried to implement a loop inside your workflow, you'll get a message like this, even if your loop is perfectly designed to not enter an endless loop.

    There are non-elegant ways to bypass this, for example, adding a step in the middle calling some dummy function (fx), but the right thing to be done here is to redesign your workflow.


    ------------------------------
    Leonardo Kenji Shikida
    ------------------------------



  • 6.  RE: Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Thu August 18, 2022 03:52 PM
    The functionality of this part of the playbook is as follows - we are trying to run multiple Splunk searches based on a list of values. In other words, say there is a Python list with 10 distinct values (we are currently representing this in the form of a playbook property whose value is a dictionary, and in the dictionary the value is a list).
    We do a "for loop" inside the playbook, using a (1) condition point (check if list is non-empty) -> (2) calling Splunk -> (3) updating list of values -> back to (1).

    Note - we have also represented the list by pulling from values in a data table (Data Table Utils: Get Rows)
    How would you advise implementing this logic (running Splunk searches across a list of values) in a Resilient playbook?

    ------------------------------
    Mark Aksen
    ------------------------------



  • 7.  RE: Understanding error message: "Playbook was terminated by the system due to a cycle."

    Posted Fri August 19, 2022 10:40 PM
    Hi Mark

    My suggestion, if your list is relatively small (< 100 elements) is to trigger sub workflows based on an event, instead of a for loop.

    For example, let's suppose that you have this list of 10 elements that you must process.

    Instead of a for loop, add them to a datatable, one by one.

    And then, define a rule using the datatable scope. Each time you insert a new element into the datatable, call a workflow (also defined in the datatable scope), and then you process each element in a different workflow instance.

    What will happen in this approach is that all these datatable scope workflows will run in parallel, which is way faster than in a loop. 

    The problem with this "fork" approach is that SOAR does not have (AFAIK) a "join" mechanism, so there's nothing you can do if one of these workflows, for some reason, fails.

    But at least, you won't get the error you're getting.


    ------------------------------
    Leonardo Kenji Shikida
    ------------------------------