IBM Security QRadar SOAR


VirusTotal app.config

  • 1.  VirusTotal app.config

    Posted Mon October 30, 2023 10:13 AM

    Hello,

    I'm getting the following error when configuring the VirusTotal application. Could anyone help, please?

    I have also attached a screenshot of the configuration.

    The last test failed

    Error: running selftest for App.

    Details

    ------------------------
    Running selftest with IBM SOAR
    ------------------------
    - Getting app.configs
    ------------------------
    Testing PAM Plugin details
    ------------------------
    - Running pam plugin selftest
    Unknown error while running PAM Plugin selftest: 'NoneType' object has no attribute 'selftest'
    ------------------------
    Testing REST connection to SOAR
    ------------------------
    - WARNING: No certificate file specified. Only allows the connections that are trusted by operating system.
    - Checking if we can authenticate a REST connection with '5d1d5314-ef68-4231-a611-e289121dbd9c' to '192.168.100.120'
    Unverified HTTPS requests (cafile=false).
    ------------------------
    Successfully connected via REST!
    ------------------------
    ------------------------
    Testing STOMP connection to SOAR
    ------------------------
    - Checking if we can authenticate a STOMP connection with '5d1d5314-ef68-4231-a611-e289121dbd9c' to '192.168.100.120'
    ------------------------
    Instantiating instance of resilient-circuits and starting it...
    ------------------------
    2023-10-30 14:08:07,212 INFO [app] [MainThread] Configuration file: /etc/rescircuits/app.config
    2023-10-30 14:08:07,213 INFO [app] [MainThread] Resilient server: 192.168.100.120
    2023-10-30 14:08:07,213 INFO [app] [MainThread] Resilient api key id: 5d1d5314-ef68-4231-a611-e289121dbd9c
    2023-10-30 14:08:07,220 INFO [app] [MainThread] Resilient org:
    2023-10-30 14:08:07,220 INFO [app] [MainThread] Logging Level: INFO
    2023-10-30 14:08:07,220 INFO [app] [MainThread] App Config plugin: NoneType
    2023-10-30 14:08:07,224 WARNING [co3] [MainThread] Unverified HTTPS requests (cafile=false).
    2023-10-30 14:08:07,378 INFO [co3base] [MainThread] Using org name:
    2023-10-30 14:08:07,843 INFO [rest_helper] [MainThread] IBM Security QRadar SOAR version: v48.0.8529
    2023-10-30 14:08:08,904 INFO [app] [MainThread] Components auto-load directory: (none)
    2023-10-30 14:08:09,435 INFO [component_loader] [MainThread] Loading 1 components
    2023-10-30 14:08:09,436 INFO [component_loader] [MainThread] 'fn_virustotal.components.virustotal.FunctionComponent' loading
    2023-10-30 14:08:09,985 WARNING [actions_component] [resilient_circuits] Unverified STOMP TLS certificate (cafile=false)
    2023-10-30 14:08:09,986 INFO [selftest] [MainThread] - Waiting for subscription to message destination. Sleeping for 2 seconds
    2023-10-30 14:08:10,004 INFO [stomp_component] [resilient_circuits] Connect to 192.168.100.120:65001
    2023-10-30 14:08:10,005 INFO [actions_component] [resilient_circuits] 'fn_virustotal.components.virustotal.FunctionComponent' function 'virustotal' registered to 'fn_virustotal'
    2023-10-30 14:08:10,006 INFO [app] [resilient_circuits] Components loaded
    2023-10-30 14:08:10,008 INFO [app] [resilient_circuits] App Started
    2023-10-30 14:08:10,112 INFO [actions_component] [resilient_circuits] STOMP attempting to connect
    2023-10-30 14:08:10,112 INFO [stomp_component] [resilient_circuits] Connect to Stomp...
    2023-10-30 14:08:10,113 INFO [client] [resilient_circuits] Connecting to 192.168.100.120:65001 ...
    2023-10-30 14:08:10,168 INFO [client] [resilient_circuits] Connection established
    2023-10-30 14:08:10,325 INFO [client] [resilient_circuits] Connected to stomp broker [session=ID:resilient.localdomain-40161-1698227109777-4:15, version=1.2]
    2023-10-30 14:08:10,326 INFO [stomp_component] [resilient_circuits] Connected to failover:(ssl://192.168.100.120:65001)?maxReconnectAttempts=3,startupMaxReconnectAttempts=3
    2023-10-30 14:08:10,326 INFO [stomp_component] [resilient_circuits] Client HB: 0 Server HB: 15000
    2023-10-30 14:08:10,326 INFO [stomp_component] [resilient_circuits] No Client heartbeats will be sent
    2023-10-30 14:08:10,327 INFO [stomp_component] [resilient_circuits] Requested heartbeats from server.
    2023-10-30 14:08:10,329 INFO [actions_component] [resilient_circuits] STOMP connected.
    2023-10-30 14:08:10,431 INFO [actions_component] [resilient_circuits] resilient-circuits has started successfully and is now running...
    2023-10-30 14:08:10,432 INFO [actions_component] [resilient_circuits] Subscribe to message destination 'fn_virustotal'
    2023-10-30 14:08:10,432 INFO [stomp_component] [resilient_circuits] Subscribe to message destination actions.201.fn_virustotal
    2023-10-30 14:08:11,989 INFO [actions_component] [resilient_circuits] SelftestTerminateEvent, exiting resilient-circuits
    ------------------------
    Successfully connected via STOMP!
    ------------------------
    ------------------------
    Running selftest for: 'fn-virustotal'
    ------------------------
    fn-virustotal:
    HTTPSConnectionPool(host='virustotal.com', port=443): Max retries exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))
    {'state': 'failure', 'reason': '"HTTPSConnectionPool(host=\'virustotal.com\', port=443): Max retries exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)\')))"'}
        selftest: failure
        selftest output:
        {'state': 'failure', 'reason': '"HTTPSConnectionPool(host=\'virustotal.com\', port=443): Max retries exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)\')))"'}
        Elapsed time: 0.337000 seconds

    ERROR: running selftest for App.
    Error Code: 1



    ------------------------------
    Dany El-Nghaywe
    ------------------------------


  • 2.  RE: VirusTotal app.config

    Posted Tue October 31, 2023 09:04 AM

    Hi -

    The VirusTotal endpoint is a publicly available endpoint, with a managed, CA-signed certificate. Thus we generally don't expose the ability to bypass certificate verification for scenarios like this. The error that you're seeing is telling us that you are getting back a self-signed certificate, which could only be happening if you are using a proxy. Are you running this through a proxy? If so, you should try to enable SSL pass through on your proxy.

    That said, there is a temporary workaround to bypass verification altogether. You can set verify=false in the [fn_virustotal] section of the config. This is NOT RECOMMENDED in a production environment. Best to properly configure your proxy to pass through the proper certificate. But if you can't, then the above workaround is acceptable for testing purposes.



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 3.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 04:49 AM

    Hi Bo,

    I'm not using a proxy for this. When discussing the temporary solution, can you please tell me the correct parameter name to set to "false"? I've attempted using "verify=false," but it didn't work. It seems like the parameter name might be incomplete.



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 4.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 09:03 AM

    Hi -

    I'm sorry I wasn't more clear, however, I don't know what else I can suggest. The value verify is the proper configuration name. It would look something like

    [fn_virustotal]
    ...
    verify=false
    
    [resilient]
    ...

    I have confirmed on my end that a) verify is a real parameter which will do what I think it does and also b) it is generally not necessary for this app. 

    In the absence of any other remediation, I think you should confirm that you have proper internet access to the Virustotal API. Can you try a curl command from the AppHost to https://virustotal.com/api/v3 :

    $ curl https://virustotal.com/api/v3/ip_addresses/8.8.8.8
    {
        "error": {
            "message": "X-Apikey header is missing",
            "code": "AuthenticationRequiredError"
        }
    }

    If you see a response like the one above, then you are properly accessing the endpoint. If you don't, then you will have some networking issues, likely a firewall or proxy in the way.

    If you are able to properly access the endpoint, then I am at a loss as to what the solution would be... 

    Please let me know what you find. And if you can, please send me the app version number, app host version, and more. 

    Best of luck!



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 5.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 09:20 AM

    Hey,

    I have tried to change the host value to the actual SOAR IP address 192.168.100.120

    I've got the following error:

    2023-11-02 10:34:38,149 WARNING [connection] [MainThread] Certificate did not match expected hostname: 192.168.100.120. Certificate: {'subject': ((('commonName', 'resilient.localdomain'),),), 'issuer': ((('commonName', 'resilient.localdomain'),),), 'version': 3, 'serialNumber': '3E9B967E', 'notBefore': 'May 16 12:58:37 2023 GMT', 'notAfter': 'May 15 12:58:37 2024 GMT', 'subjectAltName': (('DNS', 'resilient.localdomain'),)}

    2023-11-02 10:34:38,150 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='192.168.100.120', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(CertificateError("hostname '192.168.100.120' doesn't match 'resilient.localdomain'"))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...

    It looks like the IP address does not resolve to the hostname.

    How can I fix it?



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 6.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 10:01 AM

    Hi Dany -

    I'm sorry, I don't follow. The connection to SOAR was working fine before, correct?

    Can you please send me the App version you are using?



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 7.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 10:09 AM

    Correct, but I tried to change the host value to the actual IP address of the SOAR hoping it would maybe fix the issue.

    I'm using AppHost version 1.12.1.530
     



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 8.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 10:12 AM

    Ah sorry - the version of the VirusTotal app



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 9.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 10:19 AM

    It is version 1.1.0



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 10.  RE: VirusTotal app.config

    Posted Thu November 02, 2023 10:49 AM

    Ok -

    So I've just read through your support case and I see that you've posted logs there that are different from what you originally posted here. Can you please rephrase your issue, with as many logs as you can provide, and the configuration that you last saw the issue with? Because I think otherwise we're going in circles around the wrong thing...



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 11.  RE: VirusTotal app.config

    Posted Fri November 03, 2023 05:25 AM

    Dear -

    I encountered a different output here due to changing the host value to the actual SOAR API address. This adjustment caused some issues. In contrast, in the support case, I had the SOAR hostname configured. IBM Support provided the following explanation: "When you use the IP address, the application will not connect. This is a security feature common in most SSL clients. The hostname is not listed in the SSL certificates' Common Name or Subject Alternate Names"

    Additionally, in my usual practice of configuring a freshly installed app on AppHost, I typically set the cafile to false. However, this also doesn't seem to make this app work as expected. IBM Support also noted "Normally, setting cafile=false instructs the app to bypass this check, but it seems not to be working for this community app. Since the application is not developed by IBM, it's advisable to inquire within the community for further assistance on this matter."

    With the current configuration:

    [fn_virustotal]
    api_token = $API_Token
    polling_interval_sec = 60
    max_polling_wait_sec = 600

    [resilient]
    api_key_id = #API_KEY_ID
    api_key_secret = $API_KEY_SECRET
    #cafile = /etc/rescircuits/cert.cer
    cafile = false
    host = resilient.localdomain
    port = 443
    org = 

    I'm currently getting the following output:

    Current Pod Status:
    PodStatus(conditions=[PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-03T08:52:15Z, message=null, reason=null, status=True, type=Initialized, additionalProperties={}), PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-03T08:52:17Z, message=null, reason=null, status=True, type=Ready, additionalProperties={}), PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-03T08:52:17Z, message=null, reason=null, status=True, type=ContainersReady, additionalProperties={}), PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-03T08:52:12Z, message=null, reason=null, status=True, type=PodScheduled, additionalProperties={})], containerStatuses=[ContainerStatus(containerID=containerd://c7cf598ff1e5d8e2a4243a1cdc1e1bf286fb248d24919c5191a6b6d0dbf72d47, image=quay.io/ibmresilient/fn_virustotal:1.1.0, imageID=quay.io/ibmresilient/fn_virustotal@sha256:31febf3bf6e1edb652bbcc076caeb87d53ee7da9d830478cc2cd7fb332ad5525, lastState=ContainerState(running=null, terminated=null, waiting=null, additionalProperties={}), name=80d76705-32b3-4f0e-820e-f51e86faa9f5, ready=true, restartCount=0, started=true, state=ContainerState(running=ContainerStateRunning(startedAt=2023-11-03T08:52:17Z, additionalProperties={}), terminated=null, waiting=null, additionalProperties={}), additionalProperties={})], ephemeralContainerStatuses=[], hostIP=192.168.100.121, initContainerStatuses=[ContainerStatus(containerID=containerd://717ca6418a5e0aa29c0f5ca2371a4246806c0e306443c7a7cd1d4195a9933303, image=quay.io/ibmresilient/apps-operator:1.12.1.530, imageID=quay.io/ibmresilient/apps-operator@sha256:77b1036879a0f55ba1585442faf23a70e836c66cd6ec4809ed201fcf5f7eba63, lastState=ContainerState(running=null, terminated=null, waiting=null, additionalProperties={}), name=protected-secrets-provision, ready=true, restartCount=0, started=null, state=ContainerState(running=null, 
terminated=ContainerStateTerminated(containerID=containerd://717ca6418a5e0aa29c0f5ca2371a4246806c0e306443c7a7cd1d4195a9933303, exitCode=0, finishedAt=2023-11-03T08:52:14Z, message=null, reason=Completed, signal=null, startedAt=2023-11-03T08:52:13Z, additionalProperties={}), waiting=null, additionalProperties={}), additionalProperties={})], message=null, nominatedNodeName=null, phase=Running, podIP=10.42.0.126, podIPs=[PodIP(ip=10.42.0.126, additionalProperties={})], qosClass=BestEffort, reason=null, startTime=2023-11-03T08:52:12Z, additionalProperties={})
    Logs:

    ------------------------
    Environment:
    Python Version: 3.9.16 (main, Dec 21 2022, 10:57:18) 
    [GCC 8.5.0 20210514 (Red Hat 8.5.0-17)]

    Installed packages:

    beautifulsoup4: 4.12.2
    bs4: 0.0.1
    cachetools: 5.3.1
    certifi: 2023.5.7
    cffi: 1.15.1
    charset-normalizer: 3.1.0
    circuits: 3.2.2
    cryptography: 41.0.1
    decorator: 5.1.1
    Deprecated: 1.2.14
    filelock: 3.12.0
    fn-virustotal: 1.1.0
    idna: 3.4
    importlib-metadata: 6.6.0
    jaraco.classes: 3.2.3
    jeepney: 0.8.0
    Jinja2: 3.1.2
    jwcrypto: 1.4.2
    keyring: 23.13.1
    MarkupSafe: 2.1.3
    more-itertools: 9.1.0
    pip: 23.1.2
    pycparser: 2.21
    pyOpenSSL: 23.2.0
    PySocks: 1.7.1
    pytz: 2023.3
    requests: 2.31.0
    requests-pkcs12: 1.15
    requests-toolbelt: 1.0.0
    resilient: 49.0.4423
    resilient-app-config-plugins: 1.0.0
    resilient-circuits: 49.0.4423
    resilient-lib: 49.0.4423
    retry2: 0.9.5
    SecretStorage: 3.3.3
    setuptools: 65.5.1
    six: 1.16.0
    soupsieve: 2.4.1
    stompest: 2.3.0
    urllib3: 1.26.16
    watchdog: 2.3.1
    wrapt: 1.15.0
    zipp: 3.15.0
    ###############
    2023-11-03 08:52:18,091 INFO [app] [MainThread] Configuration file: /etc/rescircuits/app.config
    2023-11-03 08:52:18,091 INFO [app] [MainThread] Resilient server: resilient.localdomain
    2023-11-03 08:52:18,092 INFO [app] [MainThread] Resilient api key id: 263b257c-2bb0-41a3-890e-21ab80917c8c
    2023-11-03 08:52:18,097 INFO [app] [MainThread] Resilient org:
    2023-11-03 08:52:18,097 INFO [app] [MainThread] Logging Level: INFO
    2023-11-03 08:52:18,097 INFO [app] [MainThread] App Config plugin: NoneType
    2023-11-03 08:52:18,099 WARNING [co3] [MainThread] Unverified HTTPS requests (cafile=false).
    2023-11-03 08:52:18,963 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
    2023-11-03 08:52:21,111 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 4 seconds...
    2023-11-03 08:52:25,255 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 8 seconds...
    2023-11-03 08:52:33,402 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 16 seconds...
    2023-11-03 08:52:49,571 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 32 seconds...
    2023-11-03 08:53:22,417 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 64 seconds...
    2023-11-03 08:54:27,271 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 128 seconds...
    2023-11-03 08:56:37,536 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 256 seconds...
    2023-11-03 09:00:54,224 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 512 seconds...

    However, when I uncomment cafile and delete "cafile=false", I get the following output:

    2023-11-03 09:16:08,219 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
    2023-11-03 09:16:11,475 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 4 seconds...
    2023-11-03 09:16:15,818 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 8 seconds...
    2023-11-03 09:16:24,321 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 16 seconds...
    2023-11-03 09:16:40,949 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 32 seconds...
    2023-11-03 09:17:13,405 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 64 seconds...

    I'm not sure about the correct configuration method to ensure this app functions smoothly without any errors. 



    ------------------------------
    Dany El-Nghaywe
    ------------------------------
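
The hostname mismatch logged earlier in this thread, and the IBM Support explanation quoted in the post above, can be reproduced offline from the certificate fields alone. This is an added example, not code from the thread or from the resilient libraries; the matching rules are a simplified form of what TLS clients apply, and all function names are hypothetical.

```python
import ipaddress

# Fields copied from the certificate dict in the warning logged in this thread
# (the format Python's ssl.getpeercert() returns).
SOAR_CERT = {
    "subject": ((("commonName", "resilient.localdomain"),),),
    "issuer": ((("commonName", "resilient.localdomain"),),),
    "subjectAltName": (("DNS", "resilient.localdomain"),),
}


def is_self_issued(cert):
    """True when subject equals issuer, which is how a self-signed
    certificate appears in this dict (the signature is not checked here)."""
    subject = cert.get("subject")
    return subject == cert.get("issuer") and bool(subject)


def presented_names(cert):
    """Return (dns_names, ip_names) the certificate is valid for.
    The commonName is used only when there is no subjectAltName entry."""
    san = cert.get("subjectAltName", ())
    dns = [value for kind, value in san if kind == "DNS"]
    ips = [value for kind, value in san if kind == "IP Address"]
    if not dns and not ips:
        dns = [value for rdn in cert.get("subject", ())
               for kind, value in rdn if kind == "commonName"]
    return dns, ips


def _dns_match(pattern, host):
    """Case-insensitive label comparison; '*' covers exactly one leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_host(cert, host):
    """Report whether the configured host value would pass name verification.
    An IP address is compared only with IP SAN entries, never with DNS names."""
    dns, ips = presented_names(cert)
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        kind = "DNS"
        match = any(_dns_match(name, host) for name in dns)
    else:
        kind = "IP"
        match = any(ipaddress.ip_address(ip) == wanted for ip in ips)
    return {
        "host": host,
        "kind": kind,
        "match": match,
        "self_issued": is_self_issued(cert),
        "names": dns + ips,
    }


if __name__ == "__main__":
    for candidate in ("192.168.100.120", "resilient.localdomain"):
        print(check_host(SOAR_CERT, candidate))
```

A self-issued certificate still fails chain validation after the name matches unless the client is given that certificate (or its CA) as a trusted file, which is what a cafile path in the [resilient] section is for.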



  • 12.  RE: VirusTotal app.config

    Posted Mon November 06, 2023 10:00 AM

    Hi -

    Ok so I'm glad you sent this over, clearly something else is going on. The support folks are getting a little confused about cafile. cafile determines the SSL check for connections to SOAR, not the third-party endpoint of the app. That's an important distinction. And ALL apps (including community apps) have the cafile option; always!

    In your original post, it looked like the connection to Virustotal (aka the third party endpoint) was failing. But now you have a failure connecting to SOAR. You'll need to reput in cafile=false, and you'll need to modify the host value. Clearly the host is incorrect or the API key details are incorrect because you are receiving an HTML response from the SOAR host. That means that you aren't properly hitting the SOAR server.



    ------------------------------
    Bo Bleckel
    ------------------------------
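
The distinction drawn in the post above (cafile governs the connection to SOAR, verify governs the app's third-party endpoint) can be applied mechanically to a log: each failure is attributed to a destination and to the setting that controls verification for it. This is an added example, not part of the thread or of resilient-circuits; the config and log lines are constructed from those quoted here, and the function names and labels are hypothetical.

```python
import configparser
import re

# Constructed app.config modelled on the one posted in this thread
# (secrets replaced by placeholders).
APP_CONFIG = """\
[fn_virustotal]
api_token = PLACEHOLDER
polling_interval_sec = 60

[resilient]
api_key_id = PLACEHOLDER
api_key_secret = PLACEHOLDER
cafile = false
host = resilient.localdomain
port = 443
org =
"""

# Constructed log lines, abbreviated from errors quoted in this thread.
LOG_LINES = [
    "2023-11-03 08:52:18,097 INFO [app] [MainThread] Logging Level: INFO",
    "2023-11-03 08:52:18,963 WARNING [api] [MainThread] RetryHTTPException: "
    "'resilient' API Request Retry: Response Code: 404 Reason: Not Found.",
    "fn-virustotal: HTTPSConnectionPool(host='virustotal.com', port=443): Max retries "
    "exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError("
    "SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify "
    "failed: self signed certificate (_ssl.c:1129)')))",
]

# Host named in a requests/urllib3 connection error (plain or backslash-escaped quotes).
POOL_RE = re.compile(r"HTTPSConnectionPool\(host=\\?'([^'\\]+)")

CAUSES = [
    ("self signed certificate", "self-signed certificate rejected"),
    ("doesn't match", "certificate name does not match host"),
    ("Response Code: 404", "HTTP 404 after TLS completed"),
]

# Next steps taken from the replies in this thread.
HINTS = {
    ("third-party", "self-signed certificate rejected"):
        "public endpoint should present a CA-signed certificate; look for an SSL-inspecting proxy",
    ("SOAR", "HTTP 404 after TLS completed"):
        "TLS is not the problem; check the host value and API key details",
}


def describe(raw):
    """Summarise a cafile/verify value as 'default', 'disabled' or 'custom CA file'."""
    if raw is None or raw.strip().lower() in ("", "true"):
        return "default"
    if raw.strip().lower() == "false":
        return "disabled"
    return "custom CA file"


def triage(config_text, log_lines, app_section="fn_virustotal"):
    """Attribute each failure line to SOAR or the third-party endpoint and
    name the app.config setting that controls TLS verification for it."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    soar_host = cfg.get("resilient", "host", fallback="").strip()
    settings = {
        "SOAR": ("[resilient] cafile",
                 describe(cfg.get("resilient", "cafile", fallback=None))),
        "third-party": (f"[{app_section}] verify",
                        describe(cfg.get(app_section, "verify", fallback=None))),
    }
    findings = []
    for line in log_lines:
        pool = POOL_RE.search(line)
        if pool:
            host = pool.group(1)
            target = "SOAR" if host == soar_host else "third-party"
        elif "'resilient' API Request Retry" in line:
            host, target = soar_host, "SOAR"
        else:
            continue  # not a connection failure
        cause = next((label for needle, label in CAUSES if needle in line), "other")
        setting, state = settings[target]
        findings.append({
            "target": target, "host": host, "cause": cause,
            "setting": setting, "state": state,
            "hint": HINTS.get((target, cause), ""),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(APP_CONFIG, LOG_LINES):
        print(finding)
```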



  • 13.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 06:03 AM

    Hi Bo,

    The support case was opened because Dany had problems connecting to SOAR. He had not at that point been able to connect to virustotal. In the case, cafile=false was referred to only in the context of the connection to SOAR. Dany had tried configuring the SOAR connection using the FQDN and IP address. Both options did not work because of SSL verification.

    The log extract shows that Dany has cafile=False set. It shows the connection is successful but 404's are being returned by the function's API calls. I don't know what happened whilst Dany was working with support but it seems that cafile=False did resolve the reported SOAR connection problem.

    2023-11-03 08:52:18,099 WARNING [co3] [MainThread] Unverified HTTPS requests (cafile=false).

    I suggest you set loglevel=DEBUG under the [resilient] section and test again. You should see what API endpoint is returning the 404's. In conjunction with the function logs check /usr/share/co3/logs/client.log for errors at the time of the 404's.



    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 14.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 06:27 AM

    Dears,

    Setting the host value back to my SOAR IP Address and cafile to False, I'm getting the following error (loglevel=DEBUG):

    HTTPSConnectionPool(host='virustotal.com', port=443): Max retries exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))
    {'state': 'failure', 'reason': '"HTTPSConnectionPool(host=\'virustotal.com\', port=443): Max retries exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)\')))"'}
        selftest: failure
        selftest output:
        {'state': 'failure', 'reason': '"HTTPSConnectionPool(host=\'virustotal.com\', port=443): Max retries exceeded with url: /api/v3/ip_addresses/8.8.8.8 (Caused by SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)\')))"'}
        Elapsed time: 0.668000 seconds

    ERROR: running selftest for App.
    Error Code: 1



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 15.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 06:40 AM

    Hi Dany,

    Do what Bo suggested four days ago. This will bypass SSL checks to Virustotal but it is not recommended.

    ********

    I'm sorry I wasn't more clear, however, I don't know what else I can suggest. The value verify is the proper configuration name. It would look something like

    [fn_virustotal]
    ...
    verify=false
    
    [resilient]
    ...

    You should also try running curl https://virustotal.com/api/v3/ip_addresses/8.8.8.8 -v to see what SSL certificate is being returned. It should look like this. The common name of the certificate matches the hostname I am curling to. This needs to be the same for the verification to be satisfied. If the certificate returned is different, then you might have an SSL inspecting proxy in your environment altering connections and certificates.

    * About to connect() to virustotal.com port 443 (#0)
    *   Trying 216.239.38.21...
    * Connected to virustotal.com (216.239.38.21) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *     subject: CN=*.virustotal.com,O=VirusTotal SL,L=Malaga,C=ES
    *     start date: Dec 12 00:00:00 2022 GMT
    *     expire date: Jan 12 23:59:59 2024 GMT
    *     common name: *.virustotal.com
    *     issuer: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
    > GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: virustotal.com
    > Accept: */*



    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 16.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 07:11 AM

    Dear,

    I could not find anything related to the certificate when executing the curl command. However, it executed successfully (I have attached a screenshot for your reference). Also, I'm getting an error when setting verify = false in the [fn_virustotal]:

    fn-virustotal: 
    Expecting value: line 1 column 1 (char 0)
    {'state': 'failure', 'reason': "'Expecting value: line 1 column 1 (char 0)'"}
        selftest: failure
        selftest output:
        {'state': 'failure', 'reason': "'Expecting value: line 1 column 1 (char 0)'"}
        Elapsed time: 0.753000 seconds

    ERROR: running selftest for App.
    Error Code: 1



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 17.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 08:49 AM

    Hi Dany,

    You have only sent a screenshot of the curl output. There would normally be a mention of the certificate. You might need to scroll up. Feel free to send the entire output as long as it doesn't include anything sensitive.

    # curl https://virustotal.com/api/v3/ip_addresses/8.8.8.8 -v
    * About to connect() to virustotal.com port 443 (#0)
    *   Trying 216.239.32.21...
    * Connected to virustotal.com (216.239.32.21) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *     subject: CN=*.virustotal.com,O=VirusTotal SL,L=Malaga,C=ES
    *     start date: Dec 12 00:00:00 2022 GMT
    *     expire date: Jan 12 23:59:59 2024 GMT
    *     common name: *.virustotal.com
    *     issuer: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
    > GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: virustotal.com
    > Accept: */*
    >
    < HTTP/1.1 401 Unauthorized



    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 18.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 08:59 AM
    Edited by Dany El-Nghaywe Tue November 07, 2023 09:00 AM

    Dear,

    This is what I'm getting:

    curl https://virustotal.com/api/v3/ip_addresses/8.8.8.8 -v
    * About to connect() to virustotal.com port 443 (#0)
    *   Trying 216.239.38.21...
    * Connected to virustotal.com (216.239.38.21) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=*.virustotal.com,O=VirusTotal SL,L=Malaga,C=ES
    *       start date: Dec 12 00:00:00 2022 GMT
    *       expire date: Jan 12 23:59:59 2024 GMT
    *       common name: *.virustotal.com
    *       issuer: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
    > GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: virustotal.com
    > Accept: */*
    >
    < HTTP/1.1 401 Unauthorized
    < Content-Type: application/json
    < Set-Cookie: VT_SESSION_ID=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    < Set-Cookie: VT_SESSION_HASH=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    < Set-Cookie: VT_AUGMENT=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    < Set-Cookie: VT_SESSION_ID=; Domain=.virustotal.com; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    < Set-Cookie: VT_SESSION_HASH=; Domain=.virustotal.com; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    < Set-Cookie: VT_AUGMENT=; Domain=.virustotal.com; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    < X-Cloud-Trace-Context: 732bf2a083ba384b56caa4d41b8336b5
    < Date: Tue, 07 Nov 2023 13:59:04 GMT
    < Server: Google Frontend
    < Content-Length: 119
    <
    {
        "error": {
            "message": "X-Apikey header is missing",
            "code": "AuthenticationRequiredError"
        }
    * Connection #0 to host virustotal.com left intact



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 19.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 09:38 AM

    Hi Dany,

    You get the correct common name returned by the curl command. 

    On the App Host server cli can you run sudo kubectl get pods -A -l apps.isc.ibm.com/app-type=app -L app.kubernetes.io/instance

    Look for the name of the function (fn_virustotal) in the INSTANCE column and then populate the following command. Enter the namespace and name values for the function from the other two columns.

    sudo kubectl -n <NAMESPACE> exec -it <NAME> /bin/bash

    It will look similar to:

    sudo kubectl -n 2cadf13e-10c4-4f00-ad69-7ce2f752182f exec -it 21f87c9f-6b33-4e19-97e7-80a4336cac2e-7777dc87b6-t5jnd /bin/bash

    This will get you into the function's container. Once the cli returns to (app-root) bash-4.4$ then run the same curl command. What is the certificate returned? Is it the same as when you ran the curl the first time?

    Regardless, you are now getting a connection to SOAR and Virustotal.

    In the past, the following kind of error suggested that the response coming back from the third party endpoint is not what the function expects. In the past this could be an HTML page instead of JSON or an error from the third party endpoint.

    fn-virustotal: 
    Expecting value: line 1 column 1 (char 0)
    {'state': 'failure', 'reason': "'Expecting value: line 1 column 1 (char 0)'"}
        selftest: failure
        selftest output:
        {'state': 'failure', 'reason': "'Expecting value: line 1 column 1 (char 0)'"}
        Elapsed time: 0.753000 seconds

    ERROR: running selftest for App.
    Error Code: 1

    I suggest that you set loglevel = DEBUG under the [resilient] section of the app.config and then try and invoke one of the Virustotal functions. Look at the function's log to see what errors you are seeing when the function calls the third party endpoint. Check the app.config is configured correctly too.

    @Bo Bleckel might have other thoughts. I'm cognisant that I have commented on a thread you were running with.



    ------------------------------
    BEN WILLIAMS
    ------------------------------
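
Added example, not part of the thread and not the fn_virustotal code: the "Expecting value: line 1 column 1 (char 0)" message discussed in the post above is what Python's json.loads raises for an HTML page or an empty body, and checking the body before decoding gives a more useful diagnosis. The function names are hypothetical, the HTML body is constructed, and the JSON body is condensed from the 401 response in the curl output earlier in the thread.

```python
import json

# Condensed from the 401 response body shown in the curl output in this thread.
VT_401_BODY = ('{"error": {"message": "X-Apikey header is missing", '
               '"code": "AuthenticationRequiredError"}}')

# Constructed sample: the kind of page a proxy or gateway may return instead of JSON.
HTML_PAGE = "<!DOCTYPE html>\n<html><body><h1>Access restricted</h1></body></html>"


def raw_error(text):
    """Return the message json.loads raises for this body, or None if it parses."""
    try:
        json.loads(text)
    except json.JSONDecodeError as err:
        return str(err)
    return None


def diagnose_response(status, content_type, text):
    """Classify an HTTP response body before treating it as JSON.

    Returns {'kind': ..., 'reason': ...} where kind is one of
    'empty', 'html', 'invalid_json', 'api_error' or 'ok'.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    stripped = text.lstrip()
    preview = " ".join(text.split())[:60]  # short, single-line excerpt for logs

    if not stripped:
        return {"kind": "empty", "reason": f"HTTP {status} with an empty body"}

    # Markup instead of JSON: an error page, a login page or a block page.
    if ctype == "text/html" or stripped.startswith("<"):
        shown = ctype or "no content type"
        return {"kind": "html",
                "reason": f"HTTP {status} returned markup ({shown}): {preview!r}"}

    try:
        data = json.loads(text)
    except json.JSONDecodeError as err:
        return {"kind": "invalid_json",
                "reason": f"HTTP {status}: {err}; body starts {preview!r}"}

    # Valid JSON that carries an error object, like the 401 body above.
    if isinstance(data, dict) and isinstance(data.get("error"), dict):
        err = data["error"]
        return {"kind": "api_error",
                "reason": f"HTTP {status} {err.get('code')}: {err.get('message')}"}

    return {"kind": "ok", "reason": f"HTTP {status} with a JSON body"}


if __name__ == "__main__":
    print(raw_error(HTML_PAGE))
    print(diagnose_response(200, "text/html; charset=utf-8", HTML_PAGE))
    print(diagnose_response(401, "application/json", VT_401_BODY))
    print(diagnose_response(200, "application/json", ""))
```
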



  • 20.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 10:04 AM

    Hi Ben,

    I tried to run one function, and I downloaded the app logs with loglevel = DEBUG,

    I got the following error:

    2023-11-07 14:57:57,184 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
    2023-11-07 14:57:59,188 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (2): resilient.localdomain:443
    2023-11-07 14:57:59,782 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 4 seconds...
    2023-11-07 14:58:03,788 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (3): resilient.localdomain:443
    2023-11-07 14:58:04,062 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 8 seconds...
    2023-11-07 14:58:12,068 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (4): resilient.localdomain:443
    2023-11-07 14:58:12,402 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 16 seconds...
    2023-11-07 14:58:28,419 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (5): resilient.localdomain:443
    2023-11-07 14:58:28,737 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 32 seconds...
    2023-11-07 14:59:00,771 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (6): resilient.localdomain:443
    2023-11-07 14:59:01,094 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 64 seconds...



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 21.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 10:17 AM

    Hi guys -

    Thanks Ben for the help, I think we're getting somewhere. @Dany El-Nghaywe, I would recommend again my very initial suggestion: set verify=false (scroll up on the thread to make sure you enter it properly) and then send the same output that you just sent.

    I and the developer of this app are not able to reproduce your issue in our env, so I do still think that proxies or other networking issues could be in the way; especially since you're seeing a "self-signed certificate" error which should never come through from virustotal.

    Please do the verify=false setting and send the output. Thanks



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 22.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 10:26 AM

    Hi Dany,

    Also set cafile=False under the [resilient] section so that it doesn't verify the connection.

    You had this working so please keep track of what combination works because Bo or I do not know what values you have set in the app.config for each log snippet you share. Maybe you should send the app.config with each error so we can determine what value, cafile=false or verify=false you have or have not set?



    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 23.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 10:52 AM

    Hello dears,

    With the current config:

    [fn_virustotal]
    api_token = $API_TOKEN
    polling_interval_sec = 60
    max_polling_wait_sec = 600
    verify = false

    [resilient]
    api_key_id = $API_KEY_ID
    api_key_secret = $API_KEY_SECRET
    cafile = /etc/rescircuits/cert.cer
    host = resilient.localdomain
    port = 443
    org = CBM
    loglevel = DEBUG 

    I'm getting the following error:

    2023-11-07 14:57:56,480 INFO [app] [MainThread] Configuration file: /etc/rescircuits/app.config
    2023-11-07 14:57:56,480 INFO [app] [MainThread] Resilient server: resilient.localdomain
    2023-11-07 14:57:56,480 INFO [app] [MainThread] Resilient api key id: 263b257c-2bb0-41a3-890e-21ab80917c8c
    2023-11-07 14:57:56,482 INFO [app] [MainThread] Resilient org: CBM
    2023-11-07 14:57:56,482 INFO [app] [MainThread] Logging Level: DEBUG
    2023-11-07 14:57:56,482 INFO [app] [MainThread] App Config plugin: NoneType
    2023-11-07 14:57:56,483 DEBUG [actions_component] [MainThread] create idle timer
    2023-11-07 14:57:56,484 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 14:57:56,484 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 14:57:56,485 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 14:57:56,485 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 14:57:56,486 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (1): resilient.localdomain:443
    2023-11-07 14:57:57,184 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
    2023-11-07 14:57:59,188 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (2): resilient.localdomain:443
    2023-11-07 14:57:59,782 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 4 seconds...
    2023-11-07 14:58:03,788 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (3): resilient.localdomain:443
    2023-11-07 14:58:04,062 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 8 seconds...
    2023-11-07 14:58:12,068 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (4): resilient.localdomain:443
    2023-11-07 14:58:12,402 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 16 seconds...
    2023-11-07 14:58:28,419 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (5): resilient.localdomain:443
    2023-11-07 14:58:28,737 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 32 seconds...
    2023-11-07 14:59:00,771 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (6): resilient.localdomain:443
    2023-11-07 14:59:01,094 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 64 seconds...

    With the below config:

    [fn_virustotal]
    api_token = $API_TOKEN
    polling_interval_sec = 60
    max_polling_wait_sec = 600
    verify = false

    [resilient]
    api_key_id = $API_KEY_ID
    api_key_secret = $API_KEY_SECRET
    #cafile = /etc/rescircuits/cert.cer
    cafile = false
    host = resilient.localdomain
    port = 443
    org = CBM
    loglevel = DEBUG 

    I get:

    2023-11-07 15:35:10,500 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (1): resilient.localdomain:443
    2023-11-07 15:35:11,228 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:35:11,229 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
    2023-11-07 15:35:13,378 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:35:13,379 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 4 seconds...
    2023-11-07 15:35:17,522 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:35:17,523 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 8 seconds...
    2023-11-07 15:35:25,666 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:35:25,667 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 16 seconds...
    2023-11-07 15:35:41,828 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:35:41,829 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 32 seconds...
    2023-11-07 15:36:13,863 DEBUG [connectionpool] [MainThread] Resetting dropped connection: resilient.localdomain
    2023-11-07 15:36:14,331 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:36:14,332 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 64 seconds...
    2023-11-07 15:37:18,402 DEBUG [connectionpool] [MainThread] Resetting dropped connection: resilient.localdomain
    2023-11-07 15:37:18,866 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:37:18,867 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 128 seconds...
    2023-11-07 15:39:26,968 DEBUG [connectionpool] [MainThread] Resetting dropped connection: resilient.localdomain
    2023-11-07 15:39:27,417 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
    2023-11-07 15:39:27,418 WARNING [api] [MainThread] RetryHTTPException: 'resilient' API Request Retry:
    Response Code: 404
    Reason: Not Found. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
    </body></html>
    in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 256 seconds...

    When I change the host value to the IP address (instead of resilient.localdomain) and cafile=false:

    [fn_virustotal]
    api_token = $API_TOKEN
    polling_interval_sec = 60
    max_polling_wait_sec = 600
    verify = false

    [resilient]
    api_key_id = $API_KEY_ID
    api_key_secret = $API_KEY_SECRET
    #cafile = /etc/rescircuits/cert.cer
    cafile = false
    host = 192.168.100.120
    port = 443
    org = CBM
    loglevel = DEBUG 

    I get the following error from the playbook:

    Traceback (most recent call last):
      File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
        return callback(response)
      File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
        content = json.loads(response.text)
      File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
        return _default_decoder.decode(s)
      File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
        obj, end = self.raw_decode(s, idx=_w(s, 0).end())
      File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
        raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
        response, code = vt.get_ip_report(vt_data)
      File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
        response, code = self.rc.execute("GET",
      File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
        raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'

    When I change the host value to the IP address (instead of resilient.localdomain) and remove cafile=false:

    [fn_virustotal]
    api_token = $API_TOKEN
    polling_interval_sec = 60
    max_polling_wait_sec = 600
    verify = false

    [resilient]
    api_key_id = $API_KEY_ID
    api_key_secret = $API_KEY_SECRET
    cafile = /etc/rescircuits/cert.cer
    host = 192.168.100.120
    port = 443
    org = CBM
    loglevel = DEBUG 

    I get:

    2023-11-07 15:48:06,446 INFO [app] [MainThread] Configuration file: /etc/rescircuits/app.config
    2023-11-07 15:48:06,446 INFO [app] [MainThread] Resilient server: 192.168.100.120
    2023-11-07 15:48:06,446 INFO [app] [MainThread] Resilient api key id: 263b257c-2bb0-41a3-890e-21ab80917c8c
    2023-11-07 15:48:06,448 INFO [app] [MainThread] Resilient org: CBM
    2023-11-07 15:48:06,449 INFO [app] [MainThread] Logging Level: DEBUG
    2023-11-07 15:48:06,449 INFO [app] [MainThread] App Config plugin: NoneType
    2023-11-07 15:48:06,450 DEBUG [actions_component] [MainThread] create idle timer
    2023-11-07 15:48:06,451 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 15:48:06,451 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 15:48:06,451 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 15:48:06,451 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 15:48:06,454 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (1): 192.168.100.120:443
    2023-11-07 15:48:06,463 WARNING [connection] [MainThread] Certificate did not match expected hostname: 192.168.100.120. Certificate: {'subject': ((('commonName', 'resilient.localdomain'),),), 'issuer': ((('commonName', 'resilient.localdomain'),),), 'version': 3, 'serialNumber': '3E9B967E', 'notBefore': 'May 16 12:58:37 2023 GMT', 'notAfter': 'May 15 12:58:37 2024 GMT', 'subjectAltName': (('DNS', 'resilient.localdomain'),)}
    2023-11-07 15:48:06,464 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='192.168.100.120', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(CertificateError("hostname '192.168.100.120' doesn't match 'resilient.localdomain'"))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
    2023-11-07 15:48:08,468 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (2): 192.168.100.120:443
    2023-11-07 15:48:08,475 WARNING [connection] [MainThread] Certificate did not match expected hostname: 192.168.100.120. Certificate: {'subject': ((('commonName', 'resilient.localdomain'),),), 'issuer': ((('commonName', 'resilient.localdomain'),),), 'version': 3, 'serialNumber': '3E9B967E', 'notBefore': 'May 16 12:58:37 2023 GMT', 'notAfter': 'May 15 12:58:37 2024 GMT', 'subjectAltName': (('DNS', 'resilient.localdomain'),)}
    2023-11-07 15:48:08,476 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='192.168.100.120', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(CertificateError("hostname '192.168.100.120' doesn't match 'resilient.localdomain'"))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 4 seconds...
    2023-11-07 15:48:12,482 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (3): 192.168.100.120:443
    2023-11-07 15:48:12,490 WARNING [connection] [MainThread] Certificate did not match expected hostname: 192.168.100.120. Certificate: {'subject': ((('commonName', 'resilient.localdomain'),),), 'issuer': ((('commonName', 'resilient.localdomain'),),), 'version': 3, 'serialNumber': '3E9B967E', 'notBefore': 'May 16 12:58:37 2023 GMT', 'notAfter': 'May 15 12:58:37 2024 GMT', 'subjectAltName': (('DNS', 'resilient.localdomain'),)}
    2023-11-07 15:48:12,491 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='192.168.100.120', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(CertificateError("hostname '192.168.100.120' doesn't match 'resilient.localdomain'"))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 8 seconds...



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 24.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 10:59 AM

    Hi Dany,

    I fear the 404 is returned when using resilient.localdomain because it is resolving to something else which is not the SOAR server. Stick with this combination.

    [fn_virustotal]
    api_token = $API_TOKEN
    polling_interval_sec = 60
    max_polling_wait_sec = 600
    verify = false

    [resilient]
    api_key_id = $API_KEY_ID
    api_key_secret = $API_KEY_SECRET
    #cafile = /etc/rescircuits/cert.cer
    cafile = false
    host = 192.168.100.120
    port = 443
    org = CBM
    loglevel = DEBUG 

    Now you have this set, invoke a function and look at the function logs afterwards to see what the API call is being made to virustotal and the results virustotal is sending back to the function.



    ------------------------------
    BEN WILLIAMS
    ------------------------------
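
Added example, not part of the thread and not IBM's code: a small triage script that collapses the retry noise in the logs above into the three distinct failures seen on the connection to SOAR, and uses the certificate printed in the mismatch warning to show which host values its names cover. The log lines are abridged from the ones posted in this thread; the function names and the wording of the notes are assumptions of this example.

```python
import ast
import ipaddress
import re

# Abridged from the resilient-circuits log lines posted in this thread.
SAMPLE_LOG = """\
2023-11-07 14:57:57,184 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='resilient.localdomain', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))
2023-11-07 15:35:11,228 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
2023-11-07 15:35:13,378 DEBUG [connectionpool] [MainThread] https://resilient.localdomain:443 "GET /rest/session?include_permissions=false HTTP/1.1" 404 315
2023-11-07 15:48:06,463 WARNING [connection] [MainThread] Certificate did not match expected hostname: 192.168.100.120. Certificate: {'subject': ((('commonName', 'resilient.localdomain'),),), 'issuer': ((('commonName', 'resilient.localdomain'),),), 'version': 3, 'serialNumber': '3E9B967E', 'notBefore': 'May 16 12:58:37 2023 GMT', 'notAfter': 'May 15 12:58:37 2024 GMT', 'subjectAltName': (('DNS', 'resilient.localdomain'),)}
"""

POOL_HOST = re.compile(r"HTTPSConnectionPool\(host='([^']+)'")
MISMATCH = re.compile(r"did not match expected hostname: (\S+)\. Certificate: (\{.*\})")
ACCESS = re.compile(r'https://([^:/\s]+):\d+ "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})\b')


def cert_names(cert):
    """SAN entries of a getpeercert()-style dict; fall back to the subject CN."""
    sans = list(cert.get("subjectAltName", ()))
    if sans:
        return sans
    return [("DNS", v) for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def host_matches(host, names):
    """True if `host` is covered by the names; an IP host needs an IP SAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in names:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            want, have = value.lower(), host.lower()
            if want == have:
                return True
            # A wildcard covers exactly one leftmost label.
            if want.startswith("*.") and "." in have and have.split(".", 1)[1] == want[2:]:
                return True
    return False


def classify(line):
    """Map one log line to a finding dict, or None if it is not a known failure."""
    m = MISMATCH.search(line)
    if m:
        cert = ast.literal_eval(m.group(2))  # the dict is printed as a Python literal
        return {"kind": "hostname_mismatch", "host": m.group(1),
                "cert_names": cert_names(cert),
                "self_issued": cert.get("subject") == cert.get("issuer"),
                "note": "certificate names do not cover the configured host"}
    if "CERTIFICATE_VERIFY_FAILED" in line and "self signed certificate" in line:
        host = POOL_HOST.search(line)
        return {"kind": "untrusted_self_signed",
                "host": host.group(1) if host else None,
                "note": "self-signed certificate is not in the trust store in use"}
    m = ACCESS.search(line)
    if m and m.group(3) == "404":
        return {"kind": "http_404", "host": m.group(1), "path": m.group(2),
                "note": "TLS succeeded but this server does not serve the path"}
    return None


def triage(log_text):
    """Return one finding per distinct (kind, host), in order of first appearance."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        finding = classify(line)
        if finding and (finding["kind"], finding["host"]) not in seen:
            seen.add((finding["kind"], finding["host"]))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["host"], "-", f["note"])
        for candidate in ("resilient.localdomain", "192.168.100.120"):
            if "cert_names" in f:
                print("   ", candidate, "covered:", host_matches(candidate, f["cert_names"]))
```
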



  • 25.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 11:27 AM

    Dear,

    I have configured the app.config as you recommended. I have then tested a VirusTotal function and got the following error:

    Traceback (most recent call last):
      File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
        return callback(response)
      File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
        content = json.loads(response.text)
      File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
        return _default_decoder.decode(s)
      File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
        obj, end = self.raw_decode(s, idx=_w(s, 0).end())
      File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
        raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
        response, code = vt.get_ip_report(vt_data)
      File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
        response, code = self.rc.execute("GET",
      File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
        raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'

    Also, I got the following error from the app logs:

    Current Pod Status:
    PodStatus(conditions=[PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-07T16:17:23Z, message=null, reason=null, status=True, type=Initialized, additionalProperties={}), PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-07T16:17:25Z, message=null, reason=null, status=True, type=Ready, additionalProperties={}), PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-07T16:17:25Z, message=null, reason=null, status=True, type=ContainersReady, additionalProperties={}), PodCondition(lastProbeTime=null, lastTransitionTime=2023-11-07T16:17:21Z, message=null, reason=null, status=True, type=PodScheduled, additionalProperties={})], containerStatuses=[ContainerStatus(containerID=containerd://5db0e0119f94f7f0722e879693f6537d3925349c941fcc0e7fd02fc85b65e4bb, image=quay.io/ibmresilient/fn_virustotal:1.1.0, imageID=quay.io/ibmresilient/fn_virustotal@sha256:31febf3bf6e1edb652bbcc076caeb87d53ee7da9d830478cc2cd7fb332ad5525, lastState=ContainerState(running=null, terminated=null, waiting=null, additionalProperties={}), name=80d76705-32b3-4f0e-820e-f51e86faa9f5, ready=true, restartCount=0, started=true, state=ContainerState(running=ContainerStateRunning(startedAt=2023-11-07T16:17:25Z, additionalProperties={}), terminated=null, waiting=null, additionalProperties={}), additionalProperties={})], ephemeralContainerStatuses=[], hostIP=192.168.100.121, initContainerStatuses=[ContainerStatus(containerID=containerd://1ad795cd7422dbc70cc30d89c79afb584cf4300439ba91705b915fdd27c2a9e3, image=quay.io/ibmresilient/apps-operator:1.12.1.530, imageID=quay.io/ibmresilient/apps-operator@sha256:77b1036879a0f55ba1585442faf23a70e836c66cd6ec4809ed201fcf5f7eba63, lastState=ContainerState(running=null, terminated=null, waiting=null, additionalProperties={}), name=protected-secrets-provision, ready=true, restartCount=0, started=null, state=ContainerState(running=null, 
terminated=ContainerStateTerminated(containerID=containerd://1ad795cd7422dbc70cc30d89c79afb584cf4300439ba91705b915fdd27c2a9e3, exitCode=0, finishedAt=2023-11-07T16:17:23Z, message=null, reason=Completed, signal=null, startedAt=2023-11-07T16:17:22Z, additionalProperties={}), waiting=null, additionalProperties={}), additionalProperties={})], message=null, nominatedNodeName=null, phase=Running, podIP=10.42.0.169, podIPs=[PodIP(ip=10.42.0.169, additionalProperties={})], qosClass=BestEffort, reason=null, startTime=2023-11-07T16:17:21Z, additionalProperties={})
    Logs:

    ------------------------
    Environment:
    Python Version: 3.9.16 (main, Dec 21 2022, 10:57:18) 
    [GCC 8.5.0 20210514 (Red Hat 8.5.0-17)]

    Installed packages:

    beautifulsoup4: 4.12.2
    bs4: 0.0.1
    cachetools: 5.3.1
    certifi: 2023.5.7
    cffi: 1.15.1
    charset-normalizer: 3.1.0
    circuits: 3.2.2
    cryptography: 41.0.1
    decorator: 5.1.1
    Deprecated: 1.2.14
    filelock: 3.12.0
    fn-virustotal: 1.1.0
    idna: 3.4
    importlib-metadata: 6.6.0
    jaraco.classes: 3.2.3
    jeepney: 0.8.0
    Jinja2: 3.1.2
    jwcrypto: 1.4.2
    keyring: 23.13.1
    MarkupSafe: 2.1.3
    more-itertools: 9.1.0
    pip: 23.1.2
    pycparser: 2.21
    pyOpenSSL: 23.2.0
    PySocks: 1.7.1
    pytz: 2023.3
    requests: 2.31.0
    requests-pkcs12: 1.15
    requests-toolbelt: 1.0.0
    resilient: 49.0.4423
    resilient-app-config-plugins: 1.0.0
    resilient-circuits: 49.0.4423
    resilient-lib: 49.0.4423
    retry2: 0.9.5
    SecretStorage: 3.3.3
    setuptools: 65.5.1
    six: 1.16.0
    soupsieve: 2.4.1
    stompest: 2.3.0
    urllib3: 1.26.16
    watchdog: 2.3.1
    wrapt: 1.15.0
    zipp: 3.15.0
    ###############
    2023-11-07 16:17:25,881 INFO [app] [MainThread] Configuration file: /etc/rescircuits/app.config
    2023-11-07 16:17:25,882 INFO [app] [MainThread] Resilient server: 192.168.100.120
    2023-11-07 16:17:25,882 INFO [app] [MainThread] Resilient api key id: 263b257c-2bb0-41a3-890e-21ab80917c8c
    2023-11-07 16:17:25,885 INFO [app] [MainThread] Resilient org: CBM
    2023-11-07 16:17:25,885 INFO [app] [MainThread] Logging Level: DEBUG
    2023-11-07 16:17:25,885 INFO [app] [MainThread] App Config plugin: NoneType
    2023-11-07 16:17:25,886 DEBUG [actions_component] [MainThread] create idle timer
    2023-11-07 16:17:25,887 WARNING [co3] [MainThread] Unverified HTTPS requests (cafile=false).
    2023-11-07 16:17:25,887 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 16:17:25,888 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 16:17:25,888 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 16:17:25,888 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 16:17:25,890 DEBUG [connectionpool] [MainThread] Starting new HTTPS connection (1): 192.168.100.120:443
    2023-11-07 16:17:26,009 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/session?include_permissions=false HTTP/1.1" 200 902
    2023-11-07 16:17:26,010 INFO [co3base] [MainThread] Using org name: CBM
    2023-11-07 16:17:26,011 DEBUG [co3] [MainThread] {
    "orgs": [
    {
    "id": 201,
    "name": "CBM",
    "addr": null,
    "addr2": null,
    "city": null,
    "state": null,
    "zip": null,
    "attachments_enabled": true,
    "final_phase_required": false,
    "tasks_private": false,
    "has_saml": false,
    "require_saml": false,
    "twofactor_auth_domain": null,
    "has_available_twofactor": false,
    "authorized_ldap_group": null,
    "supports_ldap": false,
    "incident_deletion_allowed": true,
    "configuration_type": "standard",
    "parent_org": null,
    "session_timeout": 1200,
    "last_modified_by": {
    "id": 2,
    "type": "user",
    "name": "dany.nghaywe@groupcbm.com",
    "display_name": "dany nghaywe"
    },
    "last_modified_time": 1698145048796,
    "uuid": "***",
    "timezone": null,
    "cloud_account": null,
    "perms": null,
    "effective_permissions": [],
    "role_handles": [],
    "enabled": true,
    "twofactor_cookie_lifetime_secs": 0
    }
    ],
    "password_expiration_date": 1730545349311,
    "api_key_handle": 22,
    "client_id": "***",
    "display_name": "VirusTotal"
    }
    2023-11-07 16:17:26,228 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/orgs/201 HTTP/1.1" 200 None
    2023-11-07 16:17:26,230 DEBUG [rest_helper] [MainThread] Getting server version
    2023-11-07 16:17:26,345 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/const HTTP/1.1" 200 None
    2023-11-07 16:17:26,352 INFO [rest_helper] [MainThread] IBM Security QRadar SOAR version: v48.0.8529
    2023-11-07 16:17:26,620 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/orgs/201/types/incident/fields HTTP/1.1" 200 None
    2023-11-07 16:17:26,836 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/orgs/201/types/actioninvocation/fields HTTP/1.1" 200 None
    2023-11-07 16:17:27,037 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/orgs/201/actions HTTP/1.1" 200 None
    2023-11-07 16:17:27,040 DEBUG [actions_component] [MainThread] num_workers set to 25
    2023-11-07 16:17:27,049 INFO [app] [MainThread] Components auto-load directory: (none)
    2023-11-07 16:17:27,369 DEBUG [decorators] [MainThread] @function <function FunctionComponent._virustotal_function at 0x7f5ea40feee0>
    2023-11-07 16:17:27,370 INFO [component_loader] [MainThread] Loading 1 components
    2023-11-07 16:17:27,370 INFO [component_loader] [MainThread] 'fn_virustotal.components.virustotal.FunctionComponent' loading
    2023-11-07 16:17:27,495 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/orgs/201/functions/virustotal?handle_format=names HTTP/1.1" 200 None
    2023-11-07 16:17:27,713 DEBUG [connectionpool] [MainThread] https://192.168.100.120:443 "GET /rest/orgs/201/types/__function/fields HTTP/1.1" 200 None
    2023-11-07 16:17:27,724 DEBUG [actions_component] [MainThread] @function handler names: ['virustotal']
    2023-11-07 16:17:27,724 DEBUG [helpers] [MainThread] Getting environmental variable 'API_TOKEN'
    2023-11-07 16:17:27,725 DEBUG [app_config] [MainThread] Substituting value for '$API_TOKEN' in $API_TOKEN
    2023-11-07 16:17:27,725 DEBUG [component_loader] [MainThread] 'fn_virustotal.components.virustotal.FunctionComponent' loaded
    2023-11-07 16:17:27,725 DEBUG [debugger] [MainThread] <registered[*] (<Debugger/* 9:MainThread (queued=0) [S]>, <App/* 9:MainThread (queued=9) [R]> )>
    2023-11-07 16:17:27,726 DEBUG [debugger] [MainThread] <registered[*] (<FunctionComponent/* 9:MainThread (queued=0) [S]>, <ComponentLoader/loader 9:MainThread (queued=0) [S]> )>
    2023-11-07 16:17:27,726 INFO [actions_component] [MainThread] 'fn_virustotal.components.virustotal.FunctionComponent' function 'virustotal' registered to 'fn_virustotal'
    2023-11-07 16:17:27,726 DEBUG [debugger] [MainThread] <registered[*] (<Timer/* 9:MainThread (queued=0) [S]>, <Actions/* 9:MainThread (queued=0) [S]> )>
    2023-11-07 16:17:27,727 DEBUG [debugger] [MainThread] <load_all_success[loader] ( )>
    2023-11-07 16:17:27,727 INFO [app] [MainThread] Components loaded
    2023-11-07 16:17:27,728 DEBUG [app] [MainThread] Components:
    <App/* 9:MainThread (queued=6) [R]>
    started/*
    config_logging/*
    load_all_success/*
    do_initialization/*
    stopped/*
    reload_opts/*
    load_all_failure/*
    <Debugger/* 9:MainThread (queued=0) [S]>
    signal/*
    exception/*
    <ComponentLoader/loader 9:MainThread (queued=0) [S]>
    exception/loader
    load/*
    load_complete/*
    <FunctionComponent/* 9:MainThread (queued=0) [S]>
    reload/*, *
    virustotal/functions.virustotal
    <Actions/* 9:MainThread (queued=0) [S]>
    reconnect/*
    exception/*
    signal/*
    retry_failed_deliveries/*
    Ack_failure/*
    Ack_success/*
    Message/*
    load_all_success/*
    Connect_success/*
    subscribe_to_all/*
    Connected/*
    reload/*, *
    FunctionErrorEvent/*
    Disconnected/*
    registered/*
    StatusMessageEvent/*
    idle_reset/*
    HeartbeatTimeout/*
    Send_failure/*
    SelftestTerminateEvent/*
    OnStompError/*
    Send_success/*
    prepare_unregister/*
    <FunctionWorker/functionworker 9:MainThread (queued=0) [S]>
    signal/*
    stopped/*
    unregistered/*
    task/*
    <Timer/* 9:MainThread (queued=0) [S]>
    generate_events/*
    <Timer/* 9:MainThread (queued=0) [S]>
    generate_events/*
    2023-11-07 16:17:27,728 DEBUG [debugger] [MainThread] <registered[*] (<Timer/* 9:MainThread (queued=0) [S]>, <Actions/* 9:MainThread (queued=0) [S]> )>
    2023-11-07 16:17:27,729 DEBUG [debugger] [MainThread] <registered[*] (<Actions/* 9:MainThread (queued=0) [S]>, <App/* 9:MainThread (queued=4) [R]> )>
    2023-11-07 16:17:27,729 WARNING [actions_component] [MainThread] Unverified STOMP TLS certificate (cafile=false)
    2023-11-07 16:17:27,737 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 16:17:27,737 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 16:17:27,737 DEBUG [helpers] [MainThread] Getting environmental variable 'API_KEY_SECRET'
    2023-11-07 16:17:27,738 DEBUG [app_config] [MainThread] Substituting value for '$API_KEY_SECRET' in $API_KEY_SECRET
    2023-11-07 16:17:27,738 INFO [stomp_component] [MainThread] Connect to 192.168.100.120:65001
    2023-11-07 16:17:27,738 DEBUG [stomp_component] [MainThread] Stomp uri: failover:(ssl://192.168.100.120:65001)?maxReconnectAttempts=3,startupMaxReconnectAttempts=3
    2023-11-07 16:17:27,739 DEBUG [debugger] [MainThread] <registered[loader] (<ComponentLoader/loader 9:MainThread (queued=0) [S]>, <App/* 9:MainThread (queued=5) [R]> )>
    2023-11-07 16:17:27,739 DEBUG [debugger] [MainThread] <registered[functionworker] (<FunctionWorker/functionworker 9:MainThread (queued=0) [S]>, <Actions/* 9:MainThread (queued=0) [S]> )>
    2023-11-07 16:17:27,740 DEBUG [debugger] [MainThread] <started[*] (<App/* 9:MainThread (queued=3) [R]> )>
    2023-11-07 16:17:27,740 INFO [app] [MainThread] App Started
    2023-11-07 16:17:27,741 DEBUG [debugger] [MainThread] <registered[stomp] (<StompClient/stomp 9:MainThread (queued=0) [S]>, <Actions/* 9:MainThread (queued=0) [S]> )>
    2023-11-07 16:17:27,742 DEBUG [debugger] [MainThread] <reconnect[*] ( subscribe=False)>
    2023-11-07 16:17:27,843 INFO [actions_component] [MainThread] STOMP attempting to connect
    2023-11-07 16:17:27,843 DEBUG [debugger] [MainThread] <Connect[*] ()>
    2023-11-07 16:17:27,844 INFO [stomp_component] [MainThread] Connect to Stomp...
    2023-11-07 16:17:27,844 INFO [client] [MainThread] Connecting to 192.168.100.120:65001 ...
    2023-11-07 16:17:27,844 DEBUG [stomp_transport] [MainThread] stomp_transport.connect()
    2023-11-07 16:17:27,894 INFO [client] [MainThread] Connection established
    2023-11-07 16:17:27,895 DEBUG [client] [MainThread] Sending CONNECT frame [headers={'login': '263b257c-2bb0-41a3-890e-21ab80917c8c', 'passcode': '***', 'accept-version': '1.0,1.1,1.2', 'host': '', 'heart-beat': '0,15000'}, version=1.2]
    2023-11-07 16:17:28,216 DEBUG [client] [MainThread] Received CONNECTED frame [headers={'version': '1.2', 'session': 'ID:resilient.localdomain-40161-1698227109777-4:68', 'heart-beat': '15000,0', 'server': 'ActiveMQ/5.15.14'}, version=1.2]
    2023-11-07 16:17:28,216 INFO [client] [MainThread] Connected to stomp broker [session=ID:resilient.localdomain-40161-1698227109777-4:68, version=1.2]
    2023-11-07 16:17:28,217 DEBUG [stomp_component] [MainThread] State after Connection Attempt: connected
    2023-11-07 16:17:28,217 INFO [stomp_component] [MainThread] Connected to failover:(ssl://192.168.100.120:65001)?maxReconnectAttempts=3,startupMaxReconnectAttempts=3
    2023-11-07 16:17:28,217 INFO [stomp_component] [MainThread] Client HB: 0  Server HB: 15000
    2023-11-07 16:17:28,217 INFO [stomp_component] [MainThread] No Client heartbeats will be sent
    2023-11-07 16:17:28,218 INFO [stomp_component] [MainThread] Requested heartbeats from server.
    2023-11-07 16:17:28,219 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:17:28,220 DEBUG [debugger] [MainThread] <Connected[stomp] ()>
    2023-11-07 16:17:28,220 INFO [actions_component] [MainThread] STOMP connected.
    2023-11-07 16:17:28,221 DEBUG [debugger] [MainThread] <registered[*] (<Timer/* 9:MainThread (queued=0) [S]>, <StompClient/stomp 9:MainThread (queued=0) [S]> )>
    2023-11-07 16:17:28,221 DEBUG [debugger] [MainThread] <Connect_success[*] (<Connect[*] ()>, 'success' )>
    2023-11-07 16:17:28,222 DEBUG [actions_component] [MainThread] Connected successfully. Resubscribe? False
    2023-11-07 16:17:28,222 DEBUG [debugger] [MainThread] <Connected_done[stomp] (None )>
    2023-11-07 16:17:28,223 DEBUG [debugger] [MainThread] <Connected_success[stomp] (<Connected[stomp] ()>, None )>
    2023-11-07 16:17:28,324 INFO [actions_component] [MainThread] resilient-circuits has started successfully and is now running...
    2023-11-07 16:17:28,325 INFO [actions_component] [MainThread] Subscribe to message destination 'fn_virustotal'
    2023-11-07 16:17:28,325 DEBUG [debugger] [MainThread] <Subscribe[*] ()>
    2023-11-07 16:17:28,325 INFO [stomp_component] [MainThread] Subscribe to message destination actions.201.fn_virustotal
    2023-11-07 16:17:28,326 DEBUG [client] [MainThread] Sending SUBSCRIBE frame [headers={'ack': 'client-individual', '***': 'actions.201.fn_virustotal', 'activemq.prefetchSize': 20, 'destination': 'actions.201.fn_virustotal'}, version=1.2]
    2023-11-07 16:17:28,327 DEBUG [debugger] [MainThread] <Subscribe_success[*] (<Subscribe[*] ()>, None )>
    2023-11-07 16:17:28,930 DEBUG [client] [MainThread] Received MESSAGE frame [headers={'timestamp': '1699372174960', 'reply-to': '/queue/acks.201.fn_virustotal', 'persistent': 'true', 'Co3ContentType': 'application/json', 'message-id': '***', 'Co3MessagePayload': 'FunctionDataDTO', 'priority': '4', 'subscription': 'actions.201.fn_virustotal', 'ack': 'ID:resilient.localdomain-40161-1698227109777-5:20', 'JMSXUserID': 'SYSTEM', 'destination': '/queue/actions.201.fn_virustotal', 'correlation-id': '***', 'Co3RemoteAddr': '127.0.0.1', 'Co3ContextToken': 'eyJhbGciOiJIUzI1NiJ9.bnVsbA.vkktPeZSQSlrnIiLjxIqiQCp33kTikeZMZf3LFkXu4E', 'expires': '0'}, body=b'{"function":{"creato...', version=1.2]
    2023-11-07 16:17:29,032 DEBUG [debugger] [MainThread] <Message[stomp] ()>
    2023-11-07 16:17:29,033 DEBUG [stomp_component] [MainThread] Stomp message received
    2023-11-07 16:17:29,033 DEBUG [actions_component] [MainThread] STOMP listener: message for actions.201.fn_virustotal
    2023-11-07 16:17:29,033 DEBUG [actions_component] [MainThread] Got Message: MESSAGE frame [headers={'timestamp': '1699372174960', 'reply-to': '/queue/acks.201.fn_virustotal', 'persistent': 'true', 'Co3ContentType': 'application/json', 'message-id': 'ID:resilient.localdomain-35151-1698227260510-3:1:647:1:1', 'Co3MessagePayload': 'FunctionDataDTO', 'priority': '4', 'subscription': 'actions.201.fn_virustotal', 'ack': 'ID:resilient.localdomain-40161-1698227109777-5:20', 'JMSXUserID': 'SYSTEM', 'destination': '/queue/actions.201.fn_virustotal', 'correlation-id': 'invid:142', 'Co3RemoteAddr': '127.0.0.1', 'Co3ContextToken': 'eyJhbGciOiJIUzI1NiJ9.bnVsbA.vkktPeZSQSlrnIiLjxIqiQCp33kTikeZMZf3LFkXu4E', 'expires': '0'}, body=b'{"function":{"creato...', version=1.2]
    2023-11-07 16:17:29,033 DEBUG [action_message] [MainThread] Source: <Actions/* 9:MainThread (queued=0) [S]>
    2023-11-07 16:17:29,034 DEBUG [action_message] [MainThread] Headers: {
    "timestamp": "1699372174960",
    "reply-to": "/queue/acks.201.fn_virustotal",
    "persistent": "true",
    "Co3ContentType": "application/json",
    "message-id": "ID:resilient.localdomain-35151-1698227260510-3:1:647:1:1",
    "Co3MessagePayload": "FunctionDataDTO",
    "priority": "4",
    "subscription": "actions.201.fn_virustotal",
    "ack": "ID:resilient.localdomain-40161-1698227109777-5:20",
    "JMSXUserID": "SYSTEM",
    "destination": "/queue/actions.201.fn_virustotal",
    "correlation-id": "invid:142",
    "Co3RemoteAddr": "127.0.0.1",
    "Co3ContextToken": "eyJhbGciOiJIUzI1NiJ9.bnVsbA.vkktPeZSQSlrnIiLjxIqiQCp33kTikeZMZf3LFkXu4E",
    "expires": "0"
    }
    2023-11-07 16:17:29,034 DEBUG [action_message] [MainThread] Message: {
    "function": {
    "creator": null,
    "description": null,
    "display_name": "VirusTotal",
    "id": 90,
    "name": "virustotal",
    "output_description": null,
    "tags": [
    {
    "tag_handle": {
    "display_name": "fn_virustotal",
    "id": 54,
    "name": "fn_virustotal"
    },
    "value": null
    },
    {
    "tag_handle": {
    "display_name": "Playbook_4aea219b-1665-43ff-ab82-c868d727f22d",
    "id": 56,
    "name": "playbook_4aea219b_1665_43ff_ab82_c868d727f22d"
    },
    "value": "Playbook Tag"
    },
    {
    "tag_handle": {
    "display_name": "Playbook_8d6fda2b-f434-4735-956c-0bc347ed1757",
    "id": 55,
    "name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757"
    },
    "value": "Playbook Tag"
    }
    ],
    "uuid": null,
    "version": null,
    "view_items": [],
    "workflows": []
    },
    "groups": [
    {
    "display_name": "SOAR group",
    "id": 19,
    "name": "SOAR group",
    "type": "group"
    }
    ],
    "inputs": {
    "vt_data": "8.8.8.8",
    "incident_id": 2146,
    "vt_type": "ip",
    "artifact_id": 31
    },
    "playbook_instance": {
    "is_playbook_deleted": false,
    "playbook_activation_type": "manual",
    "playbook_display_name": "Example: VirusTotal (PB)",
    "playbook_id": 39,
    "playbook_instance_id": 39
    },
    "principal": {
    "display_name": "dany nghaywe",
    "id": 2,
    "name": "dany.nghaywe@groupcbm.com",
    "type": "user"
    },
    "workflow": {
    "actions": [],
    "description": null,
    "name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "object_type": {
    "id": 4,
    "name": "artifact"
    },
    "programmatic_name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "tags": [],
    "uuid": null,
    "workflow_id": 137
    },
    "workflow_instance": {
    "workflow": {
    "actions": [],
    "description": null,
    "name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "object_type": {
    "id": 4,
    "name": "artifact"
    },
    "programmatic_name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "tags": [],
    "uuid": null,
    "workflow_id": 137
    },
    "workflow_instance_id": 52
    }
    }
    2023-11-07 16:17:29,034 INFO [actions_component] [MainThread] Event: <virustotal[] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000> Channel: functions.virustotal
    2023-11-07 16:17:29,035 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:17:29,035 DEBUG [debugger] [MainThread] <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000>
    2023-11-07 16:17:29,036 DEBUG [debugger] [MainThread] <Message_success[stomp] (<Message[stomp] ()>, None )>
    2023-11-07 16:17:29,136 DEBUG [decorators] [MainThread] decorated
    2023-11-07 16:17:29,137 DEBUG [debugger] [MainThread] <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e846bd5e0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000> vt_data='8.8.8.8', incident_id=2146, vt_type='ip', artifact_id=31)>
    2023-11-07 16:17:29,238 DEBUG [actions_component] [MainThread] Task: <function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e846bd5e0>
    2023-11-07 16:17:29,239 DEBUG [decorators] [Thread-1] Thread-1: _call_the_task
    2023-11-07 16:17:29,239 DEBUG [helpers] [Thread-1] Getting environmental variable 'API_TOKEN'
    2023-11-07 16:17:29,240 DEBUG [app_config] [Thread-1] Substituting value for '$API_TOKEN' in $API_TOKEN
    2023-11-07 16:17:29,240 DEBUG [helpers] [Thread-1] Getting environmental variable 'API_TOKEN'
    2023-11-07 16:17:29,240 DEBUG [app_config] [Thread-1] Substituting value for '$API_TOKEN' in $API_TOKEN
    2023-11-07 16:17:29,240 INFO [virustotal] [Thread-1] incident_id: 2146
    2023-11-07 16:17:29,241 INFO [virustotal] [Thread-1] artifact_id: 31
    2023-11-07 16:17:29,241 INFO [virustotal] [Thread-1] attachment_id: None
    2023-11-07 16:17:29,242 INFO [virustotal] [Thread-1] task_id: None
    2023-11-07 16:17:29,242 INFO [virustotal] [Thread-1] vt_type: ip
    2023-11-07 16:17:29,242 INFO [virustotal] [Thread-1] vt_data: 8.8.8.8
    2023-11-07 16:17:29,243 INFO [decorators] [Thread-1] [virustotal] StatusMessage: starting...
    2023-11-07 16:17:29,243 DEBUG [requests_common] [Thread-1]   method: GET
    2023-11-07 16:17:29,243 DEBUG [requests_common] [Thread-1]   url: https://virustotal.com/api/v3/ip_addresses/8.8.8.8
    2023-11-07 16:17:29,244 DEBUG [requests_common] [Thread-1]   timeout: 30
    2023-11-07 16:17:29,244 DEBUG [requests_common] [Thread-1]   callback: <function callback at 0x7f5ea40fe790>
    2023-11-07 16:17:29,245 DEBUG [requests_common] [Thread-1]   verify: False
    2023-11-07 16:17:29,248 DEBUG [connectionpool] [Thread-1] Starting new HTTPS connection (1): virustotal.com:443
    2023-11-07 16:17:29,248 DEBUG [debugger] [MainThread] <StatusMessageEvent[*] ('starting...' )>
    2023-11-07 16:17:29,250 DEBUG [debugger] [MainThread] <Send[*] ()>
    2023-11-07 16:17:29,250 DEBUG [stomp_component] [MainThread] send()
    2023-11-07 16:17:29,251 DEBUG [client] [MainThread] Sending SEND frame [headers={'correlation-id': '***', 'destination': '/queue/acks.201.fn_virustotal'}, body=b'{"message_type": 0, ...', version=1.2]
    2023-11-07 16:17:29,251 DEBUG [stomp_component] [MainThread] Message sent
    2023-11-07 16:17:29,252 DEBUG [debugger] [MainThread] <Send_success[*] (<Send[*] ()>, None )>
    2023-11-07 16:17:30,094 DEBUG [connectionpool] [Thread-1] https://virustotal.com:443 "GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1" 404 315
    2023-11-07 16:17:30,095 DEBUG [requests_common] [Thread-1] 404
    2023-11-07 16:17:30,095 DEBUG [requests_common] [Thread-1] b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<p>Additionally, a 404 Not Found\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n'
    2023-11-07 16:17:30,096 ERROR [requests_common] [Thread-1] Expecting value: line 1 column 1 (char 0)
    2023-11-07 16:17:30,159 ERROR [actions_component] [MainThread] Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task
    yield result.get()
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/decorators.py", line 101, in _call_the_task
    raise val
    resilient_circuits.action_message.FunctionException_: 
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
    return callback(response)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
    content = json.loads(response.text)
    File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
    File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
    response, code = vt.get_ip_report(vt_data)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
    response, code = self.rc.execute("GET",
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'


    2023-11-07 16:17:30,160 DEBUG [debugger] [MainThread] <task_failure[functionworker] (<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e846bd5e0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000> vt_data='8.8.8.8', incident_id=2146, vt_type='ip', artifact_id=31)>, (<class 'resilient_circuits.action_message.FunctionException_'>, FunctionException_(), <traceback object at 0x7f5e846d9240>) )>
    2023-11-07 16:17:30,161 DEBUG [debugger] [MainThread] <exception[*] (<class 'resilient_circuits.action_message.FunctionException_'>, FunctionException_(), ['  File "/opt/app-root/lib64/python3.9/site-packages/circuits/core/manager.py", line 874, in processTask\n    raise value.extract()\n', '  File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task\n    yield result.get()\n', '  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get\n    raise self._value\n', '  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker\n    result = (True, func(*args, **kwds))\n', '  File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/decorators.py", line 101, in _call_the_task\n    raise val\n'] handler=None, fevent=<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e846bd5e0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000> vt_data='8.8.8.8', incident_id=2146, vt_type='ip', artifact_id=31)>)>
    2023-11-07 16:17:30,161 ERROR [debugger] [MainThread] ERROR  (<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e846bd5e0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000> vt_data='8.8.8.8', incident_id=2146, vt_type='ip', artifact_id=31)>) (<class 'resilient_circuits.action_message.FunctionException_'>): FunctionException_()
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/circuits/core/manager.py", line 874, in processTask
    raise value.extract()
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task
    yield result.get()
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/decorators.py", line 101, in _call_the_task
    raise val
    resilient_circuits.action_message.FunctionException_: 
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
    return callback(response)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
    content = json.loads(response.text)
    File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
    File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
    response, code = vt.get_ip_report(vt_data)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
    response, code = self.rc.execute("GET",
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'

    2023-11-07 16:17:30,162 ERROR [actions_component] [MainThread] Circuits event <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e846bd5e0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 15:49:34.960000> vt_data='8.8.8.8', incident_id=2146, vt_type='ip', artifact_id=31)> raised exception (<class 'resilient_circuits.action_message.FunctionException_'>): 
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
    return callback(response)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
    content = json.loads(response.text)
    File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
    File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
    response, code = vt.get_ip_report(vt_data)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
    response, code = self.rc.execute("GET",
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'

    2023-11-07 16:17:30,162 DEBUG [actions_component] [MainThread] Ack ID:resilient.localdomain-35151-1698227260510-3:1:647:1:1
    2023-11-07 16:17:30,162 DEBUG [debugger] [MainThread] <Ack[*] ()>
    2023-11-07 16:17:30,163 DEBUG [stomp_component] [MainThread] ack_frame()
    2023-11-07 16:17:30,163 DEBUG [client] [MainThread] Sending ACK frame [headers={'id': '***'}, version=1.2]
    2023-11-07 16:17:30,163 DEBUG [stomp_component] [MainThread] Ack Sent
    2023-11-07 16:17:30,164 DEBUG [debugger] [MainThread] <Send[*] ()>
    2023-11-07 16:17:30,164 DEBUG [stomp_component] [MainThread] send()
    2023-11-07 16:17:30,164 DEBUG [client] [MainThread] Sending SEND frame [headers={'correlation-id': '***', 'destination': '/queue/acks.201.fn_virustotal'}, body=b'{"message_type": 1, ...', version=1.2]
    2023-11-07 16:17:30,165 DEBUG [stomp_component] [MainThread] Message sent
    2023-11-07 16:17:30,165 DEBUG [debugger] [MainThread] <Ack_success[*] (<Ack[*] ()>, None )>
    2023-11-07 16:17:30,165 DEBUG [debugger] [MainThread] <Send_success[*] (<Send[*] ()>, None )>
    2023-11-07 16:17:57,905 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:17:58,219 DEBUG [debugger] [MainThread] <ServerHeartbeat[*] ()>
    2023-11-07 16:17:58,220 DEBUG [debugger] [MainThread] <ServerHeartbeat_success[*] (<ServerHeartbeat[*] ()>, None )>
    2023-11-07 16:18:12,990 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:18:17,922 DEBUG [client] [MainThread] Received MESSAGE frame [headers={'timestamp': '1699373897668', 'reply-to': '/queue/acks.201.fn_virustotal', 'persistent': 'true', 'Co3ContentType': 'application/json', 'message-id': '***', 'Co3MessagePayload': 'FunctionDataDTO', 'priority': '4', 'subscription': 'actions.201.fn_virustotal', 'ack': 'ID:resilient.localdomain-40161-1698227109777-5:21', 'JMSXUserID': 'SYSTEM', 'destination': '/queue/actions.201.fn_virustotal', 'correlation-id': '***', 'Co3RemoteAddr': '127.0.0.1', 'Co3ContextToken': 'eyJhbGciOiJIUzI1NiJ9.bnVsbA.vkktPeZSQSlrnIiLjxIqiQCp33kTikeZMZf3LFkXu4E', 'expires': '0'}, body=b'{"function":{"creato...', version=1.2]
    2023-11-07 16:18:18,024 DEBUG [debugger] [MainThread] <Message[stomp] ()>
    2023-11-07 16:18:18,025 DEBUG [stomp_component] [MainThread] Stomp message received
    2023-11-07 16:18:18,025 DEBUG [actions_component] [MainThread] STOMP listener: message for actions.201.fn_virustotal
    2023-11-07 16:18:18,025 DEBUG [actions_component] [MainThread] Got Message: MESSAGE frame [headers={'timestamp': '1699373897668', 'reply-to': '/queue/acks.201.fn_virustotal', 'persistent': 'true', 'Co3ContentType': 'application/json', 'message-id': 'ID:resilient.localdomain-35151-1698227260510-3:1:649:1:1', 'Co3MessagePayload': 'FunctionDataDTO', 'priority': '4', 'subscription': 'actions.201.fn_virustotal', 'ack': 'ID:resilient.localdomain-40161-1698227109777-5:21', 'JMSXUserID': 'SYSTEM', 'destination': '/queue/actions.201.fn_virustotal', 'correlation-id': 'invid:143', 'Co3RemoteAddr': '127.0.0.1', 'Co3ContextToken': 'eyJhbGciOiJIUzI1NiJ9.bnVsbA.vkktPeZSQSlrnIiLjxIqiQCp33kTikeZMZf3LFkXu4E', 'expires': '0'}, body=b'{"function":{"creato...', version=1.2]
    2023-11-07 16:18:18,025 DEBUG [action_message] [MainThread] Source: <Actions/* 9:MainThread (queued=0) [S]>
    2023-11-07 16:18:18,026 DEBUG [action_message] [MainThread] Headers: {
    "timestamp": "1699373897668",
    "reply-to": "/queue/acks.201.fn_virustotal",
    "persistent": "true",
    "Co3ContentType": "application/json",
    "message-id": "ID:resilient.localdomain-35151-1698227260510-3:1:649:1:1",
    "Co3MessagePayload": "FunctionDataDTO",
    "priority": "4",
    "subscription": "actions.201.fn_virustotal",
    "ack": "ID:resilient.localdomain-40161-1698227109777-5:21",
    "JMSXUserID": "SYSTEM",
    "destination": "/queue/actions.201.fn_virustotal",
    "correlation-id": "invid:143",
    "Co3RemoteAddr": "127.0.0.1",
    "Co3ContextToken": "eyJhbGciOiJIUzI1NiJ9.bnVsbA.vkktPeZSQSlrnIiLjxIqiQCp33kTikeZMZf3LFkXu4E",
    "expires": "0"
    }
    2023-11-07 16:18:18,026 DEBUG [action_message] [MainThread] Message: {
    "function": {
    "creator": null,
    "description": null,
    "display_name": "VirusTotal",
    "id": 90,
    "name": "virustotal",
    "output_description": null,
    "tags": [
    {
    "tag_handle": {
    "display_name": "fn_virustotal",
    "id": 54,
    "name": "fn_virustotal"
    },
    "value": null
    },
    {
    "tag_handle": {
    "display_name": "Playbook_4aea219b-1665-43ff-ab82-c868d727f22d",
    "id": 56,
    "name": "playbook_4aea219b_1665_43ff_ab82_c868d727f22d"
    },
    "value": "Playbook Tag"
    },
    {
    "tag_handle": {
    "display_name": "Playbook_8d6fda2b-f434-4735-956c-0bc347ed1757",
    "id": 55,
    "name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757"
    },
    "value": "Playbook Tag"
    }
    ],
    "uuid": null,
    "version": null,
    "view_items": [],
    "workflows": []
    },
    "groups": [
    {
    "display_name": "SOAR group",
    "id": 19,
    "name": "SOAR group",
    "type": "group"
    }
    ],
    "inputs": {
    "vt_data": "8.8.8.8",
    "incident_id": 2147,
    "vt_type": "ip",
    "artifact_id": 32
    },
    "playbook_instance": {
    "is_playbook_deleted": false,
    "playbook_activation_type": "manual",
    "playbook_display_name": "Example: VirusTotal (PB)",
    "playbook_id": 39,
    "playbook_instance_id": 40
    },
    "principal": {
    "display_name": "dany nghaywe",
    "id": 2,
    "name": "dany.nghaywe@groupcbm.com",
    "type": "user"
    },
    "workflow": {
    "actions": [],
    "description": null,
    "name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "object_type": {
    "id": 4,
    "name": "artifact"
    },
    "programmatic_name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "tags": [],
    "uuid": null,
    "workflow_id": 137
    },
    "workflow_instance": {
    "workflow": {
    "actions": [],
    "description": null,
    "name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "object_type": {
    "id": 4,
    "name": "artifact"
    },
    "programmatic_name": "playbook_8d6fda2b_f434_4735_956c_0bc347ed1757",
    "tags": [],
    "uuid": null,
    "workflow_id": 137
    },
    "workflow_instance_id": 53
    }
    }
    2023-11-07 16:18:18,026 INFO [actions_component] [MainThread] Event: <virustotal[] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000> Channel: functions.virustotal
    2023-11-07 16:18:18,027 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:18:18,027 DEBUG [debugger] [MainThread] <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000>
    2023-11-07 16:18:18,027 DEBUG [debugger] [MainThread] <Message_success[stomp] (<Message[stomp] ()>, None )>
    2023-11-07 16:18:18,128 DEBUG [decorators] [MainThread] decorated
    2023-11-07 16:18:18,129 DEBUG [debugger] [MainThread] <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e842441f0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000> vt_data='8.8.8.8', incident_id=2147, vt_type='ip', artifact_id=32)>
    2023-11-07 16:18:18,230 DEBUG [actions_component] [MainThread] Task: <function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e842441f0>
    2023-11-07 16:18:18,231 DEBUG [decorators] [Thread-3] Thread-3: _call_the_task
    2023-11-07 16:18:18,232 DEBUG [helpers] [Thread-3] Getting environmental variable 'API_TOKEN'
    2023-11-07 16:18:18,232 DEBUG [app_config] [Thread-3] Substituting value for '$API_TOKEN' in $API_TOKEN
    2023-11-07 16:18:18,232 DEBUG [helpers] [Thread-3] Getting environmental variable 'API_TOKEN'
    2023-11-07 16:18:18,233 DEBUG [app_config] [Thread-3] Substituting value for '$API_TOKEN' in $API_TOKEN
    2023-11-07 16:18:18,233 INFO [virustotal] [Thread-3] incident_id: 2147
    2023-11-07 16:18:18,233 INFO [virustotal] [Thread-3] artifact_id: 32
    2023-11-07 16:18:18,234 INFO [virustotal] [Thread-3] attachment_id: None
    2023-11-07 16:18:18,234 INFO [virustotal] [Thread-3] task_id: None
    2023-11-07 16:18:18,234 INFO [virustotal] [Thread-3] vt_type: ip
    2023-11-07 16:18:18,234 INFO [virustotal] [Thread-3] vt_data: 8.8.8.8
    2023-11-07 16:18:18,235 INFO [decorators] [Thread-3] [virustotal] StatusMessage: starting...
    2023-11-07 16:18:18,235 DEBUG [requests_common] [Thread-3]   method: GET
    2023-11-07 16:18:18,235 DEBUG [debugger] [MainThread] <StatusMessageEvent[*] ('starting...' )>
    2023-11-07 16:18:18,236 DEBUG [requests_common] [Thread-3]   url: https://virustotal.com/api/v3/ip_addresses/8.8.8.8
    2023-11-07 16:18:18,237 DEBUG [requests_common] [Thread-3]   timeout: 30
    2023-11-07 16:18:18,237 DEBUG [debugger] [MainThread] <Send[*] ()>
    2023-11-07 16:18:18,237 DEBUG [requests_common] [Thread-3]   callback: <function callback at 0x7f5ea40fe790>
    2023-11-07 16:18:18,238 DEBUG [stomp_component] [MainThread] send()
    2023-11-07 16:18:18,238 DEBUG [requests_common] [Thread-3]   verify: False
    2023-11-07 16:18:18,239 DEBUG [client] [MainThread] Sending SEND frame [headers={'correlation-id': '***', 'destination': '/queue/acks.201.fn_virustotal'}, body=b'{"message_type": 0, ...', version=1.2]
    2023-11-07 16:18:18,240 DEBUG [connectionpool] [Thread-3] Starting new HTTPS connection (1): virustotal.com:443
    2023-11-07 16:18:18,241 DEBUG [stomp_component] [MainThread] Message sent
    2023-11-07 16:18:18,242 DEBUG [debugger] [MainThread] <Send_success[*] (<Send[*] ()>, None )>
    2023-11-07 16:18:18,927 DEBUG [connectionpool] [Thread-3] https://virustotal.com:443 "GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1" 404 315
    2023-11-07 16:18:18,928 DEBUG [requests_common] [Thread-3] 404
    2023-11-07 16:18:18,929 DEBUG [requests_common] [Thread-3] b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<p>Additionally, a 404 Not Found\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n'
    2023-11-07 16:18:18,929 ERROR [requests_common] [Thread-3] Expecting value: line 1 column 1 (char 0)
    2023-11-07 16:18:18,945 ERROR [actions_component] [MainThread] Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task
    yield result.get()
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/decorators.py", line 101, in _call_the_task
    raise val
    resilient_circuits.action_message.FunctionException_: 
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
    return callback(response)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
    content = json.loads(response.text)
    File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
    File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
    response, code = vt.get_ip_report(vt_data)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
    response, code = self.rc.execute("GET",
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'


    2023-11-07 16:18:18,946 DEBUG [debugger] [MainThread] <task_failure[functionworker] (<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e842441f0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000> vt_data='8.8.8.8', incident_id=2147, vt_type='ip', artifact_id=32)>, (<class 'resilient_circuits.action_message.FunctionException_'>, FunctionException_(), <traceback object at 0x7f5e84233080>) )>
    2023-11-07 16:18:18,946 DEBUG [debugger] [MainThread] <exception[*] (<class 'resilient_circuits.action_message.FunctionException_'>, FunctionException_(), ['  File "/opt/app-root/lib64/python3.9/site-packages/circuits/core/manager.py", line 874, in processTask\n    raise value.extract()\n', '  File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task\n    yield result.get()\n', '  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get\n    raise self._value\n', '  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker\n    result = (True, func(*args, **kwds))\n', '  File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/decorators.py", line 101, in _call_the_task\n    raise val\n'] handler=None, fevent=<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e842441f0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000> vt_data='8.8.8.8', incident_id=2147, vt_type='ip', artifact_id=32)>)>
    2023-11-07 16:18:18,947 ERROR [debugger] [MainThread] ERROR  (<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e842441f0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000> vt_data='8.8.8.8', incident_id=2147, vt_type='ip', artifact_id=32)>) (<class 'resilient_circuits.action_message.FunctionException_'>): FunctionException_()
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/circuits/core/manager.py", line 874, in processTask
    raise value.extract()
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task
    yield result.get()
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_circuits/decorators.py", line 101, in _call_the_task
    raise val
    resilient_circuits.action_message.FunctionException_: 
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
    return callback(response)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
    content = json.loads(response.text)
    File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
    File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
    response, code = vt.get_ip_report(vt_data)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
    response, code = self.rc.execute("GET",
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'

    2023-11-07 16:18:18,947 ERROR [actions_component] [MainThread] Circuits event <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f5e842441f0>, <virustotal[functions.virustotal] (id=90, workflow=playbook_8d6fda2b_f434_4735_956c_0bc347ed1757, user=dany.nghaywe@groupcbm.com) 2023-11-07 16:18:17.668000> vt_data='8.8.8.8', incident_id=2147, vt_type='ip', artifact_id=32)> raised exception (<class 'resilient_circuits.action_message.FunctionException_'>): 
    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 292, in execute
    return callback(response)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 286, in callback
    content = json.loads(response.text)
    File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
    File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
    File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/components/virustotal.py", line 129, in _virustotal_function
    response, code = vt.get_ip_report(vt_data)
    File "/opt/app-root/lib64/python3.9/site-packages/fn_virustotal/lib/vt_common.py", line 224, in get_ip_report
    response, code = self.rc.execute("GET",
    File "/opt/app-root/lib64/python3.9/site-packages/resilient_lib/components/requests_common.py", line 303, in execute
    raise IntegrationError(msg)
    resilient_lib.components.integration_errors.IntegrationError: 'Expecting value: line 1 column 1 (char 0)'

    2023-11-07 16:18:18,948 DEBUG [actions_component] [MainThread] Ack ID:resilient.localdomain-35151-1698227260510-3:1:649:1:1
    2023-11-07 16:18:18,948 DEBUG [debugger] [MainThread] <Ack[*] ()>
    2023-11-07 16:18:18,948 DEBUG [stomp_component] [MainThread] ack_frame()
    2023-11-07 16:18:18,949 DEBUG [client] [MainThread] Sending ACK frame [headers={'id': '***'}, version=1.2]
    2023-11-07 16:18:18,949 DEBUG [stomp_component] [MainThread] Ack Sent
    2023-11-07 16:18:18,950 DEBUG [debugger] [MainThread] <Send[*] ()>
    2023-11-07 16:18:18,950 DEBUG [stomp_component] [MainThread] send()
    2023-11-07 16:18:18,950 DEBUG [client] [MainThread] Sending SEND frame [headers={'correlation-id': '***', 'destination': '/queue/acks.201.fn_virustotal'}, body=b'{"message_type": 1, ...', version=1.2]
    2023-11-07 16:18:18,950 DEBUG [stomp_component] [MainThread] Message sent
    2023-11-07 16:18:18,951 DEBUG [debugger] [MainThread] <Ack_success[*] (<Ack[*] ()>, None )>
    2023-11-07 16:18:18,951 DEBUG [debugger] [MainThread] <Send_success[*] (<Send[*] ()>, None )>
    2023-11-07 16:18:27,040 DEBUG [debugger] [MainThread] <retry_failed_deliveries[*] ( )>
    2023-11-07 16:18:28,220 DEBUG [debugger] [MainThread] <ServerHeartbeat[*] ()>
    2023-11-07 16:18:28,220 DEBUG [debugger] [MainThread] <ServerHeartbeat_success[*] (<ServerHeartbeat[*] ()>, None )>
    2023-11-07 16:18:42,976 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:18:57,961 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:18:58,220 DEBUG [debugger] [MainThread] <ServerHeartbeat[*] ()>
    2023-11-07 16:18:58,221 DEBUG [debugger] [MainThread] <ServerHeartbeat_success[*] (<ServerHeartbeat[*] ()>, None )>
    2023-11-07 16:19:12,981 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:19:27,040 DEBUG [debugger] [MainThread] <retry_failed_deliveries[*] ( )>
    2023-11-07 16:19:27,944 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:19:28,220 DEBUG [debugger] [MainThread] <ServerHeartbeat[*] ()>
    2023-11-07 16:19:28,221 DEBUG [debugger] [MainThread] <ServerHeartbeat_success[*] (<ServerHeartbeat[*] ()>, None )>
    2023-11-07 16:19:42,978 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:19:57,947 DEBUG [client] [MainThread] Received heart-beat
    2023-11-07 16:19:58,221 DEBUG [debugger] [MainThread] <ServerHeartbeat[*] ()>
    2023-11-07 16:19:58,221 DEBUG [debugger] [MainThread] <ServerHeartbeat_success[*] (<ServerHeartbeat[*] ()>, None )>



    ------------------------------
    Dany El-Nghaywe
    ------------------------------



  • 26.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 11:45 AM

    Hi Dany,

    The problem is that VirusTotal is sending back a 404.

    2023-11-07 16:18:18,927 DEBUG [connectionpool] [Thread-3] https://virustotal.com:443 "GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1" 404 315
    2023-11-07 16:18:18,928 DEBUG [requests_common] [Thread-3] 404
    2023-11-07 16:18:18,929 DEBUG [requests_common] [Thread-3] b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<p>Additionally, a 404 Not Found\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n'
    2023-11-07 16:18:18,929 ERROR [requests_common] [Thread-3] Expecting value: line 1 column 1 (char 0)



    ------------------------------
    BEN WILLIAMS
    ------------------------------
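
The failure pointed out in this reply, as an added example (not part of the original posts and not code from the fn_virustotal app): a small triage script that groups the request lines of a resilient-circuits debug log by thread and reports why `json.loads` failed. The function names and finding labels are illustrative assumptions, and the sample log is constructed from lines quoted in this thread.

```python
import ast
import json
import re

# Constructed sample, abridged from the log lines quoted in this thread.
SAMPLE_LOG = r"""
2023-11-07 16:18:18,236 DEBUG [requests_common] [Thread-3]   url: https://virustotal.com/api/v3/ip_addresses/8.8.8.8
2023-11-07 16:18:18,238 DEBUG [requests_common] [Thread-3]   verify: False
2023-11-07 16:18:18,927 DEBUG [connectionpool] [Thread-3] https://virustotal.com:443 "GET /api/v3/ip_addresses/8.8.8.8 HTTP/1.1" 404 315
2023-11-07 16:18:18,929 DEBUG [requests_common] [Thread-3] b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n</body></html>\n'
2023-11-07 16:18:18,929 ERROR [requests_common] [Thread-3] Expecting value: line 1 column 1 (char 0)
"""

# timestamp, level, [logger], [thread], message
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) \[(\w+)\] \[([^\]]+)\] (.*)$")
# urllib3 connectionpool summary: "METHOD path HTTP/x.y" status length
HTTP_RE = re.compile(r'"(\w+) (\S+) HTTP/[\d.]+" (\d{3}) ')


def parse_requests(log_text):
    """Group requests_common/connectionpool lines into one record per outbound call."""
    open_by_thread, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation lines (tracebacks, JSON dumps) are skipped
        _ts, level, logger, thread, msg = m.groups()
        msg = msg.strip()
        if logger == "requests_common" and msg.startswith("url: "):
            req = {"url": msg[5:], "verify": None, "status": None,
                   "body": None, "error": None}
            open_by_thread[thread] = req
            done.append(req)
            continue
        req = open_by_thread.get(thread)
        if req is None:
            continue
        if logger == "requests_common" and msg.startswith("verify: "):
            req["verify"] = msg[8:]
        elif logger == "connectionpool" and (h := HTTP_RE.search(msg)):
            req["status"] = int(h.group(3))
        elif logger == "requests_common" and msg[:2] in ("b'", 'b"'):
            try:
                # The body is logged as a Python bytes literal; literal_eval
                # only accepts literals, so it is safe on untrusted log text.
                req["body"] = ast.literal_eval(msg)
            except (ValueError, SyntaxError):
                req["body"] = msg.encode()
        elif logger == "requests_common" and level == "ERROR":
            req["error"] = msg
    return done


def diagnose(req):
    """Return findings that explain a JSON decode error on this request."""
    findings = []
    body = (req["body"] or b"").decode("utf-8", "replace").lstrip()
    if req["status"] is not None and req["status"] >= 400:
        findings.append(f"http_{req['status']}")
    try:
        json.loads(body)
    except ValueError:
        findings.append("body_not_json")
        if body[:9].lower() == "<!doctype" or body[:5].lower() == "<html":
            # An HTML page where the client expects JSON: the decode error
            # is a symptom, the HTTP status is the actual failure.
            findings.append("html_error_page")
    if req["verify"] == "False":
        # Certificate checking was off, so the log cannot prove which
        # server produced this response.
        findings.append("tls_verification_disabled")
    return findings


if __name__ == "__main__":
    for r in parse_requests(SAMPLE_LOG):
        print(r["url"], r["status"], diagnose(r))
```

With `verify: False` on the request, the log alone cannot show which server produced the HTML page, which is why the thread asks for the certificate shown by `curl -v`.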



  • 27.  RE: VirusTotal app.config

    Posted Tue November 07, 2023 11:54 AM

    Hi Dany,

    When you used resilient.localdomain you got a 404. When you used an IP address you didn't get a 404 returned.

    When you try to connect to virustotal.com you get a 404. This sounds like a network problem.

    I asked previously for you to run the curl command from inside the function's container. If you have some kind of network issue then this should help.

    **********

    On the App Host server CLI, can you run:

    sudo kubectl get pods -A -l apps.isc.ibm.com/app-type=app -L app.kubernetes.io/instance

    Look for the name of the function (fn_virustotal) in the INSTANCE column and then populate the following command. Enter the namespace and name values for the function from the other two columns.

    sudo kubectl -n <NAMESPACE> exec -it <NAME> /bin/bash

    It will look similar to:

    sudo kubectl -n 2cadf13e-10c4-4f00-ad69-7ce2f752182f exec -it 21f87c9f-6b33-4e19-97e7-80a4336cac2e-7777dc87b6-t5jnd /bin/bash

    This will get you into the function's container. Once the CLI returns to (app-root) bash-4.4$, run the same curl command.

    curl https://virustotal.com/api/v3/ip_addresses/8.8.8.8 -v -k

    What is the certificate returned and the entire output?



    ------------------------------
    BEN WILLIAMS
    ------------------------------