Hello experts,
The Cisco Umbrella Investigate rule "Threadgrid sample information for a hash" is not working when triggered using an artifact hash type - MD5 or SHA1. It seems the Python script is breaking for this particular rule. I have tested other rules, and they work fine.
The Cisco Umbrella Investigate app from IBM App Exchange: https://exchange.xforce.ibmcloud.com/api/hub/extensionsNew/d0bf3f6a27742c3deefa1426eab8b4fa/Resilient_Integrations_Function_Guide_for_Cisco_Umbrella_Investigate.pdf
I converted the rule to a playbook and obtained the error message below.
Traceback (most recent call last):
  File "/opt/app-root/lib64/python3.9/site-packages/fn_cisco_umbrella_inv/components/umbrella_threat_grid_sample.py", line 151, in _umbrella_threat_grid_sample_function
    rtn = rinv.sample(hash, **params)
  File "/opt/app-root/lib64/python3.9/site-packages/investigate/investigate.py", line 292, in sample
    return self.get_parse(uri, params)
  File "/opt/app-root/lib64/python3.9/site-packages/investigate/investigate.py", line 107, in get_parse
    return self._request_parse(self.get, uri, params)
  File "/opt/app-root/lib64/python3.9/site-packages/investigate/investigate.py", line 100, in _request_parse
    r.raise_for_status()
  File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://investigate.umbrella.com/sample/44d88612fea##f######b02f?limit=2&offset=0
Please, I would appreciate it if anyone can help here.
Regards,
------------------------------
benlinux
------------------------------