IBM Security QRadar SOAR

Dear Team,

we have successfully able to install exchange online application using AppHost on SOAR v44. and self test for application was also successful.

however when we are trying to run the action using exchange online query message function, it is failing and returning a traceback error.

Need help in order to test the function successfully.

we have followed the guide available with application from xForce app exchange using below URL

IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR

Ibmcloud		remove preview
IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers View this on Ibmcloud >

following is the error we are receiving

Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json return complexjson.loads(self.text, **kwargs) File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads return _default_decoder.decode(s) File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/components/exchange_online_query_emails.py", line 89, in _exchange_online_query_emails_function email_results = MS_graph_helper.query_messages(email_address, mail_folders, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 666, in query_messages query_results = self.query_messages_by_list(email_address, mail_folder, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 626, in query_messages_by_list user_query = self.query_messages_by_address(email_address.strip(), mail_folder, sender, start_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 709, in query_messages_by_address json_response = response.json() File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 917, in json raise RequestsJSONDecodeError(e.msg, e.doc, e.pos) requests.exceptions.JSONDecodeError: [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType


2022-08-29 07:32:06,824 INFO [oauth2_client_credentials_session] Response status code: 200
2022-08-29 07:32:12,391 ERROR [exchange_online_query_emails] [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType

2022-08-29 07:32:58,245 ERROR [actions_component] <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7fb92f1e1940>, <exchange_online_query_emails[functions.exchange_online_query_emails] (id=46, workflow=example_exchange_online_query_messages_of_a_group, user=zofeen.khan@XXXX.com) 2022-08-29 07:32:05.660000> incident_id=5909, exo_has_attachments=None, exo_message_subject='Fw[2]: CASES amazon gift card', exo_email_address='test1@XXXX.com', exo_query_output_format=[{'id': 239, 'name': 'Exchange Online data table'}, {'id': 241, 'name': 'Incident note'}], exo_start_date=1661410800000, exo_email_address_sender=None, exo_end_date=1661454000000, exo_message_body=None, exo_mail_folders='inbox')> (<class 'resilient_circuits.action_message.FunctionException_'>):
Traceback (most recent call last):
File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

------------------------------
Syed Shameer Hussain
------------------------------

Hi Syed,

Can you simplify the search to see if you still get the same error?

Specify:

message subject: Fw[2]: CASES amazon gift card
email address: test1@XXXX.com

and see if the query completes.



------------------------------
AnnMarie Norcross
------------------------------

Original Message:
Sent: Wed August 31, 2022 06:50 AM
From: Syed Shameer Hussain
Subject: Exchange Online Query Message Function Failed | Traceback (most recent call last)

Dear Team,

we have successfully able to install exchange online application using AppHost on SOAR v44. and self test for application was also successful.

however when we are trying to run the action using exchange online query message function, it is failing and returning a traceback error.

Need help in order to test the function successfully.

we have followed the guide available with application from xForce app exchange using below URL

IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR

Ibmcloud		remove preview
IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers View this on Ibmcloud >

following is the error we are receiving

Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json return complexjson.loads(self.text, **kwargs) File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads return _default_decoder.decode(s) File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/components/exchange_online_query_emails.py", line 89, in _exchange_online_query_emails_function email_results = MS_graph_helper.query_messages(email_address, mail_folders, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 666, in query_messages query_results = self.query_messages_by_list(email_address, mail_folder, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 626, in query_messages_by_list user_query = self.query_messages_by_address(email_address.strip(), mail_folder, sender, start_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 709, in query_messages_by_address json_response = response.json() File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 917, in json raise RequestsJSONDecodeError(e.msg, e.doc, e.pos) requests.exceptions.JSONDecodeError: [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType


2022-08-29 07:32:06,824 INFO [oauth2_client_credentials_session] Response status code: 200
2022-08-29 07:32:12,391 ERROR [exchange_online_query_emails] [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType

2022-08-29 07:32:58,245 ERROR [actions_component] <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7fb92f1e1940>, <exchange_online_query_emails[functions.exchange_online_query_emails] (id=46, workflow=example_exchange_online_query_messages_of_a_group, user=zofeen.khan@XXXX.com) 2022-08-29 07:32:05.660000> incident_id=5909, exo_has_attachments=None, exo_message_subject='Fw[2]: CASES amazon gift card', exo_email_address='test1@XXXX.com', exo_query_output_format=[{'id': 239, 'name': 'Exchange Online data table'}, {'id': 241, 'name': 'Incident note'}], exo_start_date=1661410800000, exo_email_address_sender=None, exo_end_date=1661454000000, exo_message_body=None, exo_mail_folders='inbox')> (<class 'resilient_circuits.action_message.FunctionException_'>):
Traceback (most recent call last):
File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

------------------------------
Syed Shameer Hussain
------------------------------

Dear Ann,

Thanks for your response. I have tried to simplify the search as you suggested still error occurred. I am attaching the error message for your better understanding.


Best regards,

Syed.

------------------------------
Syed Shameer Hussain
------------------------------

Original Message:
Sent: Thu September 01, 2022 07:28 PM
From: AnnMarie Norcross
Subject: Exchange Online Query Message Function Failed | Traceback (most recent call last)

Hi Syed,

Can you simplify the search to see if you still get the same error?

Specify:

message subject: Fw[2]: CASES amazon gift card
email address: test1@XXXX.com

and see if the query completes.



------------------------------
AnnMarie Norcross

Original Message:
Sent: Wed August 31, 2022 06:50 AM
From: Syed Shameer Hussain
Subject: Exchange Online Query Message Function Failed | Traceback (most recent call last)

Dear Team,

we have successfully able to install exchange online application using AppHost on SOAR v44. and self test for application was also successful.

however when we are trying to run the action using exchange online query message function, it is failing and returning a traceback error.

Need help in order to test the function successfully.

we have followed the guide available with application from xForce app exchange using below URL

IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR

Ibmcloud		remove preview
IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers View this on Ibmcloud >

following is the error we are receiving

Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json return complexjson.loads(self.text, **kwargs) File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads return _default_decoder.decode(s) File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/components/exchange_online_query_emails.py", line 89, in _exchange_online_query_emails_function email_results = MS_graph_helper.query_messages(email_address, mail_folders, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 666, in query_messages query_results = self.query_messages_by_list(email_address, mail_folder, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 626, in query_messages_by_list user_query = self.query_messages_by_address(email_address.strip(), mail_folder, sender, start_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 709, in query_messages_by_address json_response = response.json() File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 917, in json raise RequestsJSONDecodeError(e.msg, e.doc, e.pos) requests.exceptions.JSONDecodeError: [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType


2022-08-29 07:32:06,824 INFO [oauth2_client_credentials_session] Response status code: 200
2022-08-29 07:32:12,391 ERROR [exchange_online_query_emails] [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType

2022-08-29 07:32:58,245 ERROR [actions_component] <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7fb92f1e1940>, <exchange_online_query_emails[functions.exchange_online_query_emails] (id=46, workflow=example_exchange_online_query_messages_of_a_group, user=zofeen.khan@XXXX.com) 2022-08-29 07:32:05.660000> incident_id=5909, exo_has_attachments=None, exo_message_subject='Fw[2]: CASES amazon gift card', exo_email_address='test1@XXXX.com', exo_query_output_format=[{'id': 239, 'name': 'Exchange Online data table'}, {'id': 241, 'name': 'Incident note'}], exo_start_date=1661410800000, exo_email_address_sender=None, exo_end_date=1661454000000, exo_message_body=None, exo_mail_folders='inbox')> (<class 'resilient_circuits.action_message.FunctionException_'>):
Traceback (most recent call last):
File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

------------------------------
Syed Shameer Hussain
------------------------------

Hi Syed

I see you have a support case open on this issue.
Please post your logs (with potential sensitive information) to the case.

I think your issue may be related to app.config settings related to the first 2 microsoft url parameters which do not require editting by the user.

Please check the support ticket and reply there.

AnnMarie

------------------------------
AnnMarie Norcross
------------------------------

Original Message:
Sent: Thu September 08, 2022 03:45 AM
From: Syed Shameer Hussain
Subject: Exchange Online Query Message Function Failed | Traceback (most recent call last)

Dear Ann,

Thanks for your response. I have tried to simplify the search as you suggested still error occurred. I am attaching the error message for your better understanding.


Best regards,

Syed.

------------------------------
Syed Shameer Hussain

Original Message:
Sent: Thu September 01, 2022 07:28 PM
From: AnnMarie Norcross
Subject: Exchange Online Query Message Function Failed | Traceback (most recent call last)

Hi Syed,

Can you simplify the search to see if you still get the same error?

Specify:

message subject: Fw[2]: CASES amazon gift card
email address: test1@XXXX.com

and see if the query completes.



------------------------------
AnnMarie Norcross

Original Message:
Sent: Wed August 31, 2022 06:50 AM
From: Syed Shameer Hussain
Subject: Exchange Online Query Message Function Failed | Traceback (most recent call last)

Dear Team,

we have successfully able to install exchange online application using AppHost on SOAR v44. and self test for application was also successful.

however when we are trying to run the action using exchange online query message function, it is failing and returning a traceback error.

Need help in order to test the function successfully.

we have followed the guide available with application from xForce app exchange using below URL

IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR

Ibmcloud		remove preview
IBM Security App Exchange - Microsoft Exchange Online Integration for SOAR IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers View this on Ibmcloud >

following is the error we are receiving

Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json return complexjson.loads(self.text, **kwargs) File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads return _default_decoder.decode(s) File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/components/exchange_online_query_emails.py", line 89, in _exchange_online_query_emails_function email_results = MS_graph_helper.query_messages(email_address, mail_folders, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 666, in query_messages query_results = self.query_messages_by_list(email_address, mail_folder, sender, start_date, end_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 626, in query_messages_by_list user_query = self.query_messages_by_address(email_address.strip(), mail_folder, sender, start_date, File "/opt/app-root/lib64/python3.9/site-packages/fn_exchange_online/lib/ms_graph_helper.py", line 709, in query_messages_by_address json_response = response.json() File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 917, in json raise RequestsJSONDecodeError(e.msg, e.doc, e.pos) requests.exceptions.JSONDecodeError: [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType


2022-08-29 07:32:06,824 INFO [oauth2_client_credentials_session] Response status code: 200
2022-08-29 07:32:12,391 ERROR [exchange_online_query_emails] [Errno Expecting value] <?xml version="1.0" encoding="utf-8"?><edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"><edmx:DataServices><Schema Namespace="microsoft.graph" Alias="graph" xmlns="http://docs.oasis-open.org/odata/ns/edm"><EnumType

2022-08-29 07:32:58,245 ERROR [actions_component] <task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7fb92f1e1940>, <exchange_online_query_emails[functions.exchange_online_query_emails] (id=46, workflow=example_exchange_online_query_messages_of_a_group, user=zofeen.khan@XXXX.com) 2022-08-29 07:32:05.660000> incident_id=5909, exo_has_attachments=None, exo_message_subject='Fw[2]: CASES amazon gift card', exo_email_address='test1@XXXX.com', exo_query_output_format=[{'id': 239, 'name': 'Exchange Online data table'}, {'id': 241, 'name': 'Incident note'}], exo_start_date=1661410800000, exo_email_address_sender=None, exo_end_date=1661454000000, exo_message_body=None, exo_mail_folders='inbox')> (<class 'resilient_circuits.action_message.FunctionException_'>):
Traceback (most recent call last):
File "/opt/app-root/lib64/python3.9/site-packages/requests/models.py", line 910, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

------------------------------
Syed Shameer Hussain
------------------------------