Troubleshooting
Problem
In v5.0.0, templates that worked with earlier versions of the plug-in fail on the offense.local_destination_addresses and offense.source_addresses fields.
This problem has been resolved in 5.0.3.
Symptom
After upgrading the plug-in to 5.0.0, you might find that incidents are not created when an offense is escalated, or that incidents are not updated when an offense is updated. Errors such as the following, taken from circuits.log, indicate a problem with the template.
2023-04-13 12:13:00,783 [soar_inbound] [Thread-1] INFO A new offense was found. Creating a case for offense ID 102775
2023-04-13 12:13:00,988 [actions_component] [MainThread] ERROR Traceback (most recent call last):
File "/opt/app-root/app/components/soar_inbound.py", line 102, in _inbound_soar_escalator
self.create_case_flow(qradar_offense, matched_rule, org_id=org_id)
File "/opt/app-root/app/components/soar_inbound.py", line 234, in create_case_flow
case_to_escalate = self.escalator.transform_offense(qradar_offense, matched_rule)
File "/opt/app-root/app/apis/escalation_helper.py", line 452, in transform_offense
case = template_functions.render_json(template, mapdata)
File "/opt/app-root/app/lib/template_functions.py", line 339, in render_json
result = render(template, data)
File "/opt/app-root/app/lib/template_functions.py", line 320, in render
stringvalue = jtemplate.render(data)
File "/usr/local/lib/python3.6/site-packages/jinja2/environment.py", line 1291, in render
self.environment.handle_exception()
File "/usr/local/lib/python3.6/site-packages/jinja2/environment.py", line 925, in handle_exception
raise rewrite_traceback_stack(source=source)
File "<template>", line 67, in top-level template code
File "/opt/app-root/app/lib/template_functions.py", line 200, in list_filter
return ', '.join(val)
TypeError: sequence item 0: expected str instance, dict found
As a result, the case_updates to follow fail and show IntegrationErrors.
File "/usr/local/lib/python3.6/site-packages/circuits/core/manager.py", line 874, in processTask
raise value.extract()
File "/usr/local/lib/python3.6/site-packages/resilient_circuits/actions_component.py", line 90, in _on_task
yield result.get()
File "/usr/lib64/python3.6/multiprocessing/pool.py", line 644, in get
raise self._value
File "/usr/lib64/python3.6/multiprocessing/pool.py", line 119, in worker
result = (True, func(*args, **kwds))
File "/usr/local/lib/python3.6/site-packages/resilient_circuits/decorators.py", line 176, in _invoke_inbound_app
for r in ia_results:
File "/opt/app-root/app/components/soar_inbound.py", line 220, in _inbound_soar_escalator
raise IntegrationError(str(e))
resilient_lib.components.integration_errors.IntegrationError: ': {"success":false,"title":null,"message":"The specified IP Address is invalid: {'id':","hints":[],"error_code":"generic"}'
2023-04-20 17:32:37,739 [escalation_helper] [Thread-23] INFO Token gathered and set
2023-04-20 17:32:37,740 [resilient_helpers] [Thread-23] DEBUG has_qradar_id() request
2023-04-20 17:32:37,740 [resilient_helpers] [Thread-23] DEBUG get_types_incident_fields() request
2023-04-20 17:32:37,740 [resilient_client] [Thread-23] DEBUG org_id 201 was passed to a SingleOrgClient.
2023-04-20 17:32:38,153 [connectionpool] [Thread-23] DEBUG https://<IP ADDRESS>:443 "GET /rest/orgs/201/types/incident/fields HTTP/1.1" 200 None
2023-04-20 17:32:39,611 [connectionpool] [Thread-23] DEBUG https://<IP ADDRESS>:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 None
2023-04-20 17:32:39,615 [api] [Thread-23] WARNING BasicHTTPException: 'resilient' API Request FAILED:
Response Code: 400
Reason: Unknown Reason. {"success":false,"title":null,"message":"The specified IP Address is invalid: {'id':","hints":[],"error_code":"generic"} in resilient.co3base.BaseClient.post.<locals>.__post, retrying in 2 seconds...
......
2023-04-20 17:33:12,077 [actions_component] [MainThread] ERROR Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/resilient/co3.py", line 474, in post
....
raise BasicHTTPException(response)
resilient.co3base.BasicHTTPException: 'resilient' API Request FAILED:
Response Code: 400
Reason: Unknown Reason. {"success":false,"title":null,"message":"The specified IP Address is invalid: {'id':","hints":[],"error_code":"generic"}
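One way to check a circuits.log for the two signatures shown above and list the affected offense IDs. This is an added example, not code from IBM or the plug-in. The sample lines are constructed from the excerpt above, and attributing a render error to the most recently announced offense is an assumption.

```python
import re

# Constructed sample: a shortened selection of lines from the excerpt above.
SAMPLE_LOG = """\
2023-04-13 12:13:00,783 [soar_inbound] [Thread-1] INFO A new offense was found. Creating a case for offense ID 102775
2023-04-13 12:13:00,988 [actions_component] [MainThread] ERROR Traceback (most recent call last):
File "/opt/app-root/app/lib/template_functions.py", line 200, in list_filter
return ', '.join(val)
TypeError: sequence item 0: expected str instance, dict found
2023-04-20 17:32:39,611 [connectionpool] [Thread-23] DEBUG https://<IP ADDRESS>:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 None
Reason: Unknown Reason. {"success":false,"title":null,"message":"The specified IP Address is invalid: {'id':","hints":[],"error_code":"generic"}
"""

OFFENSE_RE = re.compile(r"Creating a case for offense ID (\d+)")
JOIN_ERROR = "TypeError: sequence item 0: expected str instance, dict found"
BAD_IP = "The specified IP Address is invalid: {'id':"


def scan_circuits_log(text):
    """Return (offense IDs whose template render failed, count of rejected-IP lines)."""
    failed_offenses, bad_ip_lines = [], 0
    last_offense, in_list_filter = None, False
    for line in text.splitlines():
        match = OFFENSE_RE.search(line)
        if match:
            # A new escalation starts; remember which offense it is for.
            last_offense, in_list_filter = match.group(1), False
        elif "in list_filter" in line:
            # Traceback frame from the template's list filter.
            in_list_filter = True
        elif JOIN_ERROR in line and in_list_filter:
            # Assumption: the error belongs to the most recently announced offense.
            if last_offense and last_offense not in failed_offenses:
                failed_offenses.append(last_offense)
            in_list_filter = False
        elif BAD_IP in line:
            # SOAR rejected a stringified dict where an IP address was expected.
            bad_ip_lines += 1
    return failed_offenses, bad_ip_lines


if __name__ == "__main__":
    offenses, rejected = scan_circuits_log(SAMPLE_LOG)
    print("offenses with failed template render:", offenses)
    print("log lines where SOAR rejected a dict as an IP address:", rejected)
```

Because of retries, the same rejected request can appear on several log lines, so the second value counts lines rather than distinct requests.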
Document Location
Worldwide
Document Information
Modified date:
31 July 2023
UID
ibm16989129