Troubleshooting
Problem
Failures in custom threat services that process file-attachment artifacts can cause integration environment failures in IBM QRadar SOAR.
Symptom
The threat service framework can cause the integration environment running resilient-circuits to fail. When this happens, a stack trace appears in the integration server app.log with a multipart stream error:
ERROR <handler[*][request][0.10] (Dispatcher._on_request)> (<request[web] (<Request POST /cts/threat_service_name HTTP/1.1>, <Response 200 OK None (0)> )>) (<class 'circuits.web.parsers.multipart.MultipartError'>): MultipartError('Unexpected end of multipart stream.',)
Traceback (most recent call last):
File "/Users/xxxxx/.pyenv/versions/3.6.9/lib/python3.6/site-packages/circuits/core/manager.py", line 659, in _dispatcher
value = event_handler(event, *eargs, **ekwargs)
File "/Users/xxxxx/.pyenv/versions/3.6.9/lib/python3.6/site-packages/circuits/web/dispatchers/dispatcher.py", line 114, in _on_request
process(req, event.kwargs)
File "/Users/xxxxx/.pyenv/versions/3.6.9/lib/python3.6/site-packages/circuits/web/processors.py", line 54, in process
process_multipart(request, params)
File "/Users/xxxxx/.pyenv/versions/3.6.9/lib/python3.6/site-packages/circuits/web/processors.py", line 30, in process_multipart
for part in parser:
File "/Users/xxxxx/.pyenv/versions/3.6.9/lib/python3.6/site-packages/circuits/web/parsers/multipart.py", line 209, in _iter_
for part in self._part_iter:
File "/Users/xxxxx/.pyenv/versions/3.6.9/lib/python3.6/site-packages/circuits/web/parsers/multipart.py", line 310, in _iterparse
raise MultipartError("Unexpected end of multipart stream.")
circuits.web.parsers.multipart.MultipartError: Unexpected end of multipart stream.
As a result, the custom threat feed in question will become disabled. The custom threat feed can be re-enabled within the IBM QRadar SOAR UI, but requires manual intervention.
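To see which custom threat service endpoints hit this error, and so which feeds may need re-enabling, the following added example scans app.log lines for the dispatcher error shown above. It is not IBM's code; the sample log lines and the service names in them are constructed for illustration.

```python
import re
from collections import Counter

# Matches the dispatcher error line shown above: a POST to /cts/<endpoint>
# that ended in the circuits MultipartError.
CTS_MULTIPART_ERROR = re.compile(
    r"ERROR .*<Request POST /cts/(?P<endpoint>[^\s?>]+) HTTP/[\d.]+>"
    r".*MultipartError\('Unexpected end of multipart stream\.'"
)


def failed_cts_endpoints(log_lines):
    """Count multipart stream failures per custom threat service endpoint."""
    hits = Counter()
    for line in log_lines:
        match = CTS_MULTIPART_ERROR.search(line)
        if match:
            hits[match.group("endpoint")] += 1
    return hits


# Constructed sample lines; "example_feed" and "other_feed" are made-up names.
_PREFIX = "ERROR <handler[*][request][0.10] (Dispatcher._on_request)> (<request[web] "
_MULTIPART = (
    "(<class 'circuits.web.parsers.multipart.MultipartError'>): "
    "MultipartError('Unexpected end of multipart stream.',)"
)
SAMPLE_LOG = [
    "INFO <request[web] (<Request POST /cts/example_feed HTTP/1.1>, <Response 200 OK None (0)> )>",
    _PREFIX + "(<Request POST /cts/example_feed HTTP/1.1>, <Response 200 OK None (0)> )>) " + _MULTIPART,
    # Traceback tail: same exception text, but not a request line, so not counted.
    "circuits.web.parsers.multipart.MultipartError: Unexpected end of multipart stream.",
    # Different exception on another endpoint: not the failure described here.
    _PREFIX + "(<Request POST /cts/other_feed HTTP/1.1>, <Response 200 OK None (0)> )>) "
    "(<class 'ValueError'>): ValueError('bad payload',)",
    _PREFIX + "(<Request POST /cts/example_feed HTTP/1.1>, <Response 200 OK None (0)> )>) " + _MULTIPART,
]

if __name__ == "__main__":
    for endpoint, count in failed_cts_endpoints(SAMPLE_LOG).most_common():
        print(f"{endpoint}: {count} multipart stream error(s)")
```

To run it against a real log, pass an open file object for app.log instead of SAMPLE_LOG.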
Cause
- The rc-cts Python package used to enable custom threat services
- The circuits Python package used for receiving artifact information from IBM QRadar SOAR and invoking the custom threat service
Resolving The Problem
IMPORTANT: Verify a backup exists.
- One resolution is to disable sending file-based artifacts to custom threat services.
- Update the Python package rc-cts to the latest release (v41.1 or greater):
pip install --upgrade rc-cts
This version correctly interprets the app.config setting upload_file. This setting should be set to false:
upload_file=false
- If it's not possible to upgrade rc-cts, then commenting out this setting will have the same effect as setting it to false:
[custom_threat_service]
upload_file=false
Note: The effect of this setting disables the sending of file-attachment artifacts to custom threat services.
Due to caching of settings in IBM SOAR, additional steps are needed to clear this cache.
This can be done in two ways:
- Restarting IBM SOAR.
Restarting IBM SOAR is the preferred action as deleting/recreating the custom threat service will remove all previous hits returned for an artifact.
  - Stop resilient-circuits
  - Upgrade rc-cts:
  pip install --upgrade rc-cts
  - Edit app.config file with the setting:
  upload_file=false
  - Restart IBM SOAR
- Deleting the custom threat service and recreating it.
  - From the command line prompt within the SOAR appliance, delete the custom threat service:
  resutil threatservicedel -name <threat service name>
  - Recreate the custom threat service:
  resutil threatserviceedit -name <threat service name> -url http://<your integration server>:<9000>/<custom threat service endpoint>
  - Test the custom threat service:
  resutil threatservicetest -name <threat service name>
  - Restart resilient-circuits.
The next artifact triggering the custom threat service will correctly read the upload_file setting and bypass file-based artifacts.
Document Location
Worldwide
Document Information
Modified date:
21 July 2025
UID
ibm17240216