๐ IRIS-SOAR: Modular SOAR (Security Orchestration, Automation, and Response) implementation in Python. Designed to complement DFIR-IRIS through playbook automation and seamless integrations. Easily extensible and in active development. Join us in building a tool geared towards enhancing security efficiency!
License: MIT License
Hi,
I am trying to use IRIS-SOAR with DFIR IRIS. Getting the following errors
When checking status
iris@iris:~/IRIS-SOAR$ sudo python3 iris-soar.py --status
2024-07-08 08:48:35,832 - isoar - INFO - Checking the status of IRIS-SOAR...
2024-07-08 08:48:35,841 - isoar - INFO - Found running daemon (pid=4604).
2024-07-08 08:48:35,841 - isoar - INFO -
2024-07-08 08:48:35,841 - isoar - INFO - Daemon information:
2024-07-08 08:48:35,841 - isoar - INFO - psutil.Process(pid=4604, name='python3', status='sleeping', started='08:48:29')
2024-07-08 08:48:35,841 - isoar - INFO -
2024-07-08 08:48:35,852 - isoar - INFO - No running worker found.
When running the following commands
iris@iris:~/IRIS-SOAR$ sudo python3 isoar_case_worker.py
2024-07-08 08:49:55,682 - isoar_case_worker - INFO - Started IRIS-SOAR worker script
2024-07-08 08:49:55,682 - isoar_case_worker - INFO - Checking for new alerts...
2024-07-08 08:49:55,740 - isoar_case_worker - INFO - Successfully requested alerts from DFIR-IRIS (new).
2024-07-08 08:49:55,756 - isoar_case_worker - INFO - Successfully requested alerts from DFIR-IRIS (pending).
2024-07-08 08:49:55,756 - isoar_case_worker - INFO - No pending alerts found.
2024-07-08 08:49:55,756 - isoar_case_worker - INFO - Successfully got 20 alerts from DFIR-IRIS.
2024-07-08 08:49:56,613 - isoar_case_worker - INFO - Transforming alert 178 - PAM: Login session opened. to Alert object...
2024-07-08 08:49:56,655 - isoar_case_worker - ERROR - Failed to transform alert PAM: Login session opened. to Alert object. Error: Traceback (most recent call last):
File "/home/iris/IRIS-SOAR/isoar_case_worker.py", line 158, in main
alert_obj.load_from_iris(iris_alert_id)
File "/home/iris/IRIS-SOAR/lib/class_helper.py", line 3102, in load_from_iris
rule_context = {k: v for k, v in context.items() if k.startswith("rule_")}
AttributeError: 'NoneType' object has no attribute 'items'
2024-07-08 08:49:56,655 - isoar_case_worker - INFO - Finished transforming alerts to Alert objects.
2024-07-08 08:49:56,655 - isoar_case_worker - INFO - Asking alert_playbooks if they want to create a new case for the alerts...
2024-07-08 08:49:56,656 - isoar_case_worker - INFO - Alert_playbook can handle the alerts. Calling it to handle.
2024-07-08 08:49:56,675 - isoar_case_worker - INFO - Alert_playbook can handle the alerts. Calling it to handle.
2024-07-08 08:49:56,685 - isoar_case_worker - INFO - No case was created for the alerts. No case playbook will be called.
Any idea why this is happening?
Santosh
I try to integrate IRIS-SOAR with wazuh-indexer 4.4 , but I got the follwing errors:
root@IRIS:/IRIS-SOAR# python3 iris-soar.py --restart
2024-03-12 21:49:59,942 - isoar - INFO - Restarting IRIS-SOAR...
2024-03-12 21:49:59,942 - isoar - INFO - Stopping IRIS-SOAR...
2024-03-12 21:49:59,964 - isoar - INFO - Daemon not running
2024-03-12 21:49:59,987 - isoar - INFO - Worker script not running
2024-03-12 21:49:59,988 - isoar - WARNING - Nothing to stop!
2024-03-12 21:49:59,998 - isoar - INFO - Daemon disabled. Starting the main loop (isoar_worker.py) directly...
2024-03-12 21:50:00,053 - isoar_collector - INFO - Started IRIS-SOAR collector script
2024-03-12 21:50:00,053 - isoar_collector - INFO - Checking for new alerts...
2024-03-12 21:50:00,151 - isoar_collector - INFO - Calling module elastic_siem
/usr/local/lib/python3.9/dist-packages/elasticsearch/_sync/client/init.py:399: SecurityWarning: Connecting to 'https://192.168.59.128:9200' using TLS with verify_certs=False is insecure
_transport = transport_class(
2024-03-12 21:50:00,251 - isoar_collector - WARNING - The module elastic_siem had an unhandled error when trying to provide new alerts. Error: Traceback (most recent call last):
File "/root/IRIS-SOAR/isoar_alert_collector.py", line 130, in main
new_alerts = module_import.irsoar_provide_new_alerts(integration_config)
File "/root/IRIS-SOAR/integrations/elastic_siem.py", line 1256, in irsoar_provide_new_alerts
result = elastic_client.search(
File "/usr/local/lib/python3.9/dist-packages/elasticsearch/_sync/client/utils.py", line 446, in wrapped
return api(*args, **kwargs)
File "/usr/local/lib/python3.9/dist-packages/elasticsearch/_sync/client/init.py", line 3836, in search
return self.perform_request( # type: ignore[return-value]
File "/usr/local/lib/python3.9/dist-packages/elasticsearch/_sync/client/_base.py", line 320, in perform_request
raise HTTP_EXCEPTIONS.get(meta.status, ApiError)(
elasticsearch.ApiError: ApiError(406, 'Content-Type header [application/vnd.elasticsearch+json; compatible-with=8] is not supported', 'Content-Type header [application/vnd.elasticsearch+json; compatible-with=8] is not supported')
. Skipping Integration.
2024-03-12 21:50:00,251 - isoar_collector - WARNING - The module ibm_qradar is disabled. Skipping.
2024-03-12 21:50:00,251 - isoar_collector - WARNING - The module matrix_notify is disabled. Skipping.
2024-03-12 21:50:00,252 - isoar_collector - INFO - Finished collector script.
root@IRIS:~/IRIS-SOAR#
Is the error becose the compatability with wazuh-indexer 4 , kindly , your support ,please ,
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
