swiftbird07 / IRIS-SOAR

🚀 IRIS-SOAR: Modular SOAR (Security Orchestration, Automation, and Response) implementation in Python. Designed to complement DFIR-IRIS through playbook automation and seamless integrations. Easily extensible and in active development. Join us in building a tool geared towards enhancing security efficiency!
MIT License

No running worker found #2

Open hardislander opened 2 months ago

hardislander commented 2 months ago

Hi,

I am trying to use IRIS-SOAR with DFIR-IRIS and am getting the following errors.

When checking status:

iris@iris:~/IRIS-SOAR$ sudo python3 iris-soar.py --status
2024-07-08 08:48:35,832 - isoar - INFO - Checking the status of IRIS-SOAR...
2024-07-08 08:48:35,841 - isoar - INFO - Found running daemon (pid=4604).
2024-07-08 08:48:35,841 - isoar - INFO -
2024-07-08 08:48:35,841 - isoar - INFO - Daemon information:
2024-07-08 08:48:35,841 - isoar - INFO - psutil.Process(pid=4604, name='python3', status='sleeping', started='08:48:29')
2024-07-08 08:48:35,841 - isoar - INFO -
2024-07-08 08:48:35,852 - isoar - INFO - No running worker found.

When running the following commands:

iris@iris:~/IRIS-SOAR$ sudo python3 isoar_case_worker.py
2024-07-08 08:49:55,682 - isoar_case_worker - INFO - Started IRIS-SOAR worker script
2024-07-08 08:49:55,682 - isoar_case_worker - INFO - Checking for new alerts...
2024-07-08 08:49:55,740 - isoar_case_worker - INFO - Successfully requested alerts from DFIR-IRIS (new).
2024-07-08 08:49:55,756 - isoar_case_worker - INFO - Successfully requested alerts from DFIR-IRIS (pending).
2024-07-08 08:49:55,756 - isoar_case_worker - INFO - No pending alerts found.
2024-07-08 08:49:55,756 - isoar_case_worker - INFO - Successfully got 20 alerts from DFIR-IRIS.

2024-07-08 08:49:56,613 - isoar_case_worker - INFO - Transforming alert 178 - PAM: Login session opened. to Alert object...
2024-07-08 08:49:56,655 - isoar_case_worker - ERROR - Failed to transform alert PAM: Login session opened. to Alert object. Error: Traceback (most recent call last):
  File "/home/iris/IRIS-SOAR/isoar_case_worker.py", line 158, in main
    alert_obj.load_from_iris(iris_alert_id)
  File "/home/iris/IRIS-SOAR/lib/class_helper.py", line 3102, in load_from_iris
    rulecontext = {k: v for k, v in context.items() if k.startswith("rule")}
AttributeError: 'NoneType' object has no attribute 'items'

2024-07-08 08:49:56,655 - isoar_case_worker - INFO - Finished transforming alerts to Alert objects.
2024-07-08 08:49:56,655 - isoar_case_worker - INFO - Asking alert_playbooks if they want to create a new case for the alerts...
2024-07-08 08:49:56,656 - isoar_case_worker - INFO - Alert_playbook can handle the alerts. Calling it to handle.
2024-07-08 08:49:56,675 - isoar_case_worker - INFO - Alert_playbook can handle the alerts. Calling it to handle.
2024-07-08 08:49:56,685 - isoar_case_worker - INFO - No case was created for the alerts. No case playbook will be called.

Any idea why this is happening?

Santosh
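The traceback in the post above fails because `context` is None for an alert that carries no context data, and the exception surfaces inside the batch transform. As an added illustration (not IRIS-SOAR's own code), the fragile comprehension beside a tolerant version, plus a per-alert error boundary so one malformed alert is recorded rather than aborting the batch; the function names and the alert dict layout (`alert_id`, `alert_title`, `alert_context`) are assumptions.

```python
"""Constructed illustration of the None-context failure from the traceback above.
Not IRIS-SOAR code: function names and the alert dict layout are assumptions."""
from typing import Any, Optional


def extract_rule_context_fragile(context: Optional[dict]) -> dict:
    """Mirrors the failing comprehension: AttributeError when context is None."""
    return {k: v for k, v in context.items() if k.startswith("rule")}


def extract_rule_context(context: Any) -> dict:
    """Tolerant version: None or a non-mapping context yields an empty dict."""
    if not isinstance(context, dict):
        return {}
    return {k: v for k, v in context.items() if k.startswith("rule")}


def transform_alerts(alerts: list) -> tuple:
    """Transform a batch of alert dicts, isolating per-alert failures.

    Returns (transformed, failures); a failure never aborts the batch.
    """
    transformed, failures = [], []
    for alert in alerts:
        alert_id = alert.get("alert_id", -1) if isinstance(alert, dict) else -1
        try:
            transformed.append({
                "id": alert_id,
                "title": alert.get("alert_title", ""),
                "rule_context": extract_rule_context(alert.get("alert_context")),
            })
        except Exception as exc:  # error boundary: record and continue
            failures.append((alert_id, f"{type(exc).__name__}: {exc}"))
    return transformed, failures


# Constructed sample batch: alert 178 carries no context, like the PAM alert in the log.
SAMPLE_ALERTS = [
    {"alert_id": 177, "alert_title": "Suspicious login",
     "alert_context": {"rule_id": "r-1", "rule_level": 7, "host": "web01"}},
    {"alert_id": 178, "alert_title": "PAM: Login session opened.", "alert_context": None},
]

if __name__ == "__main__":
    ok, bad = transform_alerts(SAMPLE_ALERTS)
    print(f"transformed={len(ok)} failures={len(bad)}")
```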

swiftbird07 commented 1 month ago

Sorry, I was busy. Is this issue fixed, or do you still need help? If yes, then what exactly is your setup? It is normal that it states "No running worker found", as the worker will only run for a brief time every X minutes (see daemon interval in config).