[ BUG ] Returning empty Body ("body": {"message": "No content returned", "resources": []}) #1033
Comments
No investigation needed |
not returning any data as of today.....it was working until yesterday |
It looks like problem in JSON file format where it get downloaded from the schedule report. |
Hi @Kish26 - I'm investigating this. Anything special about the report you're trying to retrieve? Is it configured for CSV or JSON format? |
Hi
Report configured with json format. I’m after host report, vulnerability report and installed patches. I have automated this report pull it via falconpy (report execution query library). It worked over years and it did get break today morning. Looks like json file format isn’t correct to me. I might be wrong.
This report was very helpful for our organisation.
Thank you
Siva
|
I think I've found the issue, but have another follow up question. Which version of FalconPy are you using? Has this changed over the past day? |
what command I need to run to find a version please ?
Thanks -Siva
|
If you've installed FalconPy for all users you should be able to see it with pip show requests (or pip3 show requests). If you're in a virtual environment, it would be something like pipenv graph.
You can also ask FalconPy by checking the value of the _VERSION constant.
```python
from falconpy import _VERSION
print(_VERSION)
```
|
Version 1.2.12
|
FWIW: I am in a similar situation. I've been using falconpy without changes to my code for a long time, but today when i executed, it was only working about 25% of the time. The response did not contain any content so my code failed when looking for the meta key. The issue is intermittent and makes me lean towards an issue with the API but I am not positive. I chatted with support to inquire about a status page to see on-going issues and after providing him with my API client ID, he said it looked like rate limiting was my issue. I was skeptical, since i've never had the issue before today but perhaps they've changed the limits. I am adding some debug lines to see if I can get more info next time it fails. code that fails:
crowdstrike-falconpy version 1.2.12 |
We've found a programmatic fix for this issue (related to detecting the unusual payload return) that we can implement in the Result object. This is specific to how We'll have the programmatic fix included as part of the |
@Kish26 - Could you retest for me and let me know if you're still seeing this issue? I believe it should be resolved for versions prior to |
I enabled debug logging and tested at least 15 times and it worked each time, so whatever problem it was seems to be better now. No issues with rate limits or anything. 🤷 . To correct an error in my original reply, I was already on 1.3.0 but mistakenly saw 1.2.12 in requirements.txt. I just switched to using pyproject.toml recently and had ^1.2.12 set. If it happens again, i'll post logs here if needed. |
I just ran the report and same error message which is "body": {"message": "No content returned"", "resources": []} |
Which report type is still not working? |
Installed patches and Vulnerabilities aren't working |
installed patches -->last ran successfully was 31st of July |
Please let me know, if you want me to retest or upgraded to newer FalconPy version |
Hi @Kish26 - I've tested using the Note: I do have a fix for the |
I did try to create report manually from the UI console. It is working okay. When I pull the report using the above code using the report ID same issue.
Do i need to pull the code from repository again 1. 2.12 if you made any changes recently?
Thank you for your help so far.
|
That behavior makes me want to see the API response, which is harder to do in version 1.2.12. Perhaps getting you moved to the latest version is the right call here. 🤔
Version 1.3.1 is almost through unit testing and final reviews. This would give you the ability to use the new Debug Logging (https://www.falconpy.io/Usage/Logging.html) functionality, and it also contains the Result object fix (f6bd8ae). You could pull it early as there will be a bleeding edge release once the updated code merges to main. (Should merge today.)
I'll link you here to the pre-release announcement once it posts, the instructions for installing the bleeding edge package will be in there. (You'll install from the test PyPI index instead. Your code will not have to be changed.)
The product package release will happen on either Tuesday or Wednesday depending on when the merge happens. |
thank you for your help
|
Thank you, this time i am getting status_code': 500 {'status_code': 500, 'headers': {}, 'body': {'errors': [{'message': "'ascii' codec can't decode byte 0xc2 in position 1508426: ordinal not in range(128)", 'code': 500}], |
If you've performed the upgrade, you should be able to access Debug Logging. Here's a variation of the script above that turns it on. We're need to know what the
```python
import json
import logging
from argparse import ArgumentParser, RawTextHelpFormatter
from falconpy import ReportExecutions

# Emit DEBUG-level log records so the SDK's request / response logging is visible
logging.basicConfig(level=logging.DEBUG)


def consume_arguments():
    """Consume our required command line arguments."""
    parser = ArgumentParser(description=__doc__, formatter_class=RawTextHelpFormatter)
    required = parser.add_argument_group("required_arguments")
    required.add_argument("-k", "--falcon_client_id",
                          help="CrowdStrike API Client ID",
                          required=True
                          )
    required.add_argument("-s", "--falcon_client_secret",
                          help="CrowdStrike API Client Secret",
                          required=True
                          )
    required.add_argument("-r", "--report", help="ID of the report to retrieve", required=True)

    return parser.parse_args()


def retrieve_report_executions(sdk: ReportExecutions, rptid: str):
    """Retrieve the list of execution IDs that match this report ID."""
    print(f"🔍 Searching for executions of {rptid}")
    execution_id_lookup = sdk.reports_executions_query(filter=f"scheduled_report_id:'{rptid}'")
    if not execution_id_lookup["status_code"] == 200:
        raise SystemExit("⛔ Unable to retrieve report executions from "
                         "the CrowdStrike API, check API key permissions."
                         )

    # Give the SDK back so we can feed our results to the next method easily
    return sdk, execution_id_lookup["body"]["resources"]


def get_report_execution_runs(sdk: ReportExecutions, id_list: list):
    """Retrieve the list of execution runs for each execution ID."""
    print(f"✅ Found {len(id_list)} executions of this report available.")
    # Retrieve the status of these IDs
    exec_status_lookup = sdk.report_executions_get(id_list)
    if not exec_status_lookup["status_code"] == 200:
        raise SystemExit("⛔ Unable to retrieve execution statuses from the CrowdStrike API.")
    print(f"⚠️ This execution has run {len(exec_status_lookup['body']['resources'])} times.")

    # Give the SDK back as well so we can easily feed it to our next method call
    return sdk, exec_status_lookup["body"]["resources"]


def process_executions(sdk: ReportExecutions, run_list: list):
    """Process the results of the executions, this solution only handles completed runs."""
    saved = 0
    for exec_status in run_list:
        status = exec_status["status"]
        exec_id = exec_status["id"]
        rpt_id = exec_status["scheduled_report_id"]
        if status.upper() == "DONE":
            report_detail = sdk.get_download(exec_id)
            if report_detail:
                if isinstance(report_detail, dict):
                    # A dictionary result is written out as JSON
                    try:
                        with open(f"{rpt_id}_{exec_id}.rpt", "w", encoding="utf-8") as json_output:
                            json.dump(report_detail, json_output)
                        saved += 1
                        print(f"📥 {exec_id} successfully saved to {rpt_id}_{exec_id}.rpt")
                    except json.JSONDecodeError:
                        print(f"❗ Unable to decode results of report run {exec_id} for ")
                else:
                    # Anything else is treated as raw bytes (CSV)
                    with open(f"{rpt_id}_{exec_id}.rpt", "wb") as csv_output:
                        csv_output.write(report_detail)
                    saved += 1
            else:
                print(f"⛔ Unable to retrieve report for execution {exec_id} of {rpt_id}.")
        else:
            print(f"⏩ Skipping {exec_id} as not yet finished.")

    # Return back the number of successful saves
    return saved


if __name__ == "__main__":
    # Consume any provided command line arguments
    cmdline = consume_arguments()
    # Create an instance of the ReportExecutions Service Class,
    # using the client ID supplied with -k and debug logging enabled
    falcon = ReportExecutions(client_id=cmdline.falcon_client_id,
                              client_secret=cmdline.falcon_client_secret,
                              debug=True
                              )
    # Retrieve our report executions, and process them, saving any that
    # have completed successfully to individual files (JSON format).
    # Let's be fancy and leverage list expansion to provide arguments from
    # one method to the subsequent one. It's like inception for Python. ♜
    SUCCESSFUL = process_executions(
        *get_report_execution_runs(*retrieve_report_executions(falcon, cmdline.report))
    )
    # Inform the user of the result
    print(f"🏁 Retrieval complete, {SUCCESSFUL} report results were downloaded.")
```
|
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.crowdstrike.com:443 |
once report size is 1KB and payload is {"status_code": 500, "headers": {}, "body": {"errors": [{"message": "'ascii' codec can't decode byte 0xc2 in position 1508426: ordinal not in range(128)", "code": 500}], "resources": []}} |
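The 1KB file described above is the error envelope itself: the script saves any dictionary it gets back from the download call, so a failed pull of a vulnerability or patch report is counted as a successful one. The following is an added example, not part of the thread and not FalconPy's own code, that separates error and empty envelopes from real report data before anything is written. The helper names `classify_download` and `should_save` are hypothetical, the 500 envelope is the one quoted in this thread, and the other samples (including the status code on the "No content returned" envelope) are constructed.

```python
import json

# The 500 envelope is quoted from the thread; the other samples are constructed.
ERROR_500 = {"status_code": 500, "headers": {}, "body": {"errors": [
    {"message": "'ascii' codec can't decode byte 0xc2 in position 1508426: "
                "ordinal not in range(128)", "code": 500}], "resources": []}}
NO_CONTENT = {"status_code": 200, "headers": {},  # status code is an assumption
              "body": {"message": "No content returned", "resources": []}}
REPORT_BYTES = '[{"hostname": "host\u00a0one"}]'.encode("utf-8")  # holds 0xc2 0xa0
CSV_BYTES = b"hostname,patch\nhost1,PATCH-PLACEHOLDER\n"


def classify_download(result):
    """Return (kind, payload); kind is "error", "empty", "json" or "raw"."""
    if isinstance(result, dict):
        body = result.get("body")
        if "status_code" in result and isinstance(body, dict):
            # This is an SDK-style response envelope, not report content
            errors = body.get("errors") or []
            if result["status_code"] >= 400 or errors:
                return "error", [e.get("message", "") for e in errors]
            if not body.get("resources"):
                return "empty", body.get("message", "")
        return "json", result
    if isinstance(result, (bytes, bytearray)):
        if not result:
            return "empty", ""
        # Decode explicitly as UTF-8; ASCII rejects every byte >= 0x80 (0xc2 included)
        text = bytes(result).decode("utf-8", errors="replace")
        try:
            return "json", json.loads(text)
        except json.JSONDecodeError:
            return "raw", text  # for example a CSV-formatted report
    return "empty", ""


def should_save(result):
    """Only parsed JSON or raw (CSV) payloads count as a retrieved report."""
    return classify_download(result)[0] in ("json", "raw")


if __name__ == "__main__":
    for name, sample in (("500", ERROR_500), ("no content", NO_CONTENT),
                         ("json bytes", REPORT_BYTES), ("csv bytes", CSV_BYTES)):
        print(name, classify_download(sample)[0], should_save(sample))
```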
if it is configured to CSV, it is working but not with JSON. CSV is good for me. Thank you |
I am using the below code to pull the information, it was working fine yesterday but it is not returning any content in json's body.
Can you please help ?