File submission to FireEye MAS results in ERR_CODE_RUNTIME_EXCEPTION in Security Analytics

Article ID: 168203

Products

Security Analytics

Issue/Introduction

When files are submitted to FireEye MAS 7.x through Data Enrichment, no analysis task is created for them.
Instead, the /var/log/messages log shows an entry like this:

Nov 6 06:09:55 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File bluecoat-10g_2014-11-06T08.45.00-0500_24.99.233.46-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe does not exist

Cause

This can be caused by insufficient privileges of the user specified for MAS submission.

Resolution

Make sure the MAS user is an admin user, not an analyst.

To verify the problem, you can use the attached Python script.
Connect to the Security Analytics appliance via SSH, then:

1. Back up the existing fireeye.py script file:
cp /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak
2. Replace the fireeye.py file in /usr/lib64/python3.3/site-packages/derp/providers with the attached version of the file.
3. Restart derpd:
service derpd restart
4. Request a FireEye analysis.
5. Search /var/log/messages for the submitted filename; the log will show the permission error.
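
To find which artifacts were affected so they can be resubmitted once the MAS user role is corrected, the following added example (not part of the attached fireeye.py and not vendor code) scans syslog lines for the failure shown above. The regular expression is built from the single log line quoted in this article, and every sample line other than that one is constructed.

```python
import re
from collections import OrderedDict

# Built from the one log line quoted in this article (an assumption about
# the general shape of the message, not a documented format).
FAILED_SUBMIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Data-Enrichment: "
    r"error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: "
    r"% File (?P<artifact>\S+) does not exist\s*$"
)


def failed_submissions(lines):
    """Map each failed artifact name to its (timestamp, host) occurrences,
    in first-seen order, so repeated retries collapse into one entry."""
    hits = OrderedDict()
    for line in lines:
        m = FAILED_SUBMIT.match(line.rstrip("\n"))
        if m:
            hits.setdefault(m.group("artifact"), []).append(
                (m.group("ts"), m.group("host"))
            )
    return hits


# Artifact name taken from the log line in this article.
PAGE_ARTIFACT = (
    "bluecoat-10g_2014-11-06T08.45.00-0500_24.99.233.46-51098_"
    "192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe"
)
PREFIX = ("Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : "
          "Failed to submit artifact: % File ")

SAMPLE = [
    # Line from this article:
    "Nov 6 06:09:55 bluecoat-10g " + PREFIX + PAGE_ARTIFACT + " does not exist",
    # Constructed: unrelated syslog entry that must be ignored.
    "Nov 6 06:10:01 bluecoat-10g crond[1234]: constructed unrelated entry",
    # Constructed: retry of the same artifact, two-space syslog day padding.
    "Nov  6 06:12:40 bluecoat-10g " + PREFIX + PAGE_ARTIFACT + " does not exist",
    # Constructed: a second artifact with a placeholder name.
    "Nov 6 06:13:02 bluecoat-10g " + PREFIX + "constructed-sample_2.exe does not exist",
]

if __name__ == "__main__":
    for artifact, seen in failed_submissions(SAMPLE).items():
        print("%d failure(s), first at %s on %s: %s"
              % (len(seen), seen[0][0], seen[0][1], artifact))
```

On the appliance, pass the lines of /var/log/messages to failed_submissions() instead of SAMPLE.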