IBM Resilient User Guide

Updated 1 day ago by Elvis Hovor

This document explains how to use TruSTAR integrated into the IBM Resilient platform. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members.

You can perform these actions with the TruSTAR App installed in IBM Resilient:

  • Submit an Incident to TruSTAR
  • Update the TruSTAR report whenever a new artifact is added or the Incident status changes
  • Update the TruSTAR report when an Incident is closed
  • Delete the TruSTAR report when the Incident is deleted
  • Whitelist, and undo the whitelisting of, indicators in TruSTAR

Submitting Incidents to TruSTAR

You can automate report submissions or manually submit reports to TruSTAR. The deeplink to the TruSTAR report is added as a note in the Resilient incident.

Whenever an incident is submitted to or updated in TruSTAR, the indicators correlated with that report are fetched and each one is added to the incident as an artifact. In addition, a note listing all correlated indicators, with a deeplink to each indicator, is added to the incident.

You can submit incidents automatically or manually:

  • If you have enabled auto_submission in app.config, then reports are automatically submitted when a new incident is created in Resilient.
  • If you have disabled auto_submission in app.config, then you will need to manually submit a report of the incident to TruSTAR.

Manually Submitting a Report

  1. Navigate to an Incident on the List Incidents menu.
  2. Click Actions in the upper right corner to display the Actions menu.
  3. Click Send To TruSTAR on the Actions menu.

Updating a Report

You can automatically or manually update a submitted report whenever a new artifact is added or the status of the incident changes.

You can update incidents automatically or manually:

  • If you have enabled auto_submission in app.config, then reports are automatically updated when the incident is updated in Resilient.
  • If you have disabled auto_submission in app.config, then you will need to resend the incident manually (Send To TruSTAR on the Actions menu) so that the report is updated.

Updating Closed Incidents

When an Incident is closed, you can add the resolution and resolution summary as well as all notes in the Incident to the corresponding report in TruSTAR.

You can update closed incidents automatically or manually:

  • If you have enabled auto_submission in app.config, then reports are automatically updated when the incident is closed in Resilient.
  • If you have disabled auto_submission in app.config, then you will need to resend the closed incident manually (Send To TruSTAR on the Actions menu) so that the resolution, resolution summary and notes reach the report.

Deleting a Report

You can delete a report in TruSTAR when the incident is deleted in Resilient.

  • If you have enabled auto_submission in app.config, then reports are automatically deleted when the incident is deleted in Resilient.
  • If you have disabled auto_submission in app.config, then you will need to manually delete the report in TruSTAR.

Whitelisting in TruSTAR

This feature lets you whitelist an artifact in TruSTAR or remove an artifact from the TruSTAR whitelist.

  1. Navigate to an Incident listed on the List Incidents menu.
  2. Click Artifacts on the menu bar.
  3. Next to the artifact you want to edit, click the button to the left of the artifact to display the whitelist choices (Whitelist or Undo Whitelist) and select the one you want to execute.

Report Format

The report created in TruSTAR for an incident has these fields:

  Key                 Value
  reportBody          Incident content submitted to TruSTAR
  updated             Time of the last report update
  externalUrl         None (the app does not set an external URL)
  created             Time when the report was created
  distributionType    ENCLAVE (the report is shared only with the listed enclaves)
  title               Report title
  timeBegan           Time that the incident began
  id                  Report ID assigned by TruSTAR
  enclaveIds          IDs of the enclaves in which the report is submitted
  externalTrackingId  External ID of the report
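A worked example, added here and not taken from the app's own code, of assembling a report payload in the format above from a Resilient incident, including the resolution, resolution summary and notes that are folded into the report when the incident is closed (see Updating Closed Incidents). Python is used because Resilient apps are written in Python. The incident field names (plan_status with "C" for closed, resolution_summary, start_date and create_date as epoch milliseconds) are assumed to follow the Resilient REST API, the HTML stripping of rich-text fields is an assumption about how the body should read, and the sample incident, notes and enclave ID are constructed for the example.

```python
import json
import re

RESILIENT_CLOSED = "C"  # plan_status value for a closed incident (assumed, per Resilient REST API)
HTML_TAG = re.compile(r"<[^>]+>")


def plain_text(value):
    """Resilient description, note and summary fields are HTML; strip tags for the report body."""
    return HTML_TAG.sub("", value or "").strip()


def build_report(incident, notes, enclave_ids, resolution=None):
    """Assemble the TruSTAR report payload for a Resilient incident.

    Keys follow the Report Format table. id, created and updated are assigned by
    TruSTAR and are therefore not set here; externalTrackingId carries the Resilient
    incident id so that a later update or delete can refer to the same report.
    """
    sections = [plain_text(incident.get("description"))]
    if incident.get("plan_status") == RESILIENT_CLOSED:
        # Closed incident: fold resolution, resolution summary and all notes into the body.
        sections.append("Resolution: %s" % (resolution or "unspecified"))
        sections.append("Resolution summary: %s" % plain_text(incident.get("resolution_summary")))
        if notes:
            sections.append("Notes:\n" + "\n".join("- " + plain_text(n) for n in notes))
    return {
        "title": "Resilient incident %d: %s" % (incident["id"], incident["name"]),
        "reportBody": "\n\n".join(s for s in sections if s),
        "distributionType": "ENCLAVE",          # share only with the enclaves listed below
        "enclaveIds": list(enclave_ids),
        "externalTrackingId": str(incident["id"]),
        "externalUrl": None,                    # the app sets no external URL
        "timeBegan": incident.get("start_date") or incident["create_date"],  # epoch ms
    }


# Constructed sample data, not taken from a real deployment.
SAMPLE_INCIDENT = {
    "id": 2095,
    "name": "Phishing campaign",
    "description": "<p>User reported a phishing mail with a credential-harvesting link.</p>",
    "plan_status": "C",
    "resolution_summary": "<div>Mailbox purged; sender blocked at the gateway.</div>",
    "start_date": 1600000000000,
    "create_date": 1600003600000,
}
SAMPLE_NOTES = ["<p>Sender domain registered yesterday.</p>", "Blocked at the gateway."]
SAMPLE_ENCLAVE_IDS = ["00000000-0000-0000-0000-000000000000"]  # placeholder enclave id

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_INCIDENT, SAMPLE_NOTES, SAMPLE_ENCLAVE_IDS, "Resolved"), indent=2))
```

Running the module prints the payload for the closed sample incident; calling build_report on the same incident with plan_status "A" yields only the description as the body, which is what an automatic update on artifact change would send.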

Known Limitations

  • It takes approximately 10-15 seconds to fetch data from TruSTAR and display in Resilient.
  • You need to refresh the page to view the data enrichment.
  • Some indicators of URL type returned from TruSTAR are not accepted by Resilient as URL artifacts. As a workaround, the app provides an artifact type "URL String", which is assigned as the type of those indicators.
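The artifact and note creation described under Submitting Incidents to TruSTAR, together with the "URL String" workaround above, as an added Python example that is not the app's own code. The indicator-type to artifact-type mapping, the rule used to decide when a TruSTAR URL indicator falls back to "URL String" (scheme and host required), the deeplink pattern station_base/indicators/<value>, the duplicate check against artifacts already on the incident, and the sample indicators are all assumptions constructed for the example.

```python
from urllib.parse import quote, urlsplit

# Assumed mapping from TruSTAR indicator types to Resilient's built-in artifact type
# names; anything not listed falls back to the generic "String" artifact.
INDICATOR_TO_ARTIFACT = {
    "IP": "IP Address",
    "EMAIL_ADDRESS": "Email Sender",
    "MD5": "Malware MD5 Hash",
    "SHA1": "Malware SHA-1 Hash",
    "SHA256": "Malware SHA-256 Hash",
    "REGISTRY_KEY": "Registry Key",
}
URL_STRING_TYPE = "URL String"  # artifact type the app assigns to URLs Resilient rejects


def accepted_as_resilient_url(value):
    """Assumed acceptance rule: a Resilient URL artifact needs a scheme and a host.

    TruSTAR's URL type also covers bare domains and paths, which fail this check.
    """
    parts = urlsplit(value)
    return parts.scheme in ("http", "https", "ftp") and bool(parts.netloc)


def artifact_for(indicator):
    """Map one correlated indicator ({"type": ..., "value": ...}) to a Resilient artifact."""
    itype, value = indicator["type"], indicator["value"]
    if itype == "URL":
        atype = "URL" if accepted_as_resilient_url(value) else URL_STRING_TYPE
    else:
        atype = INDICATOR_TO_ARTIFACT.get(itype, "String")
    return {"type": atype, "value": value,
            "description": "Correlated TruSTAR indicator (%s)" % itype}


def artifacts_to_add(indicators, existing_artifacts):
    """Return only the artifacts not already on the incident, so that re-running
    the submit or update action does not attach duplicates."""
    seen = {(a["type"], a["value"]) for a in existing_artifacts}
    new = []
    for ind in indicators:
        art = artifact_for(ind)
        key = (art["type"], art["value"])
        if key not in seen:
            seen.add(key)
            new.append(art)
    return new


def correlated_indicators_note(indicators, station_base):
    """Build the note text listing every correlated indicator with a deeplink.

    The <station_base>/indicators/<value> pattern is an assumption for the example.
    """
    lines = ["Correlated TruSTAR indicators:"]
    for ind in indicators:
        link = "%s/indicators/%s" % (station_base.rstrip("/"), quote(ind["value"], safe=""))
        lines.append("- %s [%s]: %s" % (ind["value"], ind["type"], link))
    return "\n".join(lines)


# Constructed sample indicators, as TruSTAR might return them for a report.
SAMPLE_INDICATORS = [
    {"type": "URL", "value": "http://evil.example/payload.exe"},
    {"type": "URL", "value": "evil.example"},  # bare domain: a TruSTAR URL, not a Resilient URL
    {"type": "IP", "value": "198.51.100.7"},
    {"type": "SHA256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]
SAMPLE_EXISTING = [{"type": "IP Address", "value": "198.51.100.7"}]  # already on the incident

if __name__ == "__main__":
    for art in artifacts_to_add(SAMPLE_INDICATORS, SAMPLE_EXISTING):
        print(art)
    print(correlated_indicators_note(SAMPLE_INDICATORS, "https://station.example"))
```

Because the app re-fetches correlated indicators on every submit and update, the duplicate check is what keeps an incident from accumulating the same artifact once per update; the note is rebuilt in full each time so that it always reflects the current correlation set.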

