IBM Resilient

Updated 1 week ago by Elvis Hovor

Introduction

The IBM Resilient Plugin built for TruSTAR allows users to use the context of TruSTAR’s IOCs and incidents within Resilient workflows. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR’s vetted community of enterprise members.

Features

  • Enrich Resilient tickets with correlated intelligence from TruSTAR
  • Highlight high-priority indicators to analysts using the TruSTAR integration
  • Ingest Resilient tickets into the user's enclave in TruSTAR as Incident Reports.
  • Update the corresponding TruSTAR Incident Report when a Resilient ticket is updated.
  • Build automation playbooks from 6 TruSTAR-related actions.

Use Cases 

Speeding incident investigations:
TruSTAR's integration with Resilient greatly improves time to response for SOC and IR analysts by ingesting correlated intelligence from external and internal sources from TruSTAR into their Resilient tickets, all in near real time.

Identifying high-priority indicators:

Analysts can identify indicators that have a high risk score associated with them using the TruSTAR integration with the Resilient Threat Sources. This searches TruSTAR for the indicator and highlights high- and medium-priority indicators for quick visual prioritization.

Automated Workflow Actions:

TruSTAR's out-of-the-box workflow actions make it easy to build playbooks for enrichment of incidents, thereby speeding incident triage and automating the threat intelligence gathering functions that do not require a human.

Requirements

This section describes the system prerequisites to run the TruSTAR integration in IBM Resilient.

Resilient platform version 30 or later

Python version 2.7.10 or later, or version 3.6 or later

Download Files

This integration file contains all required Resilient objects to run TruSTAR's integration. The following file is required for a successful install of the TruSTAR-Resilient app.

#  File Name                     Description
1  trustar_resilient (6).tar.gz  This plugin file contains all the actions required to support TruSTAR actions from Resilient.

You have a Resilient account to use for the integrations. This can be any account that has the permission to view and modify administrator and customization settings and read and update incidents. You need to know the account username and password.
You have access to the command line of the Resilient appliance, which hosts the Resilient platform; or to a separate integration server where you will deploy and run the integration. If using a separate integration server, you must install Python version 2.7.10 or later, or version 3.6 or later, and “pip”. (The Resilient appliance is preconfigured with a suitable version of Python.)

Installation Guide

Setup & Configuration

Install the Python components

The functions package contains Python components that will be called by the Resilient platform to execute the functions during your workflows. These components run in the ‘resilient-circuits’ integration framework.

The package also includes Resilient customizations that will be imported into the platform later.

Ensure that the environment is up to date:

sudo pip install --upgrade pip

sudo pip install --upgrade resilient-circuits

To install the package, you must first unzip it, then install the package as follows:

sudo pip install --upgrade trustar_resilient-<version>.tar.gz

Configure the Python components

The ‘resilient-circuits’ components run as an unprivileged user, typically named `integration`. If you do not already have an `integration` user configured on your appliance, create it now.

Perform the following to configure and run the integration:

  1. Use one of the following commands to create or update the resilient-circuits configuration file. Use -c for new environments or -u for existing environments.
    1. sudo resilient-circuits config -c
       or
       sudo resilient-circuits config -u
  2. Edit the resilient-circuits configuration file.
    1. In the [resilient] section, ensure that you provide all the information needed to connect to the Resilient platform.
    2. In the [trustar] section, you will see a field ‘queue’, which contains the name of the message destination that will be used for this integration. Change the name if you want to use some other message destination; otherwise leave it unchanged. (Make sure that the user you specified in the [resilient] section has access to the message destination you specify.)
    3. In the [trustar_threat_source] section, update the following fields:

    # URL of TruSTAR platform.
    url = https://station.trustar.co
    # API key of user from TruSTAR platform. Do not change this.
    user_api_key = ^api_key_for_trustar_threat_source
    # API secret of user from TruSTAR platform. Do not change this.
    user_api_secret = ^api_secret_for_trustar_threat_source
    # Enclave IDs of user from TruSTAR for searching indicators. Separate values using comma.
    enclave_ids_for_submission =

    4. In the [trustar_account_n] section, replace ‘n’ with an integer and update the following fields in that section:

    # URL of TruSTAR platform.
    url = trustar url
    # API key of user from TruSTAR platform.
    user_api_key = ^api_key_for_[stanza_name (for e.g. trustar_account_n)]
    # API secret of user from TruSTAR platform.
    user_api_secret = ^api_secret_for_[stanza_name (for e.g. trustar_account_n)]
    # Enclave IDs of user from TruSTAR for submitting report. Separate values using comma.
    enclave_ids_for_submission = list of enclave ids
    # Enclave IDs of user from TruSTAR for querying on TruSTAR. Separate values using comma.
    enclave_ids_for_query = list of enclave ids
    # Auto Submission parameter. Possible values - enable|disable
    auto_submission = disable
    # Enter parameters to submit with report to TruSTAR. Possible values - Summary|Notes|Breach|Artifacts. Separate values using comma.
    submit_data_to_trustar = summary,notes,breach,artifacts
    # Incident Types to exclude for report submission to TruSTAR. Separate values using comma.
    incident_types_to_exclude = Denial of Service
    # List of workspaces for which this TruSTAR account will be used.
    workspace = list of workspaces
    # TAG to assign to the report submitted to TruSTAR
    tag =

You can add other TruSTAR accounts for different workspaces. Append a new section named [trustar_account_n] with some other value of ‘n’ and repeat step 2.d.

    5. In the [webserver] section, update the following fields:

    server = Host IP of server where resilient-circuits is running (Default is localhost)
    port = Port on which this will run (Default is 9000)
    secure = 1|0 (1 for https, 0 for http. Default is 0)
    cafile = certificate file. (Needed only when secure = 1)


Do not make any changes under the [custom_threat_service] section.

After making changes in the config file, run the following command:

sudo res-keyring
  1. Here you will need to provide the values for details like the API key and API secret.
  2. You can also use this method to store your Resilient platform password.
  3. In the [resilient] stanza of the app.config file, replace the value of password with “^password”.
  4. Then run res-keyring again and it will ask you to enter the password value.
  5. The package contains rules, message destination and function definitions that you can use in workflows.
  6. Deploy these customizations to the Resilient platform with the following command: resilient-circuits customize
  7. Answer the prompts to deploy functions, message destinations, workflows and rules.
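As an added example (not code from the plugin or from this page), the following Python script lints the [trustar_account_n] stanzas of an app.config before the integration is started: it checks that user_api_key and user_api_secret are ^keyring references rather than plaintext, that url uses https, that auto_submission and submit_data_to_trustar only hold the documented values, and that no workspace is mapped to two accounts. The sample app.config text and every value in it are constructed for the demonstration.

```python
import configparser

# Constructed sample of two [trustar_account_n] stanzas in the layout this page
# describes; trustar_account_2 deliberately contains the mistakes the linter flags.
SAMPLE_APP_CONFIG = """
[trustar_account_1]
url = https://station.trustar.co
user_api_key = ^api_key_for_trustar_account_1
user_api_secret = ^api_secret_for_trustar_account_1
auto_submission = disable
submit_data_to_trustar = summary,notes,breach,artifacts
workspace = SOC Tier 1, SOC Tier 2

[trustar_account_2]
url = http://station.trustar.co
user_api_key = plaintext-key-pasted-into-config
user_api_secret = ^api_secret_for_trustar_account_2
auto_submission = yes
submit_data_to_trustar = summary,attachments
workspace = SOC Tier 2
"""

ALLOWED_SUBMIT = {"summary", "notes", "breach", "artifacts"}

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_trustar_accounts(text):
    """Return (section, problem) pairs for every [trustar_account_n] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, workspace_owner = [], {}
    for name in [n for n in cp.sections() if n.startswith("trustar_account_")]:
        s = cp[name]
        # Secrets belong in res-keyring (^ reference), never in app.config itself.
        findings += [(name, k + " is plaintext, use a ^keyring reference")
                     for k in ("user_api_key", "user_api_secret") if not s.get(k, "^").startswith("^")]
        if not s.get("url", "").startswith("https://"):
            findings.append((name, "url must use https so the API secret is not sent in clear"))
        if s.get("auto_submission") not in ("enable", "disable"):
            findings.append((name, "auto_submission must be enable or disable"))
        unknown = set(split_list(s.get("submit_data_to_trustar", "").lower())) - ALLOWED_SUBMIT
        findings += [(name, "unknown submit_data_to_trustar value " + v) for v in sorted(unknown)]
        # A workspace mapped to two accounts makes the submission target ambiguous.
        for ws in split_list(s.get("workspace", "")):
            if ws in workspace_owner:
                findings.append((name, "workspace '%s' already mapped to %s" % (ws, workspace_owner[ws])))
            workspace_owner.setdefault(ws, name)
    return findings
```

Run it against the real file with `lint_trustar_accounts(open(path).read())` before starting resilient-circuits; an empty list means the stanzas match what this page documents.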
Run the integration framework

Steps for Linux

Create a service file using following command.

sudo vi /etc/systemd/system/resilient_circuits.service

Add following content in that .service file:

[Unit]
Description=Resilient-Circuits Service
After=resilient.service
Requires=resilient.service

Change locations in the file as per the environment.

Ensure that the service unit file is correctly permissioned:

sudo chmod 664 /etc/systemd/system/resilient_circuits.service

Use the systemctl command to manually enable or disable the service:

sudo systemctl [enable|disable] resilient_circuits 

Use the systemctl command to manually start, stop, restart and return status on the service:

sudo systemctl [start|stop|restart|status] resilient_circuits 

Log files for systemd and the resilient-circuits service can be viewed through the journalctl command:

sudo journalctl -u resilient_circuits --since "2 hours ago"
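A complete unit file for the service described above, as an added example that is not part of the original page: the [Service] and [Install] sections, the executable path, the working directory and the APP_CONFIG_FILE setting are assumptions to be adjusted to the environment. It runs resilient-circuits as the unprivileged integration user mentioned earlier rather than as root.

```ini
[Unit]
Description=Resilient-Circuits Service
After=resilient.service
Requires=resilient.service

[Service]
Type=simple
# Assumption: resilient-circuits config was run as the unprivileged
# 'integration' user, so its app.config lives under that user's home.
User=integration
Group=integration
WorkingDirectory=/home/integration
Environment=APP_CONFIG_FILE=/home/integration/.resilient/app.config
# Assumption: pip installed the entry point here; check with: which resilient-circuits
ExecStart=/usr/local/bin/resilient-circuits run
Restart=always
RestartSec=10
# Keep the service from writing anywhere outside its own home.
ProtectSystem=full
PrivateTmp=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
```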

Steps for Windows

Run the following command from command prompt.

resilient-circuits run -r

Run the following command where your resilient platform is installed.

    sudo resutil threatserviceedit -name "TruSTAR" -resturl "{url}/cts/trustar"
- In place of {url}, add value in this format: {http|https}://host_ip{port_you_added_in_config_f

Usage & App Commands

This app gives the SOC admin a holistic view to troubleshoot security offenses and improve the overall security posture of the organization. This integration allows Resilient users to submit all incidents being created to TruSTAR and also to enrich Resilient incidents and events with TruSTAR data.

The following actions are supported:

  1. Assign an Incident to a particular workspace.
  2. Submit Incident data to TruSTAR as reports (GUI Manual Action or Automatic Action)
  3. Update submitted report on TruSTAR whenever a new artifact is added, or status of the incident is changed. (GUI Manual Action or Automatic Action)
  4. Fetch correlated indicators from TruSTAR whenever a new incident is added, or currently submitted incident is updated (GUI Manual Action or Automatic Action)
  5. Add notes added in Resilient Incident to TruSTAR report whenever an Incident status is changed to Close. (GUI Manual Action or Automatic Action)
  6. Add resolution and resolution summary of a closed resilient incident to its corresponding report in TruSTAR. (GUI Manual Action or Automatic Action)
  7. Delete Report of a deleted incident from TruSTAR. (Automatic Action)
  8. Whitelist and Undo Whitelist indicators in TruSTAR. (GUI Manual Action)
  9. Workflow functions to perform following actions:
    1. Submit or Update Incident data to TruSTAR
    2. Get Priority Score of an Indicator from TruSTAR
    3. Get Correlated Indicators from TruSTAR for a particular Incident
    4. Delete report for a particular incident from TruSTAR
    5. Whitelist an indicator in TruSTAR
    6. Undo Whitelist an indicator in TruSTAR
  10. Threat Service

Here are the details on overall use cases addressed in TruSTAR app for Resilient.

  1. Submit Incident to different TruSTAR accounts or enclaves based on workspace.
  • This feature lets users submit incident data to different TruSTAR accounts or enclaves based on the workspace to which the incident is assigned.
  • Users need to add TruSTAR credentials and other details in app.config for this feature.
  • To assign an incident to a particular workspace, perform the following steps.
    • Navigate to Customization Settings.
    • Navigate to the Layouts tab under Customization Settings.
    • Under the New wizard, add the Workspace field from Fields to one of the blocks.
    • Click the Save button to save the changes.
    • Now you can select a workspace whenever you create a new incident.
  2. Submit Incident data to TruSTAR as reports (GUI Manual Action or Automatic Action)
  • Users can submit an incident as a report in TruSTAR.
  • A deeplink to the submitted report will be added as a note in the incident.
  • The report can be submitted automatically or using a manual action.
  • If auto_submission is enabled in app.config, the report will be submitted automatically.
  • If auto_submission is disabled in app.config, the user needs to perform the “Send To TruSTAR” manual action to submit the report.
  • Steps for Manual Action:
    • Navigate to an Incident listed under the “List Incidents” menu.
    • On that incident, find the “Actions” dropdown tab at the upper right corner.
    • Click “Send To TruSTAR” under that dropdown.
  3. Update submitted report on TruSTAR whenever a new artifact is added, or status of the incident is changed. (GUI Manual Action or Automatic Action)
  • Using this functionality, whenever a new artifact is added to a Resilient incident and auto submission is enabled, the corresponding report of that incident in TruSTAR will be updated.
  • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action shown in Figure 1.
  • The steps are the same as those you followed while submitting the report.
  4. Fetch correlated indicators from TruSTAR whenever a new incident is added, or currently submitted incident is updated (GUI Manual Action or Automatic Action)
  • Using this functionality, whenever an incident is submitted or updated to TruSTAR, automatically or manually, the correlated indicators for that report will be fetched. Each correlated indicator will be added as an artifact, and a list of all correlated indicators will be added as a note in the incident with a deeplink for each indicator.
  5. Add notes added in Resilient Incident to TruSTAR report whenever an Incident status is changed to Close. (GUI Manual Action or Automatic Action)
  • This feature will add all notes that were added to an incident to its corresponding report whenever that incident is closed.
  • If auto submission is enabled, the report will be updated automatically.
  • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action to reflect the changes in the corresponding TruSTAR report.
  6. Add resolution and resolution summary of a closed Resilient incident to its corresponding report in TruSTAR. (GUI Manual Action or Automatic Action)
  • This feature will add the resolution and resolution summary of a closed incident to its corresponding report in TruSTAR.
  • If auto submission is enabled, the report will be updated automatically.
  • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action to reflect the changes in the corresponding TruSTAR report.
  7. Delete Report of a deleted incident from TruSTAR. (Automatic Action)
  • This feature will delete the report of a deleted incident from TruSTAR if auto submission is enabled.
  • If auto submission is disabled, the user needs to delete the report manually from TruSTAR.
  8. Whitelist and Undo Whitelist indicators in TruSTAR. (GUI Manual Action)
  • This feature lets a Resilient user whitelist an artifact in TruSTAR or remove an already whitelisted artifact from TruSTAR.
  • Steps:
    • Navigate to an Incident listed under the “List Incidents” menu.
    • Under that incident, navigate to the Artifacts tab.
    • Under that tab, click the button shown in the screenshot below to perform these actions.
  9. Workflow functions to perform the following actions:
    • Submit or Update Incident data to TruSTAR
    • Get Priority Score of an Indicator from TruSTAR
    • Get Correlated Indicators from TruSTAR for a particular Incident
    • Delete report for a particular incident from TruSTAR
    • Whitelist an indicator in TruSTAR
    • Undo Whitelist an indicator in TruSTAR

  10. Threat Service
  • Whenever a new artifact is added to any incident, this feature will fetch its priority score from TruSTAR and update that in the artifact’s Hits section.
  • To enable or disable this feature, perform the following steps:
    • Navigate to Administrator Settings.
    • Navigate to the Threat Sources tab under Administrator Settings.
    • Find the “TruSTAR” threat source. You can turn its status ON or OFF from here.

Known Limitations

  • It will take around 10 – 15 seconds to fetch the data from TruSTAR and reflect it in Resilient.
  • Users need to refresh the page to view the data enriched in Resilient.
  • Some indicators of URL type returned from TruSTAR are not accepted by Resilient. As a workaround, we have added an artifact type “URL String”, which will be assigned as the type of those indicators.

Troubleshooting/FAQs

