IBM Resilient Install

Updated 2 months ago by Elvis Hovor

This document explains how to install and configure the TruSTAR integration with IBM Resilient.

The TruSTAR App for IBM Resilient enables you to access TruSTAR's IOCs and incidents within the Resilient workflow. You can automatically send Resilient incidents as TruSTAR reports, enriching them with correlated intelligence from TruSTAR and then automatically update the report when the incident is updated.

You can use the TruSTAR App with Resilient to:

  • Speed incident investigations: TruSTAR's integration with Resilient improves incident response time by ingesting correlated intelligence from TruSTAR into Resilient tickets in near real-time.
  • Identify high priority indicators: Identify indicators that have a high risk score in TruSTAR, providing a quick visual prioritization of indicators.
  • Automate Workflows: TruSTAR's workflows automate incident enrichment and threat intelligence gathering, accelerating your incident triage for faster and more complete responses to emerging threats.

Installation Options

You can choose to install the TruSTAR App on a Resilient appliance or on a separate integration server.

If you choose to use a separate integration server, you must install Python version 2.7.10 or later, or version 3.6 or later, and “pip”. (The Resilient appliance is preconfigured with a suitable version of Python.)

Requirements

Software Requirements

  • IBM Resilient version 30 to 33.
  • IBM Resilient Circuits. This can be a local installation on the Resilient appliance or installed on a separate integration server.
  • Python version 2.7.10 or higher, or version 3.6 or higher (only when using a separate integration server)
  • The TruSTAR App for IBM Resilient. You can download this tar file from the IBM X-Force Exchange. The file contains the following packages:
    • trustar_cts
    • trustar_resilient_action_module
    • util
    • setup.py

User Requirements

  • An IBM Resilient account username and password. This account must have permission to view and modify administrator and customization settings and read and update incidents.
  • Access to the command line of the Resilient appliance that hosts the Resilient platform or access to a separate integration server where you will deploy and run the TruSTAR integration.
  • Access to TruSTAR Station and to the api_key, api_secret, and enclave IDs for report submission and query.

Installing Prerequisite Software

The TruSTAR App for Resilient requires that you have Resilient Circuits installed and configured on the machine where you will install the TruSTAR App. To ensure your environment is ready for TruSTAR, please perform these procedures:

  • Checking for Resilient Circuits
  • Creating or Updating the Resilient Circuits Configuration File
  • Editing the Configuration File
  • Configuring the Threat Service
  • Executing the keyring Command
  • Executing the customize Command
  • Running the Integration Framework

Checking for Resilient Circuits

Ensure that the IBM Resilient Circuits environment is up to date by executing these commands:

sudo pip install --upgrade pip
sudo pip install --upgrade resilient-circuits

For information on how to install IBM Resilient Circuits, use this link. You can also reference the IBM Resilient Circuits Guides at this GitHub link.

To install the TruSTAR App package, unzip it and then install it using the following command:

sudo pip install --upgrade trustar_resilient-<version>.tar.gz

The ‘resilient-circuits’ components run as an unprivileged user, typically named integration. If you do not already have this user account configured on your appliance, you should create it now using information at this link.

Creating or Updating the Resilient Circuits Configuration File

  1. Use one of the following commands to create or update the Resilient Circuits configuration file. Use -c for new environments or -u for existing environments.
    sudo resilient-circuits config -c
    or
    sudo resilient-circuits config -u

Editing the Configuration File

  1. Locate the resilient-circuits configuration file. The default location is usually /usr/local/lib/python2.7/site-packages.
  2. In the [resilient] section, provide all the information needed to connect to the Resilient platform.
  3. In the [trustar] section, locate the field named queue, which contains the name of the message destination for this integration. Change the name only if you want to use some other message destination.
     Make sure that the user specified in the [resilient] section has access to this message destination. For more information on setting up a message destination, please see this IBM documentation.
  4. If the integration is running on a machine that uses a proxy for internet connectivity, add the proxy-related configuration to the [trustar] section as shown below:
[trustar]
# Name of the message destination.
queue = trustar
# Set the value true if proxy is enabled on the machine where this utility is running.
proxy = false
# Set below property as true if secured proxy is in use.
secure_proxy = false
# URL of proxy server in ip:port(8.8.8.8:1111) format
proxy_url =
# Username of secure proxy
proxy_username = ^proxy_username_for_trustar
# Password of secure proxy
proxy_password = ^proxy_password_for_trustar
  5. In the [trustar_threat_source] section, update the following fields:
# URL of TruSTAR platform.
url = https://station.trustar.co
# API key of user from TruSTAR platform. Do not change this.
user_api_key = ^api_key_for_trustar_threat_source
# API secret of user from TruSTAR platform. Do not change this.
user_api_secret = ^api_secret_for_trustar_threat_source
# Enclave IDs of user from TruSTAR for searching indicators. Separate values using a comma.
enclave_ids_for_submission =
  6. In the [trustar_account_n] section:
  • Replace ‘n’ with an integer.
  • Update the following fields. When entering multiple values on a line, use commas to separate each value.
# URL of TruSTAR platform.
url = trustar url
# API key of user from TruSTAR platform.
user_api_key = ^api_key_for_[stanza_name (for e.g. trustar_account_n)]
# API secret of user from TruSTAR platform.
user_api_secret = ^api_secret_for_[stanza_name (for e.g. trustar_account_n)]
# Enclave IDs of user from TruSTAR for submitting report.
enclave_ids_for_submission = list of enclave ids
# Enclave IDs of user from TruSTAR from querying on TruSTAR.
enclave_ids_for_query = list of enclave ids for enrichment
# Auto Submission parameter. Possible values - enable|disable
auto_submission = disable
# Enter parameters to submit with report to TruSTAR. Possible values - Summary|Notes|Breach|Artifacts.
submit_data_to_trustar = summary,notes,breach,artifacts
# Incident Types to exclude for report submission to TruSTAR.
incident_types_to_exclude = Denial of Service
# List of workspaces for which this TruSTAR account will be used. (Not API name)
workspace = name of workspaces
# TAG to assign to the report submitted to TruSTAR
tag =
You can find the correct name of the Resilient workspace(s) on the Workspaces screen in Administrator Settings. Be sure to use the value in the Name of Workspace field, not the API name field.
Resilient_Install_Figure1
You can add other TruSTAR accounts for different workspaces. Append a new section named [trustar_account_n] with some other value of ‘n’ and repeat the step above.

Configuring the Threat Service

If you want to use the Threat Service feature, add the following sections to the app.config file.

Skip this section if you have already installed the rc-cts and rc-webserver packages and added configuration for both to the app.config file.
  1. In the [webserver] section, update the following fields:
server = Host IP of server where resilient circuits is running (Default is localhost)
port = Port on which this will run (Default is 9000)
secure = 1|0 (1 for https, 0 for http. Default is 0)
cafile = certificate file. (Needed only when secure = 1)
  2. Add a [custom_threat_service] section to the app.config file.
  3. In that new section, add the fields listed below.
  • Remove # from the start of any line where you want to make changes.
  • If you change the value of URLBASE, you must use the same value when you register the Threat Service and replace "cts" in the URL for the Threat Service.
urlbase=/cts (SHOULD NOT CHANGE)
#first_retry_secs= 5
#later_retry_secs=60
#max_retries=60
#cache_size=10000
#cache_ttl=600000

Executing the keyring Command

After making changes to the config file, run the following command:

sudo res-keyring

You will need to provide TruSTAR details, including API key and API secret.

You can configure the config file to require entry of the Resilient password when running the keyring command.

  • In the [resilient] section of the app.config file, replace the value of password with “^password”.

Executing the customize Command

The TruSTAR App package contains rules, message destination and function definitions that you can use in workflows.

  1. Deploy these customizations to the Resilient platform with the following command:
resilient-circuits customize
  2. Answer the prompts to deploy functions, message destinations, workflows and rules.

Running the Integration Framework

You will need to set up Resilient Circuits as a service. For instructions on how to do this, use this IBM Support documentation.

To test that you have successfully set up the Resilient Circuits integration, run this command:

resilient-circuits run

To start Resilient Circuits as a service, execute this command:

sudo systemctl start resilient-circuits

Starting the Threat Service

sudo resutil threatserviceedit -name "TruSTAR" -resturl "{url}/cts/trustar"

In place of {url}, add value in this format:

{http|https}://host_ip:{port_you_added_in_config_file}
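As an added example (not part of the original guide or the TruSTAR package), the following Python check parses an app.config fragment like the ones shown above: it confirms that each [trustar_account_n] stanza references keyring entries (^api_key_for_..., ^api_secret_for_...) instead of plaintext secrets and uses allowed values, and it derives the -resturl for the resutil command from the [webserver] and [custom_threat_service] settings. The server address, port and enclave ID in the sample are constructed placeholders.

```python
import configparser
import re
# Constructed app.config fragment modelled on the stanzas in this guide; secrets are keyring references (^...).
SAMPLE_CONFIG = """[webserver]
server = 10.0.0.5
port = 9000
secure = 1
[custom_threat_service]
urlbase = /cts
[trustar_account_1]
user_api_key = ^api_key_for_trustar_account_1
user_api_secret = ^api_secret_for_trustar_account_1
enclave_ids_for_submission = 11111111-aaaa-4bbb-8ccc-000000000001
auto_submission = disable
submit_data_to_trustar = summary,notes,breach,artifacts
workspace = Default Workspace
"""
ALLOWED_SUBMIT = {"summary", "notes", "breach", "artifacts"}

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def check_accounts(cfg):
    # Return problems found in [trustar_account_n] stanzas; an empty list means clean.
    problems = []
    for section in cfg.sections():
        if not re.fullmatch(r"trustar_account_\d+", section):
            continue
        s = cfg[section]
        for key in ("user_api_key", "user_api_secret"):
            # Must be a keyring reference named after the stanza, never a plaintext secret.
            expected = "^" + key[len("user_"):] + "_for_" + section
            if s.get(key, "") != expected:
                problems.append("%s: %s must be %s" % (section, key, expected))
        if s.get("auto_submission", "") not in ("enable", "disable"):
            problems.append("%s: auto_submission must be enable|disable" % section)
        chosen = {v.strip().lower() for v in s.get("submit_data_to_trustar", "").split(",") if v.strip()}
        if not chosen <= ALLOWED_SUBMIT:
            problems.append("%s: unknown submit_data_to_trustar values %s" % (section, sorted(chosen - ALLOWED_SUBMIT)))
    return problems

def threat_service_resturl(cfg):
    # Build the -resturl for 'resutil threatserviceedit' from [webserver] and urlbase.
    web = cfg["webserver"]
    scheme = "https" if web.get("secure", "0") == "1" else "http"
    urlbase = cfg["custom_threat_service"].get("urlbase", "/cts")
    return "%s://%s:%s%s/trustar" % (scheme, web.get("server", "localhost"), web.get("port", "9000"), urlbase)
```

Run check_accounts against your real app.config before executing res-keyring, so that a stanza that still carries a literal key or secret is caught before it reaches the appliance.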

Installing the TruSTAR App

  1. Navigate to the Admin tab in Resilient.
  2. Click Extension Management.
  3. Click Add and select the TruSTAR App bundle from the location you downloaded it to.
  4. Click Install Immediately, then click OK to begin the installation.

You now see the TruSTAR App settings on the IBM Resilient Admin page.

Configuring the TruSTAR App

You can configure these elements for the TruSTAR App:

  • Assign an Incident to a particular workspace
  • Set up automatic fetching of priority scores

Assigning an Incident to a Workspace

This feature lets you submit incident data to different TruSTAR accounts or enclaves based on the Resilient workspace in which the incident is assigned.

You must add TruSTAR credentials and other details to app.config for this feature.

To assign an incident to a particular workspace, perform the following steps.

  1. Navigate to Customization Settings.
Resilient_Install_Figure2
  2. Click Layouts on the Customization Settings menu.
Resilient_Install_Figure3
  3. Click New Wizard on the left menu.
Resilient_Install_Figure4
  4. Add Workspace information from Fields to one of the blocks.
  5. Click Save to save the changes.
Resilient_Install_Figure5

Now you can select a specific workspace whenever you create a new incident.

Resilient_Install_Figure6

Fetching a Priority Score from TruSTAR

Whenever a new artifact is added to any incident, the Threat Service can fetch its priority score from TruSTAR and update that information in the artifact’s hits section. Values are displayed as LOW, MEDIUM, HIGH, or NOT_FOUND.

To enable or disable this feature:

  1. Navigate to Administrator Settings.
Resilient_Install_Figure7
  2. Click Threat Sources on the Administrator Settings menu.
Resilient_Install_Figure8
  3. You can change the TruSTAR status by clicking it ON or OFF.
Resilient_Install_Figure9
