IBM Resilient

Updated 4 days ago by Elvis Hovor

INTRODUCTION

This documentation describes the IBM Resilient plugin built for TruSTAR. The plugin lets users make use of the context of TruSTAR’s IOCs and incidents within Resilient workflows. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR’s vetted community of enterprise members.

USE CASES 

Speeding incident investigations:

TruSTAR’s integration with Resilient greatly improves time to response for SOC and IR analysts by ingesting correlated intelligence from TruSTAR’s external and internal sources into their Resilient tickets in near real time.

Identifying high priority indicators:

Analysts can identify indicators that have a high risk score associated with them using the TruSTAR integration with Resilient Threat Sources. This searches TruSTAR for the indicator and highlights high and medium priority indicators for quick visual prioritization.

Automated workflow actions:

TruSTAR’s out-of-the-box workflow actions make it easy to build playbooks for incident enrichment, speeding incident triage and automating the non-human-intensive parts of threat intelligence gathering.

INSTALLATION

This integration is distributed as an update set tar.gz file. You can download it here. The file contains all required Resilient objects to run TruSTAR's integration in IBM Resilient.

The following bundle is required for a successful install of the TruSTAR-Resilient app. The bundle can be downloaded here.

#   Bundle Name                    Description
1   trustar_resilient (1).tar.gz   This plugin file contains all the actions required to support TruSTAR actions from Resilient.



PRE-REQUISITES

This section describes the system requirements to run TruSTAR integration in IBM Resilient.

System Prerequisites

Resilient platform version 30 or later

Python version 2.7.10 or later, or version 3.6 or later


Installation Prerequisites

Before installing, verify that your environment meets the following prerequisites:

  • Resilient platform is version 30 or later.
  • You have a Resilient account to use for the integrations. This can be any account that has the permission to view and modify administrator and customization settings and read and update incidents. You need to know the account username and password.
  • You have access to the command line of the Resilient appliance, which hosts the Resilient platform; or to a separate integration server where you will deploy and run the integration. If using a separate integration server, you must install Python version 2.7.10 or later, or version 3.6 or later, and “pip”. (The Resilient appliance is preconfigured with a suitable version of Python.)
  • You have access to the TruSTAR platform and have details such as the api_key, api_secret and enclave IDs for report submission and query.

Install the Python components

The functions package contains Python components that will be called by the Resilient platform to execute the functions during your workflows. These components run in the ‘resilient-circuits’ integration framework.

The package also includes Resilient customizations that will be imported into the platform later.

Ensure that the environment is up to date:

sudo pip install --upgrade pip

sudo pip install --upgrade resilient-circuits

sudo pip install keyrings.alt (Linux only)

To install the package, you must first unzip it, then install the package as follows:

sudo pip install --upgrade trustar_resilient-<version>.tar.gz

Configure the Python components

The ‘resilient-circuits’ components run as an unprivileged user, typically named `integration`. If you do not already have an `integration` user configured on your appliance, create it now.

Perform the following to configure and run the integration:

  1. Use one of the following commands to create or update the resilient-circuits configuration file. Use -c for new environments or -u for existing environments.
     sudo resilient-circuits config -c
       or
     sudo resilient-circuits config -u
  2. Edit the resilient-circuits configuration file.
    a. In the [resilient] section, ensure that you provide all the information needed to connect to the Resilient platform.
    b. In the [trustar] section, you will see a field ‘queue’, which contains the name of the message destination used for this integration. Change the name if you want to use another message destination; otherwise leave it unchanged. (Make sure that the user you specified in the [resilient] section has access to the message destination you specify.)
    c. In the [trustar_threat_source] section, update the following fields. The values beginning with ‘^’ are references that are resolved when you run res-keyring later in this procedure:

      # URL of TruSTAR platform.
      url =

      # API key of user from TruSTAR platform. Do not change this.
      user_api_key = ^api_key_for_trustar_threat_source

      # API secret of user from TruSTAR platform. Do not change this.
      user_api_secret = ^api_secret_for_trustar_threat_source

      # Enclave IDs of user from TruSTAR for searching indicators. Separate values using comma.
      enclave_ids_for_submission =
    d. In the [trustar_account_n] section, replace ‘n’ with an integer and update the following fields:

      # URL of TruSTAR platform.
      url = trustar url

      # API key of user from TruSTAR platform.
      user_api_key = ^api_key_for_[stanza_name (for e.g. trustar_account_n)]

      # API secret of user from TruSTAR platform.
      user_api_secret = ^api_secret_for_[stanza_name (for e.g. trustar_account_n)]

      # Enclave IDs of user from TruSTAR for submitting report. Separate values using comma.
      enclave_ids_for_submission = list of enclave ids

      # Enclave IDs of user from TruSTAR for querying on TruSTAR. Separate values using comma.
      enclave_ids_for_query = list of enclave ids

      # Auto Submission parameter. Possible values - enable|disable
      auto_submission = disable

      # Parameters to submit with report to TruSTAR. Possible values - Summary|Notes|Breach|Artifacts. Separate values using comma.
      submit_data_to_trustar = summary,notes,breach,artifacts

      # Incident Types to exclude for report submission to TruSTAR. Separate values using comma.
      incident_types_to_exclude = Denial of Service

      # List of workspaces for which this TruSTAR account will be used.
      workspace = list of workspaces

      # TAG to assign to the report submitted to TruSTAR
      tag =

    e. You can add other TruSTAR accounts for different workspaces. Append a new section named [trustar_account_n] with some other value of ‘n’ and repeat step 2.d.
    f. In the [webserver] section, update the following fields:

      server = Host IP of server where resilient-circuits is running (Default is localhost)

      port = Port on which this will run (Default is 9000)

      secure = 1|0 (1 for https, 0 for http. Default is 0)

      cafile = certificate file (Needed only when secure = 1)

    Do not change anything under the [custom_threat_service] section.

  3. After making the changes in the config file, run the following command:
     sudo res-keyring
    a. Here you will be prompted for details such as the API key and API secret.
    b. You can also use this method to store your Resilient platform password:
      i. In the [resilient] stanza of app.config, replace the value of password with “^password”.
      ii. Then run the command again; it will ask you to enter the password value.
  4. The package contains rules, a message destination and function definitions that you can use in workflows.

     Deploy these customizations to the Resilient platform with the following command:

     resilient-circuits customize

     Answer the prompts to deploy functions, message destinations, workflows and rules.
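The following script is an added example, not part of the TruSTAR plugin or its documentation: it checks an app.config against the rules described in the configuration steps above (secrets stored as ‘^’ references for res-keyring rather than plaintext, auto_submission limited to enable|disable, only the documented submit_data_to_trustar values, each workspace mapped to a single [trustar_account_n] stanza, and a cafile present when the [webserver] stanza sets secure = 1). The function names check_app_config and csv are the example's own, and the embedded sample config and every value in it are constructed.

```python
"""Added example, not part of the TruSTAR plugin or its documentation: sanity-check
an app.config before running res-keyring and resilient-circuits.  Section and key
names are the ones documented above; the sample config and its values are made up."""
import configparser

ALLOWED_SUBMIT = {"summary", "notes", "breach", "artifacts"}
SECRET_KEYS = ("user_api_key", "user_api_secret")

# Constructed sample app.config (non-TruSTAR stanzas omitted).  trustar_account_2
# carries deliberate mistakes: a plaintext secret, a bad auto_submission value,
# an unknown submit_data_to_trustar entry and a workspace already claimed by
# trustar_account_1; the webserver stanza asks for TLS without a cafile.
SAMPLE_CONFIG = """\
[trustar_account_1]
user_api_key = ^api_key_for_trustar_account_1
user_api_secret = ^api_secret_for_trustar_account_1
auto_submission = enable
submit_data_to_trustar = summary,notes,artifacts
workspace = SOC,IR

[trustar_account_2]
user_api_key = ^api_key_for_trustar_account_2
user_api_secret = 0123456789abcdef0123456789abcdef
auto_submission = yes
submit_data_to_trustar = summary,Events
workspace = IR

[webserver]
port = 9000
secure = 1
"""


def csv(value):
    """Split a comma-separated config value into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_app_config(text):
    """Return a list of problems found; an empty list means the config passes."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    problems = []
    owner = {}  # workspace name -> stanza that claimed it
    for section in cfg.sections():
        if not section.startswith("trustar_"):
            continue
        # Secrets must be ^references resolved by res-keyring, never literals.
        for key in SECRET_KEYS:
            if not cfg.get(section, key, fallback="^").startswith("^"):
                problems.append(f"{section}: {key} is a plaintext secret; use a ^keyring reference")
        if not section.startswith("trustar_account_"):
            continue
        if cfg.get(section, "auto_submission", fallback="disable") not in ("enable", "disable"):
            problems.append(f"{section}: auto_submission must be enable or disable")
        chosen = {v.lower() for v in csv(cfg.get(section, "submit_data_to_trustar", fallback=""))}
        if chosen - ALLOWED_SUBMIT:
            problems.append(f"{section}: unknown submit_data_to_trustar values {sorted(chosen - ALLOWED_SUBMIT)}")
        # Each workspace may route to exactly one TruSTAR account.
        for ws in csv(cfg.get(section, "workspace", fallback="")):
            if ws in owner:
                problems.append(f"{section}: workspace {ws} is already mapped to {owner[ws]}")
            owner.setdefault(ws, section)
    # secure = 1 on the threat-service web server needs a certificate file.
    if cfg.get("webserver", "secure", fallback="0") == "1" and not cfg.get("webserver", "cafile", fallback=""):
        problems.append("webserver: secure = 1 but cafile is not set")
    return problems
```

Run check_app_config on the text of your real app.config before step 3; an empty result means the stanzas are consistent with the rules above, while each reported line names the stanza and key to fix.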

Run the integration framework

  1. Steps for Linux
    a. Create a service file using the following command:

       sudo vi /etc/systemd/system/resilient_circuits.service

    b. Add the following content to that .service file:

       [Unit]
       Description=Resilient-Circuits Service
       After=resilient.service
       Requires=resilient.service

       [Service]
       Type=simple
       User=root
       WorkingDirectory=/root
       ExecStartPre=/usr/bin/resutil threatserviceedit -name "TruSTAR" -resturl "{http|https}://127.0.0.1:9000/cts/trustar"
       ExecStart=/usr/local/bin/resilient-circuits run -r
       Restart=always
       TimeoutSec=100

       [Install]
       WantedBy=multi-user.target

       Change the locations in the file to match your environment. Note that this unit runs the service as root, whereas the resilient-circuits components are normally run as the unprivileged ‘integration’ user described above; adjust User= and WorkingDirectory= accordingly.

    c. Ensure that the service unit file is correctly permissioned:
       sudo chmod 664 /etc/systemd/system/resilient_circuits.service
    d. Use the systemctl command to manually enable or disable the service:
       sudo systemctl [enable|disable] resilient_circuits
    e. Use the systemctl command to manually start, stop, restart and return status on the service:
       sudo systemctl [start|stop|restart|status] resilient_circuits
    f. Log files for systemd and the resilient-circuits service can be viewed through the journalctl command:
       sudo journalctl -u resilient_circuits --since "2 hours ago"

  2. Steps for Windows
    a. Run the following command from the command prompt:
       resilient-circuits run -r
    b. Run the following command where your Resilient platform is installed:
       sudo resutil threatserviceedit -name "TruSTAR" -resturl "{url}/cts/trustar"
       In place of {url}, add a value in this format: {http|https}://host_ip{port_you_added_in_config_f
              

Business use case

The TruSTAR app provides SOC admins with a holistic view for troubleshooting security offenses and improving the overall security posture of the organization. The integration with Resilient allows Resilient users to submit all incidents being created to TruSTAR, and also empowers them to enrich incidents and events in Resilient.

The following use cases are addressed in the TruSTAR app for Resilient.

    1. Assign an Incident to a particular workspace.
    2. Submit Incident data to TruSTAR as reports (GUI Manual Action or Automatic Action)
    3. Update submitted report on TruSTAR whenever a new artifact is added, or status of the incident is changed. (GUI Manual Action or Automatic Action)
    4. Fetch correlated indicators from TruSTAR whenever a new incident is added, or currently submitted incident is updated (GUI Manual Action or Automatic Action)
    5. Add notes added in Resilient Incident to TruSTAR report whenever an Incident status is changed to Close. (GUI Manual Action or Automatic Action)
    6. Add resolution and resolution summary of a closed resilient incident to its corresponding report in TruSTAR. (GUI Manual Action or Automatic Action)
    7. Delete Report of a deleted incident from TruSTAR. (Automatic Action)
    8. Whitelist and Undo Whitelist indicators in TruSTAR. (GUI Manual Action)
    9. Workflow functions to perform the following actions:
      a. Submit or Update Incident data to TruSTAR
      b. Get Priority Score of an Indicator from TruSTAR
      c. Get Correlated Indicators from TruSTAR for a particular Incident
      d. Delete report for a particular incident from TruSTAR
      e. Whitelist an indicator in TruSTAR
      f. Undo Whitelist an indicator in TruSTAR
    10. Threat Service

Here are the details of each use case addressed in the TruSTAR app for Resilient.

1. Submit Incident to different TruSTAR accounts or enclaves based on workspace.
   • This feature lets users submit incident data to different TruSTAR accounts or enclaves based on the workspace to which the incident is assigned.
   • Users need to add TruSTAR credentials and other details in app.config for this feature.
   • To assign an incident to a particular workspace, perform the following steps.
     • Navigate to Customization Settings.
       Figure 1 Navigate to Customization Settings

     • Navigate to the Layouts tab under Customization Settings.
       Figure 2 Navigate to Layouts under Customization Settings

     • Under the New wizard, add the Workspace field from Fields to one of the blocks.
       Figure 3 Place workspace field at one wizard

     • Click the save button to save the changes.
       Figure 4 Save the changes

     • Now you can select a workspace whenever you create a new incident.
       Figure 5 Select workspace for new incident
2. Submit Incident data to TruSTAR as reports (GUI Manual Action or Automatic Action)
   • Users can submit an incident as a report in TruSTAR.
   • A deep link to the submitted report will be added as a note in the incident.
   • The report can be submitted automatically or using a manual action.
   • If auto_submission is enabled in app.config, the report will be submitted automatically.
   • If auto_submission is disabled in app.config, the user needs to perform the “Send To TruSTAR” manual action to submit the report.
   • Steps for the manual action:
     • Navigate to an incident listed under the “List Incidents” menu.
     • On that incident, find the “Actions” dropdown at the upper right corner.
     • Click “Send To TruSTAR” under that dropdown.
   Figure 6 Send Incident to TruSTAR
   Figure 7 Report submitted to TruSTAR
3. Update submitted report on TruSTAR whenever a new artifact is added, or status of the incident is changed. (GUI Manual Action or Automatic Action)
   • With this functionality, whenever a new artifact is added to a Resilient incident and auto submission is enabled, the corresponding report of that incident in TruSTAR will be updated.
   • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action shown in Figure 1.
   • The steps are the same as those followed when submitting the report.
4. Fetch correlated indicators from TruSTAR whenever a new incident is added, or currently submitted incident is updated (GUI Manual Action or Automatic Action)
   • With this functionality, whenever an incident is submitted or updated to TruSTAR, automatically or manually, the correlated indicators for that report will be fetched; each correlated indicator will be added as an artifact, and a list of all correlated indicators will be added as a note, with a deep link for each indicator, in the incident.
5. Add notes added in Resilient Incident to TruSTAR report whenever an Incident status is changed to Close. (GUI Manual Action or Automatic Action)
   • This feature adds all notes that were added to an incident to its corresponding report whenever that incident is closed.
   • If auto submission is enabled, the report will be updated automatically.
   • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action to reflect the changes in the corresponding TruSTAR report.
6. Add resolution and resolution summary of a closed resilient incident to its corresponding report in TruSTAR. (GUI Manual Action or Automatic Action)
   • This feature adds the resolution and resolution summary of a closed incident to its corresponding report in TruSTAR.
   • If auto submission is enabled, the report will be updated automatically.
   • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action to reflect the changes in the corresponding TruSTAR report.
7. Delete Report of a deleted incident from TruSTAR. (Automatic Action)
   • This feature deletes the report of a deleted incident from TruSTAR if auto submission is enabled.
   • If auto submission is disabled, the user needs to delete the report manually from TruSTAR.
8. Whitelist and Undo Whitelist indicators in TruSTAR. (GUI Manual Action)
   • This feature lets a Resilient user whitelist an artifact in TruSTAR or remove an already whitelisted artifact from TruSTAR.
   • Steps:
     • Navigate to an incident listed under the “List Incidents” menu.
     • Under that incident, navigate to the Artifacts tab.
     • Under that tab, click the button shown in the screenshot below to perform these actions.
   Figure 8 Whitelist | Undo whitelist artifact in TruSTAR
9. Workflow functions to perform the following actions:
   a. Submit or Update Incident data to TruSTAR
      Input: Incident ID
      Output: Report submitted to TruSTAR, in JSON format
   b. Get Priority Score of an Indicator from TruSTAR
      Input: Indicator value
      Output: Priority value of the provided artifact, in JSON format
   c. Get Correlated Indicators from TruSTAR for a particular Incident
      Input: Incident ID
      Output: List of correlated indicators, in JSON format
   d. Delete report for a particular incident from TruSTAR
      Input: Incident ID
      Output: Status in JSON format, done or error
   e. Whitelist an indicator in TruSTAR
      Input: Indicator value and incident ID
      Output: List of indicators whitelisted in TruSTAR
   f. Undo Whitelist an indicator in TruSTAR
      Input: Indicator value, type and incident ID
      Output: Status in JSON format, done or error
10. Threat Service
   • Whenever a new artifact is added to any incident, this feature fetches its priority score from TruSTAR and updates it in the artifact’s hits section.
   • To enable or disable this feature, perform the following steps:
     a. Navigate to Administrator Settings.
        Figure 9 Navigate to Administrator Settings

     b. Navigate to the Threat Sources tab under Administrator Settings.
        Figure 10 Navigate to Threat Sources

     c. Find the “TruSTAR” threat source. You can turn its status ON or OFF from here.
        Figure 11 TruSTAR threat source

Limitations

Below are the known limitations of this integration:

  1. It will take around 10 – 15 seconds to fetch the data from TruSTAR and reflect that data in Resilient.
  2. Users need to refresh the page to view the data enriched in Resilient.
  3. Some indicators of URL type returned from TruSTAR are not accepted by Resilient.

     Solution: We have added an artifact type “URL String”, which will be assigned as the type of those indicators.
