IBM Resilient

Updated 2 weeks ago by Elvis Hovor

Introduction

The IBM Resilient plugin built for TruSTAR lets users use the context of TruSTAR's IOCs and incidents within Resilient workflows. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members.

Features

  • Enrich Resilient tickets with correlated intelligence from TruSTAR.
  • Highlight high-priority indicators to analysts using the TruSTAR integration.
  • Ingest Resilient tickets into the user's enclave in TruSTAR as Incident Reports.
  • Update the corresponding TruSTAR Incident Report when a Resilient ticket is updated.
  • Build automation playbooks from 6 TruSTAR-related actions.

Use Cases

Speeding up incident investigations:
TruSTAR's integration with Resilient greatly improves time to response for SOC and IR analysts by ingesting correlated intelligence from external and internal sources in TruSTAR into their Resilient tickets, all in near real time.

Identifying high-priority indicators:

Analysts can identify indicators that have a high risk score using the TruSTAR integration with Resilient Threat Sources. This searches TruSTAR for the indicator and highlights high- and medium-priority indicators for quick visual prioritization.

Automated workflow actions:

TruSTAR's out-of-the-box workflow actions make it easy to build playbooks for enriching incidents, which speeds up incident triage and automates the parts of threat intelligence gathering that do not need a human.

Requirements

This section describes the system pre-requisites to run TruSTAR integration in IBM Resilient.

Resilient platform version 30 or later

Python version 2.7.10 or later, or version 3.6 or later

Download Files

This integration file contains all the Resilient objects required to run TruSTAR's integration. The following file is required for a successful install of the TruSTAR-Resilient app.

#   File Name                     Description
1   trustar_resilient (6).tar.gz  This plugin file contains all the actions required to support TruSTAR actions from Resilient.

The current app version on IBM Exchange does not support a proxy. To use TruSTAR's Resilient plugin with proxy settings, use the local download file found on this page.

Before installing, make sure that:
  • You have a Resilient account to use for the integration. This can be any account that has permission to view and modify administrator and customization settings and to read and update incidents. You need to know the account username and password.
  • You have access to the command line of the Resilient appliance, which hosts the Resilient platform, or to a separate integration server where you will deploy and run the integration. If using a separate integration server, you must install Python version 2.7.10 or later, or version 3.6 or later, and “pip”. (The Resilient appliance is preconfigured with a suitable version of Python.)

Installation Guide

Setup & Configuration

Install the Python components

The functions package contains Python components that will be called by the Resilient platform to execute the functions during your workflows. These components run in the ‘resilient-circuits’ integration framework.

The package also includes Resilient customizations that will be imported into the platform later.

Ensure that the environment is up to date:

sudo pip install --upgrade pip

sudo pip install --upgrade resilient-circuits

To install the package, you must first unzip it then install the package as follows:

sudo pip install --upgrade trustar_resilient-<version>.tar.gz

Configure the Python components

The ‘resilient-circuits’ components run as an unprivileged user, typically named `integration`. If you do not already have an `integration` user configured on your appliance, create it now.

Perform the following to configure and run the integration:

  1. Use one of the following commands to create or update the resilient-circuits configuration file. Use -c for new environments or -u for existing environments.
    sudo resilient-circuits config -c
      or
    sudo resilient-circuits config -u
  2. Edit the resilient-circuits configuration file.
    Possible location: /usr/local/lib/python2.7/site-packages
  3. In the [resilient] section, ensure that you provide all the information needed to connect to the Resilient platform.
  4. In the [trustar] section, you will see a field ‘queue’, which contains the name of the message destination that will be used for this integration. Change the name if you want to use some other message destination; otherwise leave it unchanged. (Make sure that the user you specified in the [resilient] section has access to the message destination you specify.)
  5. If the integration is running on a machine that uses a proxy for internet connectivity, you need to add the proxy-related configuration to the [trustar] section as shown below:
    [trustar]
    # Name of the message destination.
    queue = trustar
    # Set the value true if proxy is enabled on the machine where this utility is running.
    proxy = false
    # Set below property as true if secured proxy is in use.
    secure_proxy = false
    # URL of proxy server in ip:port(8.8.8.8:1111) format
    proxy_url =
    # Username of secure proxy
    proxy_username = ^proxy_username_for_trustar
    # Password of secure proxy
    proxy_password = ^proxy_password_for_trustar
  6. In the [trustar_threat_source] section update the following fields:
    # URL of TruSTAR platform.
    url = https://station.trustar.co
    # API key of user from TruSTAR platform. Do not change this.
    user_api_key = ^api_key_for_trustar_threat_source
    # API secret of user from TruSTAR platform. Do not change this.
    user_api_secret = ^api_secret_for_trustar_threat_source
    # Enclave IDs of user from TruSTAR for searching indicators. Separate values using comma.
    enclave_ids_for_submission =
  7. In the [trustar_account_n] section, replace ‘n’ with an integer and update the following fields in that section:
    # URL of TruSTAR platform.
    url = trustar url
    # API key of user from TruSTAR platform.
    user_api_key = ^api_key_for_[stanza_name (for e.g. trustar_account_n)]
    # API secret of user from TruSTAR platform.
    user_api_secret = ^api_secret_for_[stanza_name (for e.g. trustar_account_n)]
    # Enclave IDs of user from TruSTAR for submitting report. Separate values using comma.
    enclave_ids_for_submission = list of enclave ids
    # Enclave IDs of user from TruSTAR from querying on TruSTAR. Separate values using comma.
    enclave_ids_for_query = list of enclave ids
    # Auto Submission parameter. Possible values - enable|disable
    auto_submission = disable
    # Enter parameters to submit with report to TruSTAR. Possible values - Summary|Notes|Breach|Artifacts. Separate values using comma.
    submit_data_to_trustar = summary,notes,breach,artifacts
    # Incident Types to exclude for report submission to TruSTAR. Separate values using comma.
    incident_types_to_exclude = Denial of Service
    # List of workspaces for which this TruSTAR account will be used.
    workspace = list of workspaces
    # TAG to assign to the report submitted to TruSTAR
    tag =
You can add other TruSTAR accounts for different workspaces. Append a new section named [trustar_account_n] with some other value of ‘n’ and repeat the [trustar_account_n] configuration described above.

If you want to use the Threat Service feature of the integration, you need to add the following sections to the app.config file.

Skip this if you have already installed the rc-cts and rc-webserver community apps for Resilient and added the configuration for both to the app.config file.

In the [webserver] section update the following fields:

    server = Host IP of the server where resilient-circuits is running (default is localhost)
    port = Port on which this will run (default is 9000)
    secure = 1|0 (1 for https, 0 for http; default is 0)
    cafile = certificate file (needed only when secure = 1)


Add a [custom_threat_service] section to the app.config file and in that section add the following fields (remove the # at the start of a field if you want to change its value):

    urlbase=/cts (SHOULD NOT CHANGE)
    #first_retry_secs=5
    #later_retry_secs=60
    #max_retries=60
    #cache_size=10000
    #cache_ttl=600000

If you change the value of urlbase in the section above, use the same value when you register the threat service, in place of cts in the threat service URL.

After making your changes to the config file, run the following command:

sudo res-keyring
  1. Here you will need to provide details such as the API key and API secret for each ^-prefixed value.
  2. You can also use this method to store the Resilient platform password.
  3. In the [resilient] stanza of the app.config file, replace the value of password with “^password”.
  4. Then run the command again and it will ask you to enter the password value.

Deploy the customizations
  1. The package contains rules, a message destination and function definitions that you can use in workflows.
  2. Deploy these customizations to the Resilient platform with the following command: resilient-circuits customize
  3. Answer the prompts to deploy functions, message destinations, workflows and rules.

Run the integration framework
Steps for Linux

Create a service file using the following command.

sudo vi /etc/systemd/system/resilient_circuits.service

Add the following content to that .service file:

[Unit]
Description=Resilient-Circuits Service
After=resilient.service
Requires=resilient.service

Change locations in the file as per the environment.

Ensure that the service unit file is correctly permissioned:

sudo chmod 664 /etc/systemd/system/resilient_circuits.service

Use the systemctl command to manually enable or disable the service:

sudo systemctl [enable|disable] resilient_circuits 

Use the systemctl command to manually start, stop, restart and return status on the service:

sudo systemctl [start|stop|restart|status] resilient_circuits 

Log files for systemd and the resilient-circuits service can be viewed through the journalctl command:

sudo journalctl -u resilient_circuits --since "2 hours ago"

Steps for Windows

Run the following command from the command prompt.

resilient-circuits run -r

Run the following command on the machine where your Resilient platform is installed to register the threat service.

    sudo resutil threatserviceedit -name "TruSTAR" -resturl "{url}/cts/trustar"
  • In place of {url}, add a value in this format: {http|https}://host_ip{port_you_added_in_config_f

Usage & App Commands

This app gives the SOC admin a holistic view to troubleshoot security offenses and improve the overall security posture of the organization. The integration allows Resilient users to submit all newly created incidents to TruSTAR and to enrich Resilient incidents and events with TruSTAR data.

The following actions are supported:

  1. Assign an Incident to a particular workspace.
  2. Submit Incident data to TruSTAR as reports (GUI Manual Action or Automatic Action).
  3. Update the submitted report on TruSTAR whenever a new artifact is added or the status of the incident is changed (GUI Manual Action or Automatic Action).
  4. Fetch correlated indicators from TruSTAR whenever a new incident is added or a currently submitted incident is updated (GUI Manual Action or Automatic Action).
  5. Add notes added in a Resilient Incident to the TruSTAR report whenever the Incident status is changed to Close (GUI Manual Action or Automatic Action).
  6. Add the resolution and resolution summary of a closed Resilient incident to its corresponding report in TruSTAR (GUI Manual Action or Automatic Action).
  7. Delete the report of a deleted incident from TruSTAR (Automatic Action).
  8. Whitelist and Undo Whitelist indicators in TruSTAR (GUI Manual Action).
  9. Workflow functions to perform the following actions:
    1. Submit or Update Incident data to TruSTAR
    2. Get Priority Score of an Indicator from TruSTAR
    3. Get Correlated Indicators from TruSTAR for a particular Incident
    4. Delete report for a particular incident from TruSTAR
    5. Whitelist an indicator in TruSTAR
    6. Undo Whitelist an indicator in TruSTAR
  10. Threat Service

Here are the details of the overall use cases addressed by the TruSTAR app for Resilient.

  1. Submit Incident to different TruSTAR accounts or enclaves based on workspace.
  • This feature lets the user submit incident data to different TruSTAR accounts or enclaves based on the workspace to which the incident is assigned.
  • The user needs to add TruSTAR credentials and other details to app.config for this feature.
  • To assign an incident to a particular workspace, perform the following steps:
    • Navigate to Customization Settings.
    • Navigate to the Layouts tab under Customization Settings.
    • Under the New wizard, add the Workspace field from Fields to one of the blocks.
    • Click the Save button to save the changes.
    • Now you can select a workspace whenever you create a new incident.
  2. Submit Incident data to TruSTAR as reports (GUI Manual Action or Automatic Action)
  • The user can submit an incident as a report in TruSTAR.
  • A deeplink to the submitted report will be added as a note in the incident.
  • The report can be submitted automatically or using the manual action.
  • If the user has enabled auto_submission in app.config, the report will be submitted automatically.
  • If the user has disabled auto_submission in app.config, he/she needs to perform the “Send To TruSTAR” manual action to submit the report.
  • Steps for the manual action:
    • Navigate to an Incident listed under the “List Incidents” menu.
    • On that incident, find the “Actions” dropdown tab at the upper right corner.
    • Click “Send To TruSTAR” under that dropdown.
  3. Update submitted report on TruSTAR whenever a new artifact is added, or status of the incident is changed (GUI Manual Action or Automatic Action)
  • With this functionality, whenever a new artifact is added to a Resilient incident and auto submission is enabled, the corresponding report of that incident in TruSTAR will be updated.
  • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action shown in Figure 1.
  • The steps are the same as those you followed while submitting the report.
  4. Fetch correlated indicators from TruSTAR whenever a new incident is added, or currently submitted incident is updated (GUI Manual Action or Automatic Action)
  • With this functionality, whenever an incident is submitted or updated to TruSTAR, automatically or manually, the correlated indicators for that report will be fetched. Each correlated indicator will be added as an artifact, and a list of all correlated indicators, with a deeplink for each indicator, will be added as a note in the incident.
  5. Add notes added in Resilient Incident to TruSTAR report whenever an Incident status is changed to Close (GUI Manual Action or Automatic Action)
  • This feature will add all notes that were added to an incident to its corresponding report whenever that incident is closed.
  • If auto submission is enabled, the report will be updated automatically.
  • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action to reflect the changes in the corresponding TruSTAR report.
  6. Add resolution and resolution summary of a closed Resilient incident to its corresponding report in TruSTAR (GUI Manual Action or Automatic Action)
  • This feature will add the resolution and resolution summary of a closed incident to its corresponding report in TruSTAR.
  • If auto submission is enabled, the report will be updated automatically.
  • If auto submission is disabled, the user needs to perform the “Send To TruSTAR” manual action to reflect the changes in the corresponding TruSTAR report.
  7. Delete Report of a deleted incident from TruSTAR (Automatic Action)
  • This feature will delete the report of a deleted incident from TruSTAR if auto submission is enabled.
  • If auto submission is disabled, the user needs to delete the report manually from TruSTAR.
  8. Whitelist and Undo Whitelist indicators in TruSTAR (GUI Manual Action)
  • This feature lets a Resilient user whitelist an artifact in TruSTAR or remove an already whitelisted artifact from TruSTAR.
  • Steps:
    • Navigate to an Incident listed under the “List Incidents” menu.
    • Under that incident, navigate to the Artifacts tab.
    • Under that tab, click the button shown in the screenshot below to perform these actions.
  9. Workflow functions to perform the following actions:

a. Submit or Update Incident data to TruSTAR

  • Input: Incident ID
  • Pre-process script
  • Output: Report submitted to TruSTAR, in JSON format
  • Payload: JSON object with the following content

    Key                 Value
    reportBody          Incident content submitted to TruSTAR
    updated             Time of last report update
    externalUrl         None
    created             Time when report was created
    distributionType    ENCLAVE
    title               Report Title
    timeBegan           Time that the incident began
    id                  Report ID
    enclaveIds          IDs of the enclaves in which the report is submitted
    externalTrackingId  External ID of the report

b. Get Priority Score of an Indicator from TruSTAR

  • Input: Indicator value
  • Pre-process script
  • Output: Priority value of the provided artifact in JSON format.
  • Payload: JSON object with the following content

    Key            Value
    priorityLevel  Priority level of that indicator in TruSTAR (LOW, MEDIUM, HIGH, NOT_FOUND)

c. Get Correlated Indicators from TruSTAR for a particular Incident

  • Input: Incident ID
  • Pre-process script: Same as "Submit or Update Incident data to TruSTAR"
  • Output: List of correlated indicators in JSON format
  • Payload: JSON object with the following content

    Key         Value
    indicators  List of correlated indicators, e.g.:
                [
                  {
                    "type": "MALWARE",
                    "value": "WANNACRY"
                  }
                ]

d. Delete report for a particular incident from TruSTAR

  • Input: Incident ID
  • Pre-process script: Same as Figure 9
  • Output: Status in JSON format, done or error.
  • Payload: JSON object with the following content

    Key     Value
    status  Done

e. Whitelist an indicator in TruSTAR

  • Input: Indicator value and incident ID
  • Pre-process script
  • Output: List of indicators whitelisted in TruSTAR
  • Payload: JSON object with the following content

    Key         Value
    indicators  List of indicators, e.g.:
                [
                  {
                    "type": "MALWARE",
                    "value": "WANNACRY"
                  }
                ]

f. Undo Whitelist an indicator in TruSTAR

  • Input: Indicator value, type and Incident ID
  • Pre-process script
  • Output: Status in JSON format, done or error.
  • Payload: JSON object with the following content

    Key     Value
    status  Done

If any error occurs during execution of any of the above functions, then the output of that function will be a JSON object with an ‘error’ key and the error message as its value.

Post-process script

  • The result of any function is accessible in the post-process script through the “results” variable.
  • See the example below to understand how you can fetch results.
  • Here, the ID of the submitted report is fetched from the “Submit report to TruSTAR” function result and added as a note in the incident.
  • Using the same approach, you can fetch the results of other functions and use them in your business logic.
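The post-process script these bullets describe, as an added example that is not TruSTAR's or the page's own script: it reads the submit function's payload from `results` and adds the report ID as a note, and goes one step further by handling the error, indicators, priorityLevel and status payloads of the other functions. It assumes `results` is a dict with the payload keys from the tables above and that `incident.addNote(text)` is the Resilient scripting call that adds a note; `NoteRecorder` and `SAMPLE_SUBMIT_RESULT` are constructed stand-ins so the block runs outside Resilient.

```python
# Added example, not the page's or TruSTAR's own post-process script.
# Assumptions: `results` is a dict with the payload keys from the tables
# above; `incident.addNote(text)` is the Resilient scripting call that
# adds a note; NoteRecorder and SAMPLE_SUBMIT_RESULT are constructed stand-ins.

def build_trustar_note(results):
    """Turn a TruSTAR function result into note text, or None if nothing to add."""
    if not results:
        return None
    # Every function reports failure as a JSON object with an 'error' key.
    if "error" in results:
        return "TruSTAR action failed: {}".format(results["error"])
    # "Submit or Update Incident data to TruSTAR" returns the report payload.
    if "id" in results:
        enclaves = ", ".join(results.get("enclaveIds") or []) or "none"
        return "TruSTAR report {} submitted to enclave(s): {}".format(
            results["id"], enclaves)
    # "Get Correlated Indicators" and "Whitelist" return {'type', 'value'} objects.
    if "indicators" in results:
        items = ["{} {}".format(i["type"], i["value"]) for i in results["indicators"]]
        return "TruSTAR indicators ({}): {}".format(len(items), "; ".join(items))
    # "Get Priority Score of an Indicator" returns priorityLevel.
    if "priorityLevel" in results:
        return "TruSTAR priority level: {}".format(results["priorityLevel"])
    # "Delete report" and "Undo Whitelist" return a status of done or error.
    if "status" in results:
        return "TruSTAR action status: {}".format(results["status"])
    return None


def run_post_process(results, incident):
    """Post-process script body: add the note to the incident when there is one."""
    note = build_trustar_note(results)
    if note is not None:
        incident.addNote(note)
    return note


class NoteRecorder(object):
    """Stand-in for the platform's `incident` object, for running outside Resilient."""
    def __init__(self):
        self.notes = []

    def addNote(self, text):
        self.notes.append(text)


# Constructed sample result for the submit function (placeholder values, not real data).
SAMPLE_SUBMIT_RESULT = {
    "id": "REPORT-ID-PLACEHOLDER",
    "title": "Suspicious login from unknown host",
    "distributionType": "ENCLAVE",
    "enclaveIds": ["ENCLAVE-ID-PLACEHOLDER"],
    "externalTrackingId": "2048",
}

if __name__ == "__main__":
    # In the Resilient script editor the platform supplies `results` and
    # `incident`, so the script body is just: run_post_process(results, incident)
    print(run_post_process(SAMPLE_SUBMIT_RESULT, NoteRecorder()))
```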

Threat Service

  • Whenever a new artifact is added to any incident, this feature will fetch its priority score from TruSTAR and update it in the artifact's Hits section.
  • To enable or disable this feature, perform the following steps:
    • Navigate to Administrator Settings.
    • Navigate to the Threat Sources tab under Administrator Settings.
    • Find the “TruSTAR” threat source. You can turn its status ON or OFF from here.

Known Limitations

  • It will take around 10 – 15 seconds to fetch the data from TruSTAR and reflect it in Resilient.
  • The user needs to refresh the page to view the data enriched in Resilient.
  • Some indicators of URL type returned from TruSTAR are not accepted by Resilient. As a workaround, we have added an artifact type “URL String”, which will be assigned as the type for those indicators.

Troubleshooting/FAQs

