IBM Resilient 1.7.0
  • 06 Apr 2025

tags: Python | IBM SOAR | Resilient | Automation | Incident | Task


Description

The IBM SOAR automation supports CDC users by automating incident creation, incident update, incident closure, adding attachments to an incident, and creating tasks under an incident on the IBM SOAR platform.

The automation is bi-directional: a third-party analyst working in IBM SOAR can also create an alert and an incident in CDC.

IBM Security™ SOAR, formerly Resilient, is designed to help security teams respond to cyber threats with confidence, automate with intelligence, and collaborate with consistency. It codifies established incident response processes into dynamic playbooks that are used to resolve incidents.

CyberProof provides CLI commands for the following user actions from CDC to IBM SOAR:

• Create Incident

• Create Task

• Add Attachments

When an incident is created, CDC observables are mapped to IBM SOAR artifacts. CDC observables that have no artifact mapping are written to the Notes section of the IBM SOAR incident instead, so no observable is silently dropped.
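The observable-to-artifact split described above, as an added illustrative example in Python; this is not the integration's own code. The CDC observable type names on the left of the mapping, the artifact type names (modelled on IBM SOAR's default artifact types) and the artifact and comment payload shapes are assumptions, not taken from this page. The sample observables are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed mapping from CDC observable types to IBM SOAR artifact type names.
# The right-hand names follow IBM SOAR's default artifact types; the left-hand
# CDC type names are illustrative and not the integration's real schema.
OBSERVABLE_TO_ARTIFACT: Dict[str, str] = {
    "ip": "IP Address",
    "domain": "DNS Name",
    "url": "URL",
    "md5": "Malware MD5 Hash",
    "sha256": "Malware SHA-256 Hash",
    "email_sender": "Email Sender",
}

# Constructed sample input standing in for the observables of a CDC incident.
SAMPLE_OBSERVABLES: List[Dict[str, str]] = [
    {"type": "ip", "value": "203.0.113.10"},
    {"type": "domain", "value": "example.net"},
    {"type": "url", "value": "http://example.net/login"},
    {"type": "IP", "value": "203.0.113.10"},        # duplicate, differs only in case
    {"type": "user_agent", "value": "curl/8.0"},     # no artifact type: goes to the note
    {"type": "hostname", "value": "ws-0042"},        # no artifact type: goes to the note
    {"type": "sha256", "value": ""},                 # empty value: dropped
]


@dataclass
class MappingResult:
    # Bodies for POST /rest/orgs/{org_id}/incidents/{inc_id}/artifacts (assumed shape).
    artifacts: List[dict] = field(default_factory=list)
    # Body for POST /rest/orgs/{org_id}/incidents/{inc_id}/comments, or None when
    # every observable had an artifact mapping (assumed shape).
    note: Optional[dict] = None


def map_observables(observables: List[Dict[str, str]]) -> MappingResult:
    """Split CDC observables into SOAR artifact payloads plus one note for the rest."""
    result = MappingResult()
    seen = set()          # (artifact type, value) pairs already emitted
    unmapped: List[str] = []
    for obs in observables:
        otype = str(obs.get("type", "")).strip().lower()
        value = str(obs.get("value", "")).strip()
        if not value:
            continue      # nothing to attach or note
        artifact_type = OBSERVABLE_TO_ARTIFACT.get(otype)
        if artifact_type is None:
            unmapped.append(f"{otype or 'unknown'}: {value}")
            continue
        if (artifact_type, value) in seen:
            continue      # avoid creating the same artifact twice on the incident
        seen.add((artifact_type, value))
        result.artifacts.append({
            "type": artifact_type,
            "value": value,
            "description": {"format": "text", "content": f"CDC observable ({otype})"},
        })
    if unmapped:
        result.note = {
            "text": {
                "format": "text",
                "content": "Unmapped CDC observables:\n" + "\n".join(unmapped),
            }
        }
    return result


if __name__ == "__main__":
    mapped = map_observables(SAMPLE_OBSERVABLES)
    for art in mapped.artifacts:
        print(f"artifact {art['type']!r}: {art['value']}")
    if mapped.note:
        print(mapped.note["text"]["content"])
```

Two details worth keeping in a real implementation: artifacts are de-duplicated on (type, value) so that re-running the workflow after an observable is added again does not pile up identical artifacts, and observables with no mapping are still preserved verbatim in a single note rather than discarded, which is the behaviour the description above calls for.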

CyberProof also provides task creation for an incident through a custom-input adaptive card form.

Integration Type: SOAR
Information read: Incident and Task Details
API Supported: Custom API
Input: CDC Incident, Attachment, Task details
Output: Incident created, updated, closed and Task created in IBM SOAR

Customer Configuration

No Customer Configuration


CDC Command Lines

* **create_incident_in_ibm_soar_cli**
Workflow for creation of an incident in IBM SOAR.

Options: none.

* **create_task_cli**
Creates a task with the given details.

| Option | Type | Description | Required |
|---|---|---|---|
| task_name | string | The name of the task to be created | True |
| phase | string | The phase of the task | False |
| owner | string | The owner of the task | False |
| due_date | string | The due date of the task | False |
| due_time | string | The due time of the task | False |
| private | boolean | Whether the task is private | False |
| instructions | string | The instructions for the task | False |

* **add_task_form_cli**
Populates the form used to add a task to an incident.

Options: none.

* **send_attachments_to_ibm_soar_cli**
Sends CDC files to IBM SOAR as incident attachments.

| Option | Type | Description | Required |
|---|---|---|---|
| file_ids | array | File IDs from CDC | True |

Workflows

* **observable_added_in_incident**
Runs when an observable or an alert is added to the CDC incident.

* **observable_artifact_mapping_subworkflow**
Sub-workflow for mapping CDC observables to IBM SOAR artifacts.

* **priority_changed**
Runs when the priority of a CDC incident is changed.

* **get_cdc_incident_details_with_external_id**
Workflow to get the CDC incident details and the external ID, which can be reused by other workflows.

* **close_incident_in_ibm_xsoar**
Workflow for closing an incident in IBM SOAR; if the incident does not exist, it is created and then closed.

* **automatic_incident_creation_in_ibm_xsoar**
Workflow for automatic creation of an incident in IBM SOAR.

* **cdc_incident_created_with_alert**
Workflow for checking and mapping CDC incident data with the IBM SOAR incident.

* **post_send_attachments_to_ibm_soar**
Post send-attachments-to-ibm-soar in CDC by ID of incident/message/channel.

* **cdc_to_ibm_soar_mapping_workflow**
Workflow for mapping CDC incident data to IBM SOAR incident and artifact data.

* **send_attachments_to_ibm_soar**
Sends attachments to IBM SOAR.

* **post_create_task**
Post create-task in CDC by ID of incident/message/channel.

* **get_cdc_alert_data**
Workflow for fetching the alert data of the first alert in the incident.

* **send_attachments**
Sends attachments.

* **create_incident_in_ibm_soar**
Workflow for creation of an incident in IBM SOAR.

* **post_create_task_from_form**
Post create-task-from-form in CDC by ID of incident/message/channel.


Rules

* **ibm_xsoar_close_incident_rule**
IBM SOAR close incident rule

* **create_incident_by_priority_rule**
Create incident by priority rule

* **cdc_incident_created_with_alert_rule**
CDC incident created with alert rule

* **ibm_xsoar_priority_changed**
Triggered when CDC incident priority is changed

* **observable_added_to_incident**
Triggered when new observables are added in CDC incident


Sensors

No sensors


Triggers

No triggers


Known Issues

No issues

