IBM Resilient 1.7.0
  • 15 Dec 2022

tags: Python | IBM SOAR | Resilient | Automation | Incident | Task


Description

The IBM SOAR automation supports CDC users by automating incident creation, incident update, incident closure, adding attachments to an incident, and creating tasks under an incident on the IBM SOAR platform.

The automation is bi-directional: it also supports third-party analysts creating alerts and incidents in the CDC.

IBM Security™ SOAR, formerly Resilient, is designed to help Security teams respond to cyber threats with confidence, automate with intelligence, and collaborate with consistency. It codifies established incident response processes into dynamic playbooks to resolve incidents.

CyberProof provides CLI commands for the user actions that flow from the CDC to IBM SOAR:

• Create Incident

• Create Task

• Add Attachments

While creating incidents, CDC observables are mapped to IBM SOAR artifacts. Observables with no artifact mapping are written to the Notes section of the IBM SOAR incident instead.
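The mapping step described above, as an added example that is not CyberProof's or IBM's code. It assumes CDC observables arrive as dicts with `type` and `value` keys and the type names in the table below, and that IBM SOAR artifact type names ("IP Address", "DNS Name", ...) and the artifact and Notes (comment) JSON bodies follow the Resilient REST API; verify both against your own SOAR instance before use. The sample observables are constructed, not real alert data.

```python
"""Map CDC observables to IBM SOAR artifacts, with a Notes fallback for the rest.

Added example (not CyberProof's or IBM's code). Assumptions not on the page:
 - CDC observables are dicts with "type" and "value" keys using the type names
   in OBSERVABLE_TO_ARTIFACT;
 - IBM SOAR artifact type names and the artifact / comment bodies follow the
   Resilient REST API as the author recalls it (check /rest/orgs/{org}/types).
"""
from __future__ import annotations

from typing import Any

# CDC observable type -> IBM SOAR artifact type name (assumed names, see docstring).
OBSERVABLE_TO_ARTIFACT: dict[str, str] = {
    "ip": "IP Address",
    "domain": "DNS Name",
    "url": "URL",
    "md5": "Malware MD5 Hash",
    "sha1": "Malware SHA-1 Hash",
    "sha256": "Malware SHA-256 Hash",
    "email": "Email Sender",
    "filename": "File Name",
}

# Constructed sample input: what a CDC incident might hand to the workflow.
SAMPLE_OBSERVABLES: list[dict[str, Any]] = [
    {"type": "ip", "value": "203.0.113.7"},
    {"type": "IP", "value": "203.0.113.7"},          # same observable, different case
    {"type": "domain", "value": "example.net"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "registry_key", "value": r"HKLM\Software\Example"},  # no artifact type -> Notes
    {"type": "url", "value": ""},                                  # empty value -> Notes
]


def build_artifact(observable: dict[str, Any]) -> dict[str, Any] | None:
    """Return an IBM SOAR artifact body for a mappable observable, else None."""
    obs_type = str(observable.get("type", "")).lower()
    value = str(observable.get("value", "")).strip()
    artifact_type = OBSERVABLE_TO_ARTIFACT.get(obs_type)
    if artifact_type is None or not value:
        return None
    return {
        "type": artifact_type,
        "value": value,
        # Plain-text description: observable values come from alert data and
        # must not be rendered as HTML in the SOAR UI.
        "description": {"format": "text",
                        "content": f"Imported from CDC observable ({obs_type})"},
    }


def map_observables(
    observables: list[dict[str, Any]],
) -> tuple[list[dict[str, Any]], dict[str, Any] | None]:
    """Split observables into artifact bodies and one Notes body for the rest.

    Returns (artifacts, note); note is None when every observable was mapped.
    Duplicate (type, value) pairs are collapsed so the same artifact is not
    posted twice when one observable appears in several alerts.
    """
    artifacts: list[dict[str, Any]] = []
    seen: set[tuple[str, str]] = set()
    unmapped: list[str] = []
    for obs in observables:
        artifact = build_artifact(obs)
        if artifact is None:
            unmapped.append(f"{obs.get('type', '?')}: {obs.get('value', '')}")
            continue
        key = (artifact["type"], artifact["value"])
        if key in seen:
            continue
        seen.add(key)
        artifacts.append(artifact)

    note = None
    if unmapped:
        # One Notes entry listing everything that had no artifact mapping,
        # again as plain text rather than HTML.
        note = {"text": {"format": "text",
                         "content": "Unmapped CDC observables:\n" + "\n".join(unmapped)}}
    return artifacts, note


if __name__ == "__main__":
    arts, note = map_observables(SAMPLE_OBSERVABLES)
    for a in arts:
        print(f"artifact {a['type']}: {a['value']}")
    if note:
        print(note["text"]["content"])
```

The artifact bodies would be posted to the incident's artifacts endpoint and the note to its comments endpoint; both are sent with the plain-text format so that attacker-influenced observable values (URLs, file names) are never interpreted as markup by the SOAR UI.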

CyberProof also provides task creation for incidents through a custom Adaptive Card input form.

| Field | Value |
|---|---|
| Integration Type | SOAR |
| Information read | Incident and Task Details |
| API Supported | Custom API |
| Input | CDC Incident, Attachment, Task Details |
| Output | Incident created, updated, closed and task created in IBM SOAR |

Customer Configuration

No Customer Configuration


CDC Command Lines

* **create_incident_in_ibm_soar_cli**
Workflow for the creation of incidents in IBM SOAR.

Options: none.

* **create_task_cli**
Creates a task with the given details.

| Option | Type | Description | Required |
|---|---|---|---|
| task_name | string | The name of the task to be created. | True |
| phase | string | The phase of the task. | False |
| owner | string | The owner of the task. | False |
| due_date | string | The due date of the task. | False |
| due_time | string | The due time of the task. | False |
| private | boolean | Whether the task is private. | False |
| instructions | string | The instructions for the task. | False |

* **add_task_form_cli**
Populates a form to add a task in an incident.

Options: none.

* **send_attachments_to_ibm_soar_cli**
Sends CDC files to IBM SOAR as incident attachments.

| Option | Type | Description | Required |
|---|---|---|---|
| file_ids | array | File IDs from the CDC. | True |

Workflows

* **observable_added_in_incident**
Runs when an observable or an alert is added to the CDC incident.

* **observable_artifact_mapping_subworkflow**
Sub-workflow for mapping a CDC observable to IBM SOAR artifacts.

* **priority_changed**
Runs when the priority of a CDC incident changes.

* **get_cdc_incident_details_with_external_id**
Gets the CDC incident details together with the external ID, so that other workflows can reuse them.

* **close_incident_in_ibm_xsoar**
Closes an incident in IBM SOAR. If the incident does not exist yet, it is created and then closed.

* **automatic_incident_creation_in_ibm_xsoar**
Creates an incident in IBM SOAR automatically.

* **cdc_incident_created_with_alert**
Checks the CDC incident data and maps it to an IBM SOAR incident.

* **post_send_attachments_to_ibm_soar**
Posts the result of send_attachments_to_ibm_soar back to the CDC, addressed by incident, message or channel ID.

* **cdc_to_ibm_soar_mapping_workflow**
Maps CDC incident data to IBM SOAR incident and artifact data.

* **send_attachments_to_ibm_soar**
Sends attachments to IBM SOAR.

* **post_create_task**
Posts the result of create_task back to the CDC, addressed by incident, message or channel ID.

* **get_cdc_alert_data**
Fetches the alert data of the first alert in the incident.

* **send_attachments**
Sends attachments.

* **create_incident_in_ibm_soar**
Creates an incident in IBM SOAR.

* **post_create_task_from_form**
Posts the result of create_task_from_form back to the CDC, addressed by incident, message or channel ID.


Rules

* **ibm_xsoar_close_incident_rule**
IBM SOAR close-incident rule.

* **create_incident_by_priority_rule**
Rule for creating an incident based on priority.

* **cdc_incident_created_with_alert_rule**
Rule for a CDC incident created together with an alert.

* **ibm_xsoar_priority_changed**
Triggered when the priority of a CDC incident changes.

* **observable_added_to_incident**
Triggered when new observables are added to a CDC incident.


Sensors

No sensors


Triggers

No triggers


Known Issues

No known issues

