IBM Resilient 1.7.1
- Updated on 03 Feb 2023
tags: Python | IBM SOAR | Resilient | Automation | Incident | Task
Description
The IBM SOAR automation supports CDC users by automating the creation, update and closure of incidents, the addition of attachments to incidents, and the creation of tasks under incidents on the IBM SOAR platform.
This is a bi-directional automation: it also lets a third-party analyst create an alert and an incident in the CDC.
IBM Security™ SOAR, formerly Resilient, is designed to help Security teams respond to cyber threats with confidence, automate with intelligence, and collaborate with consistency. It codifies established incident response processes into dynamic playbooks to resolve incidents.
CyberProof provides CLI commands to cater to different user actions from CDC to IBM SOAR, such as:
• Create Incident
• Create Task
• Add Attachments
While creating incidents, CDC observables are mapped to the artifacts of IBM SOAR. Unmapped observables from the CDC are mapped to the Notes section in incidents of IBM SOAR.
CyberProof also provides task creation for incidents, using a custom input adaptive card form.
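As an added illustration of the mapping rule described above (example code, not CyberProof's own), the function below sorts CDC observables into IBM SOAR artifact entries by type and collects any observable with no artifact mapping into note text. The observable type names, the artifact type names and the dict shapes are assumptions, not taken from the page.

```python
from typing import Dict, List, Tuple

# Assumed mapping from CDC observable types to IBM SOAR artifact type names (placeholders, not from the page).
OBSERVABLE_TO_ARTIFACT: Dict[str, str] = {
    "ip": "IP Address",
    "domain": "DNS Name",
    "url": "URL",
    "md5": "Malware MD5 Hash",
    "sha256": "Malware SHA-256 Hash",
    "email": "Email Sender",
}

def map_observables(observables: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], str]:
    """Split CDC observables into SOAR artifacts plus a note listing the unmapped rest.

    Each observable is a dict with "type" and "value" (assumed CDC shape). Observables
    whose type has no artifact mapping go into the note text, so nothing recorded in
    the CDC is silently dropped. Returns (artifacts, note_text).
    """
    artifacts: List[Dict[str, str]] = []
    unmapped: List[str] = []
    seen = set()  # de-duplicate (type, value) pairs so repeated observables do not create repeated artifacts
    for obs in observables:
        obs_type = obs.get("type", "").strip().lower()
        value = obs.get("value", "").strip()
        if not value:
            continue  # an observable with no value carries no information
        key = (obs_type, value)
        if key in seen:
            continue
        seen.add(key)
        artifact_type = OBSERVABLE_TO_ARTIFACT.get(obs_type)
        if artifact_type:
            artifacts.append({"type": artifact_type, "value": value})
        else:
            unmapped.append(f"{obs_type or 'unknown'}: {value}")
    note_text = "Unmapped CDC observables:\n" + "\n".join(unmapped) if unmapped else ""
    return artifacts, note_text

# Constructed sample observables, shaped as they might arrive from a CDC incident.
SAMPLE_OBSERVABLES = [
    {"type": "ip", "value": "198.51.100.23"},
    {"type": "IP", "value": "198.51.100.23 "},  # duplicate differing only in case and whitespace
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "hostname", "value": "ws-0421"},  # no artifact mapping: goes to the note
    {"type": "user", "value": ""},  # empty value: skipped
]
```

Calling `map_observables(SAMPLE_OBSERVABLES)` yields two artifacts (the IP and the hash) and a note carrying the hostname, which is the split the integration performs between Artifacts and Notes.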
Field | Value |
---|---|
Integration Type | SOAR |
Information read | Incident and Task Details |
API Supported | Custom API |
Input | CDC Incident, Attachment, Task details |
Output | Incident created, updated, closed and Task created in IBM SOAR |
Customer Configuration
No customer configuration
CDC Command Lines
* **create_incident_in_ibm_soar_cli**
Workflow for the creation of incidents in IBM XSOAR.
Option | Type | Description | Required |
---|---|---|---|
* **create_task_cli**
Creates a task with given details.
Option | Type | Description | Required |
---|---|---|---|
task_name | string | The name of the task to be created | True |
phase | string | The phase of the task. | False |
owner | string | The owner of the task. | False |
due_date | string | The due date of the task. | False |
due_time | string | The due time of the task. | False |
private | boolean | Whether the task is private or not. | False |
instructions | string | The instructions for the task. | False |
* **add_task_form_cli**
Populates a form to add a task in an incident.
Option | Type | Description | Required |
---|---|---|---|
* **send_attachments_to_ibm_soar_cli**
Sends CDC files to IBM XSOAR attachments.
Option | Type | Description | Required |
---|---|---|---|
file_ids | array | File IDs from the CDC. | True |
Workflows
* **observable_added_in_incident**
Runs when observables or alerts are added to the incident.
* **observable_artifact_mapping_subworkflow**
Workflow for mapping CDC observables to IBM XSOAR artifacts.
* **priority_changed**
Priority changed for a CDC incident.
* **get_cdc_incident_details_with_external_id**
Workflow to get CDC incident details, and an external ID that can be reused.
* **close_incident_in_ibm_xsoar**
Workflow for closing an incident in IBM XSOAR. If the incident does not exist, it is created and then closed.
* **automatic_incident_creation_in_ibm_xsoar**
Workflow for the creation of an incident in IBM XSOAR.
* **cdc_incident_created_with_alert**
Workflow for checking and mapping incident data with IBM incidents.
* **post_send_attachments_to_ibm_soar**
Posts the send-attachments-to-ibm-soar result in the CDC, addressed by the ID of the incident, message or channel.
* **cdc_to_ibm_soar_mapping_workflow**
Workflow for the mapping of CDC incident data to Artifact Incident data.
* **send_attachments_to_ibm_soar**
Sends attachments to IBM XSOAR.
* **post_create_task**
Posts the create-task result in the CDC, addressed by the ID of the incident, message or channel.
* **get_cdc_alert_data**
Workflow for fetching alert data of the first alert.
* **send_attachments**
Sends attachments.
* **create_incident_in_ibm_soar**
Workflow for the creation of incidents in IBM XSOAR.
* **post_create_task_from_form**
Posts the create-task-from-form result in the CDC, addressed by the ID of the incident, message or channel.
Rules
* **ibm_xsoar_close_incident_rule**
IBM XSOAR close incident rule.
* **create_incident_by_priority_rule**
Create incident by priority rule.
* **cdc_incident_created_with_alert_rule**
CDC incident created with alert rule.
* **ibm_xsoar_priority_changed**
Triggered when a CDC incident priority is changed.
* **observable_added_to_incident**
Triggered when new observables are added in a CDC incident.
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues