IBM Resilient 1.7.1
  • 03 Feb 2023
  • 2 Minutes to read
  • Dark
    Light
  • PDF

IBM Resilient 1.7.1

  • Dark
    Light
  • PDF

Article Summary

tags: Python | IBM SOAR | Resilient | Automation | Incident | Task


Description

IBM SOAR automation is created to support CDC users by automating the creation of incident, update incident, close incident, add attachments to incident, and create tasks under incidents - on the IBM SOAR platform.

This is a bi-directional automation that supports the third party analyst to create an alert and incident in the CDC.

IBM Security™ SOAR, formerly Resilient, is designed to help Security teams respond to cyber threats with confidence, automate with intelligence, and collaborate with consistency. It codifies established incident response processes into dynamic playbooks to resolve incidents.

CyberProof provides CLI commands to cater to different user actions from CDC to IBM SOAR, such as:

• Create Incident
• Create Task
• Add Attachments

While creating incidents, CDC observables are mapped to the artifacts of IBM SOAR. Unmapped observables from the CDC are mapped to the Notes section in incidents of IBM SOAR.

CyberProof also provides a task creation for incidents, using a custom input adaptive card form.

Integration Type:SOAR
Information read:Incident and Task Details
API Supported:Custom API
Input:CDC Incident, Attachment, Task details
Output:Incident created, updated, closed and Task created in IBM SOAR

Customer Configuration

No customer configuration


CDC Command Lines

* **create_incident_in_ibm_soar_cli**
Workflow for the creation of incidents in IBM XSOAR.

OptionTypeDescriptionRequired

* **create_task_cli**
Creates a task with given details.

OptionTypeDescriptionRequired
task_namestringThe name of the task to be createdTrue
phasestringThe phase of the task.False
ownerstringThe owner of the task.False
due_datestringThe due date of the task.False
due_timestringThe due time of the task.False
privatebooleanThe task ID - private or not.False
instructionsstringThe instructions for the task.False

* **add_task_form_cli**
Populates a form to add a task in an incident.

OptionTypeDescriptionRequired

* **send_attachments_to_ibm_soar_cli**
Sends CDC files to IBM XSOAR attachments.

OptionTypeDescriptionRequired
file_idsarrayFile IDs from the CDC.True

Workflows

* **observable_added_in_incident**
Observables added or alerts added in the incident.

* **observable_artifact_mapping_subworkflow**
Workflow for mapping CDC observables to IBM_XSAOR artifacts.

* **priority_changed**
Priority changed for a CDC incident.

* **get_cdc_incident_details_with_external_id**
Workflow to get CDC incident details, and an external ID that can be reused.

* **close_incident_in_ibm_xsoar**
Workflow for closing an incident in IBM XSOAR. If the incident does not exist, then create and close.

* **automatic_incident_creation_in_ibm_xsoar**
Workflow for the creation of an incident in IBM XSOAR.

* **cdc_incident_created_with_alert**
Workflow for checking and mapping incident data with IBM incidents.

* **post_send_attachments_to_ibm_soar**
Post send-attachments-to-ibm-soar in the CDC, by the ID of the incident/message/channel.

* **cdc_to_ibm_soar_mapping_workflow**
Workflow for the mapping of CDC incident data to Artifact Incident data.

* **send_attachments_to_ibm_soar**
Sends attachments to IBM XSOAR.

* **post_create_task**
Post create-task in the CDC, by the ID of the incident/message/channel.

* **get_cdc_alert_data**
Workflow for fetching alert data of the first alert.

* **send_attachments**
Sends attachments.

* **create_incident_in_ibm_soar**
Workflow for the creation of incidents in IBM XSOAR.

* **post_create_task_from_form**
Post create-task-from-form in the CDC, by the ID of the incident/message/channel.


Rules

* **ibm_xsoar_close_incident_rule**
IBM XSOAR close incident rule.

* **create_incident_by_priority_rule**
Create incident by priority rule.

* **cdc_incident_created_with_alert_rule**
CDC incident created with alert rule.

* **ibm_xsoar_priority_changed**
Triggered when a CDC incident priority is changed.

* **observable_added_to_incident**
Triggered when new observables are added in a CDC incident.


Sensors

No sensors


Triggers

No triggers


Known Issues

No known issues


Was this article helpful?