Overview
Use this integration to manage and orchestrate your IBM Resilient Systems incident response from Demisto.
Configure the IBM Resilient Systems Integration on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for IBM Resilient Systems.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance
- Server URL
- Credentials (either username and password or API key ID and API key secret, see here for more details about API key ID and secret)
- Organization name
- Do not validate server certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Incident type
- Click Test to validate the URLs and token.
Fetched Incidents Data
Need more information.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for incidents: rs-search-incidents
- Update an incident: rs-update-incident
- Get a list of incident members: rs-incident-get-members
- Get incident information: rs-get-incident
- Update information for an incident member: rs-incidents-update-member
- Get a list of users: rs-get-users
- Close an incident: rs-close-incident
- Create an incident: rs-create-incident
- Get artifacts for an incident: rs-incident-artifacts
- Get attachments of an incident: rs-incident-attachments
- Get related incidents: rs-related-incidents
- Get tasks for an incident: rs-incidents-get-tasks
Search for incidents: rs-search-incidents
Search for incidents in your IBM Resilient system.
Command Example
!rs-search-incidents severity=Low,Medium incident-type=CommunicationError
Input
| Parameter | Description |
| --- | --- |
| severity | Incident severity (comma separated) |
| date-created-before | Created date of the incident before a specified date (YYYY-MM-DDTHH:MM:SSZ, for example, 2018-05-07T10:59:07Z) |
| date-created-after | Created date of the incident after a specified date (YYYY-MM-DDTHH:MM:SSZ, for example, 2018-05-07T10:59:07Z) |
| date-created-within-the-last | Created date of the incident within the last time frame (days/hours/minutes). Should be entered as a number, and used with the timeframe argument. |
| timeframe | Time frame to search within for incidents. Should be used with the within-the-last/due-in arguments. |
| date-occurred-within-the-last | Occurred date of the incident within the last time frame (days/hours/minutes). Should be entered as a number, and used with the timeframe argument. |
| date-occurred-before | Occurred date of the incident before a specified date (YYYY-MM-DDTHH:MM:SSZ, for example, 2018-05-07T10:59:07Z) |
| date-occurred-after | Occurred date of the incident after a specified date (YYYY-MM-DDTHH:MM:SSZ, for example, 2018-05-07T10:59:07Z) |
| incident-type | Incident type |
| nist | NIST attack vectors |
| status | Incident status |
| due-in | Due date of the incident within a specific time frame (days/hours/minutes). Should be entered as a number, along with the timeframe argument. |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.CreateDate | Created date of the incident |
| Resilient.Incidents.Name | Incident name |
| Resilient.Incidents.DiscoveredDate | Discovered date of the incident |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Phase | Incident phase |
| Resilient.Incidents.Severity | Incident severity |
| Resilient.Incidents.Description | Incident description |
Raw Output
DiscoveredDate:2018-05-18T08:49:38Z Id:2112 Name:Incident Name Owner:Owner Name Phase:Respond Severity:Low
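The search arguments above carry rules that are easy to get wrong from an automation: absolute dates must be in the YYYY-MM-DDTHH:MM:SSZ form, the relative arguments (date-created-within-the-last, date-occurred-within-the-last, due-in) must be whole numbers paired with timeframe, and timeframe does nothing on its own. The helper below is an added example, not code from the Demisto IBM Resilient integration; it validates and normalizes an argument dictionary against those documented rules and renders it as the War Room command line. The argument names are the documented ones; the helper names, and the assumption that timeframe accepts the values days, hours and minutes, are this example's own.

```python
"""Build and validate arguments for rs-search-incidents before issuing the command.

Added example (not part of the Demisto IBM Resilient integration). Encodes the
argument rules documented for the command so that mistakes surface before the
command runs rather than as an empty or failed search.
"""
import re
from datetime import datetime, timezone

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
# Assumed spelling of the timeframe values (the table says days/hours/minutes).
TIMEFRAMES = ("days", "hours", "minutes")

ABSOLUTE_DATE_ARGS = ("date-created-before", "date-created-after",
                      "date-occurred-before", "date-occurred-after")
RELATIVE_ARGS = ("date-created-within-the-last",
                 "date-occurred-within-the-last", "due-in")
LIST_ARGS = ("severity",)  # passed comma separated on the command line


def to_resilient_date(dt):
    """Render a datetime in the YYYY-MM-DDTHH:MM:SSZ form the command expects.

    Aware datetimes are converted to UTC first; naive ones are assumed UTC.
    """
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime(DATE_FMT)


def validate_search_args(args):
    """Return a dict of string arguments ready for rs-search-incidents.

    Raises ValueError for any documented constraint the caller violated.
    """
    out = {}
    for key, value in args.items():
        if key in LIST_ARGS and isinstance(value, (list, tuple)):
            value = ",".join(str(v).strip() for v in value)
        elif key in ABSOLUTE_DATE_ARGS:
            if isinstance(value, datetime):
                value = to_resilient_date(value)
            elif not DATE_RE.match(str(value)):
                raise ValueError(f"{key} must be YYYY-MM-DDTHH:MM:SSZ, got {value!r}")
        elif key in RELATIVE_ARGS:
            if not str(value).isdigit() or int(value) <= 0:
                raise ValueError(f"{key} must be a positive whole number, got {value!r}")
        elif key == "timeframe" and value not in TIMEFRAMES:
            raise ValueError(f"timeframe must be one of {TIMEFRAMES}, got {value!r}")
        out[key] = str(value)

    has_relative = any(k in out for k in RELATIVE_ARGS)
    if has_relative and "timeframe" not in out:
        raise ValueError("within-the-last and due-in arguments require timeframe")
    if "timeframe" in out and not has_relative:
        raise ValueError("timeframe has no effect without a within-the-last or due-in argument")
    return out


def to_cli_line(args):
    """Render validated arguments as the War Room command line."""
    parts = ["!rs-search-incidents"]
    for key, value in args.items():
        # Values containing spaces must be quoted on the Demisto CLI.
        parts.append(f'{key}="{value}"' if " " in value else f"{key}={value}")
    return " ".join(parts)


if __name__ == "__main__":
    since = datetime(2018, 5, 7, 10, 59, 7, tzinfo=timezone.utc)
    print(to_cli_line(validate_search_args({
        "severity": ["Low", "Medium"],
        "incident-type": "CommunicationError",
        "date-created-after": since,
    })))
```

Keeping the validation in one place means a playbook that computes a lookback window (a datetime object) and a playbook that passes a literal string both end up with the same normalized, checked argument set.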
Update an incident: rs-update-incident
Update an incident in your IBM Resilient system.
Command Example
!rs-update-incident incident-id=2222 severity=High incident-type=Malware
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to update |
| severity | Severity to update |
| owner | User's full name to set as the incident owner |
| incident-type | Incident type (added to the current list of incident types) |
| resolution | Incident resolution |
| resolution-summary | Incident resolution summary |
| description | Incident description |
| name | Incident name |
| nist | NIST attack vectors (added to the current list of NIST attack vectors) |
Context Output
There is no context output for this command.
Raw Output
Incident was updated successfully.
Get a list of incident members: rs-incident-get-members
Get a list of members associated with the incident.
Command Example
!rs-incidents-get-members incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to get members of |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Members.FirstName | Member's first name |
| Resilient.Incidents.Members.LastName | Member's last name |
| Resilient.Incidents.Members.ID | Member's ID |
| Resilient.Incidents.Members.Email | Member's email address |
Raw Output
[ { Email:user1@mail.com FirstName:User1First ID:4 LastName:User1Last }, { Email:demisto@demisto.com FirstName:Demisto ID:1 LastName:Demisto } ]
Get incident information: rs-get-incident
Get information for an incident.
Command Example
!rs-get-incident incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to get information for |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.CreateDate | Created date of the incident |
| Resilient.Incidents.Name | Incident name |
| Resilient.Incidents.Resolution | Incident resolution |
| Resilient.Incidents.DiscoveredDate | Discovered date of the incident |
| Resilient.Incidents.ResolutionSummary | Incident resolution summary |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Phase | Incident phase |
| Resilient.Incidents.Severity | Incident severity |
| Resilient.Incidents.Description | Incident description |
| Resilient.Incidents.Confirmed | Incident confirmation |
| Resilient.Incidents.NegativePr | Negative PR likelihood |
| Resilient.Incidents.DateOccurred | Date the incident occurred |
| Resilient.Incidents.Reporter | Name of the reporting individual |
| Resilient.Incidents.NistAttackVectors | Incident NIST attack vectors |
Raw Output
{ Confirmed:false CreatedDate:2018-05-22T23:47:25Z DateOccurred:2018-03-30T04:00:00Z Description:Desciprion DiscoveredDate:2018-05-01T04:00:00Z DueDate:2018-05-31T04:00:00Z ExposureType:Individual Id:2111 Name:Incident name NegativePr:true NistAttackVectors:External/RemovableMedia Owner:Owner name Phase:Initial Reporter:Reporter name Resolution:Unresolved ResolutionSummary:summary Severity:Low }
Update information for an incident member: rs-incidents-update-member
Update information for a member associated with an incident.
Command Example
!rs-incidents-update-member incident-id=2111 members=1
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID whose members to update |
| members | Member IDs to set (comma separated) |
Context Output
There is no context output for this command.
Raw Output
Email:demisto@demisto.com FirstName:Demisto ID:1 LastName:Demisto
Get a list of users: rs-get-users
Returns a list of users in the IBM Resilient system.
Command Example
!rs-get-users
Input
There is no input for this command.
Context Output
There is no context output for this command.
Raw Output
[ { Email:demistodev@demisto.com FirstName:Demisto ID:3 LastName:Developer }, { Email:demisto@demisto.com FirstName:Demisto ID:1 LastName:Demisto } ]
Close an incident: rs-close-incident
Close an incident in the IBM Resilient system.
Command Example
!rs-close-incident incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | ID of the incident to close |
Context Output
There is no context output for this command.
Raw Output
Incident 2111 was closed.
Create an incident: rs-create-incident
Create an incident in the IBM Resilient system.
Command Example
!rs-create-incident name=IncidentName
Input
| Parameter | Description |
| --- | --- |
| name | Incident name |
Context Output
There is no context output for this command.
Raw Output
Incident was created.
Get artifacts for an incident: rs-incident-artifacts
Return artifacts for an incident in the IBM Resilient system.
Command Example
!rs-incident-artifacts incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to get artifacts for |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Name | Incident name |
| Resilient.Incidents.Artifacts.CreatedDate | Artifact created date |
| Resilient.Incidents.Artifacts.Creator | Artifact creator |
| Resilient.Incidents.Artifacts.Description | Artifact description |
| Resilient.Incidents.Artifacts.ID | Artifact ID |
| Resilient.Incidents.Artifacts.Type | Artifact type |
| Resilient.Incidents.Artifacts.Value | Artifact value |
| Resilient.Incidents.Artifacts.Attachments.ContentType | Attachment content type |
| Resilient.Incidents.Artifacts.Attachments.CreatedDate | Attachment created date |
| Resilient.Incidents.Artifacts.Attachments.Creator | Attachment creator |
| Resilient.Incidents.Artifacts.Attachments.ID | Attachment ID |
| Resilient.Incidents.Artifacts.Attachments.Name | Attachment name |
| Resilient.Incidents.Artifacts.Attachments.Size | Attachment size |
Raw Output
{ "Attachments": { "ContentType":"application/json", "CreatedDate":"2018-05-27T06:54:53Z", "Creator":"CreatorName", "ID":"4", "Name":"artifact.json", "Size":"3627" }, { "CreatedDate":"2018-05-27T06:54:53Z", "Creator":"CreatorName", "ID":"5", "Type":"Email Attachment", "Value":"artifact.json" } }
Get attachments of an incident: rs-incident-attachments
Return attachments for an incident in the IBM Resilient system.
Command Example
!rs-incident-attachments incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to get attachments for |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Name | Incident name |
| Resilient.Incidents.Owner | Incident owner |
| Resilient.Incidents.Attachments.ContentType | Attachment content type |
| Resilient.Incidents.Attachments.CreatedDate | Attachment created date |
| Resilient.Incidents.Attachments.Creator | Attachment creator |
| Resilient.Incidents.Attachments.ID | Attachment ID |
| Resilient.Incidents.Attachments.Name | Attachment name |
| Resilient.Incidents.Attachments.Size | Attachment size |
Raw Output
{ "ContentType":"image/png", "CreatedDate":"2018-05-28T06:40:28Z", "Creator":"CreatorName", "ID":"7", "Name":"image.png", "Size":"4491" }
Get related incidents: rs-related-incidents
Get incidents related to a specified incident in the IBM Resilient system.
Command Example
!rs-related-incidents incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to get related incidents for |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Related.CreatedDate | Created date of the related incident |
| Resilient.Incidents.Related.Name | Name of the related incident |
| Resilient.Incidents.Related.ID | ID of the related incident |
| Resilient.Incidents.Related.Status | Status (Active/Closed) of the related incident |
| Resilient.Incidents.Related.Artifacts.CreatedDate | Created date of the artifact |
| Resilient.Incidents.Related.Artifacts.ID | ID of the artifact |
| Resilient.Incidents.Related.Artifacts.Creator | Creator of the artifact |
Raw Output
[ { "Artifacts":[ { "CreatedDate":"2018-05-27T06:26:37Z", "Creator":"v", "ID":3 }, { "CreatedDate":"2018-05-27T06:29:49Z", "Creator":"CreatorName", "Description":"atta", "ID":"4" }, { "CreatedDate":"2018-04-27T23:01:10Z", "ID":2095, "Name":"test Incident 1 - Email", "Status":"Active" } ] ]
Get tasks for an incident: rs-incidents-get-tasks
Get tasks for an incident in the IBM Resilient system.
Command Example
!rs-incidents-get-tasks incident-id=2111
Input
| Parameter | Description |
| --- | --- |
| incident-id | Incident ID to get tasks for |
Context Output
| Path | Description |
| --- | --- |
| Resilient.Incidents.Id | Incident ID |
| Resilient.Incidents.Name | Incident name |
| Resilient.Incidents.Tasks.Category | Task category |
| Resilient.Incidents.Tasks.Creator | Task creator |
| Resilient.Incidents.Tasks.DueDate | Task due date |
| Resilient.Incidents.Tasks.Form | Task form |
| Resilient.Incidents.Tasks.ID | Task ID |
| Resilient.Incidents.Tasks.Name | Task name |
| Resilient.Incidents.Tasks.Required | Whether the task is required |
| Resilient.Incidents.Tasks.Status | Task status (Open/Closed) |
Raw Output
[ { "Category":"Initial" "Creator":"CreatorName" DueDate:2018-05-31T04:00:00Z ID:2251303 Name:task Required:true Status:Open }, { Category:Respond Creator:CreatorName DueDate:2018-05-15T04:00:00Z Form:data_compromised ID:2251302 Instructions:It is critical to determine whether personal information was foreseeably compromised or exposed. If so, this will drive a series of activities based on a myriad of breach notification regulations. Perform the necessary research to determine whether any personal information was possibly exposed to unauthorized individuals and update the value of the Data Compromised field and the information on the Incident Breach Information tab above or on the Details tab on the incident. Name:Investigate exposure of PI Required:true Status:Closed } ]
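A common use of the task context is to flag required tasks that are still open after their due date, so a playbook can escalate before the incident misses a notification deadline. The script below is an added example, not code from the Demisto IBM Resilient integration. It assumes the context shape documented above (Resilient.Incidents entries with Id, Name and a Tasks list whose items carry ID, Name, DueDate as YYYY-MM-DDTHH:MM:SSZ, Required and Status as Open/Closed); the sample incident is constructed from the raw output shown, with extra tasks added to exercise the optional, undated and not-yet-due cases, and the helper names are this example's own.

```python
"""Flag required tasks that are still open past their due date.

Added example (not part of the Demisto IBM Resilient integration). Works on an
incident in the documented Resilient.Incidents context shape.
"""
from datetime import datetime, timezone

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_resilient_date(value):
    """Parse a YYYY-MM-DDTHH:MM:SSZ string into an aware UTC datetime."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def is_truthy(flag):
    """Required is a bool in context but may appear as the text 'true' in raw output."""
    return str(flag).lower() == "true"


def overdue_required_tasks(incident, now):
    """Return open, required tasks whose DueDate is before `now`, most overdue first.

    Tasks without a DueDate cannot be overdue and are skipped.
    """
    found = []
    for task in incident.get("Tasks", []):
        if task.get("Status") != "Open" or not is_truthy(task.get("Required")):
            continue
        due = task.get("DueDate")
        if not due:
            continue
        due_at = parse_resilient_date(due)
        if due_at < now:
            found.append({
                "IncidentId": incident["Id"],
                "TaskId": task["ID"],
                "Name": task["Name"],
                "OverdueHours": int((now - due_at).total_seconds() // 3600),
            })
    found.sort(key=lambda t: t["OverdueHours"], reverse=True)
    return found


# Constructed sample in the documented context shape (not real Resilient data).
# The first two tasks mirror the raw output above; the rest are edge cases.
SAMPLE_INCIDENT = {
    "Id": 2111,
    "Name": "Incident name",
    "Tasks": [
        {"Category": "Initial", "Creator": "CreatorName", "DueDate": "2018-05-31T04:00:00Z",
         "ID": 2251303, "Name": "task", "Required": True, "Status": "Open"},
        {"Category": "Respond", "Creator": "CreatorName", "DueDate": "2018-05-15T04:00:00Z",
         "Form": "data_compromised", "ID": 2251302, "Name": "Investigate exposure of PI",
         "Required": True, "Status": "Closed"},
        # Open and required, and even more overdue than 2251303: sorts first.
        {"Category": "Respond", "Creator": "CreatorName", "DueDate": "2018-05-20T04:00:00Z",
         "ID": 2251307, "Name": "Notify regulator", "Required": True, "Status": "Open"},
        # Open but optional: not reported.
        {"Category": "Respond", "Creator": "CreatorName", "DueDate": "2018-05-01T04:00:00Z",
         "ID": 2251304, "Name": "Optional follow-up", "Required": False, "Status": "Open"},
        # Open and required but with no due date: cannot be overdue.
        {"Category": "Respond", "Creator": "CreatorName", "DueDate": "",
         "ID": 2251305, "Name": "Undated task", "Required": True, "Status": "Open"},
        # Open and required, but not yet due at the reference time used below.
        {"Category": "Respond", "Creator": "CreatorName", "DueDate": "2018-07-01T04:00:00Z",
         "ID": 2251306, "Name": "Future task", "Required": "true", "Status": "Open"},
    ],
}


def report(incident, now):
    """Return one line per overdue task, suitable for a War Room note."""
    return [f"Incident {t['IncidentId']}: task {t['TaskId']} '{t['Name']}' "
            f"overdue by {t['OverdueHours']}h"
            for t in overdue_required_tasks(incident, now)]


if __name__ == "__main__":
    for line in report(SAMPLE_INCIDENT, datetime(2018, 6, 10, tzinfo=timezone.utc)):
        print(line)
```

The reference time is passed in rather than read from the clock so the check is deterministic in tests and so a playbook can evaluate "as of" a fetch timestamp rather than the moment the automation happened to run.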