The v39.0.226 release of the Resilient SDK brings about a number of new features and improvements. Included with this is the release of its
clone command which represents the finished migration of the command from the resilient-circuits package. Along with this migration, a number of new features are exposed with the clone command to support more flexible cloning of action objects. In this blog we will go through some of the new features and provide some example demonstrations of how to use them.
- Ability to clone more object types (Rule, Function etc)
- Ability to clone one of each object type
- Prefix option to clone multiple objects of various types
- --changetype option to change the object type of a cloned object
Using SDK Clone
To get an idea of what is available with the clone command, a number of example commands are available via the commands help flag:
Will print a description of the command as well as examples of each use case supported by clone.
Cloning multiple object types at once
There are currently 5 object types which are supported by the clone command, 4 of which are new. Each of these can be used individually meaning each
resilient-sdk clone invocation will clone 1 object however these new object types are designed to work together and it is possible to clone one of each type or some combination of supported types with only one command invocation. For example:
resilient-sdk clone --workflow old_workflow_name new_workflow_name -f old_function_name new_function_name -r "Display name of Rule" "New Rule Name" -s "Display name of Script" "New Script Name"
Cloning objects and changing their object type
Certain object types such as Workflows and Rules have immutable object types when they are created, that is to say after cloning an object it is not possible to change its object type after the fact. To enable the ability to clone an object such as a Workflow and change its type, a new command line option
--changetype is exposed when cloning certain object types.
resilient-sdk --rule "Remediate this artifact" "Remediate Artifact attached to case" --changetype incident
This will attempt to clone a Rule named "Remediate this artifact" whose current object type is
artifact and before uploading this cloned object will also change its object type to
Cloning multiple objects of differing types
Some use cases that can be achieved include:
- Mass cloning of a number of action objects
- Backing up the state of multiple objects before modifying them
- Implementing a basic versioning system
A note on versioning
Versioning is something that is desired by larger organizations which may have many analysts and security developers making changes to playbooks and their components. With versioning, when a fatal problem is introduced into one of the SOC's playbooks, downtime on any current or future responses can be minimised. This translates to a better time-to-response.
One way that the prefix flag can be used with the
clone command is to achieve a basic versioning of any supported action object. When executing the
resilient-sdk clone command with a provided prefix, this prefix will be prepended to all the objects that have been selected for cloning. When a new version is created, developers can make changes and perform tests on the cloned version with confidence there will be minimal disruption to uses of the production version of the automation.
resilient-sdk clone -pre v2 -r "Start Remediation" "Finish Remediation" -w ansible_block_ip -f ansible_block_ip ansible_isolate_host ansible_run_scan -m fn_ansible""
The work on clone does not stop here. With this release and its new expanded feature set, undoubtedly new use cases will be uncovered that can be achieved with clone. As these use cases are identified, we want to encourage our community to feel empowered to contribute where they can in making the #Resilient#Featured-area-2
clone command or any part of our new Resilient SDK better.