IBM Security QRadar SOAR


Multiple Organizations app.config resilient configurations

  • 1.  Multiple Organizations app.config resilient configurations

    Posted Fri February 21, 2020 06:25 AM
    Hello,

    I'm using Resilient for multiple organizations (MSSP). I want to know what to put in the configuration file 'app.config':

    [resilient]
    # Basic service connection
    host=resilient.*****
    port=443

    # Use (api_key_id, api_key_secret)
    #api_key_id=ApiKeyId
    #api_key_secret=ApiKeySecret
    # Or (email, password)
    email=asabri@********
    password=*********

    org={Should i put the configuration organization here}

    # Actions Module connection
    #stomp_port=65001

    # Directory containing additional components to load
    # componentsdir=components
    # Existing directory to write logs to, or set with $APP_LOG_DIR
    logdir=/tmp
    logfile=app.log
    loglevel=DEBUG


    Thank you

    ------------------------------
    Ayman Sabri
    ------------------------------


  • 2.  RE: Multiple Organizations app.config resilient configurations

    Posted Mon February 24, 2020 02:16 AM
    Hi Ayman,

    Please take a look at the Integration Server guide https://www.ibm.com/support/knowledgecenter/SSBRUQ_36.0.0/doc/Integration_Server/mssp_deploy.html for more information.

    In short, you need to reference the configuration org to install your apps/functions to the configuration org (resilient-circuits customize) but this instance of Resilient Circuits is only really to be used when adding/removing/updating these apps/functions so that they can be pushed down to the child orgs.

    You also need an instance of Resilient Functions for each child org as these instances are what will run the specific apps/functions when you call rules/workflow in the child orgs. In each instance you need to install the same apps/functions but you do not run resilient-circuits customize.

    If you search within the community you will find some other pages where this has been asked, for example https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=9b298549-795f-4242-a296-5644cfbc3044&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer#bm9b298549-795f-4242-a296-5644cfbc3044

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 3.  RE: Multiple Organizations app.config resilient configurations

    Posted Tue February 25, 2020 09:28 AM
    Hello, 

    I still have one question: I should install functions in the configuration organization and push the config to all child orgs, and then configure resilient circuits on each child org, then the functions will work?

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 4.  RE: Multiple Organizations app.config resilient configurations

    Posted Tue February 25, 2020 10:20 AM
    Hi Ayman,

    Yes. The instance that points to the configuration org will "push" (resilient-circuits customize) to the configuration org. This org will config push to the child orgs.

    You then need to have an instance of Resilient Circuits for each child org and these instances will NOT run resilient-circuits customize but they will run the calls to the functions and apps when they are triggered in the child orgs.

    Hope that makes sense.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 5.  RE: Multiple Organizations app.config resilient configurations

    Posted Tue February 25, 2020 12:18 PM
    Hi Williams,

    Sorry but I need more help. Let's see an example:

    I have a configuration org called configORG, and a child org called childORG.
    I need to install resilient circuits for the configORG and configure the app.config, then install my functions and run customize and push the configuration to childORG.
    Now in the virtual environment, I need to install resilient circuits, "without installing the functions? or should I install the functions also in the childORG?", and configure the app.config, then run circuits.

    So the resilient circuits should be run in both the configORG and childORG (without running customize in the child) and the functions of childORG should work, right?

    Thank you so much for the help (y)

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 6.  RE: Multiple Organizations app.config resilient configurations

    Posted Tue February 25, 2020 01:13 PM
    Hi Ayman,

    "Now in the virtual environment, I need to install resilient circuits, "without installing the functions? or should I install the functions also in the childORG?", and configure the app.config then run circuits."

    You need to install the functions as you have for the instance pointing to configORG.

    "So the resilient circuits should be run in both the configORG and childORG (without running customize in the child) and the functions of childORG should work, right?"

    Correct. A small difference is that the Resilient Circuits instance configured to use configORG does not need to be running all the time since all it is used for is to "push" up to the configORG.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 7.  RE: Multiple Organizations app.config resilient configurations

    Posted Wed February 26, 2020 05:47 AM
    Hello Williams,

    Thank you so much, functions work perfectly for child organizations.


    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 8.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri February 28, 2020 05:23 AM
    Hello Williams,

    I have an error when running run.py:

    (dataprotect) -bash-4.2$ python run.py
    2020-02-28 11:16:15,312 INFO [app] Configuration file: app.config.dataxxxxt
    2020-02-28 11:16:15,314 INFO [app] Resilient server: resilient.xxxxxxx.ma
    2020-02-28 11:16:15,315 INFO [app] Resilient user: asabri@xxxxxxx.ma
    2020-02-28 11:16:15,316 INFO [app] Resilient org: ChildORG
    2020-02-28 11:16:15,316 INFO [app] Logging Level: INFO
    2020-02-28 11:16:15,318 WARNING [co3] Unverified HTTPS requests (cafile=false).
    2020-02-28 11:17:57,595 INFO [filelock] Lock 140296961410448 released on datxxxxt.lock.file
    Traceback (most recent call last):
    File "run.py", line 11, in <module>
    app.run()
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient_circuits/app.py", line 333, in run
    application = App(*args, **kwargs)
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient_circuits/app.py", line 181, in __init__
    self.do_initialization()
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient_circuits/app.py", line 207, in do_initialization
    self.action_component = Actions(self.opts)
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 262, in __init__
    super(Actions, self).__init__(opts)
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 88, in __init__
    self._get_fields()
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient_circuits/actions_component.py", line 146, in _get_fields
    for dest in client.cached_get("/message_destinations")["entities"])
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/cachetools/__init__.py", line 87, in wrapper
    v = method(self, *args, **kwargs)
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient/co3.py", line 282, in cached_get
    return self.get(uri, co3_context_token, timeout)
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient/co3.py", line 276, in get
    _raise_if_error(ex.get_response())
    File "/home/resadmin/dataprotect/dataprotect/lib/python2.7/site-packages/resilient/co3.py", line 211, in _raise_if_error
    raise SimpleHTTPException(response)
    resilient.co3.SimpleHTTPException: Forbidden: {"success":false,"title":null,"message":"Forbidden","hints":[],"error_code":"generic"}


    How can I resolve that, please?

    Thank you,

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 9.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri February 28, 2020 05:33 AM
    Hi Ayman,

    Generally the "forbidden" return code means the account you are using does not have the right permissions/roles. Please grant that account (or use another) Master Administrator access.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 10.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri February 28, 2020 07:31 AM
    Uhh, that's right. Thank you

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 11.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri March 06, 2020 07:07 AM
    Hello Williams,

    I would like to know how I can keep the script run.py running. I'm connected to the virtual environment of a child org and run.py is running using the command python run.py; if I exit from ssh I guess the script will stop running.

    Thank you,

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 12.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri March 06, 2020 08:17 AM
    Hi Ayman,

    It might be better asking in its own thread.

    From a supported perspective you can use systemd (https://www.ibm.com/support/knowledgecenter/SSBRUQ_36.0.0/doc/Integration_Server/linux_install_restart.html) but that will start/stop Resilient Circuits not just that instance of python.

    Documentation states that each child org should have its own instance of Resilient Circuits. If you have it set up in that way then you can use systemd.

    We recently announced (https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=a5b0c640-7431-422f-b05b-a8197e51629f&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer#bma5b0c640-7431-422f-b05b-a8197e51629f) which might be of interest to you. The MSSP model will require a number of instances of Resilient Circuits so running these in containers might be beneficial to you.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 13.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri March 06, 2020 09:28 AM
    Hi Williams,

    Thanks for your reply.

    Can I use this configuration to run the run.py (systemd)?

    [Unit]
    Description=Resilient-Circuits Service
    After=resilient.service
    Requires=resilient.service

    [Service]
    Type=simple

    ExecStart=~/DATAPROTECT/DATAPROTECT/bin/python  ~/DATAPROTECT/DATAPROTECT/lib/python2.7/site-packages/resilient_circuits/
    Restart=always
    TimeoutSec=10
    Environment=APP_CONFIG_FILE=~/DATAPROTECT/DATAPROTECT/lib/python2.7/site-packages/resilient_circuits/dataprotect.app.config
    Environment=APP_LOCK_FILE=/home/integration/.resilient/dataprotect.lock.file

    [Install]
    WantedBy=multi-user.target


    Thanks again .

    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 14.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri March 06, 2020 11:33 AM
    Hi Ayman,

    I don't believe that will work I'm afraid. The .service file configuration in https://www.ibm.com/support/knowledgecenter/SSBRUQ_36.0.0/doc/Integration_Server/linux_install_restart.html starts/stops Resilient Circuits not "python run.py."

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 15.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri March 06, 2020 11:49 AM
    Hi Williams,

    So if the resilient circuits are running in the virtual environment, it means that the functions are running, without running the run.py script.


    ------------------------------
    Ayman Sabri Cyber Security Analyst II
    ------------------------------



  • 16.  RE: Multiple Organizations app.config resilient configurations

    Posted Fri March 06, 2020 12:07 PM
    Hi Ayman,

    I do not follow. You can start Resilient Circuits using systemd or by running "resilient circuits run."

    I think it might be better to create a new thread for this query as I have provided the supported means of starting Resilient Circuits, anything else is not tested and verified for use within a production environment.

    ------------------------------
    BEN WILLIAMS
    ------------------------------
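
An added example that is not part of this thread and not IBM's code: it renders the per-child-org layout Ben describes (one app.config and one Resilient Circuits instance per child org, none of which runs resilient-circuits customize) and the systemd approach he points to, using the supported "resilient-circuits run" entry point instead of "python run.py". It also checks each generated app.config for the two mistakes that come up above: an unset org= value and a stored password instead of an API key. The virtualenv root, the Unix user "integration", the log and lock paths, and the org and host names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): render one app.config and
# one systemd unit per child org for the MSSP layout discussed above, then
# sanity-check each app.config before it is used.
# Assumptions (hypothetical values, not from the page):
#   - each child org has its own virtualenv at $VENV_ROOT/<org>
#   - the service runs as the Unix user "integration"
#   - Resilient Circuits is started with "resilient-circuits run",
#     the supported entry point, rather than "python run.py"

VENV_ROOT="${VENV_ROOT:-/opt/resilient-circuits}"

# Write an app.config for one child org. org= is the child org name;
# credentials stay as placeholders so no secret is embedded in this script.
render_app_config() {
  org="$1"; host="$2"; out="$3"
  cat > "$out" <<EOF
[resilient]
# Basic service connection
host=$host
port=443

# Prefer an API key over an email/password pair. The key must belong to
# this org and carry the roles the apps need; a 403 "Forbidden" at startup
# means the account cannot read what Resilient Circuits asks for.
api_key_id=REPLACE_WITH_API_KEY_ID
api_key_secret=REPLACE_WITH_API_KEY_SECRET

# The org this instance serves. Child-org instances never run
# "resilient-circuits customize"; only the configuration-org instance does.
org=$org

logdir=/var/log/resilient-circuits/$org
logfile=app.log
loglevel=INFO
EOF
}

# Write a systemd unit that starts Resilient Circuits for one child org.
render_unit() {
  org="$1"; cfg="$2"; out="$3"
  cat > "$out" <<EOF
[Unit]
Description=Resilient Circuits ($org)
After=network.target

[Service]
Type=simple
User=integration
Environment=APP_CONFIG_FILE=$cfg
Environment=APP_LOCK_FILE=/var/run/resilient-circuits/$org.lock
ExecStart=$VENV_ROOT/$org/bin/resilient-circuits run
Restart=always
TimeoutSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Return 0 when the app.config names a real org (not a placeholder such as
# "org={...}") and does not store a password; return 1 otherwise.
check_app_config() {
  cfg="$1"
  if ! grep -q '^org=[^ {]' "$cfg"; then
    echo "$cfg: org= is not set" >&2; return 1
  fi
  if grep -q '^password=' "$cfg"; then
    echo "$cfg: stores a password; use api_key_id/api_key_secret" >&2; return 1
  fi
  return 0
}

# Render config + unit for every child org named on the command line:
#   provision_child_orgs /etc/resilient-circuits resilient.example.invalid childA childB
provision_child_orgs() {
  root="$1"; host="$2"; shift 2
  for org in "$@"; do
    mkdir -p "$root/$org"
    render_app_config "$org" "$host" "$root/$org/app.config"
    render_unit "$org" "$root/$org/app.config" "$root/$org/resilient-circuits-$org.service"
    check_app_config "$root/$org/app.config" || return 1
  done
}
```

After rendering, the unit files are copied into /etc/systemd/system, followed by systemctl daemon-reload and systemctl enable --now for each org. Because every child org gets its own unit, one org's instance can be restarted or stopped without touching the others, which is what the per-org model above needs.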