IBM Security QRadar SOAR

  • 1.  Push update for incidents (API)

    Posted Wed August 07, 2019 09:42 AM
    Hi all,

    I was wondering whether there is an API to push incidents from the Resilient platform to my custom webpage? I don't wish to query the Resilient server every X minutes if possible. If there is no such push function, how do I query the server every X minutes?

    I was looking at the interactive API >> GET /orgs/{org_id}/incidents

    Many thanks,

    ------------------------------
    Lavesh
    ------------------------------


  • 2.  RE: Push update for incidents (API)

    IBM Champion
    Posted Wed August 07, 2019 02:22 PM
    You could do this via a Resilient workflow using an automatic rule that triggers on incident creation.

    The workflow would need to have a custom function that pushes the incident data to your website (either via REST or by passing the 'incident' object as function input). For this to work, that would mean that your site would need a REST API to interact with (for the incident receive).

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 3.  RE: Push update for incidents (API)

    Posted Wed August 07, 2019 10:09 PM
    Hi Jared,

    Thanks for the reply! If I understand you correctly, I would first need to create a rule (which triggers when an incident is created). After the rule is created I would then need to create a workflow, and the workflow then has to have a custom function.

    I am currently trying the stuff out; at which stage do I pass the data to my webpage? (Is there a guide on how I go about doing that?)

    Many thanks,

    ------------------------------
    Lavesh
    ------------------------------



  • 4.  RE: Push update for incidents (API)
    Best Answer

    IBM Champion
    Posted Fri August 09, 2019 12:53 PM
    Edited by Lavesh Mon August 12, 2019 09:39 PM

    Hey Lavesh,

    In reply to, "at which stage do I pass the data to my webpage?"

    This will happen inside the Resilient function.

    You will need to do the following (in order):

    1. Create a function in the UI (something like: "Send Incident to Website")
           --> Include inputs: incident_id and incident (create as a basic text input type)
    2. Create a workflow in the UI that looks like: start --> function: "Send Incident to Website" --> end
    3. Inside the workflow in the UI, in the "Send Incident to Website" function pre-processor
           --> Add: inputs.incident_id = incident.id
           --> Add: inputs.incident = str(incident)
    4. On your integrations/resilient-circuits server, run the codegen command needed to build a function.
    5. Modify the function .py file where it has "# PUT YOUR FUNCTION IMPLEMENTATION CODE HERE"
           --> Try one of these methods:
                  --> Use the REST API to send the incident to your site
                  --> Use json to parse the text and pass it to your site however you'd like
    6. Run the "pip install --editable ./pckg_name/" command to complete the custom function install.
    7. Restart resilient-circuits
    8. Create the automatic rule that calls the workflow on incident creation.
    9. Done! (:


    Work with your Resilient Sales Engineer for additional guidance.



    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------
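As an added illustration of step 5 above (example code, not from the thread or from the resilient-circuits codegen template): the part of the function body that would replace "# PUT YOUR FUNCTION IMPLEMENTATION CODE HERE". It assumes the pre-processor's str(incident) text is JSON (falling back to forwarding the raw string when it is not), assumes the website takes a JSON POST with an X-API-Key header, and forwards only an assumed allowlist of fields rather than the whole incident. The resilient-circuits class and decorators are left out so the module runs stand-alone.

```python
"""Core of a hypothetical "Send Incident to Website" function body (added example)."""
import json
import urllib.request

# Assumed allowlist: forward only what the website needs. The full incident
# object can carry notes and other data the site has no business receiving.
ALLOWED_FIELDS = ("name", "description", "severity_code", "create_date", "plan_status")


def build_payload(incident_id, incident_text):
    """Turn the pre-processor's incident_id and str(incident) into a minimal dict.

    Assumes the text is JSON; if it is not, the raw string is forwarded instead
    so the function still produces a result rather than failing silently."""
    try:
        incident = json.loads(incident_text)
    except (TypeError, ValueError):
        return {"incident_id": int(incident_id), "raw": str(incident_text)}
    payload = {"incident_id": int(incident_id)}
    payload.update({k: incident[k] for k in ALLOWED_FIELDS if k in incident})
    return payload


def push_incident(payload, url, api_key, post=None, timeout=10):
    """POST the payload to the website and return the HTTP status code.

    `post` is injectable so the logic can be exercised without a network; the
    default uses urllib over HTTPS, which verifies the server certificate."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send incident data over plain HTTP")
    body = json.dumps(payload).encode("utf-8")
    headers = {"Content-Type": "application/json", "X-API-Key": api_key}
    if post is None:
        def post(u, b, h, t):
            req = urllib.request.Request(u, data=b, headers=h, method="POST")
            with urllib.request.urlopen(req, timeout=t) as resp:
                return resp.status
    return post(url, body, headers, timeout)


# Constructed sample standing in for str(incident); not real platform output.
SAMPLE_INCIDENT = json.dumps({"id": 2095, "name": "Phishing report", "severity_code": 5,
                              "plan_status": "A", "notes": ["internal note"]})

if __name__ == "__main__":
    print(build_payload(2095, SAMPLE_INCIDENT))
```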



  • 5.  RE: Push update for incidents (API)

    Posted Mon August 12, 2019 09:39 PM
    Hi Jared,

    Thanks for the detailed step-by-step guide!
    Now I understand, there is a .py file.

    Many thanks,

    ------------------------------
    Lavesh
    ------------------------------