IBM Security SOAR


Best practices for creating incidents (cron job -> script?)

  • 1.  Best practices for creating incidents (cron job -> script?)

    Posted Thu June 17, 2021 11:12 AM
    I'm wondering what the best approach is for automatically creating new incidents in Resilient. Currently, I have a Python script sitting on the integration server outside of the Resilient framework. This script polls a 3rd-party service and checks if there are any new incidents to pull into Resilient. Is there any way to wrap this in a workflow / function?

    I anticipate that a cron job via systemd will be a pain for end users during setup and troubleshooting.

    Thanks for any tips!

    ------------------------------
    Tom Prenderville
    ------------------------------


  • 2.  RE: Best practices for creating incidents (cron job -> script?)

    Posted Fri June 18, 2021 07:46 AM

    Hi Tom,


    What you're describing is functionality we refer to as a poller. We've written a number of pollers as part of integration packages which get installed and run within our resilient-circuits framework. In the end, the operation is pretty much the same: logic runs on a timer to check for items which should be escalated to Resilient (IBM SOAR) as incidents.

    Currently, there is no way to wrap this into a workflow, but future releases are considering this capability.

    To name a few examples you can review, see these apps we published to GitHub:

    Proofpoint Tap: https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_proofpoint_tap/fn_proofpoint_tap/components/fn_pp_threat_polling.py

    Secureworks CTP: https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_secureworks_ctp/fn_secureworks_ctp/components/scwx_ctp_poll.py

    Symantec DLP: https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_symantec_dlp/fn_symantec_dlp/components/dlp_incident_listener.py

    Good luck.

    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------
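    The poller pattern Mark describes above, as an added, self-contained illustration (not code from this thread, from the linked apps, or from IBM's resilient-circuits framework): a loop that runs on a timer in a background thread, fetches items from a third-party source, de-duplicates them against what has already been escalated, and creates an incident for each new item. The `ThirdPartyStub` and `SoarStub` classes are constructed stand-ins for the external service and the SOAR REST API, and the alerts are constructed sample data.

```python
"""Timer-driven poller that escalates new third-party alerts as incidents.

Added example, not code from the thread or from resilient-circuits.  The
source and sink classes are constructed stand-ins; a real app would call the
third-party API and the SOAR REST API in their place.
"""
import logging
import threading
from dataclasses import dataclass
from typing import Dict, List, Set

log = logging.getLogger("poller")


@dataclass
class Alert:
    id: str
    created_at: float   # epoch seconds, as the third party reports it
    title: str


class ThirdPartyStub:
    """Constructed stand-in for the external service being polled."""

    def __init__(self, alerts: List[Alert]):
        self.alerts = alerts

    def fetch_since(self, since: float) -> List[Alert]:
        # '>=' rather than '>' so an item stamped exactly at the high-water
        # mark is not lost; de-duplication by id below absorbs the overlap.
        return [a for a in self.alerts if a.created_at >= since]


class SoarStub:
    """Constructed stand-in for the SOAR incident-creation API."""

    def __init__(self):
        self.incidents: List[Dict] = []

    def create_incident(self, alert: Alert) -> Dict:
        incident = {"name": alert.title, "source_id": alert.id}
        self.incidents.append(incident)
        return incident


class Poller:
    """Runs poll_once() every interval_s seconds until stop() is called."""

    def __init__(self, source, sink, interval_s: float, last_poll_time: float = 0.0):
        self.source = source
        self.sink = sink
        self.interval_s = interval_s
        # High-water mark; a real app should persist this (e.g. in app.config
        # or a state file) so a restart does not re-escalate old items.
        self.last_poll_time = last_poll_time
        self.seen_ids: Set[str] = set()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, name="poller", daemon=True)

    def poll_once(self) -> List[Dict]:
        """One cycle: fetch, de-duplicate, escalate. Returns incidents created."""
        created: List[Dict] = []
        try:
            alerts = self.source.fetch_since(self.last_poll_time)
        except Exception as exc:
            # Transient upstream failure: log it and let the next cycle retry.
            log.error("poll failed: %s", exc)
            return created
        for alert in sorted(alerts, key=lambda a: a.created_at):
            if alert.id in self.seen_ids:
                continue
            created.append(self.sink.create_incident(alert))
            self.seen_ids.add(alert.id)
            self.last_poll_time = max(self.last_poll_time, alert.created_at)
        log.info("poll cycle created %d incident(s)", len(created))
        return created

    def _run(self) -> None:
        while not self._stop.is_set():
            self.poll_once()
            self._stop.wait(self.interval_s)   # wakes early on stop()

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()


def run_demo() -> int:
    """Start the threaded poller on constructed data and return incident count."""
    source = ThirdPartyStub([Alert("a1", 100.0, "Phish"),
                             Alert("a2", 200.0, "Malware"),
                             Alert("a3", 300.0, "Beacon")])
    sink = SoarStub()
    poller = Poller(source, sink, interval_s=0.05)
    poller.start()
    threading.Event().wait(0.2)   # let a few cycles run
    poller.stop()
    return len(sink.incidents)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("incidents created:", run_demo())
```

    Two details matter for either deployment model. First, the `stop` event is what lets the framework shut the loop down cleanly when the rest of the app stops, which is the "same lifecycle, same log file" property Mark is pointing at. Second, the `last_poll_time` high-water mark only prevents re-escalation across restarts if it is persisted somewhere; an in-memory value starts at zero again after a reboot, whether the loop runs in a thread or is launched from cron.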



  • 3.  RE: Best practices for creating incidents (cron job -> script?)

    Posted Mon June 21, 2021 10:03 AM
    Thank you. I noticed none of these examples use cron jobs, and instead use Python threading. Is there a good reason for this?

    It seems much simpler to use crontab and run a Python script every 10 minutes instead. This will also persist after reboots.

    Currently, I have a script being called every 10 minutes to poll for new incidents. It's working well, but I worry about customer implementations of the app host and whether cron jobs would not be ideal for their setup.

    Really just looking for some clarification as to how to keep things "always running". Same goes for resilient-circuits... as an integration developer, do I need to handle instructions for keeping the resilient-circuits running?

    Thank you,
    Tom

    ------------------------------
    Tom Prenderville
    ------------------------------



  • 4.  RE: Best practices for creating incidents (cron job -> script?)

    Posted Mon June 21, 2021 08:07 PM
    In the end it's about visibility and maintenance. The poller method is initialized when all your other functions are initialized and then logged in the same app.log file. A cron method is just a separate environment which may provide the same visibility and maintenance aspects for your environment.

    Good luck.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Best practices for creating incidents (cron job -> script?)

    Posted Tue June 22, 2021 08:30 AM
    @Tom Prenderville,

    I created an idea in the Aha portal for this last summer, I agree that a 'higher-level' job manager would be a useful addition to the SOAR platform. Essentially, I recommended the ability to have SOAR manage jobs on an app host, via systemd (or cron). There are certainly security considerations that would need to be accounted for, but this would make the use case you described and that we have run into less 'clunky' and more streamlined.

    See here: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-892


    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------