Thank you. I noticed none of these examples use cron jobs, and instead use Python threading. Is there a good reason for this?
It seems much simpler to use crontab and run a Python script every 10 minutes instead. This will also persist after reboots.
Currently, I have a script being called every 10 minutes to poll for new incidents. It's working well, but I worry about customer implementations of the app-host and whether cron jobs would not be ideal for their setup.
Really just looking for some clarification on how to keep things "always running". The same goes for resilient-circuits: as an integration developer, do I need to include instructions for keeping resilient-circuits running?
Thank you,
Tom
------------------------------
Tom Prenderville
------------------------------
Original Message:
Sent: Fri June 18, 2021 07:46 AM
From: Mark Scherfling
Subject: Best practices for creating incidents (cron job -> script?)
Hi Tom,
What you're describing is functionality we refer to as a poller. We've written a number of pollers as part of integration packages which get installed and run within our resilient-circuits framework. In the end, the operation is pretty much the same: logic runs on a timer to check for items which should be escalated to Resilient (IBM SOAR) as incidents.
Currently, there is no way to wrap this into a workflow, but this capability is being considered for future releases.
To name a few examples you can review, see these apps we published to GitHub:
Proofpoint Tap: https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_proofpoint_tap/fn_proofpoint_tap/components/fn_pp_threat_polling.py
Secureworks CTP: https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_secureworks_ctp/fn_secureworks_ctp/components/scwx_ctp_poll.py
Symantec DLP: https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_symantec_dlp/fn_symantec_dlp/components/dlp_incident_listener.py
Good luck.
Mark
------------------------------
Mark Scherfling
------------------------------
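A minimal version of the poller pattern described in the reply above, written as an added example for this thread. It is not code from resilient-circuits or from the linked community apps (those run under the framework's own timer); it shows the same shape with a plain background thread. The third-party service, the SOAR client and the sample alerts are constructed stand-ins, and `IncidentPoller`, `PollState` and the incident field names are assumptions, not the product's API.

```python
"""Poller pattern: a timer-driven loop that pulls new alerts from a
third-party service and escalates each one as a SOAR incident exactly once.
Added example; not code from resilient-circuits or the community apps."""
import threading
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set

Alert = Dict[str, Any]

# Constructed sample alerts standing in for the hypothetical third-party service.
SAMPLE_ALERTS: List[Alert] = [
    {"id": "a-100", "created": 1623929400, "title": "Phishing report: finance mailbox"},
    {"id": "a-101", "created": 1623929460, "title": "Beaconing to known C2 domain"},
]


class FakeThirdPartyService:
    """Hypothetical alert source with a 'created after X' filter, like most APIs."""

    def __init__(self, alerts: List[Alert]) -> None:
        self._alerts = list(alerts)

    def add(self, alert: Alert) -> None:
        self._alerts.append(alert)

    def list_alerts(self, since: int) -> List[Alert]:
        return [a for a in self._alerts if a["created"] > since]


class FakeResilient:
    """Stand-in for the SOAR REST client; records what would become incidents."""

    def __init__(self) -> None:
        self.incidents: List[Dict[str, Any]] = []

    def create_incident(self, payload: Dict[str, Any]) -> int:
        self.incidents.append(payload)
        return len(self.incidents)  # hypothetical incident id


@dataclass
class PollState:
    """Checkpoint to persist (e.g. to a JSON file) so a restart resumes, not replays."""
    last_seen: int = 0
    seen_ids: Set[str] = field(default_factory=set)


class IncidentPoller:
    def __init__(self, fetch: Callable[[int], List[Alert]],
                 create_incident: Callable[[Dict[str, Any]], int],
                 state: Optional[PollState] = None, overlap: int = 60) -> None:
        self.fetch = fetch
        self.create_incident = create_incident
        self.state = state or PollState()
        self.overlap = overlap  # re-query a little before the checkpoint
        self.errors = 0

    def poll_once(self) -> List[int]:
        """One timer tick: fetch, dedupe, escalate. Returns new incident ids."""
        since = max(0, self.state.last_seen - self.overlap)
        try:
            alerts = self.fetch(since)
        except Exception:
            # Transient failure (network, auth): keep the checkpoint, retry next tick.
            self.errors += 1
            return []
        created: List[int] = []
        for alert in sorted(alerts, key=lambda a: a["created"]):
            if alert["id"] in self.state.seen_ids:
                continue  # already escalated; the overlap window re-returned it
            incident_id = self.create_incident({
                "name": alert["title"],
                "source_id": alert["id"],
                "discovered_date": alert["created"],
            })
            # Advance state only after the create succeeded, so a failed
            # create is retried on the next tick rather than silently dropped.
            self.state.seen_ids.add(alert["id"])
            self.state.last_seen = max(self.state.last_seen, alert["created"])
            created.append(incident_id)
        return created

    def run(self, interval_s: float, stop: threading.Event) -> None:
        """Loop until told to stop; stop.wait doubles as a cancellable sleep."""
        while not stop.is_set():
            self.poll_once()
            stop.wait(interval_s)


def run_demo(interval_s: float = 0.01, timeout_s: float = 2.0) -> int:
    """Run the poller on a background thread, add a late alert, return the count."""
    service = FakeThirdPartyService(SAMPLE_ALERTS)
    soar = FakeResilient()
    poller = IncidentPoller(service.list_alerts, soar.create_incident)
    stop = threading.Event()
    worker = threading.Thread(target=poller.run, args=(interval_s, stop), daemon=True)
    worker.start()
    service.add({"id": "a-102", "created": 1623929520, "title": "Late-arriving alert"})
    deadline = time.time() + timeout_s
    while len(soar.incidents) < 3 and time.time() < deadline:
        time.sleep(interval_s)
    stop.set()
    worker.join()
    return len(soar.incidents)  # 3: the two initial alerts plus the late one, no duplicates


if __name__ == "__main__":
    print("incidents created:", run_demo())
```

The two pieces worth copying into a real poller are the checkpoint (`last_seen` plus the set of ids already escalated, written to disk after each tick) and the overlap window: re-querying slightly before the checkpoint catches items the source indexed late, and the id set keeps those re-fetched items from becoming duplicate incidents. Whether the tick comes from a thread, a cron entry or the framework's timer, that state handling is what makes the poller safe across restarts.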
Original Message:
Sent: Thu June 17, 2021 11:11 AM
From: Tom Prenderville
Subject: Best practices for creating incidents (cron job -> script?)
I'm wondering what the best approach is for automatically creating new incidents in Resilient. Currently, I have a Python script sitting on the integration server outside of the Resilient framework. This script polls a third-party service and checks if there are any new incidents to pull into Resilient. Is there any way to wrap this in a workflow / function?
I anticipate that a cron job via systemd will be a pain for end users during setup and troubleshooting.
Thanks for any tips!
------------------------------
Tom Prenderville
------------------------------