IBM Security QRadar SOAR

  • 1.  Community App Roundup for January 4, 2019

    Posted Fri January 04, 2019 03:49 PM

    A handful of new Community Apps are live and available on the IBM Security App Exchange. These apps cover a wide range of use cases and contain various functions that can be implemented into a Resilient workflow. Please comment on this thread with any feedback or questions about the newest releases. Below is a description of the functionality of each app:


    Apility.io:

    This integration package allows a Resilient user to query https://apility.io/ to get a reputation score for email addresses, domain names and IP addresses. This function can be set up in a workflow to retrieve investigative context around these artifacts.


    AWS Utilities:

    This package contains a number of AWS functions that enable Resilient users to accomplish AWS-related actions from a workflow. This app leverages AWS to perform these actions:

    • Send SMS messages via SNS
    • Call Lambda functions and return the results
    • Call Step functions and return the results (both synchronous and asynchronous)


    ClamAV:

    ClamAV is an open-source antivirus engine that detects trojans, viruses, malware, and other malicious threats. In Resilient, attachments within Incidents and Tasks can be scanned for malicious content by ClamAV from a workflow. The results of the scan are returned as a note in the Incident and can provide more context for suspected malicious attachments.

    This integration performs the following operations:

    • Scan an incident or task attachment
    • Scan an artifact attachment for artifact types which support attachments


    Digital Shadows Search Function:

    Use this function within Resilient to instantly access Digital Shadows' comprehensive collection of evolving historical threat intelligence assets and expert security sources. Results returned from the function's query are displayed in a customizable data table within Resilient.


    ElasticSearch:

    This updated function allows Resilient users to connect to and query an ElasticSearch Database automatically or manually within a workflow.


    GRR Rapid Response Search:

    GRR Rapid Response is an incident response framework focused on remote live forensics. This integration allows you to deploy Resilient workflows that search for GRR Agents using IP addresses, host names or user names, and then update the Incident in Resilient with an attached note. From there a user can take manual or automated actions based on the results.


    HTML2PDF Utility:

    Easily share and analyze data from suspicious artifacts in PDF format. This simple function performs an action on artifacts within an Incident to convert HTML data or a web URL to a base64 coded PDF document that can be saved as an attachment.


    MISP Threat Service:

    MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise. This integration with Resilient allows for an automatic query of MISP on many types of artifacts for qualification and data enrichment from a workflow.


    Phish.AI:

    This function connects Resilient with Phish.AI via its API to submit URLs to Phish.AI for malicious intent analysis. The verdict on the URL is returned along with an incident note that contains a link to the report on Phish.AI.


    Query TOR:

    The TOR Network is often misused by malicious actors. This integration with Resilient queries IP address and DNS name artifacts to search against TOR Network Exit Nodes and returns the data as a note within an Incident in Resilient. This information is helpful to provide more context surrounding an artifact.


    Whois Function:

    This package contains one function which provides threat enrichment information about a submitted domain's WHOIS information. It performs these actions:

    • Takes an IP address or URL as an input and queries WHOIS for related information
    • Saves results in a RichText note as an attachment


    Happy New Year



    ------------------------------
    Mark Scherfling
    ------------------------------


  • 2.  RE: Community App Roundup for January 4, 2019

    Posted Wed August 14, 2019 09:25 AM
    Hello @Mark Scherfling, I have downloaded and installed Digital Shadows, but the documentation is very poor. I cannot see anything related to how to test it, e.g. how can I escalate incidents from Digital Shadows to Resilient, map the results to the incident correctly, edit the templates, etc.
    It just shows the basic simple installation and configuration like any other app, while Digital Shadows seems to be much more complex and has many fields to be reflected in the incident view.

    Could you please send any support documentation, or share implementation and testing steps.

    ------------------------------
    ahmed abushanab
    ------------------------------



  • 3.  RE: Community App Roundup for January 4, 2019

    Posted Wed August 14, 2019 11:42 AM

    Hi Ahmed,

    The Digital Shadows integration is supported by Digital Shadows. The App Exchange entry shows that support can be requested via the following email address: support@digitalshadows.com. Hopefully, they will respond promptly to your questions.



    ------------------------------
    Mark Scherfling
    ------------------------------