Hi Sunil,
If I understand correctly, you already implemented it following my 2nd option "Through App/Function"; the only issue is that the hits are not added to the corresponding artifact and there is no color coding? If that's the case, the last thing you need to do is just add the hits to the artifact using a script. Again, in this blog there is an example showing how to add hits to an artifact. I just copy it here.
# Script attached to an artifact-type rule/playbook. `playbook` and `artifact` are
# globals provided by IBM SOAR; `report` is the name of the function's result.
def add_hit_card():
    scan = playbook.functions.results.report.scan
    # Each hit card is a {name, type, value} object shown on the artifact.
    hit = [
        {
            "name": "Positives",
            "type": "string",
            "value": "{} out of {}".format(scan.get('positives'), scan.get('total'))
        },
        {
            "name": "Scan Date",
            "type": "string",
            "value": "{}".format(scan.get('scan_date'))
        },
        {
            "name": "Scan Report",
            "type": "uri",  # rendered as a clickable link on the hit card
            "value": "{}".format(scan.get('permalink'))
        }
    ]
    # First argument is the threat source name; keep it a fixed string so all
    # hits from this script are aggregated under the same source.
    artifact.addHit("VT Function hits added", hit)

add_hit_card()
As you can see, the hits are a list of [name, type, value] objects which will be shown as hit cards of the artifact; once the hits are added, the artifact will be red-colored. Please also note that the first parameter of "artifact.addHit()" is the threat source name and should be a fixed string so all the hits from this script will be aggregated. In addition, the rule/playbook must be of artifact type so you can use the "artifact.addHit" method in the script.
Again, my 1st option and 2nd option are totally different approaches in terms of how the artifacts get enriched and the way to implement them; you cannot just register your current app/function work as a custom threat source. I think for most cases, the app/function (2nd option) should be enough; you or the customer can create auto/manual rules/playbooks to enrich the artifact when it's added or whenever a user wants to trigger the rule.
If you still want to go for the 1st option (the custom threat source), I think the easiest way is starting from this repo; look for "rc-cts-xxx". Also be aware that the deployment model of this option is different from the app/function; the customer usually will need to set up/run the custom threat source by themselves. You can also check out apps on IBM XForce App Exchange, for example, McAfee Threat Intelligence Exchange Threat Service for SOAR or Recorded Future for SOAR.
Thanks.
------------------------------
Gilbert Liao
------------------------------
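An added example (not from this thread, the blog Gilbert refers to, or Group IB's own code) covering the "Through App/Function" option and the addHit pattern above: it maps a constructed provider lookup result into the [name, type, value] hit cards and only calls addHit when there was a match, since adding hits colors the artifact red. `_FakeArtifact` stands in for the `artifact` global SOAR injects into an artifact-type script, and the result field names (`count`, `last_seen`, `permalink`) are assumptions, not Group IB's real schema.

```python
# Fixed threat source name so all hits from this script aggregate under one source.
THREAT_SOURCE = "Group-IB TI hits"


def build_hit_cards(result):
    """Map a provider result dict (constructed shape, assumed fields) to hit cards.

    Returns an empty list when the lookup found nothing, so the caller can skip
    addHit() and a clean artifact is not colored red.
    """
    if not result or result.get("count", 0) == 0:
        return []
    cards = [
        {"name": "Matches", "type": "string", "value": str(result["count"])},
    ]
    if result.get("last_seen"):
        cards.append({"name": "Last Seen", "type": "string", "value": result["last_seen"]})
    if result.get("permalink"):
        # "uri" type renders as a clickable link on the hit card
        cards.append({"name": "Report", "type": "uri", "value": result["permalink"]})
    return cards


def add_hits(artifact_obj, result):
    """Attach hit cards to the artifact; returns the number of cards added."""
    cards = build_hit_cards(result)
    if cards:
        artifact_obj.addHit(THREAT_SOURCE, cards)
    return len(cards)


class _FakeArtifact:
    """Stand-in for SOAR's script-global `artifact` so this runs offline."""

    def __init__(self):
        self.hits = []

    def addHit(self, source, cards):
        self.hits.append((source, cards))


# Constructed sample results: one lookup with matches, one clean lookup.
SAMPLE_MATCH = {"count": 3, "last_seen": "2022-05-01",
                "permalink": "https://example.invalid/report/1"}
SAMPLE_CLEAN = {"count": 0}

if __name__ == "__main__":
    art = _FakeArtifact()
    print(add_hits(art, SAMPLE_MATCH), add_hits(art, SAMPLE_CLEAN), art.hits)
```

In a real SOAR script, replace `_FakeArtifact` with the provided `artifact` global and feed `build_hit_cards` the function result from `playbook.functions.results`.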
Original Message:
Sent: Tue May 17, 2022 05:06 AM
From: Sunil I B
Subject: Group IB Threat intel to Resilient
Hi Gilbert Liao,
Thanks for the response; we are developing a similar one for Group IB. Based on your recommendations, the workflow & actions run successfully and a note has been added to the incident with the details. However, it is not showing like the Virus Total or Xforce results with color coding.
Could you please let us know how to register as a threat source instead of executing the functions & getting the results?
------------------------------
Sunil I B
Original Message:
Sent: Tue April 12, 2022 04:37 AM
From: Gilbert Liao
Subject: Group IB Threat intel to Resilient
Hi Sunil,
XForce App Exchange provides many integrations but unfortunately GROUPIB is not included, so you will need to develop it by yourself.
IBM SOAR provides a couple of ways to integrate 3rd party threat intelligence providers.
- Custom threat service - it will be added to the threat sources page and scan/re-scan artifacts just like the other built-in ones, e.g. VirusTotal. You need to follow this guide to develop a REST service/app and then use the "resutil threatserviceedit" command to register the service to IBM SOAR. We already provide a python-based framework to create a custom threat service and several working integrations. (You can check this repo; look for "rc-cts-xxx".)
- Through App/Function - you can develop your own app/function and leverage the playbook/rule to send your artifact to the 3rd party threat source whenever you need, e.g. when an artifact is added. However, it won't automatically rescan the artifact like a custom threat service does. Once you create the function you can follow this blog to add hits to the artifact.
Hope the above information helps.
------------------------------
Gilbert Liao
Original Message:
Sent: Mon April 11, 2022 10:09 AM
From: Sunil I B
Subject: Group IB Threat intel to Resilient
Thanks for the details. We integrate with IBM Resilient SOAR, not with SIEM.
Yes, we provided all the information; based on my understanding we made some mistake while registering using threat service edit. Please refer to the details below & recommend the right steps based on your expertise.
1) For example, when we execute the command using curl, we use the syntax below:
curl 'https://tap.group-ib.com/api/v2/search?q=8.8.8.8' -u 'sunil@xxxxx.com.my:xxxxxxx' -H 'Accept:*/*'
While doing resilient threatservice we use the URL below, so I'm worried that after ?q the artifact will be picked up by resilient automatically, so maybe it failed due to a wrong URL?
i.e. URL with artifact
sudo resutil threatserviceedit -name GROUPIB -resturl https://tap.group-ib.com/api/v2/search?q= -user sunil@xxxxx.com.my -password xxxxxx
2) FYI, Group IB supports only the following formats; if so, how do we include the right URL methods for Resilient threatserviceedit?
a) curl 'https://tap.group-ib.com/api/v2/search?q=8.8.8.8' -u 'LOGIN:API_KEY' -H 'Accept:*/*'
b) curl 'https://tap.group-ib.com/api/v2/compromised/account?limit=10&df=2019-01-01&dt=2020-01-01&q=John' -u 'LOGIN:API_KEY' -H 'Accept:*/*'
c) GET /api/v2/<collection>/updated?seqUpdate=<seqUpdate_param>
d) GET <group-ib-url>/api/v2/<collection>/updated
So please help us on this; it's mostly a resilient threatedit URL issue, not a compatibility one.
Debug O/P
[root@resilient components]# sudo resutil -debug threatservicetest -name GROUPIB -v
Including specified authorization
GROUPIB returned status code 404
Failed to connect to GROUPIB
[root@resilient components]#
Another time
HTTP 405 that was returned. The 3rd party threat service may not be compatible with Resilient?
------------------------------
Sunil I B
Original Message:
Sent: Mon April 11, 2022 03:35 AM
From: Farhan Saleem
Subject: Group IB Threat intel to Resilient
Hi Sunil,
Hope this finds you well.
Need your help to integrate the GIB TI&A application with QRadar; we are unable to integrate the application since we are facing errors and issues. We have provided the below mentioned details required to integrate the application.
1 - URL.
2 - Username.
3 - API Key.
4 - Security Token.
BR,
Farhan
------------------------------
Farhan Saleem
Original Message:
Sent: Thu December 02, 2021 11:00 AM
From: Sunil I B
Subject: Group IB Threat intel to Resilient
How to integrate Resilient with Group IB Threat intel like Virus Total or Xforce etc.?
Please refer to the links below which show this for MISP & Qradar. Could you please share the method we need to follow?
https://github.com/Group-IB/TI_MISP_APIv1
https://github.com/Group-IB/TI_QRadar_APIv1
------------------------------
Sunil I B
------------------------------