IBM Security QRadar SOAR

 View Only
  • 1.  Group IB Threat intel to Resilient

    Posted Thu December 02, 2021 11:00 AM
    How to integrate Resilient to Group IB Threat intel like Virus Total or Xforce etc.

    Please refer below links which shows for MISP & Qradar, Could you please share the method we need to follow 
    https://github.com/Group-IB/TI_MISP_APIv1
    https://github.com/Group-IB/TI_QRadar_APIv1

    ------------------------------
    Sunil I B
    ------------------------------


  • 2.  RE: Group IB Threat intel to Resilient

    Posted Fri April 08, 2022 03:38 AM
    Anyone Done Group IB Threat Intelligent lookup integrations with Resilient SOAR

    Please refer the attached Group-IB TI&A Integration Guide, so whether we use Resilient threatserviceedit services?

    ------------------------------
    Sunil I B
    ------------------------------



  • 3.  RE: Group IB Threat intel to Resilient

    Posted Mon April 11, 2022 09:15 AM

    Hi Sunil,

    Hope this finds you well.

    Need your help to integrate GIB TI&A application with QRadar and we are unable to integrate the application since we are facing errors and issues. We have provided below mentioned details required to integrate the application.

    1 - URL.
    2- Username.
    3 - API Key.
    4 - Security Token.

    BR,
    Farhan



    ------------------------------
    Farhan Saleem
    ------------------------------



  • 4.  RE: Group IB Threat intel to Resilient

    Posted Mon April 11, 2022 10:10 AM
    Thanks for the details. We integrate with IBM Resilient SOAR, not with SIEM. 

    Yes we provided all the information's, based on my understanding we done some mistake while register using threat service edit, please refer below details & recommend the right steps based on your expertise.

    1) For example when we execute command using curl, we use below syntax

    curl 'https://tap.group-ib.com/api/v2/search?q=8.8.8.8' -u 'sunil@xxxxx.com.my:xxxxxxx' -H 'Accept:*/*'

    While doing resilient threatservice we use below URL, so worried may be after ?q artifact will pick by resilient automatically, so may be failed due to wrong URL?

    i.e URL with Artifact

    sudo resutil threatserviceedit -name GROUPIB -resturl https://tap.group-ib.com/api/v2/search?q= -user sunil@xxxxx.com.my -password xxxxxx

    2) FYI, Group IB supports only the following format, if so how to include right URL Methods for Resilient threatservicedit ?

    a) curl 'https://tap.group-ib.com/api/v2/search?q=8.8.8.8'; -u 'LOGIN:API_KEY'

    -H 'Accept:*/*'

    b) curl 'https://tap.group-ib.com/api/v2/compromised/account?limit=10&df=2019-

    01-01&dt=2020-01-01&q=John' -u 'LOGIN:API_KEY' -H 'Accept:*/*'

    c) GET /api/v2/<collection>/updated?seqUpdate=<seqUpdate_param>

    d) GET <group-ib-url>/api/v2/<collection>/updated

    So please help us on this, so mostly resilient threatedit URL issue, not compatible one.

     

    Debug O/P
    [root@resilient components]# sudo resutil -debug threatservicetest -name GROUPIB -v
    Including specified authorization
    GROUPIB returned status code 404
    Failed to connect to GROUPIB
    [root@resilient components]#

    Another time 
    HTTP 405 that was returned. The 3rd party threat service may not be compatible with Resilient? 

    ------------------------------
    Sunil I B
    ------------------------------



  • 5.  RE: Group IB Threat intel to Resilient

    Posted Tue April 12, 2022 04:37 AM
    Edited by Gilbert Liao Tue April 12, 2022 04:41 AM
    Hi Sunil,

    XForce App Exchange provides many integration but unfortunately GROUPIB is no included so you will need to develop it by yourself.
    IBM SOAR provides couple ways to integration 3rd party threat intelligent providers.
    • Custom threat service - it will be added to the threat sources page and scanned/re-scanned artifacts just like other built-in ones, e.g. VirusTotal. You need to follow this guide to develop a REST service/app and then use "resutil threatserviceedit" command to register the service to IBM SOAR. We already  provide a python based framework to create a custom threat service and several working integrations. (You can check on this repo, looks for "rc-cts-xxx").
    • Through App/Function - you can develop your own app/function and leverage the playbook/rule to send your artifact to 3rd party threat source whenever you need, e.g. when artifact is added. However, it won't automatically rescan the artifact like custom threat service. Once you create the function you can follow this blog to add hits to the artifact. 
    Hope the above information helps.

    ------------------------------
    Gilbert Liao
    ------------------------------



  • 6.  RE: Group IB Threat intel to Resilient

    Posted Tue May 17, 2022 05:06 AM
    Hi Gilbert Liao, 

    Thanks for the response, we developing similarly one for Group IB, based on your recommendations, the workflow & actions shows successfully, noted has been added to incident with the details, However not showing like virus total or Xforce results with color coding. 

    Could you please let us know on this, how to register as threat source instead of executing the functions & getting the results.

    ------------------------------
    Sunil I B
    ------------------------------



  • 7.  RE: Group IB Threat intel to Resilient

    Posted Wed May 18, 2022 04:28 AM
    Hi Sunil,
    If my understanding correctly, you already implemented it following my 2nd option "Through App/Function" the only issue is hits is not added to the corresponding artifact and there is no color coding? If that's the case, the last thing you need to do is just adding hits to artifact using script. Again, in this blog , there is an example showing how to add hits to artifact. I just copy it here.
    def add_hit_card():
      hit = [
                {
                    "name": "Positives",
                    "type": "string",
                    "value": "{} out of {}".format(playbook.functions.results.report.scan.get('positives'), playbook.functions.results.report.scan.get('total'))
                },
                {
                    "name": "Scan Date",
                    "type": "string",
                    "value": "{}".format(playbook.functions.results.report.scan.get('scan_date'))
                },
                {
                    "name": "Scan Report",
                    "type": "uri",
                    "value": "{}".format(playbook.functions.results.report.scan.get('permalink'))
                }
            ]
      artifact.addHit("VT Function hits added", hit)
    As you can see, the hits are a list of [name, type, value] objects which will be shown as hit cards of the artifact, once the hits are added the artifact will be red-colored. Please also note the first parameter of "artifact.addHit()" is the threat source name and should be a fixed string so all the hits from this script will be aggregated. In addition, the rule/playbook must be an artifact type so you can use "artifact.addHit" method in script.

    Again, my 1st option and 2nd option are totally different approaches in terms of how the artifacts get enriched and the way to implement, you cannot just register your current app/function works as a custom threat source. I think for most cases, app/function (2nd option) should be enough, you or customer can create auto/manual rules/playbook to enrich artifact when it's added or whenever user wants to trigger the rule.
    If you still want to go for 1st option (the custom threat source), I think the easiest way is starting from this repo, looks for "rc-cts-xxx". Also be noted the deployment modal of this option is different from the app/function, customer usually will need to setup/run the custom threat source by themselves. You can also check out apps on IBM XForce App Exchange, for example, McAfee Threat Intelligence Exchange Threat Service for SOAR or Recorded Future for SOAR

    Thanks.

    ------------------------------
    Gilbert Liao
    ------------------------------



  • 8.  RE: Group IB Threat intel to Resilient

    Posted Wed May 18, 2022 09:36 AM
    Hi Gilbert Liao, 

    Thanks for the update, pleas refer below response for your message. 

    1. you already implemented it following my 2nd option "Through App/Function" the only issue is hits is not added to the corresponding artifact and there is no color coding?

    Yes, we using Through App/Functions, Thanks for details for color coding, we will check on this further to improve our logic. 

    2. Custom threat service - it will be added to the threat sources page and scanned/re-scanned artifacts just like other built-in ones, e.g. VirusTotal. You need to follow this guide to develop a REST service/app and then use "resutil threatserviceedit" command to register the service to IBM SOAR

    Yes, for the first option, its never works for us when we register using threatserviceedit command,  we received below error. Could you please right approach for 1st options, we cant find much informations on the document / approach using by Recorded Future for SOAR or Virus Total threat Service. 

    Debug O/P
    [root@resilient components]# sudo resutil -debug threatservicetest -name GROUPIB -v
    Including specified authorization
    GROUPIB returned status code 404
    Failed to connect to GROUPIB
    [root@resilient components]#

    Another time 
    HTTP 405 that was returned. The 3rd party threat service may not be compatible with Resilient? 



    ------------------------------
    Sunil I B
    ------------------------------



  • 9.  RE: Group IB Threat intel to Resilient

    Posted Sun May 22, 2022 08:01 AM
    Sunil,
    Because each threat intelligent service provides different ways/apis to enrich artifact, so there is no way for IBM SOAR to understand how to interact with arbitrary intelligent services. that's how "custom threat service" comes to play. It acts like a proxy which accepts the artifacts sent by SOAR and then calls  3rd party intelligent's API to get enrichment data for the artifact and returns back to IBM SOAR. 


    So in your case, you will need to create the "Custom Threat Service" following this guide  by your own, get the service running and then register it with the "sudo resutil threatserviceedit" command. You CANNOT use the command to register GROUPIB directly because GROUPIB's API does not compatible with our Custom Threat Service guide. 
    A python based framework is provided for you to create your own Custom Threat Service, 
    McAfee Threat Intelligence Exchange Threat Service for SOAR is an example that using this framework, you can probably download it and check the README and source code for reference.


    ------------------------------
    Gilbert Liao
    ------------------------------