IBM Resilient
App Vendor: IBM
App Category: IT Services
Connector Version: 1.0.0
API Version: 47.0.8308
About App
The IBM Resilient SOAR platform provides your security team the ability to automate case management for security or privacy events and can be used to automate and document your incident response plans.
The IBM Resilient app is configured with Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Add Notes | This action adds notes to an incident. |
Close Incident | This action closes the incident. |
Create Artifact | This action creates an artifact. |
Create Incident | This action creates an incident. |
Create Incident Artifact | This action creates artifacts related to an incident. |
Fetch Related Incidents | This action fetches related incidents. |
Generic Action | This is a generic action to perform any additional use case that you want on IBM Resilient. |
Get Action Orders | This action gets orders of action. |
Get All API Keys | This action gets all API keys. |
Get All Attachments | This action gets all attachments. |
Get All Groups | This action gets all groups. |
Get All Inbound Mailboxes | This action gets all inbound mailboxes. |
Get Artifact Types | This action gets artifact types. |
Get Org Configs | This action gets configurations from an organization. |
Get Server Constants | This action retrieves various constants of the server. |
Get Simulations | This action retrieves simulations. |
Query Artifacts | This action queries artifacts. |
Query Incidents | This action queries incidents. |
Query Users | This action queries users. |
Update Incident | This action updates an incident. |
Update Incident Member | This action updates the incident member. |
Configuration Parameters
The following configuration parameters are required for the IBM Resilient app to communicate with the IBM Resilient enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the base URL to authenticate with IBM Resilient. | Text | Required | |
Organization ID | Enter the organization ID to authenticate with IBM resilient. | Integer | Required | |
API Key ID | Enter the API key ID to authenticate with IBM Resilient. | Text | Required | |
API Key Secret | Enter the API key secret to authenticate with IBM Resilient. | Password | Required | |
Verify | Choose your preference to verify SSL while making the request. It is recommended to set this option to yes. If no is passed, it may result in an incorrect establishment of the connection, potentially causing it to become broken. | Boolean | Optional | Allowed values:
|
Action: Add Notes
This action adds notes to an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the ID of the incident to add the note. Example: 1102 | Integer | Required | You can retrieve this ID using the action Query Incidents. |
Comment | Enter the comment to add to the incident. Example: "This incident is malicious" | Text | Required | |
Format | Enter the format of the comment. Example: "text" | Text | Optional | Allowed values:
|
Example Request
[
{
"inc_id": "2194",
"comment": "This incident is malicious."
}
]Action: Close Incident
This action closes the incident
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the incident ID to close the incident. Example: 2196 | Integer | Required | You can retrieve this ID using the action Query Incidents. |
Resolution | Enter the reason for closing the incident. Example:
| Text | Optional | |
Summary | Enter the resolution summary. Example: "This is a false positive" | Text | Optional |
Example Request
[
{
"inc_id": 2196,
"summary": "This is a false positive",
"resolution": "Unresolved"
}
]Action: Create Artifact
This action creates an artifact.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Artifact Type | Enter the type of artifact to create. Example: "Email attachment name" | Text | Required | Allowed values:
|
Value | Enter the value of the artifact to create. Example: "SampleAttachment" | Text | Required | |
Threat scan | Choose to scan the artifact for threats. Example: "on" | Text | Optional | Allowed values:
|
Relate to Incident | Choose whether to relate the artifact to the incident. Example: true | Boolean | Optional | Allowed values:
|
Description | Provide the description of the artifact to create. Example: "This is a test artifact" | Text | Optional | |
Tags | Enter the list of tags to create an artifact. Example: $LIST['tag1', 'tag2'] | List | Optional |
Example Request
[
{
"type": "Email Attachment Name",
"value": "SampleAttachment",
"threat_scan": "on"
}
]Action: Create Incident
This action creates an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident Name | Enter the name of the incident to create. Example: "phishing incident" | Text | Required | |
Discovered Date | Enter the date when the incident was discovered. The default value is the current date. | Text | Optional | |
Description | Enter the description of the incident to create. Example: "This is a phishing incident" | Text | Optional | |
Confirmed | Choose if the incident disposition must be confirmed or not. Example: false | Boolean | Optional | Allowed values:
|
Nist Attack Vectors | Enter the Nist 800-61 attack vectors. Example. $list[3, 5] | List | Optional | Use the action Get Server Constants for nist_attack_vectors IDs. |
Incident Type IDs | Enter the list of incident type IDs to associate with the incident. | List | Optional | |
Return Full Data | Choose to return full data. Example: true | Boolean | Optional | Allowed values:
|
Severity Code | Set the severity of the incident. Example: low | Text | Optional | Allowed values:
Default value:
|
Phase ID | Enter the phase the incident is currently in. Example: 1000 | Integer | Optional | Allowed values:
|
Tasks | Choose to include DTO tasks. Example: true | Boolean | Optional | Allowed values:
|
Extra Params | Specify any extra parameters to be passed. Example: {'handle_format': 'names'} | Key Value | Optional |
Example Request
[
{
"tasks": true,
"phase_id": 1000,
"confirmed": false,
"description": "This is a test incident",
"incident_name": "Final Test (Resilient1)",
"severity_code": "High",
"discovered_date": "now",
"nist_attack_vectors":[3,5]
}
]Action: Create Incident Artifact
This action creates an artifact related to an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the ID of the incident to create the artifact. Example: 1102 | Integer | Required | |
Artifact Type | Enter the type of artifact to create. Example: "URL" | Text | Required | |
Artifact value | Enter the value of the artifact to create. Example: "www.google.com" | Text | Required | |
Description | Enter the description of the artifact to create. Example: "This is a test artifact" | Text | Optional |
Example Request
[
{
"type": "URL",
"value": "www.google.com",
"inc_id": 1102
}
]Action: Generic Action
This is a generic action to perform any additional use case you want on IBM Resilient.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Endpoint | Enter the endpoint to perform a generic action. Example: "/incidents/1102/comments" | Text | Optional | |
Query params | Specify the query parameters to use. Example: {'text': 'this is a test comment'} | Key Value | Optional | |
Payload JSON | Enter the payload in JSON format. Example: {'text': 'this is a test comment'} | Key Value | Optional | |
Method | Enter the HTTP method to use for the request. Example: "POST" | Text | Optional | Allowed values:
|
Example Request
[
{
"endpoint": "/incidents/1102/comments",
"method": "GET",
"query_params":[
{
"offset":0,
"limit":10
}
]
}
]Action: Get Action Orders
This action retrieves the list of action orders
Action Input Parameters
This action does not require any input parameters.
Action: Get All API Keys
This action retrieves all the API keys.
Action Input Parameters
This action does not require any input parameters.
<div></div>Action: Get All Attachments
This action retrieves all attachments.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the ID of the incident to get attachments for. Example: 1102 | Text | Required |
Example Request
[
{
"inc_id": "1102"
}
]Action: Get All Groups
This action retrieves all groups.
Action Input Parameters
This action does not require any input parameters.
Action: Get All Inbound Mailboxes
This action gets all inbound mailboxes.
Action Input Parameters
This action does not require any input parameter.
Action: Get Artifact Types
This action retrieves artifact types.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Include Deleted Artifact Types | Choose whether to include deleted artifact types in the response. Example: true | Boolean | Optional | Allowed values:
|
Example Request
[
{
"want_deleted": false
}
]Action: Get Org Configs
This action retrieves configurations from an organization.
Action Input Parameters
This action does not require any input parameter.
Action: Get Server Constants
This action retrieves various constants of the server. Example: crimestatus id, nist attack vectors id
Action Input Parameters
This action does not require any input parameter.
Action: Get Simulations
This action gets simulations.
Action Input Parameters
This action does not require any input parameter.
Action: Query Artifacts
This action queries artifacts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filter | Enter the filters to use for the query. Example: [{'field_name': 'type', 'method': 'equals', 'value': 'file'}] | List | Optional | |
Sort | Enter the sort order to use for the query. Example: [{'field_name': 'type', 'type': 'asc'}] | List | Optional | |
Start | Enter the start index of the returned records. Example: 0 | Integer | Optional | |
Length | Enter the number of records to return. Example: 10 | Text | Optional | |
Total records | Enter the total number of records to return. Example: 100 | Integer | Optional | |
Related incident count | Choose whether to include the number of related incidents in the response. Example: true | Boolean | Optional | |
Extra params | Enter any extra parameters to be passed to the API. Example: {'param1': 'value1', 'param2': 'value2'} | Key Value | Optional |
Example Request
[
{
"start": "0",
"length": "10",
"related_incident_count": true
}
]Action: Query Incidents
This action queries the incidents.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filters | Enter the filters to apply to the query. Example: [incident.name=phishing incident] | List | Optional | |
Sorts | Enter the sorts to apply to the query. Example: [incident.name=asc] | List | Optional | |
Extra params | Enter additional parameters to use for the query. Example: {'handle_format': 'names'} | Key Value | Optional |
Example Request
[
{
"query": {'handle_format': 'names'}
}
}
]Action: Query Users
This action queries users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filter | Enter the filter to use for the query. Example: firstname:john | Text | Optional | |
Sort | Enter the sort order to use for the query. Example: firstname:asc | Text | Optional | |
Start | Enter the start index of the returned records. Example: 0 | Integer | Optional | |
Length | Enter the number of records to return. Example: 10 | Text | Optional | |
Return level | Enter the level of detail to return in the response. Example:partial | Text | Optional | Allowed values:
|
Extra params | Enter any extra parameters to be passed to the API. Example: {'param1': 'value1', 'param2': 'value2'} | Key Value | Optional |
Example Request
[
{
"filter": "firstname:john",
"return_level": "partial"
}
]Action: Update Incident
This action updates an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the ID of the incident to update. Example: 1102 | Integer | Required | |
Current incident name | Enter the current name of the incident to update. Example: incident 1 | Text | Required | |
New incident name | Enter the new name of the incident to update. Example: incident 2 | Text | Required | |
Current severity code | Enter the current severity code of the incident to update. Example: 5 | Integer | Required | Allowed values:
|
New severity code | Enter the new severity code of the incident to update. Example: 6 | Integer | Required | Allowed values:
|
Extra params | Enter any extra parameters to be passed to the API. Example: {'description': 'this is a test incident'} | Key Value | Optional |
Example Request
[
{
"inc_id": "2193",
"new_incident_name": "Update_Incident",
"new_severity_code": "5",
"current_incident_name": "TestIncident1",
"current_severity_code": "6"
}
]Action: Update Incident Member
This action updates the incident member.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the ID of the incident to update. Example: 1102 | Integer | Required | |
Member type | Enter the type of member to add to the incident. | Text | Optional | |
Member ID | Enter the ID of the member to add to the incident. Example: 2 | Integer | Optional | |
Incident version | Enter the version of the incident to update. Example: 18 | Integer | Required |
Example Request
[
{
"inc_id": "2191",
"member_type": "user",
"incident_version": "18"
}
]