About IBM Security SOAR
IBM Security SOAR, formerly Resilient, is designed to help security teams respond to cyberthreats with confidence, automate with intelligence and collaborate with consistency. It guides your team in resolving incidents by codifying established incident response processes into dynamic playbooks. The open and agnostic platform helps accelerate and orchestrate your team's response by automating actions with intelligence and integrating with other security tools.
Functions, Workflows and Rules
Clients can create custom workflows that key off Recorded Future data to either take a specific action or progress the workflow to the next step. When you import the Recorded Future for IBM Security SOAR app, you will see two example workflows.
Recorded Future workflow 1: Transforms the enrichment data and puts it in the description field of the artifact.
Recorded Future workflow 2: Creates a Note in the incident containing the Risk Score and Intelligence Card URL if the Risk Score is >= 50.
Each workflow is part of a sample rule that comes with the Recorded Future for IBM Security SOAR package:
Recorded Future Check is the automatic rule and triggers every time an artifact is created. It uses workflow 2 under the hood.
Recorded_Future_Lookup is the manual rule and can be run from the options menu on the artifacts page. It uses workflow 1 under the hood.
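The following is an added example, not code from the Recorded Future for IBM Security SOAR app: it models the post-processing logic behind the two sample workflows on a constructed enrichment payload, so the ">= 50" gate and the case where Recorded Future returns no score for an artifact can be exercised offline. The payload field names (risk_score, intel_card_url, evidence), the sample values, and the IncidentStub standing in for the SOAR `incident` script object are all assumptions for illustration.

```python
# Added example (not the Recorded Future app's own code): a stand-alone model of
# workflow 1 (fill the artifact description) and workflow 2 (add a Note when the
# risk score is >= 50). Enrichment field names and IncidentStub are assumptions.
from typing import Optional

RISK_THRESHOLD = 50  # workflow 2 adds a Note only at or above this score


class IncidentStub:
    """Minimal stand-in for the SOAR `incident` script object; records notes."""

    def __init__(self, incident_id: int) -> None:
        self.id = incident_id
        self.notes: list[str] = []

    def addNote(self, text: str) -> None:  # same method name as the SOAR script API
        self.notes.append(text)


def build_description(artifact_type: str, value: str, enrichment: dict) -> str:
    """Workflow 1: flatten the enrichment into text for the artifact description."""
    score = enrichment.get("risk_score")
    lines = [f"Recorded Future enrichment for {artifact_type} {value}"]
    lines.append(f"Risk score: {score if score is not None else 'not scored'}")
    for rule in enrichment.get("evidence", []):
        lines.append(f"- {rule['rule']} ({rule['criticality']})")
    return "\n".join(lines)


def build_risk_note(value: str, enrichment: dict) -> Optional[str]:
    """Workflow 2: return the Note text if the score reaches the threshold, else None.

    An artifact unknown to Recorded Future carries no score. Treat a missing
    score as below threshold rather than as 0, so it never raises a Note and
    never crashes the workflow on a KeyError.
    """
    score = enrichment.get("risk_score")
    if score is None or score < RISK_THRESHOLD:
        return None
    return (f"Recorded Future risk score {score} for {value}\n"
            f"Intelligence Card: {enrichment['intel_card_url']}")


def run_automatic_rule(artifact: dict, enrichment: dict, incident: IncidentStub) -> bool:
    """Model of the automatic rule: runs per new artifact and invokes workflow 2."""
    note = build_risk_note(artifact["value"], enrichment)
    if note is None:
        return False
    incident.addNote(note)
    return True


# Constructed sample enrichment results keyed by artifact value (not real data).
SAMPLE_ENRICHMENT = {
    "198.51.100.23": {
        "risk_score": 72,
        "intel_card_url": "https://app.recordedfuture.com/live/sc/entity/ip%3A198.51.100.23",
        "evidence": [{"rule": "Recent C&C Server", "criticality": "Malicious"}],
    },
    "203.0.113.9": {
        "risk_score": 20,
        "intel_card_url": "https://app.recordedfuture.com/live/sc/entity/ip%3A203.0.113.9",
        "evidence": [],
    },
    "example.org": {"evidence": []},  # no score: not known to Recorded Future
}


if __name__ == "__main__":
    inc = IncidentStub(2001)
    for value, data in SAMPLE_ENRICHMENT.items():
        artifact = {"type": "IP Address" if value[0].isdigit() else "DNS Name", "value": value}
        print(build_description(artifact["type"], value, data))
        print("note added:", run_automatic_rule(artifact, data, inc))
    print(f"{len(inc.notes)} note(s) on incident {inc.id}")
```

Running the script adds exactly one Note (for the 72-score IP); the 20-score IP and the unscored domain only get a description. If you adapt this to a real SOAR script, keep the `None` check: a scored-below-threshold artifact and an unscored artifact must both fall through silently.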
Artifact Enrichment
You can configure your deployment of IBM Security SOAR to either automatically or manually enrich Artifacts added to Incidents with threat intelligence context from Recorded Future. When an incident responder captures an artifact in IBM Security SOAR, the integration automates a request to Recorded Future for the current threat intelligence enrichment. The enrichment lookup happens as a background task, and the artifact is flagged to the incident responder in IBM Security SOAR when the enrichment is available.
The enriched artifact types are:
- DNS Name
- Threat CVE ID
- MD5 Hash, SHA1 Hash, SHA256 Hash
- URL
- IP Address
Example: creating an IP artifact
Example: Manually enrich artifacts attached to an incident
Example: Hover-over Enrichment details for an enriched artifact
Example: Click through full enrichment for an artifact attached to an incident
Installation
Installation and usage instructions can be downloaded directly from the IBM App Exchange.
Other Resources