IBM Resilient

Getting Started with IBM Resilient SOAR Platform

The total time required to complete this roadmap is 5h 9m.

This roadmap is designed to provide an initial introduction to Resilient Incident Response Program.

Overview and install

These courses help you to understand how Resilient can be integrated into your environment and provide the tools to get started.

On-premises setup

Learn how to perform the initial configuration to start using Resilient.

User management and authentication

Learn how to configure user access.

Common use cases

Learn about typical scenarios for using Resilient.

Badges and Certifications

Official IBM badges and professional certifications related to this role that can be earned.

Playbook Designer/Developer

The total time required to complete this roadmap is 9h 28m.

This roadmap instructs the designer in the features available for creating playbooks within Resilient.

Foundations of Design

These courses are about using the design components which make up a playbook in the Resilient SOAR platform.

Automation and Integrations

These courses teach you about automation of your playbooks in the Resilient SOAR platform.

Security Analyst

The total time required to complete this roadmap is 48m.

As a Security Analyst you will learn how to manage, use and respond to security events using Resilient playbooks.

Resilient Security Foundations

These courses teach you how to investigate and remediate security incidents using Resilient.

Resilient Dashboards and Reporting

These courses teach you how to create custom dashboards and reports from your incident data.

Artifacts and Threat Feeds

These courses will teach you how threat intelligence can perform automatic enrichment for artifacts.

Privacy Officer

The total time required to complete this roadmap is 37m.

As a Privacy Officer/Analyst you will learn how to configure Resilient Privacy and to manage, use and respond to privacy events in your organization.

Resilient Privacy Foundations

These courses will teach you how to manage and respond to privacy events using the Resilient SOAR platform.

Configuring automatic processing of inbound email in Resilient

Overview

You can configure the IBM Security Resilient platform to create new incidents or update existing incidents from incoming email.
In this course, you learn how to configure the Resilient platform to connect to an email inbox and create a rule that processes email messages by using a template with a Python script. As a result of the script, an incident is created with artifacts extracted from the email messages (such as IPs and URLs), and an email notification is sent to the incident owner.


Objectives

  • Observe automated email parsing in action
  • Configure an inbound email connection
  • Customize a sample email script
  • Create a rule to trigger the script
  • Test the email processing

Resilient App Host installation

An IBM Security Resilient App Host is a Kubernetes-based container deployment environment that hosts Resilient app containers. An App Host is paired to only one Resilient organization; however, a single Resilient organization can be paired to multiple App Hosts to help organize apps or access different network zones.
This lab walks you through an App Host installation.


IBM Resilient SOAR and IBM QRadar integration

This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The IBM QRadar SIEM solution helps you monitor and detect security threats. Based on the QRadar correlation rule engine (CRE), the product can generate offenses that require the attention of a security analyst.

Then, to conduct a more comprehensive investigation, you can bring offenses to the Resilient platform as incidents to take advantage of the Resilient playbooks and, if needed, make corrections in QRadar. Also, the integration keeps notes that are related to offenses and incidents in sync on both products, including the closing of offenses and incidents.

Thus, the integration is bidirectional, and according to the previous diagram, it has two components:
  • The IBM Resilient QRadar Integration app
    The app is installed on QRadar. It is responsible for sending the offense, offense details, owner, and artifacts to Resilient, as well as synchronizing notes and synchronizing closure of the incident or the offense on both platforms.
  • The QRadar Functions for Resilient app
    The app is installed on the Resilient App Host. It can run searches of QRadar data by using the QRadar Ariel Query Language (AQL) and make API calls to update the QRadar configuration, such as manipulating the data in QRadar reference sets.

Some of the topics covered in the lab are:

  • Install QRadar app for Resilient
  • Configure QRadar app for Resilient
  • Customize the Resilient configuration
  • Customize the Jinja templates
  • Configure Custom Actions and synchronization
  • Install QRadar functions for Resilient
  • Create table with artifacts by using the QRadar functions
  • Create action to search QRadar for file hashes from a log source
  • Test the apps integration and customization using the QRadar offenses

Inbound Mail Parsing and Configuration of Outbound Email for Resilient

IBM Security Resilient can help you automate and improve your response to Security and Privacy events by improving your overall time to response, detection, and remediation. This lab guide is designed to introduce you to the process of writing your own inbound email parsing scripts to automate the generation of Incidents, and to install and customize the Outbound Email Function for IBM Resilient SOAR Platform. The exercises in this lab demonstrate how you can store all the correspondence in the Notes section of an Incident to generate a trackable and auditable record of the investigation.
To generate an incident from an email message, first set up a connection to a mailbox, then create a simple script, which parses the email into an incident, assigns a title, and adds some additional information. Finally, create a rule, which reads the inbox that you configured and runs the script automatically.

Calling Red Hat Ansible Playbooks within IBM Resilient SOAR Workflows Workshop [2906]

In this lab, as featured in the 2020 Think Digital Event Experience, you will learn how to create an Ansible Playbook as well as a Resilient Workflow that runs your Ansible Playbook within the IBM Resilient SOAR ecosystem.