IBM Resilient

Getting Started with IBM Resilient SOAR Platform

The total time required to complete this roadmap is 5h 9m.

This roadmap is designed to provide an initial introduction to Resilient Incident Response Program.

Overview and install

These courses help you to understand how Resilient can be integrated into your environment and provide the tools to get started.

On-premises setup

Learn how to perform the initial configuration to start using Resilient.

User management and authentication

Learn how to configure user access.

Common use cases

Learn about typical scenarios for using Resilient.

Badges and Certifications

Official IBM badges and professional certifications related to this role that can be earned

Playbook Designer/Developer

The total time required to complete this roadmap is 9h 43m.

This roadmap instructs the designer in the features available for creating playbooks within Resilient.

Foundations of Design

These courses are about using the design components which make up a playbook in the Resilient SOAR platform.

Automation and Integrations

These courses teach you about automation of your playbooks in the Resilient SOAR platform.

Security Analyst

The total time required to complete this roadmap is 48m.

As a Security Analyst you will learn how to manage, use and respond to security events using Resilient playbooks.

Resilient Security Foundations

These courses teach you how to investigate and remediate security incidents using Resilient.

Resilient Dashboards and Reporting

These courses teach you how to create custom dashboards and reports from your incident data.

Artifacts and Threat Feeds

These courses will teach you how threat intelligence can perform automatic enrichment for artifacts.

Privacy Officer

The total time required to complete this roadmap is 37m.

As a Privacy Officer/Analyst you will learn how to configure Resilient Privacy and to manage, use and respond to privacy events in your organization.

Resilient Privacy Foundations

These courses will teach you how to manage and respond to privacy events using Resilient SOAR platform.

Tour Resilient on the Security Learning Academy

Join the IBM Security Learning Services team for an in-depth tour of the Security Learning Academy, with a focus on IBM Security Resilient SOAR course offerings. During this webinar, you will see how to navigate the platform, search the course catalog, enroll in a course, view your enrollments on your dashboard, create progress reports, and see how Security Learning Academy is integrated with IBM VIP Rewards for Security.

Contents

  • Introduction
  • Content requirements process
  • Tour the IBM Security Learning Academy home page
  • Take a deeper look at Resilient courses and course roadmaps
  • Your personal dashboard
  • Progress reports
  • Integration between the Academy and the IBM VIP Rewards for Security program


Duration: 36 minutes


Building the MITRE ATT&CK Framework into your Resilient Incident Response

The MITRE ATT&CK Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and services community.

This video provides an overview of the MITRE ATT&CK Framework, followed by a discussion of how IBM Resilient and other IBM Security products use MITRE ATT&CK, with a live demonstration and a Q&A.


Introduction to IBM Resilient SOAR

Overview

This course is designed to provide an initial introduction to Resilient SOAR platform. It will help you understand how Resilient can be integrated in your environment and provide the tools to get started. The Resilient SOAR platform provides your security team the ability to automate case management for security or privacy events and can be used to automate and document your incident response plans.

Agenda

  1. Introduction to Resilient and the Resilient SOAR User Interface
  2. How Resilient Aligns to your Organization
  3. Installing & Administering Resilient
  4. Developing Playbooks
  5. Resources and Support


Common Resilient use cases

Overview

This course covers 4 common scenarios that demonstrate how the Resilient Incident Response Platform can be used to:

  • Automate the escalation and collection of data
  • Manage a ransomware attack
  • Deal with a data breach involving an inside actor
  • Accelerate your response to phishing attacks

Closed captions: English, French, German, Spanish and Japanese

Getting started with IBM Resilient

Overview

Resilient Incident Response Platform is a central hub for incident responses that helps make incident response efficient and compliant. The platform is based on a knowledge base of incident response best practices, industry standard frameworks, and regulatory requirements.

The Resilient platform implements incident responses through the use of dynamic playbooks. A dynamic playbook is the set of rules, conditions, business logic, workflows and tasks used to respond to an incident. The Resilient platform updates the response automatically as the incident progresses and is modified.

In this course, you learn the basic Resilient concepts and platform architecture, and review a demonstration of the installation process.

Objectives

  • Learn the value of IBM Resilient
  • Review the introduction video to the IBM Resilient platform
  • Learn the IBM Resilient Platform architecture
  • Learn about necessary prerequisites
  • Review the installation process
  • Describe the value of dynamic playbooks

Closed captions: English, French, German, Spanish and Japanese

Initial configuration of the IBM Resilient appliance

Overview

This course contains 6 videos that cover various topics important to understand when installing and configuring the IBM Resilient Appliance.



Agenda
  • Configuring SSL/TLS certificates
  • Importing the Resilient License Key
  • Updating the Resilient Appliance Software
  • Installing optional packages
  • Setting the time zone
  • SMTP Email configuration

Closed captions: English, French, German, Spanish and Japanese

Introduction to Resilient

Overview

This course is designed to provide an initial introduction to Resilient Incident Response Program. It will help you understand how Resilient can be integrated in your environment and provide the tools to get started.



Agenda

  1. Introduction to Resilient
  2. How Resilient Aligns to your Organization
  3. Installing & Administering Resilient
  4. Developing Playbooks
  5. Resources and Support

Managing GDPR Data Breach Notification Requirements with the Resilient Incident Response Platform

Overview

The Resilient Incident Response Platform has been updated to incorporate the new data breach notification requirements of the EU General Data Protection Regulation (GDPR). This video demonstrates these enhancements by walking through how notifications would be handled during a ransomware attack at a hospital where personal data was exposed.

Closed captions: English, French, German, Spanish and Japanese

Managing logs in the IBM Resilient appliance

Overview

This course demonstrates how to manage logs in the IBM Resilient appliance. This includes how to configure logging, audit logging and syslog.




Agenda

  1. Log configuration
  2. Configuring audit logs
  3. Configuring syslog

Duration: 8 minutes

Closed captions: English, French, German, Spanish and Japanese

Managing users and groups in Resilient

Overview

This course covers aspects of managing users and groups in IBM Resilient such as creating users using the Resilient user-interface or by using terminal commands and how to reassign incidents and tasks to a different user.



Agenda

  1. Creating a user using the UI
  2. Creating a user using terminal commands
  3. Reassigning incidents and tasks
  4. Enabling LDAP authentication
  5. Enabling LDAP users in groups and deleting LDAP users

Closed captions: English, French, German, Spanish and Japanese

Publishing to the App Exchange

In the fourth and final session of the Resilient Developer's Corner series, learn how to publish your integration to the App Exchange. This talk will walk through the steps to complete your integration and submit it for publication on the App Exchange. It will include how to follow the validation process and what steps to take to ensure successful validation.

Join Mark Scherfling, Resilient Engineering Manager, for this technical webinar and an in-depth look at the inner-workings of the Resilient SOAR Platform and integrations.

Agenda

  • Introduction
  • Why publish?
  • Requirements checklist
  • Files to change
  • Additional tools
  • Submission prep
  • Submission demonstration
  • Validation process
  • References


Duration: 26 minutes


Resilient Data Feeder Integration

Learn about the newest integration and how it can be leveraged in your environment. Utilize data in Resilient the way you want to by leveraging the newly released Data Feeder extension. This extension allows you to maintain “replica” data of a Resilient system for the purposes of reporting. It also allows enhanced accessibility of your data by allowing you to run business intelligence (BI) queries from other tools.

Join Ray Suarez, Product Manager for Resilient, in this month’s update to learn about one of our newest integrations.

Agenda

  • Introduction
  • The need for SOAR data
  • Resilient & Data Feeder Integration
  • Resilient Data Storage Overview
  • app.config Configuration File
  • Specify Incident Range
  • A Tour of the App Exchange
  • Resilient Actions Demonstration
  • Review of the Resilient integrations
  • Questions and answers

Duration: 19 minutes

Resilient Developer's Corner - Integration First Steps

This is the first session of the multi-part Resilient Developer's Corner series. As additional parts are published, links will be added to the Quick references section below.

Learn how to start writing an integration and how to use the template files auto-generated from Resilient functions.

Agenda

  • Introduction
    • Future recordings in this series
    • Requirements
  • Integration Taxonomy
  • Integration Environment
  • Demonstration using Resilient Console
    • Customization settings
      • Message Destinations
      • Functions
      • Rules
    • Using codegen to automate the generation of Python integration code
    • Detailed example of building out an integration in Python

Duration: 30 minutes


Resilient Developer's Corner: Rules and Workflows

In the second session of the Resilient Developer's Corner series, learn about the best ways to define and include your integration's Rules and Workflows in your integration package.


Agenda

  • Rules
    • Activity Fields
    • Conditions
  • Workflows
    • Properties
    • Branching
  • Workflow Status
  • Action Status


Duration: 26 minutes


Resilient Intelligent Orchestration

Resilient Intelligent Orchestration was originally presented as a series of 4 Developer's Corner web seminars in the fall of 2019. This course covers the following:

Objectives:
  • Learn how to start writing an integration and how to use the template files auto-generated from Resilient functions.
  • Learn about the best ways to define and include your integration's Rules and Workflows in your integration package.
  • Learn how to use the resilient-lib Python library, which contains convenient functions for common integration development requirements, to speed up integration development.
  • Learn how to publish your integration to the App Exchange, complete your integration, and submit it for publication on the App Exchange.
  • Learn how to follow the validation process and what steps to take to ensure successful validation.

Agenda

  1. Resilient Integration First Steps (30 min)
  2. Rules and Workflows (26 min)
  3. Speed Integration Development with resilient-lib (18 min)
  4. Publishing to the App Exchange (26 min)

Resilient Metrics Systems Administration

In this course, you learn how to use the Resilient platform to track time that is spent on incident field values and you see examples of graphing incidents over time.

The tutorial shows you how to configure the Resilient platform to track time changes to incident field values.

You can configure the Resilient platform to track time for incident fields for select and boolean field types, for both custom and default fields. This enables you to track the time you take to perform various tasks, activities, and processes when you respond to an incident.


Agenda

  • Tracking time spent on incident field values
  • Creating custom graphs in the Resilient application
  • Tutorial: Time tracking incident field states
    • Step 1: Edit Incident field
    • Step 2: Tracking a custom field
    • Step 3: Adding time tracking data to a custom tab
    • Step 4: Creating a time tracking custom graph

Resilient Rules and Workflows

This video demonstrates when and how to use rules and workflows configuration objects in Resilient to implement dynamic incident response playbooks.

Agenda

  • Introduction
  • When to use rules
  • When to use workflows
  • Summary

Duration: 11 minutes

Resilient security

Overview

This course reviews key issues in managing security in IBM Resilient. Topics cover a broad range of issues such as how to defang a URL, change ciphers and protocols, how to work with keyvaults, keystores and secrets as well as how to encrypt and backup the keyvault password.

Agenda

  1. Defanging URLs
    • This video demonstrates how to "defang" your URLs in IBM Resilient to help ensure users do not inadvertently click on malicious links.
  2. Changing Ciphers and Protocols in IBM Resilient
    • This video demonstrates how to change the ciphers and protocols in IBM Resilient. There is a review of which ciphers and protocols are used by default using the nmap application, followed by a demonstration of which files need to be edited in order to adjust the ciphers and protocols being used.
  3. Keyvaults, Keystores and Secrets
    • This video discusses keyvaults, keystores and secrets within IBM Resilient.
  4. Encrypting the keyvault password
    • This video describes how to encrypt a keyvault password in IBM Resilient. The keyvault password is stored as an unencrypted file by default but can be encrypted using gpg to protect it and decrypted whenever needed.
  5. Backing up the keyvault
    • The keyvault stores all passwords used within IBM Resilient. If the keyvault were lost, it would result in a considerable loss of data. For that reason, the Resilient platform runs a backup of keyvault files to the system database any time passwords are added or removed and after each system upgrade. This video shows how to use the resutil keyvaultrestore command to restore keyvault files from the system database.

Duration: 19 minutes

Closed captions: English, French, German, Spanish and Japanese


Scale and Improve Automation in Resilient

This video demonstrates how Resilient Task Helper Functions can help clean and consolidate notes to improve visibility into completed tasks and ultimately cut down the time to respond for your security team.

Agenda

  • Introduction
  • Cleaning up your results
  • Live Demonstration
    • Automation
    • Workflows & Artifacts
    • Phases and Tasks
    • Attachments
    • Task Helper Functions
    • Workflow execution at the task level
  • Q&A

Duration: 29 minutes


Setting up alternative authentication mechanisms in the IBM Resilient appliance

Overview

This course covers several alternative mechanisms for authenticating users in the IBM Resilient product, including LDAP, SAML and two-factor authentication.

Agenda

  1. LDAP authentication
  2. SAML authentication configuration
  3. Two-factor authentication

Duration: 22 minutes

Closed captions: English, French, German, Spanish and Japanese

Customize Your Framework to Comply with a Federal Trade Commission Consent Order

The Federal Trade Commission (FTC) is the primary federal data security regulator in the US. The FTC has brought numerous data security enforcement actions under Section 5 of the FTC Act for unfair or deceptive trade practices.

The FTC typically enters into a consent decree with violating organizations, rather than litigating data breach cases. The FTC may seek redress in the form of civil penalties in some data breach enforcement actions. When recovering a civil penalty, the FTC must file suit in federal court. Generally, the FTC will negotiate the terms of a stipulated judgment with the violating organization prior to filing suit and then concurrently file its civil complaint and stipulated judgment. In recent consent decrees, the FTC has negotiated language requiring the violating organization to report any notifiable data breaches and submit compliance reports with specific criteria to the FTC.

In this course, you will learn how to use Resilient’s customization features to develop a framework to comply with the data breach notification requirements of an FTC consent decree.

Agenda

  • Federal Trade Commission (FTC): An Overview
  • FTC Enforcement Actions
  • Obligations to Report Covered Incidents to the FTC
  • Using Resilient

Working with Resilient roles

Overview

This course explains roles in the IBM Resilient product. A role is a specific set of permissions, which you can assign to users and groups. The Roles tab allows you to define and manage roles. You can assign multiple roles to a user, which gives the user a superset of all the permissions in the roles. The course demonstrates how to create and delete roles, describes the difference between global and workspace roles, identifies which roles are predefined, and explains how Resilient uses role categories.

Working with Resilient workspaces

Overview

This course teaches how the IBM Resilient product uses workspaces. The course covers key workspace concepts, how to create them and how to delete them.

Agenda

  1. Workspace key concepts
  2. Create workspace
  3. Delete workspace

Duration: 7 minutes

Closed captions: English, French, German, Spanish and Japanese

Guardium and Resilient integration: Email Connector

Overview

In this video, you will see how to set up IBM Guardium email alerts in an IBM Resilient incident response workflow using the Resilient Email Connector.