Resilient

In the Resilient track at Virtual Master Skills University, you'll take a technical deep dive into advanced features, processes, and workflows that you might not be taking advantage of today. On Day 1, you'll take a deep dive into the new App Host and hear more about what's new and coming soon, including compatibility with Cloud Pak for Security. On Day 2, you'll focus on best practices for using Resilient day-to-day, including playbook and workflow design best practices and installing and configuring integrations for different use cases. And on Day 3, you'll learn tips and tricks for problem solving with Resilient, including metrics and reporting and performing health checks on your environment. Plus, you'll get hands-on with virtual labs each day to practice what you've learned.


Master Skills University 2020 - Resilient

The total time required to complete this roadmap is 23h 4m.

Welcome to Virtual Master Skills University 2020! This is IBM Security's very first virtual Master Skills event, and we're thrilled that you've chosen to spend part of your week with us. Each day, you'll experience advanced-level knowledge transfer from our top subject matter experts, get hands-on with self-paced virtual labs, and have opportunities to chat live with our experts. Here on Security Learning Academy, you'll find replays of the live Master Skills University sessions, all of the hands-on virtual Master Skills University labs, a virtual Escape Room game, additional relevant courses to help you continue your learning, and more.

To join the live sessions each day, use the “Attendee Catalog” link in your event confirmation and reminder emails. Recordings of the live sessions will be posted here on Security Learning Academy as they become available. You cannot access the live sessions from Security Learning Academy.


Day 1: Monday, Sept 21, 2020


Day 2: Tuesday, Sept 22, 2020


Day 3: Wednesday, Sept 23, 2020


Day 4: Thursday, Sept 24, 2020 (Cloud Pak for Security)


Additional Learning


Inbound Mail Parsing and Configuration of Outbound Email for Resilient

IBM Security Resilient can help you automate and improve your response to security and privacy events by shortening your overall time to detection, response, and remediation. This lab guide is designed to introduce you to the process of writing your own inbound email parsing scripts to automate the generation of Incidents, and to install and customize the Outbound Email Function for the IBM Resilient SOAR Platform. The exercises in this lab demonstrate how you can store all of the correspondence in the Notes section of an Incident to generate a trackable and auditable record of the investigation.
To generate an incident from an email message, first set up a connection to a mailbox, then create a simple script that parses the email into an incident, assigns a title, and adds some additional information. Finally, create a rule that reads the inbox you configured and runs the script automatically.



Resilient App Host installation

An IBM Security Resilient App Host is a Kubernetes-based container deployment environment that hosts Resilient app containers. An App Host is paired to only one Resilient organization; however, a single Resilient organization can be paired to multiple App Hosts to help organize apps or access different network zones.
This lab walks you through an App Host installation.


IBM Resilient SOAR and IBM QRadar integration

This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The IBM QRadar SIEM solution helps you monitor and detect security threats. Based on the QRadar correlation rule engine (CRE), the product can generate offenses that require the attention of a security analyst.

Then, to conduct a more comprehensive investigation, you can bring offenses to the Resilient platform as incidents to take advantage of the Resilient playbooks and, if needed, make corrections in QRadar. Also, the integration keeps notes that are related to offenses and incidents in sync on both products, including the closing of offenses and incidents.

Thus, the integration is bidirectional, and as the previous diagram shows, it has two components:
  • The IBM Resilient QRadar Integration app
    This app is installed on QRadar. It is responsible for sending the offense, offense details, owner, and artifacts to Resilient, as well as for synchronizing notes and the closure of the incident or the offense on both platforms.
  • The QRadar Functions for Resilient app
    This app is installed on the Resilient App Host. It can run searches of QRadar data by using QRadar Ariel Query Language (AQL), and it can make QRadar API calls to update the QRadar configuration, for example to manipulate data in QRadar reference sets.

Some of the topics covered in the lab are:

  • Install the QRadar app for Resilient
  • Configure the QRadar app for Resilient
  • Customize the Resilient configuration
  • Customize the Jinja templates
  • Configure Custom Actions and synchronization
  • Install the QRadar functions for Resilient
  • Create a table of artifacts by using the QRadar functions
  • Create an action to search QRadar for file hashes from a log source
  • Test the app integration and customization using QRadar offenses