[SIEM][CASE] IBM Resilient Connector #63377

Closed
2 tasks done
cnasikas opened this issue Apr 13, 2020 · 3 comments
Assignees
Labels
enhancement New value added to drive a business result Meta Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0

Comments

@cnasikas
Member

cnasikas commented Apr 13, 2020

Feature:

  • Create IBM Resilient Connector (Action)
  • Create IBM Resilient Connector UI form

Notes:

Fields (IBM to SIEM):

  • name -> title
  • description -> description
  • notes -> comments
  • discovered_date -> created_at

IBM Resilient REST API:

  • Base path: https://server/rest/orgs/<org_id>. Default https://app.resilientsystems.com/rest/orgs/<org_id>
  • Link to incident: https://<host>/#incidents/<incident_id>
  • Common query params: text_content_output_format=always_text&handle_format=names
  • Incident:
    • GET: /incidents - Get all incidents
    • GET: /incidents/<incident_id> - Get incident by id
    • POST: /incidents - Create incident
    • PATCH: /incidents/<incident_id> - Patch incident by id
  • Authentication:
    • Two types of authentication: a) email, password b) api_key, api_secret
    • By API key: You need to get the API handle key (principal ID for an API key) by GET https://server/rest/session (Basic auth is sufficient). Basic auth: api_key, api_secret
    • By email, password: You need to POST https://server/rest/session. Body: email, password. The response contains: csrf_token that has to be sent as X-sess-id header and a cookie (JSESSIONID).
    • A user can have access to multiple organizations
    • You can either use API key-based authentication or cookie-based authentication. You cannot send both the API key and the session id.
    • API key should be preferred.
  • Updates:
    • Server might return 409 Conflict (DB-level conflict)
    • First GET, then PUT; if there is a conflict, loop again (Ref)
    • Overwrite conflicts?
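The following is an added example, not Kibana's IBM Resilient connector nor IBM's own client code. It models the rules collected in the notes above: the base path and incident link format, the common query params, the two mutually exclusive authentication modes (Basic auth with an API key against GET /rest/session, or email/password via POST /rest/session yielding a csrf_token sent as X-sess-id plus a JSESSIONID cookie), the IBM-to-SIEM field mapping, and the GET, PATCH, retry-on-409 update loop. The host name, the `user_id` field in the session response, the `version`/`vers` shape used for conflict detection, `discovered_date` as epoch milliseconds, and the `FakeResilient` server are all assumptions constructed so the block runs offline; the transport is a small synchronous interface for the same reason.

```typescript
// Added example (not Kibana's or IBM's code). Transport is injected and synchronous so
// the block runs offline against the constructed FakeResilient below.
export interface HttpResponse { status: number; headers: Record<string, string>; body: any; }
export interface HttpClient {
  request(method: string, url: string, headers: Record<string, string>, body?: any): HttpResponse;
}

export type ResilientAuth =
  | { kind: 'apiKey'; apiKey: string; apiSecret: string }
  | { kind: 'session'; email: string; password: string };
export interface Session { headers: Record<string, string>; principalId?: number; }

export const COMMON_QUERY = 'text_content_output_format=always_text&handle_format=names';
export const basePath = (host: string, orgId: number) => `https://${host}/rest/orgs/${orgId}`;
export const incidentLink = (host: string, incidentId: number) => `https://${host}/#incidents/${incidentId}`;

// API key: Basic auth against GET /rest/session returns the principal id and the same Basic
// header is reused afterwards. Email/password: POST /rest/session returns a csrf_token (sent
// as X-sess-id) plus a JSESSIONID cookie. The two modes are never combined.
export function openSession(http: HttpClient, host: string, auth: ResilientAuth): Session {
  const url = `https://${host}/rest/session`;
  if (auth.kind === 'apiKey') {
    const headers = { Authorization: 'Basic ' + btoa(`${auth.apiKey}:${auth.apiSecret}`) };
    const res = http.request('GET', url, headers);
    if (res.status !== 200) throw new Error(`API key rejected: HTTP ${res.status}`);
    return { headers, principalId: res.body.user_id }; // response field name is an assumption
  }
  const res = http.request('POST', url, { 'Content-Type': 'application/json' },
    { email: auth.email, password: auth.password });
  if (res.status !== 200) throw new Error(`login rejected: HTTP ${res.status}`);
  const cookie = (res.headers['set-cookie'] ?? '').split(';')[0]; // keep only "JSESSIONID=..."
  if (!cookie.startsWith('JSESSIONID=') || !res.body.csrf_token) throw new Error('incomplete session');
  return { headers: { 'X-sess-id': res.body.csrf_token, Cookie: cookie } };
}

// Field mapping from the notes (IBM -> SIEM); discovered_date assumed to be epoch milliseconds.
export interface SiemCase { title: string; description: string; comments: string[]; created_at: string; }
export function toCase(inc: any): SiemCase {
  return { title: inc.name, description: inc.description, comments: inc.notes ?? [],
           created_at: new Date(inc.discovered_date).toISOString() };
}

// Update loop: GET the current version, PATCH against it, start over on 409 Conflict.
export function patchIncident(http: HttpClient, base: string, s: Session, id: number,
                              changes: Record<string, any>, maxAttempts = 3): HttpResponse {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const current = http.request('GET', `${base}/incidents/${id}?${COMMON_QUERY}`, s.headers);
    if (current.status !== 200) throw new Error(`GET failed: HTTP ${current.status}`);
    // Sending the version we read is an assumption about how the server detects stale writes.
    const res = http.request('PATCH', `${base}/incidents/${id}`, s.headers,
      { version: current.body.vers, changes });
    if (res.status !== 409) return res;
  }
  throw new Error(`gave up after ${maxAttempts} conflicting PATCH attempts`);
}

// Constructed fake server: one incident plus `conflicts` simulated concurrent writers that
// bump the version between our GET and our PATCH, producing the 409 the notes mention.
export class FakeResilient implements HttpClient {
  incident: any = { id: 7, name: 'Phishing campaign', description: 'Credential lure',
                    discovered_date: 1586736000000, notes: ['first note'], vers: 3 };
  calls: string[] = [];
  conflicts: number;
  constructor(conflicts = 1) { this.conflicts = conflicts; }
  request(method: string, url: string, headers: Record<string, string>, body?: any): HttpResponse {
    this.calls.push(`${method} ${url.replace(/^https:\/\/[^/]+/, '')}`);
    const ok = (b: any, h: Record<string, string> = {}): HttpResponse => ({ status: 200, headers: h, body: b });
    const deny = (status: number): HttpResponse => ({ status, headers: {}, body: null });
    if (url.endsWith('/rest/session') && method === 'GET') {
      return headers.Authorization?.startsWith('Basic ') ? ok({ user_id: 42 }) : deny(401);
    }
    if (url.endsWith('/rest/session') && method === 'POST') {
      return body?.password === 'secret'
        ? ok({ csrf_token: 'tok-1' }, { 'set-cookie': 'JSESSIONID=abc; Path=/' }) : deny(401);
    }
    if (method === 'GET' && /\/incidents\/7(\?|$)/.test(url)) return ok({ ...this.incident });
    if (method === 'PATCH' && url.endsWith('/incidents/7')) {
      if (this.conflicts > 0) { this.conflicts--; this.incident.vers++; }
      if (body.version !== this.incident.vers) return { status: 409, headers: {}, body: { message: 'conflict' } };
      Object.assign(this.incident, body.changes);
      this.incident.vers++;
      return ok({ ...this.incident });
    }
    return deny(404);
  }
}

// Walks through both auth modes and one conflicting update; returns a summary for checking.
export function demo() {
  const host = 'resilient.example';
  const fake = new FakeResilient(1);
  const keySession = openSession(fake, host, { kind: 'apiKey', apiKey: 'k', apiSecret: 's' });
  const pwSession = openSession(fake, host, { kind: 'session', email: 'a@b.example', password: 'secret' });
  const res = patchIncident(fake, basePath(host, 201), keySession, 7, { description: 'Updated' });
  return { keySession, pwSession, status: res.status, calls: fake.calls,
           kase: toCase(res.body), link: incidentLink(host, 7) };
}
```

`demo()` shows the retry loop costing exactly one extra GET/PATCH pair when a single concurrent write lands in between, and the session helper refusing to mix the two credential kinds by construction: a `Session` carries either the Basic header or the cookie/X-sess-id pair, never both.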
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@cnasikas cnasikas self-assigned this Apr 13, 2020
@cnasikas cnasikas added the enhancement New value added to drive a business result label Apr 14, 2020
@cnasikas
Member Author

Implemented in #66385

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)
