Applies to: Incydr Professional, Enterprise, Horizon, and Gov F2; Incydr Basic, Advanced, and Gov F1. Does not apply to: Instructor.

Code42 for IBM Resilient

Overview

This article explains how to install and use Code42 for Resilient. IBM Resilient is a security orchestration, automation, and response (SOAR) solution for automating tasks, coordinating workflows, and enabling incident response. Code42 for Resilient adds Code42-specific functions, rules, and workflows to extend the capabilities of your IBM Resilient environment. This article provides instructions for installing, uninstalling, and upgrading, as well as common use cases.

For details on the Code42-specific functions, rules, and workflows, see Code42 for IBM Resilient customization settings.

Requirements

  • To use Code42 for Resilient, you must have:
    • An existing IBM Resilient environment version 32.0.4502 or later. For directions about how to install and configure an IBM Resilient environment, see IBM Resilient documentation.
    • Python version 2.7 or later.
  • The system used to run IBM Resilient must have network access to the Code42 cloud on HTTPS. Non-secure HTTP access to the Code42 cloud is not supported.
  • Some functions in Code42 for Resilient require a Code42 product plan that includes File Metadata Collection. Contact your Customer Success Manager (CSM) for assistance with licensing.

Where to go for help

Code42 Customer Champions can provide support for Code42 for Resilient. However, Code42 can't provide technical support for IBM Resilient itself. Contact IBM support for help with IBM Resilient.

Before you begin

  • Prepare a user account in your Code42 environment for configuring Code42 for Resilient. This user account is used to authenticate and access data in your Code42 environment.
    • Permissions: Code42 for Resilient returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. Assign the roles described in our use case for managing a security application integrated with Code42. After assigning roles, test to confirm that the user can access the right data and nothing more.
    • Licensing: As a best practice, create a user in your Code42 environment that is used exclusively to configure Code42 for Resilient. Users without a Code42 agent archive do not consume a license.
  • Review sections 1-4 of the IBM Resilient Incident Response Platform Function Developer Guide.

Download and install

Step 1: Download Code42 for Resilient

  1. Sign in to the IBM app exchange for Resilient and select Code42 for Resilient.
  2. Click the Download button to download the code42-for-resilient-<version>.zip file to your computer.
  3. Copy the zip file from your computer to the system on which you're running Resilient Circuits.

Step 2: Install the Code42 functions

  1. Extract the code42-for-resilient-<version>.zip file.
  2. Install the Code42 Python SDK:
    pip install py42-<version>.tar.gz

  3. Install Code42 for Resilient:
    pip install code42_for_resilient-<version>.tar.gz

Step 3: Configure resilient-circuits

  1. Create or update the resilient-circuits configuration file.
    For example: resilient-circuits config -u

  2. Enter the configuration values required for Code42 in the configuration file:

[Code42 for Resilient]
# HTTP protocol, host, and port for the Code42 authority
url=
# Username for authenticating with the Code42 web API
username=
# Password for authenticating with the Code42 web API
# Secure this using the res-keyring utility in the resilient package.
password=
# Controls whether to verify the server's certificate. Set to true (default), false, or a path to a CA bundle to use.
verify_ssl_certs=

Set verify_ssl_certs to true so that the Code42 server's certificate is verified, and store the password with the res-keyring utility in the Resilient package rather than in plaintext. See Chapter 6 in the Resilient Integration Server Guide for more information.
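The pre-flight check below is an added example, not code from the Code42 article or its package: it reads the [Code42 for Resilient] section of a resilient-circuits configuration and reports the weak settings this page warns against (plain HTTP to the Code42 cloud, a plaintext password, verify_ssl_certs=false, or a CA bundle path that does not exist). The two sample configurations are constructed, and the `^name` form for a res-keyring secret and Python 3 are assumptions.

```python
import configparser
import os

SECTION = "Code42 for Resilient"

# Constructed sample with every weak setting this check is meant to catch.
WEAK_CONFIG = """
[Code42 for Resilient]
url=http://console.us.code42.com
username=resilient-svc@example.com
password=Hunter2!
verify_ssl_certs=false
"""

# Constructed hardened sample; "^name" as a res-keyring reference is an assumption.
HARDENED_CONFIG = """
[Code42 for Resilient]
url=https://console.us.code42.com
username=resilient-svc@example.com
password=^code42_password
verify_ssl_certs=true
"""


def check_code42_section(config_text):
    """Return a list of findings for the Code42 section; an empty list means it passes."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section(SECTION):
        return ["missing [%s] section" % SECTION]
    sec = parser[SECTION]
    findings = []
    url = sec.get("url", "").strip()
    if not url.lower().startswith("https://"):
        findings.append("url must use HTTPS; plain HTTP to the Code42 cloud is not supported")
    if not sec.get("username", "").strip():
        findings.append("username is empty")
    password = sec.get("password", "").strip()
    if not password.startswith("^"):
        findings.append("password is empty or stored in plaintext; use res-keyring")
    # Empty means the documented default (true); false disables verification;
    # any other value must be a path to an existing CA bundle.
    verify = sec.get("verify_ssl_certs", "").strip()
    if verify.lower() == "false":
        findings.append("verify_ssl_certs=false disables TLS certificate verification")
    elif verify and verify.lower() != "true" and not os.path.isfile(verify):
        findings.append("verify_ssl_certs CA bundle not found: " + verify)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_code42_section(text) or "OK")
```

Run it against your own app.config text before `resilient-circuits selftest`; any finding is a setting to fix before the integration is allowed to reach the Code42 cloud.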

  3. Apply Code42 custom functions to the Resilient platform:
    resilient-circuits customize
  4. Test the configuration:
    resilient-circuits selftest
  5. Run Resilient circuits:
    resilient-circuits run
    If you see an error stating the user is not authorized to read from Code42, try restarting the Resilient server.

In your IBM Resilient environment, the custom Code42 rules, workflows, and functions appear in Customization Settings.

Code42 rules: [screenshot of the Rules list]

Code42 workflows: [screenshot of the Workflows list]

Code42 functions: [screenshot of the Functions list]

Step 4: Add the Code42 File Events data table

To view the results of the Code42: Search file events function, add the Code42 File Events data table to a new or existing incident tab. The example below shows a new tab labeled "Code42".

[screenshot: Resilient Layouts]

Use cases

Investigate a departing employee

Scenario

For employees leaving your organization, you can add the User Account artifact to an incident to look for file exposure events, providing visibility into how the user was moving files in the days and weeks leading up to the resignation. The results appear in the Code42 File Events data table, from which you can download a file and investigate its contents.

Steps

  1. Create an incident.
  2. Add an artifact with the type User Account.
  3. Click the Actions menu for the artifact and select Code42: Search for file exposure events.
  4. Enter an On or After Date and click Execute.
  5. Select the Notes tab to view the number of file exposure events matching the query, as well as the number of results added to the data table.
    Up to 100 results appear in the data table. If the total count is over 100, use Code42 Forensic Search to view all the results.
  6. Select the tab that contains the Code42 File Events data table to view the results.
  7. (Optional) Click the action menu for one of the listed file events and select Code42: Download file from backup.
    The downloaded file is attached to the incident. It appears under Attachments on the left side of the screen and on the Attachments tab.

Find known malicious files

Scenario

If you are concerned about malicious files existing on user devices (for example, a specific piece of known malware), use the Malware MD5 Hash artifact to search for where that malicious file may exist in your environment. The search results appear in the Code42 File Events data table, from which you can download the file and investigate its contents.

Steps

  1. Create an incident.
  2. Add an artifact with the type Malware MD5 Hash.
  3. Click the Actions menu for the artifact and select Code42: Search file events by MD5.
  4. Select the Notes tab to view the number of file exposure events matching the query, as well as the number of results added to the data table.
    Up to 100 results appear in the data table. If the total count is over 100, use Code42 Forensic Search to view all the results.
  5. Select the tab that contains the Code42 File Events data table to view the results.
  6. (Optional) Click the action menu for one of the listed file events and select Code42: Download file from backup.
    The downloaded file is attached to the incident. It appears under Attachments on the left side of the screen and on the Attachments tab.

Upgrade

To upgrade to a newer version of Code42 for Resilient, complete the same download, install, and configure process described above. Review the configuration file and update any values as necessary.

Uninstall

To uninstall Code42 for Resilient:

  1. Uninstall the Code42 Python SDK and the Code42 functions:
    pip uninstall py42
    pip uninstall code42-for-resilient
  2. Manually delete the Code42 functions from the Functions screen in the Resilient user interface.
    This may require deleting rules and workflows that use the functions.

Known issues

In the Code42: Download file from backup workflow and function, if the filename contains Unicode characters, a known issue in IBM Resilient may prevent the downloaded file from being attached to the incident.