Resilient Incident Response Platform

Integration Server Guide

Licensed Materials – Property of IBM
© Copyright IBM Corp. 2010, 2019. All Rights Reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.

Resilient Incident Response Platform Integration Server Guide
Platform Version: 32.0
Publication: January 2019
Notes: Initial publication.


Table of Contents
1. Introduction
2. Architecture
   2.1. Types of Integrations
   2.2. Network Configuration
3. Prerequisites
4. Installation
   4.1. Installing on a Linux System
   4.2. Installing on a Windows System
   4.3. Configure Resilient Circuits for Restart
   4.4. Offline Installation
5. Updating the Configuration File
6. Installing Integration Packages

1. Introduction
An integration server is the system that you use to deploy integration packages, such as
functions, to the Resilient platform.
This guide provides the procedures to create a Resilient integration server.

2. Architecture
The integration server must be able to connect to the Resilient platform. The Resilient platform
can reside in your own environment (known as an on-premises configuration) or within the IBM
cloud (known as a SaaS configuration).

2.1. Types of Integrations
The following types of integrations require an integration server:
- Python-based integrations, used by Resilient functions and Python-based custom actions.
  The Resilient platform can be in an on-premises or SaaS configuration. The integration
  server communicates with port 65001 of the platform using the STOMP messaging protocol.
- Java-based integrations, used by Java-based custom actions. The Resilient platform can be
  in an on-premises or SaaS configuration. The integration server communicates with port
  65000 of the platform using ActiveMQ OpenWire.
- Custom threat services. The Resilient platform must be on-premises. The Resilient platform
  communicates with the integration over HTTPS on a port that you choose (by default on port
  9000).

Specific integrations may have additional requirements, as described in the integration’s
documentation.
NOTE: There are also integrations in the form of plugins, such as for Splunk and QRadar, which
escalate incidents to the Resilient platform using the REST APIs. You do not need a separate
integration server for these plugins.
The following network diagram is an example of an integration server used for Python-based
integrations and a Resilient platform in a SaaS configuration. Resilient users access the platform
from their web browsers.


2.2. Network Configuration
If you have a Resilient platform in your environment, the integration server can be the same
system as the one hosting the Resilient platform; however, IBM Resilient recommends that you
keep them on separate systems for the following reasons:
- Security. Although all apps from the Community App Exchange are code scanned and tested,
  it is a security measure to not allow apps that are built in-house to have access to the
  command line of the Resilient platform host.
- Performance. Although the Resilient integrations are resource efficient, running them on the
  Resilient host could have an impact on the available resources, especially if your integrations
  make heavy use of in-memory processing.
- Access. The administrator of the integration server maintains, installs, and configures
  integrations. This administrator does not require access to the Resilient platform.

If the Resilient platform is beyond a firewall, such as in a SaaS configuration, configure the
firewall to allow access to the following ports:
- 443. Required for the integration to connect to Resilient data using the REST API.
- 65000. Only if supporting Java-based integrations.
- 65001. Only if supporting Python-based integrations.
- 9000. Only if supporting custom threat feeds, which is not applicable for a Resilient platform
  in a SaaS configuration. This port is “inbound” to the integration server, whereas the other
  connections are “outbound” from the integration server to the Resilient platform.

The integration server must also be able to access the hosts of the third-party applications that
are integrated with the Resilient platform.
If you are planning to use your own custom threat services, you cannot deploy them to a Resilient
platform in a SaaS configuration. The platform must be in your environment.
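The firewall rules in this section (and repeated in the Prerequisites) can be checked from the integration server before anything is deployed. The following Python script is an added example, not part of the guide or of the resilient-circuits package: it encodes the port rules above, attempts a TCP connection to each outbound port, and checks that a custom threat service is actually listening on its inbound port. The hostname resilient.example.com is a placeholder.

```python
"""Added example, not part of the guide or of resilient-circuits: pre-flight
check of the firewall rules in section 2.2, run from the integration server."""
import socket
from typing import Dict, List, Tuple


def required_ports(python_based: bool, java_based: bool,
                   threat_services: bool, saas: bool) -> Dict[str, List[int]]:
    """Translate the guide's rules into outbound ports (integration server to
    platform) and inbound ports (platform to integration server)."""
    outbound = [443]                 # REST API, always required
    if java_based:
        outbound.append(65000)       # ActiveMQ OpenWire
    if python_based:
        outbound.append(65001)       # STOMP
    inbound: List[int] = []
    if threat_services:
        if saas:                     # threat services need an on-premises platform
            raise ValueError("custom threat services cannot be used with a SaaS platform")
        inbound.append(9000)         # HTTPS from the platform to the threat service
    return {"outbound": outbound, "inbound": inbound}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout; DNS
    failures, refusals and firewall drops (timeouts) all report False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def listening_locally(port: int) -> bool:
    """True if a service on this host already accepts connections on port, i.e.
    the threat service is up to receive the platform's inbound requests."""
    return tcp_reachable("127.0.0.1", port, timeout=1.0)


def preflight(platform_host: str, **kinds: bool) -> List[Tuple[str, int, bool]]:
    """Return (direction, port, ok) for every port the deployment needs."""
    rules = required_ports(**kinds)
    results = [("outbound", p, tcp_reachable(platform_host, p)) for p in rules["outbound"]]
    results += [("inbound", p, listening_locally(p)) for p in rules["inbound"]]
    return results


if __name__ == "__main__":
    # resilient.example.com is a placeholder for your platform's hostname.
    for direction, port, ok in preflight("resilient.example.com", python_based=True,
                                         java_based=False, threat_services=False, saas=True):
        print(f"{direction:8} {port:5} {'open' if ok else 'BLOCKED'}")
```

A port reported BLOCKED for an outbound rule means the firewall between the integration server and the platform still needs the corresponding rule from the list above.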


3. Prerequisites
The resources required by the integration server are variable due to the requirements of the
integrations installed. Some integrations that operate on files in memory may have additional
memory requirements. Integrations that perform decryption tasks may need more CPU.
Therefore, IBM Resilient recommends the following prerequisites.
- Operating system:
  o Red Hat Enterprise Linux or CentOS 7.4.
  o Windows (Windows Enterprise Server 2016 or later is recommended).
- For Python-based integrations, Python 2.7.x (where x is 9 or later) or 3.6.x (where x is 4 or
  later). Make sure the Python installation includes pip. On a Linux system, you can verify the
  version of Python using the following command:
  python --version
- Minimum of 5 GB free disk space.
- Minimum of 8 GB RAM.
- Dedicated operating system account for running integrations.
- Text editor, such as nano, to edit the configuration file.
- Access to the Resilient platform. If the platform is beyond a firewall, configure the firewall to
  allow access to ports 443, 65000 if supporting Java-based integrations, 65001 if supporting
  Python-based integrations, and 9000 if supporting custom threat feeds.

The following lists the prerequisites for the Resilient platform:
- Version 30 or later.
- Licensed for Resilient Action Module. If using custom threat services, the platform must also
  be licensed for the Resilient Security Module. You can verify this by running the following
  command on the Resilient platform:
  resutil license
- Configured with a dedicated Resilient account to use as the API user. With most integrations,
  the account must have the permission to view and edit incidents, and view and modify
  administrator and customization settings.
- The Resilient Circuits components run as an unprivileged user, typically named integration. If
  you do not already have an integration user configured on your appliance, create it now.
- IBM Resilient recommends that you have a test environment. This can be a separate
  Resilient platform or a Resilient organization within your platform dedicated for testing.


4. Installation
To create an integration server, install the Resilient Circuits framework, which includes its
dependent modules. These procedures assume that the integration server has access to the
Internet. If not, see the section, Offline Installation.

4.1. Installing on a Linux System
The Resilient Circuits components run as an unprivileged user, typically named integration. If
you do not already have an integration user configured on your system, create it now.
Install the Resilient Circuits framework as follows:
1. Use ssh to access the command line interface on the integration server.
2. Install Resilient Circuits using the following command. This command also installs its
dependent modules.
pip install --upgrade resilient-circuits

3. Use the following command to verify that the Python modules, resilient and resilient-circuits, are installed.
pip list

4. Configure Resilient Circuits as follows:
a. Auto generate the app.config file as follows. This creates a directory, .resilient, in your
home directory with a file in it called app.config, which is the default and preferred option.
The Resilient Circuits configurations are maintained in the app.config file.
resilient-circuits config -c

The output of the command shows the directory where it installed the config file. By
default, this directory is:
/home/integration/.resilient/app.config

If you require the configuration file to be in a different location or to have a different name,
you need to store its full path in the environment variable APP_CONFIG_FILE.
resilient-circuits config -c /path/to/.config

b. Open the app.config file in your text editor. If using nano, the command would be:
nano /home/integration/.resilient/app.config

c. Replace the contents with the following settings. Your actual path names may be
different.
[resilient]
host=localhost
port=443
email=resilient_account@example.com
password=ResilientPassword
org=Dev
# componentsdir=/home/resadmin/.resilient/components
logdir=/home/resadmin/.resilient
logfile=app.log
loglevel=INFO

The email and password settings are for the Resilient account that you are using for
integrations. Use the actual Resilient user name (in the form of an email address) and
password.
Use the actual Resilient organization name for the org name. It is not needed if the user
account does not belong to more than one Resilient organization.


See Updating the Configuration File for a detailed description of all the app.config
settings, especially cafile if your Resilient platform does not have a valid certificate.
d. Save the file.
e. Test your installation by running the following command:
resilient-circuits run

You are ready to download and deploy integration packages.

4.2. Installing on a Windows System
Resilient Circuits can be configured to run as a service on Windows. It requires the pywin32
library, which should be downloaded from sourceforge. Instructions for downloading and installing
the correct package are at the bottom of the sourceforge web page and must be followed
carefully. Do not use the pypi/pip version of pywin32.
Installation of the wrong version of the pywin32 library will likely result in a Resilient service that
installs successfully but is unable to start.
Enter the following command:
resilient-circuits.exe service install

Once installed, you can update the service to start up automatically and run as a user account.

It is recommended that you log in as whichever user account the service will run as to generate
the config file and confirm that the integration runs successfully with “resilient-circuits.exe run”
before starting the service.
Commands to start, stop, and restart the service are provided as well.
resilient-circuits.exe service start
resilient-circuits.exe service stop
resilient-circuits.exe service restart


4.3. Configure Resilient Circuits for Restart
For normal operation, Resilient Circuits must run continuously. The recommended way to do this is
to configure it to run automatically at startup. On a Red Hat appliance, this is done using a
systemd unit file such as the one below. You may need to change the paths to your working
directory and app.config.
1. The unit file must be named resilient_circuits.service. To create the file, enter the
following command:
sudo vi /etc/systemd/system/resilient_circuits.service

2. Add the following contents to the file and change as necessary:
[Unit]
Description=Resilient-Circuits Service
After=resilient.service
Requires=resilient.service
[Service]
Type=simple
User=integration
WorkingDirectory=/home/integration
ExecStart=/usr/local/bin/resilient-circuits run
Restart=always
TimeoutSec=10
Environment=APP_CONFIG_FILE=/home/integration/.resilient/app.config
Environment=APP_LOCK_FILE=/home/integration/.resilient/resilient_circuits.lock
[Install]
WantedBy=multi-user.target

3. Ensure that the service unit file is correctly permissioned, as follows:
sudo chmod 664 /etc/systemd/system/resilient_circuits.service

4. Use the systemctl command to manually start, stop, restart and return status on the service:
sudo systemctl [start|stop|restart|status] resilient_circuits

You can view log files for systemd and the resilient-circuits service using the journalctl command,
as follows:
sudo journalctl -u resilient_circuits --since "2 hours ago"

4.4. Offline Installation
If your integration server is not connected to the internet, you need to download the Resilient
Circuits package from the IBM Resilient GitHub.
The following is an example transfer procedure for a Linux system. On a system that has
Internet access, download the package and its dependencies into one directory and archive it:
mkdir ~/package_name_offline
pip download package_name -d ~/package_name_offline
tar -czvf package_name_offline.tar.gz -C ~ package_name_offline

Transfer the archive to the integration server, then perform the following:
tar -xzvf package_name_offline.tar.gz
cd package_name_offline
pip install package_name-x.x.x-py2.py3-x-x.whl -f ./ --no-index


5. Updating the Configuration File
The configuration file defines essential configuration settings for all Resilient Circuits components
running on the system.
By default, every Resilient integration package you install uses the same configuration file. If you
need multiple ‘resilient-circuits’ applications running with different configuration files, you can set
the APP_CONFIG_FILE environment variable to a different path for each process. For Linux, use
the following command:
resilient-circuits config -c /path/to/.config

If APP_CONFIG_FILE is not set, the application looks for a file called “app.config” in the local
directory where the run command is launched.
The [resilient] section of the configuration file controls how the core Resilient Circuits and
Resilient packages access the Resilient platform. The following table describes all the required
and optional values that can be included in this section.
NOTE: If on a Windows system and you edit the file with Notepad, please ensure that you save it
as type All Files to avoid a new extension being added to the filename, and use UTF-8 encoding.
Parameter (Required?)
    Description

logfile (required: no)
    Name of the rotating logfile that is written to logdir. Default is app.log.

logdir (required: no)
    Path to the directory to write log files. If not specified, the program checks the
    environment variable DEFAULT_LOG_DIR for a path. If that is not set, it defaults to a
    directory called “log” located wherever Resilient Circuits is launched.

log_level (required: no)
    Level of log messages written to stdout and the logfile. Levels are: CRITICAL, ERROR,
    WARN, INFO (default), and DEBUG.

host (required: yes)
    IP or hostname for the Resilient platform.

org (required: yes, if multiple orgs)
    Name of the Resilient organization. This is required only if the user account is used with
    more than one Resilient organization.

email (required: yes)
    User account for authenticating to the Resilient platform. It is recommended that this
    account is dedicated to integrations.

password (required: yes)
    Password for the Resilient user account.

no_prompt_password (required: no)
    If set to False (default) and the “password” value is missing from this config file, the
    user is prompted for a password. If set to True, the user is not prompted.

stomp_port (required: no)
    Port number for STOMP. Default is 65001.

componentsdir (required: no)
    Path to a directory containing additional Python modules. Resilient Circuits can load
    custom components from this directory. Typically this option is only used by integration
    developers.

noload (required: no)
    Comma-separated list of:
    a. Installed components that should not be loaded.
    b. Module names in the componentsdir that should not be loaded.
    Example: my_module, my_other_module, InstalledComponentX

proxy_host (required: no)
    IP or hostname of the proxy to use for the STOMP connection. By default, no proxy is used.

proxy_port (required: no)
    Port number of the proxy to use for the STOMP connection. By default, no proxy is used.

proxy_user (required: no)
    Username for authentication to the proxy used for the STOMP connection. If a proxy_host
    is specified and no proxy_user is specified, it is assumed that no authentication is
    required.

proxy_password (required: no)
    Password for authentication to the proxy used for the STOMP connection. Used in
    conjunction with proxy_user.

cafile (required: yes)
    Path and file name of the PEM file to use as the list of trusted Certificate Authorities
    for SSL verification when the Resilient platform is using untrusted self-signed
    certificates. If not using a trusted certificate, cafile must be set to False.
    If there is a PEM file, use a second instance of cafile to set to True or False. If set to
    False, certificate verification is not performed and the PEM file is used. If set to True
    (default), allow only trusted certs.
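The table above is easy to get wrong in ways that only show up at runtime (a service blocking on a password prompt) or not at all (certificate verification silently disabled with cafile=False). The following Python script is an added example, not part of the guide or of the resilient-circuits package: it parses the [resilient] section of an app.config and lints it against the rules in the table. The embedded sample config is constructed; its hostname and credentials are placeholders.

```python
"""Added example, not part of the guide or of resilient-circuits: load the
[resilient] section of an app.config and lint it against the table above,
flagging settings that weaken the TLS connection to the platform."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the layout of section 4.1; hostname and credentials are
# placeholders, and cafile=False is there so the lint has something to report.
SAMPLE_APP_CONFIG = """\
[resilient]
host=resilient.example.com
port=443
email=integration_account@example.com
password=ResilientPassword
org=Dev
logdir=/home/integration/.resilient
logfile=app.log
loglevel=INFO
cafile=False
"""

Finding = Tuple[str, str]  # (severity, message)


def load_resilient_section(text: str) -> Dict[str, str]:
    """Parse app.config text and return the [resilient] keys, lower-cased."""
    # interpolation=None: a '%' in a password must not be read as a directive.
    # strict=False: the table allows a second 'cafile' line; the last one wins.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("resilient"):
        raise ValueError("app.config has no [resilient] section")
    return dict(parser.items("resilient"))


def lint_resilient_section(cfg: Dict[str, str]) -> List[Finding]:
    """Apply the table's rules to one parsed section; [] means nothing to fix."""
    findings: List[Finding] = []
    for key in ("host", "email"):
        if not cfg.get(key):
            findings.append(("ERROR", f"{key} is required"))
    # With no password the process prompts unless no_prompt_password=True, and a
    # prompt never returns under systemd or as a Windows service.
    if not cfg.get("password") and cfg.get("no_prompt_password", "False").lower() != "true":
        findings.append(("ERROR", "password missing and no_prompt_password is not True; "
                                  "an unattended service would block on the prompt"))
    cafile = cfg.get("cafile")
    if cafile is None:
        findings.append(("ERROR", "cafile is required: a trusted CA PEM path, or False"))
    elif cafile.lower() == "false":
        findings.append(("WARN", "cafile=False disables certificate verification, so the "
                                 "platform's identity is never checked; point cafile at the "
                                 "PEM of the CA that signed the platform certificate"))
    level = (cfg.get("log_level") or cfg.get("loglevel") or "INFO").upper()
    if level == "DEBUG":
        findings.append(("INFO", "DEBUG logging is verbose; restrict logdir to the "
                                 "integration account"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_resilient_section(load_resilient_section(SAMPLE_APP_CONFIG)):
        print(f"{severity:5} {message}")
```

Run it against /home/integration/.resilient/app.config (or the path in APP_CONFIG_FILE) after every `resilient-circuits config -u`, since that command rewrites the file.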


6. Installing Integration Packages
Once Resilient Circuits is installed and running, you can install integration packages on your
server. Whenever you install a new package, you need to update your app.config file to include
any required sections for the new components.
You can download functions and other integration packages from the IBM Resilient Community or
IBM X-Force App Exchange. Once downloaded, perform the following to install and configure the
package on your integration server.
Note to Windows Users: To run integration commands on a Windows system, use resilient-circuits.exe. For example, “resilient-circuits.exe run” rather than “resilient-circuits run”.
Use the following procedure to install integration packages in a tar.gz format.
1. Install your chosen package by first unzipping the file then using the following command:
pip install package_name-x.x.x.tar.gz

2. Verify that the component is installed using the following command.
resilient-circuits list

3. After installing the package, run the following command. This command adds a new section
with default values in the app.config file for each package that was installed since the last
update.
resilient-circuits config -u

You can choose to update specific packages:
resilient-circuits config -u -l package_name

If using an alternate file location for your app.config file, you need to specify it when you
update.
resilient-circuits config -u /path/to/app.config

4. Follow the instructions in the component’s documentation file to edit the app.config file.
Depending on the requirements of the integration, you may need to modify the default values
to fit your environment, such as credentials to a 3rd party system.
Files in a .res format contain components, such as scripts, workflows, and custom fields, which
can be imported into your Resilient platform using the import procedure, as described in the
Resilient Incident Response Platform System Administrator Guide.
