Incident Response Platform. IBM BIGFIX INTEGRATION GUIDE v1.0

Transcription

1 Incident Response Platform IBM BIGFIX INTEGRATION GUIDE v1.0

2 Licensed Materials Property of IBM Copyright IBM Corp. 2010, All Rights Reserved. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Resilient Incident Response Platform Version Publication Notes 1.0 June 2017 Initial release. Page 2

3 Table of Contents 1. Overview Check Prerequisites Install the Integration Create and Edit the Configuration File Complete the Configuration Verify the Integration Install a Watcher Service (Optional) Installing Supervisord for Linux Installing a Wrapper Script for Windows Inform Resilient Users...12 Page 3

4

5 1. Overview This document describes how to integrate the Resilient Incident Response Platform with IBM BigFix to simplify and streamline the process of escalating and managing incidents. The integration installs to the Resilient platform a set of rules, a set of message destinations, and a data table that are designed to support the following use cases: Beginning with an Indicator of Compromise (IOC) such as a malicious path/filename, service or process name, registry key, or IP address, search across BigFix for all affected endpoints then display those endpoints in the Resilient platform. Query BigFix for all available information about an endpoint, attaching an XML file with the details to the Resilient incident. Enable a security analyst to execute BigFix remediation procedures, such as killing a process or deleting a registry key, directly from the list of endpoints populated in the Resilient platform. The Resilient BigFix integration is available on the Security App Exchange as a zip file. The specific URL is provided as part of the purchase. The zip file contains the following installers: co tar.gz. Helper module that accesses the Resilient REST API. resilient_circuits tar.gz. Resilient circuits framework package. If your environment has multiple Resilient integrations and you have this already installed, make sure that it is the current version. bigfix-integration tar.gz. Resilient platform and IBM BigFix integration package. Typically, you would install everything on your Resilient appliance; however, you can install the co3 helper module and Resilient circuits framework, and manage your integration from a different machine. Using a different machine is useful if you have multiple Resilient integration packages in your environment. 2. Check Prerequisites Verify that your environment meets the following requirements: BigFix version is 9.5 patch 2, or later. Resilient platform version is 28 or later. You designated a Master Administrator account on the Resilient platform. You designated a BigFix Console Operator account, with the Create Custom Content permission enabled. This account must be configured to access all those endpoints that you wish to have accessible to the Resilient platform. You downloaded the BigFix integration file, bigfix-integration zip, from the IBM Security App Exchange. Page 5

6 3. Install the Integration The following procedure assumes that all the installers in the zip file are to be installed on the Resilient appliance; however, you can install the co3 helper module and Resilient circuits framework on a different Debian Linux or Windows system, as long as that system can access the Resilient appliance. Perform the following to install the Resilient BigFix integration: 1. Use ssh to connect to your Resilient appliance. 2. Go to the folder where the installers are located. 3. Update your pip version using this command: sudo pip install -upgrade pip 4. Update your setup tools using this command: sudo pip install -U setuptools 5. Install co3 using this command: sudo pip install -U co tar.gz 6. Install resilient-circuits using this command: sudo pip install -U resilient_circuits tar.gz 7. Install bigfix-integration using this command: sudo pip install -U bigfix-integration tar.gz You should see a successfully installed message for each component, co3, Resilient-Circuits, and BigFix-Integration. Page 6

7 4. Create and Edit the Configuration File The configuration file defines essential configuration settings for all resilient-circuits components running on the system, including BigFix. If you have multiple Resilient integration packages, they will use the same configuration file. The two relevant sections of the config file for this integration are Resilient and BigFix. Use one of the following commands to create or update the configuration file. To generate a config file using the default path and file name, ~/.resilient/app.config: resilient-circuits config -c To specify a different location, different file name, or both. resilient-circuits config c <path/filename> NOTE: You need to store this path to an environment variable, APP_CONFIG_FILE. To add the BigFix section to an existing configuration file. resilient-circuits config -u Once done, edit the following Resilient properties: Resilient Server hostname: Name of the server hosting the Resilient appliance. Port. Host port number that you wish to use. . address of the Resilient account used for this integration. This user must be a Master Administrator. Password. Password for the Resilient account. Org. Name of your Resilient organization. Stomp port. Only enter a port number if using the STOMP protocol. Logdir. Directory for your log file. Logfile. Name to use for the log file. Loglevel. Determines the granularity of the log messages. Levels are info, warn, error, and debug. Edit the following BigFix properties: bigfix_int_auto_configure. If set to True (default), the integration checks for the BigFix rules, message destinations and data table in the Resilient platform and creates them if they do not exist. If set to False, the integration does not create the rules, message destinations and data table. bigfix_url. URL of your BigFix server; for example: bigfix_port. Port number of your BigFix server. bigfix_user. Username of the BigFix Console Operator account used for this integration. bigfix_pass. Password for the BigFix Console Operator account. Hunt_results_limit. Limits the number of results sent to the Resilient platform. Default is 200. artifact_queue. Name of the BigFix artifact queue. asset_queue. Name of the BigFix asset queue. Page 7

8 remediation_queue. Name of the BigFix remediation queue. polling_period. Time in seconds that the integration waits between polling BigFix to get the final status of the remediation actions. Default is Complete the Configuration Once the configuration file is updated, run the following command on the Resilient appliance using your ssh client. This command installs the rules, message destinations and data table to your Resilient platform. resilient-circuits run 6. Verify the Integration Log in to the Resilient platform as a master administrator, click on the drop-down arrow near your user name in the upper right corner of the screen, and click Customization Settings. Perform the following checks: In the Layouts tab, click Incident Tabs in the left navigation pane then select Artifacts Tab. In the list of Data Tables on the right, verify that there is a "BF Hunt Results" data table. Page 8

9 Click the Rules tab. Verify that the following rules are added to the list of rules: o BigFix Delete File o BigFix Delete Registry Key o BigFix Kill Process o BigFix Stop Service o Query BigFix for Artifact o Retrieve BigFix Resource Details Click the Message Destinations tab and verify that the following message destinations are added to the list of destinations: o o o bigfix_artifact bigfix_asset bigfix_remediation Page 9

10 7. Install a Watcher Service (Optional) Resilient integrations use the Resilient circuits framework to run the integrations. Optionally, you can install a watcher service to keep the circuits framework running by restarting the circuits service upon failure, making sure the service starts on relaunch, and logging various events as an aid in troubleshooting problems. If you are running Resilient circuits on a Debian Linux platform, use supervisord as the watcher service. If you are running Resilient circuits on a Windows platform, use a wrapper script. Both are described in the following sections. If you previously installed a watcher service with a Resilient integration package, you do not need to install it again Installing Supervisord for Linux If you do not have supervisord on your Debian Linux platform, you can download it using the following command. sudo apt-get install supervisor If you had supervisord on your platform, make sure you have the latest version: sudo apt-get update Install supervisord: sudo apt-get install supervisor Locate the supervisord configuration file then review and edit as necessary. The configuration file defines the following properties: A name to identify the program for supervisord. OS user account to use. Directory from where it should run. Any required environment variables. Command to run the integrations, such as: resilient-circuits run Location for the logfile. Here is an example of a configuration file: [program:resilient_circuits] user=integration directory=/usr/share/integration/ environment=lang=en_us.utf-8,lc_all=en_us.utf-8 command=resilient-circuits run stdout_logfile=/var/log/resilient_circuits.log redirect_stderr=true autorestart=true The program to run is defined in the configuration file. Copy this to the configuration directory and restart the service: sudo cp actions_supervisor.conf /etc/supervisor/conf.d/ sudo service supervisor restart Page 10

11 The supervisor service logs its activity to /var/log/supervisor/supervisord.log. To restart the supervisor service, use: sudo service supervisor restart 7.2. Installing a Wrapper Script for Windows Resilient Circuits can be configured to run as a service. It requires the pywin32 library, which should be downloaded from sourceforge, at At the bottom of the sourceforge web page are the instructions for downloading and installing the correct package. Follow this instructions carefully. Do not use the pypi/pip version of pywin32. Installation of the wrong version of the pywin32 library can result in a Resilient service that installs successfully but is unable to start. Once downloaded and installed, run this commmand: resilient-circuits.exe service install Once installed, it is recommended that you log in as whichever user account the service is to use then update the service to start up automatically and run as a user account. For example: The service generates the config file. The following commands start, stop, and restart the service. resilient-circuits.exe service start resilient-circuits.exe service stop resilient-circuits.exe service restart Page 11

12 8. Inform Resilient Users Once everything is installed, inform the Resilient master administrators of the new rules, message destinations and data table. It is recommended that the rules and message destinations are not edited; however, a master administrator can add the BigFix data table to other layouts. Resilient users should be informed of the BigFix data table and the actions they can take from the table. The available actions are dependent on the artifacts involved. The actions are based on the rules that were created during the integration. The following describes each action. BigFix Delete File. Causes BigFix to delete the file listed in the Artifact Value column from the resources listed in the BigFix Computer ID column. BigFix Delete Registry Key. Causes BigFix to delete the registry key listed in the Artifact Value column from the resources listed in the BigFix Computer ID column. BigFix Kill Process. Causes BigFix to kill the process listed in the Artifact Value column from the resource listed in the BigFix Computer ID column. BigFix Stop Service. Causes BigFix to stop the service listed in the Artifact Value column from the resource listed in the BigFix Computer ID column. Query BigFix for Artifact. Obtains a list from BigFix of the resources that were affected by the artifact type and value listed in the table. Retrieve BigFix Resource Details. Obtains the information that BigFix has about the resource listed in the BigFix Computer ID column. This information is in the form of an XML file. The BigFix data table does not automatically refresh, so make sure to refresh the web page to see the results of the action. In addition, there may be a delay between the user executing the action and the results being available. NOTE: If there are a large number of results (specified by hunt_results_limit in the app.config file) from an action, the results are posted as an attachment instead of populating the data table. Page 12

13 The following example shows two actions available for the top row, BigFix Delete File and Retrieve BigFix Resource Details. Page 13