Configure manual sighting creation

This feature is available in EclecticIQ Platform Integration for IBM Resilient starting from release 1.1.2.

Configure IBM Resilient to enable ad-hoc, manual sighting creation in EclecticIQ Platform.

EclecticIQ Platform Integration for IBM Resilient can automatically create sightings and push them to the integrated platform instance whenever selected artifacts in an IBM Resilient incident have matching observables in the platform.
To enable automatic sighting creation, set sightings_auto_creation to True in the app.config file.

Alternatively, you can configure the integration to manually create sightings from the artifacts of an IBM Resilient incident.
To enable manual sighting creation through the GUI:

  1. Create a menu item to make the feature available in the GUI.

  2. Optionally, disable automatic sighting creation.

  3. Reinstall the app.

  4. Restart the resilient-circuits integration module.

Create a menu item

Create a menu item to make the manual sighting creation action available in the IBM Resilient GUI.

  1. Open a web browser, and log in to IBM Resilient through the GUI.

  2. Click the user menu.

  3. From the drop-down menu select Customization Settings.

  4. Under Customization Settings, click the Rules tab.

  5. From the New Rule drop-down menu, select Menu Item.

  6. In the Display Name field, enter a short and descriptive name for the action you are making available through the new menu item.
    Example: Create EclecticIQ Sighting

  7. From the Object Type drop-down menu, select Incident.

  8. In the Destinations field, enter eclecticiq_sighting.
    This links the menu item to the correct message destination rule.

  9. Click Save or Save & Close to add the new menu item, or Cancel to discard your changes.

  10. The new menu item rule appears as a new entry in the Rules tab.
    To edit or remove a rule, click the corresponding entry in the Rules tab.

Disable automatic sighting creation

Optionally, you may want to disable automatic sighting creation after enabling manual sighting creation.
Keeping both features enabled can produce duplicate sightings in the platform.

To disable automatic sighting creation, set sightings_auto_creation to False in the app.config file.
By default, app.config is stored in /home/resadmin/.resilient.

  1. Open app.config in a text editor such as Vim or Nano:

    vi /home/resadmin/.resilient/app.config
  2. Edit the [eclecticiq] stanza to set sightings_auto_creation to False:

    [eclecticiq]

    # API credentials
    ...

    # Sightings parameters
    sightings_auto_creation=False
    sightings_group_name=Testing Group

  3. Save your changes.
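Editing app.config by hand is easy to get wrong, and the page notes that leaving sightings_auto_creation at True while the manual menu item exists produces duplicate sightings. The following Python is an added example, not part of the EclecticIQ integration or of IBM Resilient: it reads the [eclecticiq] stanza with the standard configparser module, reports whether automatic creation is on, flags the duplicate-sightings combination, and rewrites only the sightings_auto_creation line so the comments and the rest of the stanza survive. The sample stanza text is constructed for the example and contains only the two keys shown on this page; the [resilient] section and the helper names are assumptions.

```python
"""Check and toggle sightings_auto_creation in a Resilient app.config stanza.

Added example, not code from the EclecticIQ integration. It assumes that
app.config is in INI (configparser) format and carries an [eclecticiq]
stanza as shown in the documentation; SAMPLE_CONFIG below is constructed.
"""
import configparser
import re

# Constructed sample resembling the [eclecticiq] stanza from the page.
# Only the two sightings keys documented on the page are included.
SAMPLE_CONFIG = """\
[resilient]
# connection settings elided in this sample

[eclecticiq]

# API credentials
# (keys elided in this sample)

# Sightings parameters
sightings_auto_creation=True
sightings_group_name=Testing Group
"""

STANZA = "eclecticiq"
KEY = "sightings_auto_creation"


def auto_creation_enabled(config_text: str) -> bool:
    """Return True when [eclecticiq] sightings_auto_creation parses as true.

    A missing key is treated as disabled; a missing stanza is an error,
    since the integration cannot run without it.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section(STANZA):
        raise ValueError(f"no [{STANZA}] stanza in app.config")
    return parser.getboolean(STANZA, KEY, fallback=False)


def set_auto_creation(config_text: str, enabled: bool) -> str:
    """Rewrite only the sightings_auto_creation line inside [eclecticiq].

    Done line by line rather than via ConfigParser.write(), which would
    drop the comments and reorder the rest of app.config.
    """
    new_value = "True" if enabled else "False"
    out = []
    in_stanza = False
    replaced = False
    for line in config_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Section header: track whether we are inside [eclecticiq].
            in_stanza = stripped[1:-1].strip() == STANZA
        elif in_stanza and re.match(rf"^\s*{KEY}\s*[=:]", line):
            line = f"{KEY}={new_value}\n"
            replaced = True
        out.append(line)
    if not replaced:
        raise ValueError(f"{KEY} not found in [{STANZA}] stanza")
    return "".join(out)


def duplicate_sighting_risk(config_text: str, manual_menu_item: bool) -> bool:
    """True when both the manual menu item and automatic creation are active,
    the combination the documentation says produces duplicate sightings."""
    return manual_menu_item and auto_creation_enabled(config_text)


if __name__ == "__main__":
    if duplicate_sighting_risk(SAMPLE_CONFIG, manual_menu_item=True):
        print("duplicate sighting risk: disabling automatic creation")
        print(set_auto_creation(SAMPLE_CONFIG, False))
```

To apply it to a real installation, read /home/resadmin/.resilient/app.config into config_text, write the returned string back, and then reinstall the app and restart resilient-circuits as described in the next section; the change is not picked up until the integration module restarts.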

Reinstall the app and restart the integration

Every time you edit app.config and save your changes, you must:

  1. Reinstall the app.

  2. Stop, and then start the resilient-circuits integration module.

# Go to the '/home/resadmin' directory.
cd /home/resadmin

# Reinstall the app.
# 'x.x.x' is a placeholder representing the app release.
# Example: 1.1.2
sudo pip install -e rc-cts-eclecticiq-x.x.x

# After manually stopping the integration module, start it again.
resilient-circuits run

# Successful response.
resilient-circuits has started successfully and is now running...
Subscribe to message destination 'eclecticiq_sighting'
Subscribe to message destination actions.201.eclecticiq_sighting