Create artifacts and search for matches
Note
This feature is available in EclecticIQ Platform Integration for IBM Resilient starting from release 1.1.2.
Manually create sightings from incident artifacts in IBM Resilient, and push them to EclecticIQ Platform.
EclecticIQ Platform Integration for IBM Resilient supports the following artifact types:
IBM Resilient artifact | Artifact type JSON field
---|---
DNS Name | net.name
Email Body | (no JSON field listed)
Email Recipient | email.header.to
Email Sender | email.header.sender_address
Email Subject | email.header
IP Address | net.ip
Malware MD5 Hash | hash.md5
Malware SHA-1 Hash | hash.sha1
Malware SHA-256 Hash | hash.sha256
Malware SHA-512 Hash | hash.sha512
URL | net.uri
URI Path | net.uri.path
Create an artifact in the GUI
To manually create an artifact in the IBM Resilient GUI:
1. Open a web browser tab, and log in to IBM Resilient through the GUI.
2. In the top navigation bar, click List Incidents.
3. In the All Open Incidents view, click an existing incident to open it.
   Alternatively: create a new incident, and then open it.
4. In the open incident view, click the Artifacts tab.
5. In the Artifacts tab, click Add Artifact.
6. In the Add Artifact view, fill out the input fields as appropriate to create the new artifact.
7. Click Create to save the artifact.
Auto lookup
When a new artifact is added to an incident, IBM Resilient automatically queries the connected Intelligence Center instance to search for qualifying matches.
If the search returns matches – that is, existing observables in the IC – the following events occur:
- In the Artifacts view, the color of the artifact type value in the Type column changes to red.
- A warning icon ⚠️ flags the artifact as a detected hit.
In the Artifacts tab, click the detected hit value to open it.
In the open artifact detail view, the information IBM Resilient retrieves from the connected Intelligence Center instance is listed under EclecticIQ Platform:
Entity N: ${entity_type}: if the matching observable in the IC has relationships with other entities in EclecticIQ Intelligence Center, the relevant entity types, titles or entity aliases, and tags and taxonomy values as retrieved from EclecticIQ Intelligence Center are reported here.
N in the row header is the integer index of the entity, used when an artifact is connected to more than one matching entity in EclecticIQ Intelligence Center.
It starts from 1.
${entity_type} represents the entity type value as retrieved from EclecticIQ Intelligence Center.
Example:
Entity 1: Indicator
The value of this field holds the following information:
- The entity name or the entity alias.
- If the entity is tagged in the platform, any tags and taxonomy entries are included in round brackets.
Example:
ET CNC Shadowserver Reported CnC Server Port 6667 (Admiralty Code - Doubtful, Admiralty Code - Improbable)
Last Updated: the timestamp value corresponding to the most recent update of the information in the matching observable.
Maliciousness: if the matching observable in the platform is flagged for maliciousness, the corresponding value is reported here.
Allowed values: good, bad, unknown.
EclecticIQ Platform Link: click the link reported here to open the detail pane of the matching source observable in the platform.
Create an artifact from the command line
Note
In a production environment working as expected, you do not need to manually create artifacts from the command line.
This procedure is relevant only in testing and debugging scenarios.
To manually create an artifact through the command line in IBM Resilient:
1. Open a terminal session and log in to IBM Resilient with SSH.
2. Use cURL to create an artifact, and to send it to IBM Resilient as a JSON payload:

```shell
# All values in the example are dummy
curl -X POST \
  -v \
  --insecure \
  --header "Content-Type: application/json" \
  --data-binary '{"type":"net.ip","value":"1.1.1.1"}' \
  --url 'http://${resilient_circuits_url}:9000/cts/eiq'
```
The type field in the JSON payload accepts one of the supported artifact types for the integration.
In the command parameters, replace the ${resilient_circuits_url} placeholder with the IP address previously assigned to host in the [resilient] stanza of the app.config file.
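The same request as the cURL command, as an added example that is not part of the integration's own code: it validates the artifact type against the supported-types table before building the payload, lets json.dumps do the escaping so a value containing quotes (an email subject, for instance) cannot corrupt the JSON the way a hand-built string in a shell command can, and only then sends it. The endpoint, port and header are taken from the cURL example; the host name is an assumption you supply.

```python
import json
import urllib.request

# Supported IBM Resilient artifact types and their JSON "type" values, as listed
# in the table on this page. Email Body is listed without a JSON field, so it is
# deliberately absent here and gets rejected.
SUPPORTED_ARTIFACT_TYPES = {
    "DNS Name": "net.name",
    "Email Recipient": "email.header.to",
    "Email Sender": "email.header.sender_address",
    "Email Subject": "email.header",
    "IP Address": "net.ip",
    "Malware MD5 Hash": "hash.md5",
    "Malware SHA-1 Hash": "hash.sha1",
    "Malware SHA-256 Hash": "hash.sha256",
    "Malware SHA-512 Hash": "hash.sha512",
    "URL": "net.uri",
    "URI Path": "net.uri.path",
}


def build_artifact_payload(artifact_type: str, value: str) -> bytes:
    """Return the JSON body for POST /cts/eiq, rejecting unsupported types.

    artifact_type may be the Resilient display name ("IP Address") or the
    JSON field value ("net.ip"). json.dumps handles escaping of the value.
    """
    json_type = SUPPORTED_ARTIFACT_TYPES.get(artifact_type, artifact_type)
    if json_type not in SUPPORTED_ARTIFACT_TYPES.values():
        raise ValueError(f"unsupported artifact type: {artifact_type!r}")
    if not value or value != value.strip():
        raise ValueError("artifact value must be non-empty and trimmed")
    return json.dumps({"type": json_type, "value": value}).encode("utf-8")


def post_artifact(resilient_circuits_url: str, artifact_type: str, value: str) -> int:
    """POST the artifact to resilient-circuits and return the HTTP status code."""
    req = urllib.request.Request(
        f"http://{resilient_circuits_url}:9000/cts/eiq",  # path and port from the cURL example
        data=build_artifact_payload(artifact_type, value),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values: a TEST-NET address and a subject containing quotes.
    print(build_artifact_payload("IP Address", "192.0.2.10").decode())
    print(build_artifact_payload("Email Subject", 'Invoice "urgent"').decode())
```

Call post_artifact("<resilient_circuits_url>", "net.ip", "192.0.2.10") from the Resilient host to send the artifact; the auto lookup described above then runs exactly as it does for an artifact created in the GUI.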