Configure manual sighting creation#

Note

This feature is available in Intelligence Center Integration for IBM Resilient starting from release 1.1.2.

Configure IBM QRadar SOAR to enable ad-hoc, manual sighting creation in Intelligence Center.

EclecticIQ Intelligence Center Integration for IBM QRadar SOAR can create sightings automatically and push them to the integrated Intelligence Center instance whenever selected artifacts in IBM QRadar SOAR match observables in the platform.

To enable automatic sighting creation, set sightings_auto_creation to True in the [eclecticiq] stanza of the app.config file.

Alternatively, you can configure the integration to manually create sightings from the artifacts of an IBM QRadar SOAR incident.

To enable manual sighting creation through the GUI:

  1. Create a menu item to make the feature available in the GUI.

  2. Optionally, disable automatic sighting creation.

  3. Reinstall the app and restart the integration.

Create a menu item#

Create a menu item to make the manual sighting creation action available in the IBM QRadar SOAR GUI.

  1. Open a web browser, and log in to IBM QRadar SOAR through the GUI.

  2. Click the user menu.

  3. From the drop-down menu select Customization Settings.

  4. Under Customization Settings, click the Rules tab.

  5. From the New Rule drop-down menu, select Menu Item.

  6. In the Display Name field, enter a short and descriptive name for the action you are making available through the new menu item.

    Example: Create EclecticIQ Sighting

  7. From the Object Type drop-down menu, select Incident.

  8. In the Destinations field, enter eclecticiq_sighting.

    This links the menu item to the message destination the integration subscribes to, so the name must match exactly.

  9. Click Save or Save & Close to add the new menu item, or Cancel to discard your changes.

  10. The new rule appears as an entry in the Rules tab.

    To edit or to remove a rule, click the corresponding entry in the Rules tab.

Disable automatic sighting creation#

Optionally, you may want to disable automatic sighting creation after enabling manual sighting creation.

Keeping both features enabled can produce duplicate sightings in the platform.

To disable automatic sighting creation, set sightings_auto_creation to False in the app.config file.

By default, app.config is stored in /home/resadmin/.resilient.

  1. Open app.config in a text editor such as Vim or Nano:

    vi /home/resadmin/.resilient/app.config
    
  2. Edit the [eclecticiq] stanza to set sightings_auto_creation to False:

    [eclecticiq]
    
    # API credentials
    ...
    
    # Sightings parameters
    sightings_auto_creation=False
    sightings_group_name=Testing Group
    
  3. Save your changes.
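The stanza edit above is easy to get wrong by hand: the same key name can appear in another stanza, and a stray edit elsewhere in app.config breaks the whole integration on restart. The following script is an added example, not code from the EclecticIQ integration or from resilient-circuits. It rewrites only the sightings_auto_creation key inside the [eclecticiq] stanza, line by line so that comments and other stanzas survive (configparser discards comments when it writes a file), and reads the value back the way configparser.getboolean interprets it, which is an assumption about how the value is parsed; the integration's own parsing is not documented on this page. The sample app.config, the hostnames and the [other_app] stanza are constructed for the demo.

```python
"""Edit sightings_auto_creation in app.config without disturbing the rest.

Added example; not part of the EclecticIQ integration or resilient-circuits.
Only the key inside the [eclecticiq] stanza is touched, so a key of the same
name in another stanza is left alone, and comments are preserved.
"""
import configparser
import re

SECTION = "eclecticiq"
KEY = "sightings_auto_creation"

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^(\s*)" + re.escape(KEY) + r"\s*[=:].*$")

# Constructed sample app.config. The [other_app] stanza is invented and
# carries a decoy key with the same name to show that it is not modified.
SAMPLE_APP_CONFIG = """[resilient]
host=soar.example.org

[other_app]
sightings_auto_creation=True

[eclecticiq]
# API credentials
url=https://ic.example.org

# Sightings parameters
sightings_auto_creation=True
sightings_group_name=Testing Group
"""


def set_sightings_auto_creation(text, enabled):
    """Return the app.config text with sightings_auto_creation set.

    The key is rewritten in place when present in [eclecticiq] and appended
    to that stanza otherwise. A missing [eclecticiq] stanza raises ValueError
    instead of being created, so a typo in the stanza name is not masked.
    """
    value = "True" if enabled else "False"
    out = []
    in_section = False
    found_section = False
    done = False
    for line in text.splitlines(keepends=True):
        header = _SECTION_RE.match(line)
        if header:
            if in_section and not done:
                # Leaving [eclecticiq] without having seen the key: add it.
                out.append(f"{KEY}={value}\n")
                done = True
            in_section = header.group(1).strip() == SECTION
            found_section = found_section or in_section
            out.append(line)
            continue
        key = _KEY_RE.match(line) if in_section and not done else None
        if key:
            # Keep the original indentation, replace only the value.
            out.append(f"{key.group(1)}{KEY}={value}\n")
            done = True
            continue
        out.append(line)
    if not found_section:
        raise ValueError(f"no [{SECTION}] stanza found in app.config")
    if not done:
        # [eclecticiq] was the last stanza and had no key: append it.
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{KEY}={value}\n")
    return "".join(out)


def get_option(text, section, key):
    """Raw string value of section/key as configparser reads it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get(section, key)


def sightings_auto_creation_enabled(text):
    """True/False as configparser.getboolean interprets the value (assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.getboolean(SECTION, KEY)


if __name__ == "__main__":
    updated = set_sightings_auto_creation(SAMPLE_APP_CONFIG, False)
    print(updated)
    print("auto creation enabled:", sightings_auto_creation_enabled(updated))
```

Run it against a copy of /home/resadmin/.resilient/app.config first and diff the result; the function returns the new text rather than writing the file, so the change can be reviewed before it replaces the live configuration.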

Reinstall the app and restart the integration#

Every time you edit and save app.config, you must:

  1. Reinstall the app.

  2. Stop, and then start the resilient-circuits integration module.

# Go to the '/home/resadmin' directory.
cd /home/resadmin

# Reinstall the app.
# 'x.x.x' is a placeholder representing the app release.
# Example: 1.1.2
sudo pip install -e rc-cts-eclecticiq-x.x.x

# After manually stopping the integration module, start it again.
resilient-circuits run
 
# Successful response.
resilient-circuits has started successfully and is now running...
Subscribe to message destination 'eclecticiq_sighting'
Subscribe to message destination actions.201.eclecticiq_sighting
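The two "Subscribe to message destination" lines are the only confirmation that the queue named in the menu item's Destinations field is actually being listened to; if they are absent, clicking the menu item produces nothing. The script below is an added example, not code from the integration or from resilient-circuits. It scans captured startup output and reports any expected destination that was not subscribed. The numeric segment in the actions.<n>.<queue> form is treated as opaque, since the page does not say what it is, and the sample output is constructed from the lines shown above.

```python
"""Check resilient-circuits startup output for the sighting destination.

Added example; not part of the integration or of resilient-circuits.
Feed it the output of `resilient-circuits run` (for example, the captured
stdout or the service log) and it reports missing subscriptions.
"""
import re

STARTED_MARKER = "resilient-circuits has started successfully"

# Both forms seen in the startup output: the quoted bare queue name and the
# actions.<n>.<queue> form. The queue name is captured either way; the
# numeric segment is skipped without interpreting it (assumption).
_SUBSCRIBE_RE = re.compile(
    r"Subscribe to message destination\s+'?(?:actions\.\d+\.)?([A-Za-z0-9_.-]+?)'?\s*$",
    re.MULTILINE,
)

# Constructed sample of the startup output after a successful restart.
SAMPLE_OUTPUT = """resilient-circuits has started successfully and is now running...
Subscribe to message destination 'eclecticiq_sighting'
Subscribe to message destination actions.201.eclecticiq_sighting
"""


def subscribed_destinations(output):
    """Set of queue names the module reported subscribing to."""
    return {m.group(1) for m in _SUBSCRIBE_RE.finditer(output)}


def check_restart(output, expected=("eclecticiq_sighting",)):
    """Return {"started": bool, "missing": [queue, ...]} for the output.

    "missing" lists expected queues that never appeared in a subscribe line;
    an empty list together with started=True is the healthy state.
    """
    return {
        "started": STARTED_MARKER in output,
        "missing": sorted(set(expected) - subscribed_destinations(output)),
    }


if __name__ == "__main__":
    print(check_restart(SAMPLE_OUTPUT))
```

A non-empty "missing" list after a restart usually means the Destinations field in the menu item rule and the queue the app subscribes to do not agree, or the app was not reinstalled after the config change.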