Threat Intelligence Services

The Resilient Threat Service integration provides automatic enrichment for artifacts.

Did you know that the Resilient platform has built-in support for threat services and incoming email? Take a look at the Resilient Incident Response Platform System Administrator Guide available in the platform’s Help/Contact menu, also available from the IBM Knowledge Center.

The Resilient system administrator can enable any of the built-in sources, or register custom threat services. When any artifact is added to an incident, its details are sent for lookup to all the enabled threat services. Results are shown as “hits” on the incident, and available for further automation with rules and workflows and other integrations.

Built-in threat sources are configured on the Administrator Settings page. They include AlienVault, iSight, VirusTotal, IBM X-Force Exchange and others. Additional threat services are available for a wide range of partner sources and technologies.

Developing Custom Threat Services

Resilient Threat Services implement a simple REST API with two required endpoints and one optional endpoint. The Resilient administrator registers a custom service URL with the platform using the resutil command-line tool. The custom threat service can be hosted locally on the Resilient host, on a private service within the enterprise, or in the cloud.

The REST endpoints are:

  • Scan Artifact. This is the primary method for the Resilient platform to send artifacts to the threat service. When an artifact is added, the Resilient platform connects to this endpoint with a multi-part POST, which has an artifact entity and an optional file entity. The artifact entity is a JSON object including the artifact type and value. This endpoint returns hits, or a retry code (HTTP status 303) if results are not available immediately.
  • Retrieve Artifact Result. If results were not immediately available when an artifact was scanned, the Resilient platform connects to this endpoint later, to retrieve the pending result. This endpoint returns hits, or a retry code (HTTP status 303) if results are not available yet. In this way, long-running threat lookups can be handled asynchronously.
  • Query Capabilities. The Resilient platform queries this optional endpoint to obtain the threat service’s capabilities.
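To make the scan/retrieve contract concrete, here is an added Python model of the two required endpoints. It is not the platform's code or rc-cts; the JSON body shapes, the result id field, the retry interval and the indicator data are constructed assumptions, and the lookup dispatches on the artifact type exactly as the platform's artifact entity carries it.

```python
"""Model of the Scan Artifact / Retrieve Artifact Result exchange.
Body shapes and field names are assumptions for illustration."""
import json
import uuid

# Constructed sample indicators for the demo (not real intelligence).
KNOWN_BAD = {
    "net.uri": {"http://bad.example/login": "phishing kit"},
    "net.ip": {"203.0.113.7": "scanner"},
}

# Lookups a slow backend has not finished, keyed by the id handed to the platform.
PENDING = {}


def _hits_for(artifact):
    """Return the hits for one artifact entity ({'type': ..., 'value': ...})."""
    label = KNOWN_BAD.get(artifact["type"], {}).get(artifact["value"])
    if label is None:
        return []                       # zero hits is a valid, common answer
    return [{"props": [
        {"type": "string", "name": "Type", "value": artifact["type"]},
        {"type": "string", "name": "Verdict", "value": label},
    ]}]


def scan_artifact(artifact_json, fast_types=("net.ip",)):
    """Scan Artifact endpoint: returns (status, body). 200 with hits when the
    lookup is immediate, 303 with an id when the platform must poll later."""
    artifact = json.loads(artifact_json)
    if "type" not in artifact or "value" not in artifact:
        return 400, {"error": "artifact entity needs type and value"}
    if artifact["type"] in fast_types:
        return 200, {"hits": _hits_for(artifact)}
    result_id = str(uuid.uuid4())
    PENDING[result_id] = artifact       # queued for the slow backend
    return 303, {"id": result_id, "retry_secs": 60}


def complete_pending(result_id):
    """Simulate the slow backend finishing and storing the computed hits."""
    PENDING[result_id] = {"hits": _hits_for(PENDING[result_id])}


def retrieve_result(result_id):
    """Retrieve Artifact Result endpoint: 303 until the hits exist, then 200."""
    entry = PENDING.get(result_id)
    if entry is None:
        return 404, {"error": "unknown result id"}
    if "hits" not in entry:
        return 303, {"id": result_id, "retry_secs": 60}
    return 200, PENDING.pop(result_id)  # deliver once, then forget it
```

A real service would keep PENDING in durable storage, as the Django section below notes, so a restart does not lose results the platform is still polling for.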

Developing Threat Services with Resilient Circuits

Simple threat services can be implemented very quickly with the Resilient Circuits framework. Below is an example of the code needed to provide lookup hits for URLs (net.uri artifacts).

In this framework, the rc-cts component contains all the basic functionality for a threat service, and asynchronously fires searcher events to all available searcher components. A searcher component, such as the example below, only has to implement the lookup function for each relevant artifact type. The full source code is only a few dozen lines.

from circuits import BaseComponent, handler
from rc_cts import searcher_channel, Hit, NumberProp, StringProp, UriProp, IpProp, LatLngProp


class SearcherExample(BaseComponent):
    """Example of a custom threat searcher component"""

    # Register this as an async searcher for the URL //example
    channel = searcher_channel("example")

    # Handle lookups for artifacts of type 'net.uri' (see doc for full list)
    @handler("net.uri")
    def _lookup_net_uri(self, event, *args, **kwargs):
        """Return hits for URL artifacts"""
        hits = []

        # event.artifact is a ThreatServiceArtifactDTO
        artifact_type = event.artifact['type']
        artifact_value = event.artifact['value']

        # Return zero or more hits.  Here's one example.
        hits.append(
            Hit(
                NumberProp(name="id", value=123),
                StringProp(name="Type", value=artifact_type),
                UriProp(name="Link", value=artifact_value),
                IpProp(name="IP Address", value=""),
                LatLngProp(name="Location", lat=42.366, lng=-71.081)
            )
        )
        # A second hit for the same artifact
        hits.append(
            Hit(
                NumberProp(name="id", value=456),
                StringProp(name="Type", value=artifact_type),
                UriProp(name="Link", value=artifact_value),
                IpProp(name="IP Address", value=""),
            )
        )
        yield hits

Developing Threat Services with Django

A comprehensive example is also available using the Django web framework. This has several features that are important for many threat services, particularly large-scale cloud services:

  • Support for authentication, if credentials are provided when registering the threat service in the Resilient platform,
  • Support for synchronous as well as asynchronous searchers, for threat sources where lookup time is always fast,
  • Options to handle binary content such as malware samples and other artifact files,
  • A persistent database to reliably handle long-running lookups, even in the event of a service failure.