
Resilient Incident Response Platform
IBM BigFix Integration Guide v1.0

Licensed Materials – Property of IBM. Copyright IBM Corp. 2010, 2017. All Rights Reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Version: 1.0
Publication: June 2017
Notes: Initial release.

Table of Contents

1. Overview
2. Check Prerequisites
3. Install the Integration
4. Create and Edit the Configuration File
5. Complete the Configuration
6. Verify the Integration
7. Install a Watcher Service (Optional)
   7.1. Installing Supervisord for Linux
   7.2. Installing a Wrapper Script for Windows
8. Inform Resilient Users

1. Overview

This document describes how to integrate the Resilient Incident Response Platform with IBM BigFix to simplify and streamline the process of escalating and managing incidents.

The integration installs to the Resilient platform a set of rules, a set of message destinations, and a data table that are designed to support the following use cases:

• Beginning with an Indicator of Compromise (IOC) such as a malicious path/filename, service or process name, registry key, or IP address, search across BigFix for all affected endpoints, then display those endpoints in the Resilient platform.
• Query BigFix for all available information about an endpoint, attaching an XML file with the details to the Resilient incident.
• Enable a security analyst to execute BigFix remediation procedures, such as killing a process or deleting a registry key, directly from the list of endpoints populated in the Resilient platform.

The Resilient BigFix integration is available on the Security App Exchange as a zip file. The specific URL is provided as part of the purchase. The zip file contains the following installers:

• co3-28.0.33.tar.gz. Helper module that accesses the Resilient REST API.
• resilient_circuits-28.0.33.tar.gz. Resilient circuits framework package. If your environment has multiple Resilient integrations and you already have this installed, make sure that it is the current version.
• bigfix-integration-1.0.0.tar.gz. Resilient platform and IBM BigFix integration package.

Typically, you would install everything on your Resilient appliance; however, you can install the co3 helper module and Resilient circuits framework, and manage your integration, from a different machine. Using a different machine is useful if you have multiple Resilient integration packages in your environment.

2. Check Prerequisites

Verify that your environment meets the following requirements:

• BigFix version is 9.5 patch 2, or later.
• Resilient platform version is 28 or later.
• You designated a Master Administrator account on the Resilient platform.
• You designated a BigFix Console Operator account with the Create Custom Content permission enabled. This account must be configured to access all the endpoints that you wish to make accessible to the Resilient platform.
• You downloaded the BigFix integration file, bigfix-integration-1.0.0.zip, from the IBM Security App Exchange.

3. Install the Integration

The following procedure assumes that all the installers in the zip file are to be installed on the Resilient appliance; however, you can install the co3 helper module and Resilient circuits framework on a different Debian Linux or Windows system, as long as that system can access the Resilient appliance.

Perform the following to install the Resilient BigFix integration:

1. Use ssh to connect to your Resilient appliance.
2. Go to the folder where the installers are located.
3. Update your pip version using this command:
       sudo pip install --upgrade pip
4. Update your setup tools using this command:
       sudo pip install -U setuptools
5. Install co3 using this command:
       sudo pip install -U co3-27.1.22.tar.gz
6. Install resilient-circuits using this command:
       sudo pip install -U resilient_circuits-27.1.22.tar.gz
7. Install bigfix-integration using this command:
       sudo pip install -U bigfix-integration-1.0.0.tar.gz

You should see a "successfully installed" message for each component: co3, Resilient-Circuits, and BigFix-Integration.

4. Create and Edit the Configuration File

The configuration file defines essential configuration settings for all resilient-circuits components running on the system, including BigFix. If you have multiple Resilient integration packages, they will use the same configuration file.

The two relevant sections of the config file for this integration are Resilient and BigFix. Use one of the following commands to create or update the configuration file.

• To generate a config file using the default path and file name, ~/.resilient/app.config:
      resilient-circuits config -c
• To specify a different location, a different file name, or both:
      resilient-circuits config -c path/filename
  NOTE: You need to store this path in the environment variable APP_CONFIG_FILE.
• To add the BigFix section to an existing configuration file:
      resilient-circuits config -u

Once done, edit the following Resilient properties:

• Resilient Server hostname. Name of the server hosting the Resilient appliance.
• Port. Host port number that you wish to use.
• Email. Email address of the Resilient account used for this integration. This user must be a Master Administrator.
• Password. Password for the Resilient account.
• Org. Name of your Resilient organization.
• Stomp port. Only enter a port number if using the STOMP protocol.
• Logdir. Directory for your log file.
• Logfile. Name to use for the log file.
• Loglevel. Determines the granularity of the log messages. Levels are info, warn, error, and debug.

Edit the following BigFix properties:

• bigfix_int_auto_configure. If set to True (default), the integration checks for the BigFix rules, message destinations and data table in the Resilient platform and creates them if they do not exist. If set to False, the integration does not create the rules, message destinations and data table.
• bigfix_url. URL of your BigFix server; for example: https://bigfix-url.com
• bigfix_port. Port number of your BigFix server.
• bigfix_user. Username of the BigFix Console Operator account used for this integration.
• bigfix_pass. Password for the BigFix Console Operator account.
• hunt_results_limit. Limits the number of results sent to the Resilient platform. Default is 200.
• artifact_queue. Name of the BigFix artifact queue.
• asset_queue. Name of the BigFix asset queue.

• remediation_queue. Name of the BigFix remediation queue.
• polling_period. Time in seconds that the integration waits between polling BigFix to get the final status of the remediation actions. Default is 120.

5. Complete the Configuration

Once the configuration file is updated, run the following command on the Resilient appliance using your ssh client. This command installs the rules, message destinations and data table to your Resilient platform.

    resilient-circuits run

6. Verify the Integration

Log in to the Resilient platform as a master administrator, click the drop-down arrow near your user name in the upper right corner of the screen, and click Customization Settings. Perform the following checks:

• In the Layouts tab, click Incident Tabs in the left navigation pane, then select Artifacts Tab. In the list of Data Tables on the right, verify that there is a "BF Hunt Results" data table.

• Click the Rules tab. Verify that the following rules are added to the list of rules:
    - BigFix Delete File
    - BigFix Delete Registry Key
    - BigFix Kill Process
    - BigFix Stop Service
    - Query BigFix for Artifact
    - Retrieve BigFix Resource Details
• Click the Message Destinations tab and verify that the following message destinations are added to the list of destinations:
    - bigfix_artifact
    - bigfix_asset
    - bigfix_remediation
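As an added check to complement the verification steps above (example code, not from the IBM guide or the integration package): a small Python script that validates the BigFix section of app.config before you run resilient-circuits. The key names bigfix_url, bigfix_port, bigfix_user, bigfix_pass, hunt_results_limit, artifact_queue, asset_queue, remediation_queue and polling_period are assumed to be the underscore forms of the properties listed in section 4; the sample section and all of its values are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample [bigfix] section with deliberate mistakes; placeholder values only.
SAMPLE_CONFIG = """
[bigfix]
bigfix_int_auto_configure = True
bigfix_url = http://bigfix.example.internal
bigfix_port = 52311
bigfix_user = bfoperator
bigfix_pass =
hunt_results_limit = 200
artifact_queue = bigfix_artifact
asset_queue = bigfix_asset
remediation_queue = bigfix_remediation
polling_period = two minutes
"""

# Key names are assumed: the underscore form of the properties the guide lists.
REQUIRED_KEYS = ("bigfix_url", "bigfix_port", "bigfix_user", "bigfix_pass",
                 "hunt_results_limit", "artifact_queue", "asset_queue",
                 "remediation_queue", "polling_period")
INTEGER_KEYS = ("bigfix_port", "hunt_results_limit", "polling_period")


def check_bigfix_section(text):
    """Return a list of findings for the [bigfix] section; an empty list means it passed."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("bigfix"):
        return ["missing [bigfix] section; run 'resilient-circuits config -u' to add it"]
    findings = []
    for key in REQUIRED_KEYS:
        value = cp.get("bigfix", key, fallback="").strip()
        if not value:
            findings.append("%s is empty or missing" % key)
        elif key in INTEGER_KEYS and not value.isdigit():
            findings.append("%s must be an integer, got %r" % (key, value))
    # The integration authenticates to this URL with the console operator account, so insist on https.
    url = cp.get("bigfix", "bigfix_url", fallback="")
    if url and urlparse(url).scheme != "https":
        findings.append("bigfix_url should use https, got %r" % url)
    # The guide documents this property as True/False; anything else is a typo.
    auto = cp.get("bigfix", "bigfix_int_auto_configure", fallback="True")
    if auto.strip().lower() not in ("true", "false"):
        findings.append("bigfix_int_auto_configure must be True or False, got %r" % auto)
    return findings


if __name__ == "__main__":
    for line in check_bigfix_section(SAMPLE_CONFIG) or ["[bigfix] section passed all checks"]:
        print(line)
```

To check a real file, read it with open(path).read() and pass the text to check_bigfix_section; the file holds both account passwords, so keep it readable only by the integration's OS user.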

7. Install a Watcher Service (Optional)

Resilient integrations use the Resilient circuits framework to run the integrations. Optionally, you can install a watcher service to keep the circuits framework running by restarting the circuits service upon failure, making sure the service starts on relaunch, and logging various events as an aid in troubleshooting problems.

If you are running Resilient circuits on a Debian Linux platform, use supervisord as the watcher service. If you are running Resilient circuits on a Windows platform, use a wrapper script. Both are described in the following sections.

If you previously installed a watcher service with a Resilient integration package, you do not need to install it again.

7.1. Installing Supervisord for Linux

If you do not have supervisord on your Debian Linux platform, you can download it using the following command:

    sudo apt-get install supervisor

If you already had supervisord on your platform, make sure you have the latest version:

    sudo apt-get update

Install supervisord:

    sudo apt-get install supervisor

Locate the supervisord configuration file, then review and edit it as necessary. The configuration file defines the following properties:

• A name to identify the program for supervisord.
• OS user account to use.
• Directory from where it should run.
• Any required environment variables.
• Command to run the integrations, such as: resilient-circuits run
• Location for the logfile.

Here is an example of a configuration file:

    [program:resilient_circuits]
    user=integration
    directory=/usr/share/integration/
    environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8
    command=resilient-circuits run
    stdout_logfile=/var/log/resilient_circuits.log
    redirect_stderr=true
    autorestart=true

The program to run is defined in the configuration file. Copy this to the configuration directory and restart the service:

    sudo cp actions_supervisor.conf /etc/supervisor/conf.d/
    sudo service supervisor restart

The supervisor service logs its activity to /var/log/supervisor/supervisord.log.

To restart the supervisor service, use:

    sudo service supervisor restart

7.2. Installing a Wrapper Script for Windows

Resilient Circuits can be configured to run as a service. It requires the pywin32 library, which should be downloaded from sourceforge, ywin32/.

At the bottom of the sourceforge web page are the instructions for downloading and installing the correct package. Follow these instructions carefully. Do not use the pypi/pip version of pywin32. Installation of the wrong version of the pywin32 library can result in a Resilient service that installs successfully but is unable to start.

Once downloaded and installed, run this command:

    resilient-circuits.exe service install

Once installed, it is recommended that you log in as whichever user account the service is to use, then update the service to start up automatically and run as that user account. For example:

The service generates the config file.

The following commands start, stop, and restart the service:

    resilient-circuits.exe service start
    resilient-circuits.exe service stop
    resilient-circuits.exe service restart

8. Inform Resilient Users

Once everything is installed, inform the Resilient master administrators of the new rules, message destinations and data table. It is recommended that the rules and message destinations are not edited; however, a master administrator can add the BigFix data table to other layouts.

Resilient users should be informed of the BigFix data table and the actions they can take from the table. The available actions depend on the artifacts involved.

The actions are based on the rules that were created during the integration. The following describes each action.

• BigFix Delete File. Causes BigFix to delete the file listed in the Artifact Value column from the resources listed in the BigFix Computer ID column.
• BigFix Delete Registry Key. Causes BigFix to delete the registry key listed in the Artifact Value column from the resources listed in the BigFix Computer ID column.
• BigFix Kill Process. Causes BigFix to kill the process listed in the Artifact Value column from the resource listed in the BigFix Computer ID column.
• BigFix Stop Service. Causes BigFix to stop the service listed in the Artifact Value column from the resource listed in the BigFix Computer ID column.
• Query BigFix for Artifact. Obtains from BigFix a list of the resources that were affected by the artifact type and value listed in the table.
• Retrieve BigFix Resource Details. Obtains the information that BigFix has about the resource listed in the BigFix Computer ID column. This information is in the form of an XML file.

The BigFix data table does not automatically refresh, so make sure to refresh the web page to see the results of the action. In addition, there may be a delay between the user executing the action and the results being available.

NOTE: If there are a large number of results (specified by hunt_results_limit in the app.config file) from an action, the results are posted as an attachment instead of populating the data table.

The following example shows two actions available for the top row, BigFix Delete File and Retrieve BigFix Resource Details.
