IOC Parser

• Release Notes

• App Host Setup

• Integration Server Setup

• Troubleshooting

• Support

---

Release Notes

History

Version	Comment
1.0.2	Updated Rules and Workflows
1.0.1	Support for App Host, proxy support added
1.0.0	Initial release

---

Overview

This function extracts Indicators of Compromise (IOCs) from Resilient attachments and files

Uses the IOCParser Python Library to extract IOCs from Resilient Attachments and Artifacts. All unique IOCs that are found are added to the Resilient Incident as an Artifact

---

App Host Setup

All the components for running IOC_Parser_v2 in a container already exist when using the App Host app. To install,

• navigate to Administrative Settings and then the Apps tab.

• Click the Install button and select the downloaded file: app-fn_ioc_parser_v2-x.x.x.zip.

• No additional changes are needed to the app.config file in the Configuration section of the App.

Integration Server Setup

Requirements

• Resilient platform >= v35.2.32

• An Integration Server running resilient_circuits>=30.0.0

  • To set up an Integration Server see: ibm.biz/res-int-server-guide

---

Installation

• Download the app-fn_ioc_parser_v2-x.x.x.zip.

• Copy the .zip to your Integration Server and SSH into it.

• Unzip the package:

  $ unzip app-fn_ioc_parser_v2-x.x.x.zip
  

• Install the package:

  $ pip install fn_ioc_parser_v2-x.x.x.tar.gz
  

• Import the fn_ioc_parser_v2 customizations into the Resilient platform:

  $ resilient-circuits customize -y -l fn-ioc-parser-v2
  

• [Optional]: Run selftest to test the Integration you configured:

  $ resilient-circuits selftest -l fn-ioc-parser-v2
  

• Run resilient-circuits or restart the Service on Windows/Linux:

  $ resilient-circuits run
  

---

Uninstall

• SSH into your Integration Server.

• Uninstall the package:

  $ pip uninstall fn-ioc-parser-v2
  

---

Troubleshooting

There are several ways to verify the successful operation of a function.

Resilient Action Status

• When viewing an incident, use the Actions menu to view Action Status.

• By default, pending and errors are displayed.

• Modify the filter for actions to also show Completed actions.

• Clicking on an action displays additional information on the progress made or what error occurred.

Resilient Scripting Log

• A separate log file is available to review scripting errors.

• This is useful when issues occur in the pre-processing or post-processing scripts.

• The default location for this log file is: /var/log/resilient-scripting/resilient-scripting.log.

Resilient Logs

• By default, Resilient logs are retained at /usr/share/co3/logs.

• The client.log may contain additional information regarding the execution of functions.

Resilient-Circuits

• The log is controlled in the .resilient/app.config file under the section [resilient] and the property logdir.

• The default file name is app.log.

• Each function will create progress information.

• Failures will show up as errors and may contain python trace statements.

---

Support

Name	Author	Support URL
fn_ioc_parser_v2	Resilient Labs	http://ibm.biz/resilientcommunity