Changed in 51.0.7.0 SOAR system settings configuration

The System Settings feature contains the license and metric information, and the permissions to access it.

The System Settings feature consists of the following tabs.
  • License Information
  • System Permissions
  • System Diagnostics
  • Blocked IPs
  • Trusted IPs

The initial user who has the System Settings permission is granted that permission from the command line. That user can then grant access to other users in the System Permissions tab.

If you are a SaaS customer, contact IBM Security® Support.

If you are an on-premises customer, use the resutil newuser command with the -sysadmin option. For more information, see the Installation Guide. If you have an existing organization and no user is assigned the System Settings permission, you can add the permission to an existing user by using the following command.
resutil newuser -email "<user_account>" -org "<org_name>" -sysadmin

SOAR license information and metrics

The License Information tab displays user and action metrics across the SOAR Platform, regardless of organizations.

The License Information tab has the following charts.
  • Actions. Displays the number of actions for the selected time period. An action is a message sent to a message destination, so the chart shows how many times the SOAR Platform communicated with an external system. Replies from an external system, retrievals of a message by an external system, and threat service lookups are not counted as actions.
  • Concurrent Users. Displays the peak number of concurrent users who logged in during the selected time period. App log-ins through API user account authentication (email and password) are also counted. API key accounts are not counted as concurrent users.
  • Authorized Users. Displays the peak number of registered users during the selected time period.

You can select the time period and the date range.

Click the download icon to generate a Microsoft Excel file for download. The file name includes the MD5 hash of the file. The file contains a tab for each chart, plus an Action Details tab, which includes the message destination ID and whether the message destination is part of a function.

You can export each chart separately by clicking its icon and selecting an export option. You can also select Toggle Data Table to view the chart as a text table.

Manage system permissions

The System Permissions tab determines who can access the information in System Settings.

Use the System Permissions tab to add and remove users and determine their permissions.

The table lists all the user accounts. Click Search: Users to show a list of all users, or type in the Search: Users field to find a specific user.

The following permissions are available.
  • Manage System Settings. Users can add and delete users, and grant any or all of the permissions to other users.
  • Manage System Permissions. Users can add but not delete users, and grant the View License Information and System Health permissions to other users.
  • Manage System Diagnostics. Users can view the System Diagnostics tab only.
  • View License Information. Users can view the License Information tab only.
  • Manage Blocked and Trusted IPs. Users can view and manage blocked and trusted IP addresses on the Blocked IPs and Trusted IPs tabs.

Changed in 51.0.7.1 System health and diagnostics

Use the System Health tab to run system diagnostics.

Important: Use the diagnostic tools in this tab only under the supervision of IBM Security Support, because they can cause significant performance degradation.

You can use the Functional logging diagnostic tool to troubleshoot issues by enabling logging for specific functional areas that are not normally logged. The log messages from each area are tagged with that area's name and, while the area is enabled, are written to client.log regardless of their log level.

When you enable functional logging for one or more areas, the client log therefore contains the messages tagged with the selected areas in addition to all other messages whose log level is greater than the system log level setting.

Changed in 51.0.9.0 Configuring blocked IP addresses in SOAR

The Blocked IPs tab contains a table of all IP addresses that are currently blocked, either temporarily or permanently. Addresses that were blocked previously but are no longer blocked are not shown.

The tab also shows IP addresses that met the criteria to be blocked but are configured as trusted using resutil and therefore are not blocked; these addresses have a status of Trusted. To configure trusted IP addresses so that they are not blocked when they meet the blocking criteria, see Changed in 51.0.9.0 Configuring trusted IP addresses using resutil.

When an IP address is blocked, all connection requests from that address are denied. By default, an IP address is blocked temporarily after 100 failed login attempts and remains blocked for 60 minutes. An IP address can be blocked temporarily five times, as shown in the Blocked Count column; after that, it is blocked permanently.

The start and end times are shown for each temporarily blocked IP address. For each permanently blocked IP address, only the time at which it was blocked is shown.

You can unblock an IP address by clicking the unlock icon in the Action column. You can also add blocked IP addresses to the trusted IP addresses list by selecting the IP addresses and clicking Action > Add to trusted.

You can click an IP address for details of the times at which it was blocked.

New in 51.0.9.0 Configuring trusted IP addresses

To avoid the troubleshooting effort of detecting and unblocking trusted IP addresses, you can configure a list of trusted IP addresses that are always allowed to access the system.

About this task

  • Supports IPv4 and IPv6.
  • Supports a range of IP addresses in CIDR form, for example, 9.54.34.0/24. This also includes IPv6 ranges such as 2001:db8::/32.
  • You can add a single IP address to the trusted list, such as 9.54.34.43 or 9.54.34.43/32.
  • IPv6 addresses are accepted in both compressed and fully qualified form, for example 2001:0db8:85a3:0000:0000:8a2e:0370:7334 and 2001:db8::8a2e:370:7334 are the same address.
CIDR entries with a host part of 0 are treated as subnets, while CIDR entries with a non-zero host part are treated as a single IP address. In the following examples, /16 means that the network portion of the address consists of the first 16 bits and the remaining bits form the host part:
  • 1.2.0.0/16 is a subnet of 65536 addresses, because the host part 0.0 makes it a network.
  • 1.2.3.4/16 is a single address, because the host part is 3.4.
To trust a range of IP addresses, ensure that the host part of the CIDR range that you enter is zero.

If an IP address or IP address range is removed from the trusted list, any address in it that was blocked previously is immediately blocked again.

Procedure

  1. Go to System Settings > Trusted IPs.
    From the Trusted IPs tab, you can add new IP addresses, search for IP addresses that are previously configured as trusted, and remove one or multiple IP addresses from the trusted list.
  2. To search for an IP address, click the search icon and enter the IP address or addresses.
  3. To remove IP addresses:
    1. To remove one IP address, select the IP address, click the Action button and then Remove.
    2. To remove multiple IP addresses, multi-select the IP addresses, then click Action > Remove.
  4. To add an IP address to the trusted IPs list:
    1. Click Add IP address.
    2. Enter an IP address or a range of IP addresses.
    3. Click Create.
    Note: You can add a blocked IP address to the trusted IPs list from the Blocked IPs tab, see Changed in 51.0.9.0 Configuring blocked IP addresses in SOAR.
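The following is an added worked example that is not part of this page or of IBM SOAR; it models in Python the two behaviours described above, the blocking policy from Configuring blocked IP addresses in SOAR and the trusted-entry rules from Configuring trusted IP addresses. The parse_trusted function applies the host-part rule exactly as stated (a CIDR with all-zero host bits is a subnet, anything else is a single address), for IPv4 and IPv6 in compressed or full form; note that an IPv6 prefix whose host bits are not all zero under its mask, such as 2001:db8::/24, therefore counts as one address, and 2001:db8::/32 is the form that trusts that subnet. The LoginGuard class applies the page's defaults (100 failures, 60-minute block, five temporary blocks, then permanent) and consults the trusted list only at enforcement time, so a trusted address that met the criteria shows as Trusted and is blocked the moment trust is removed. The class, function and method names, the addresses, and the reading that the sixth block is the permanent one are all assumptions for illustration.

```python
"""Constructed model of the blocked/trusted IP behaviour this page describes.
Illustrative Python, not IBM SOAR code; the thresholds are the page's defaults
(100 failures, 60-minute block, five temporary blocks before a permanent one)."""
import ipaddress
from datetime import datetime, timedelta

FAIL_THRESHOLD = 100   # failed logins that trigger a temporary block
BLOCK_MINUTES = 60     # length of a temporary block
MAX_TEMP_BLOCKS = 5    # temporary blocks allowed before the next one is permanent


def parse_trusted(entry):
    """Page rule: a CIDR whose host part is all zero is a subnet; a bare address,
    or a CIDR with non-zero host bits, is a single address (/32 or /128)."""
    iface = ipaddress.ip_interface(entry)          # "a.b.c.d", "a.b.c.d/n", IPv6 too
    if iface.ip == iface.network.network_address:  # host bits are zero -> subnet
        return iface.network
    return ipaddress.ip_network(str(iface.ip))     # host bits set -> single host


class LoginGuard:
    """Per-address failed-login tracking with the page's escalation policy. The
    trusted list is consulted only when a block is enforced, so a trusted address
    keeps its block record (status Trusted) and is blocked again once untrusted."""

    def __init__(self):
        self.trusted = []    # ip_network objects from parse_trusted()
        self.failures = {}   # ip -> failed logins since the last block
        self.blocks = {}     # ip -> {"count": n, "start": datetime, "end": datetime|None}

    def trust(self, entry):
        self.trusted.append(parse_trusted(entry))

    def untrust(self, entry):
        self.trusted.remove(parse_trusted(entry))

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def _block_active(self, ip, now):
        rec = self.blocks.get(ip)
        return rec is not None and (rec["end"] is None or now < rec["end"])

    def is_blocked(self, ip, now):
        # What the server enforces: connections from trusted addresses are never denied.
        return self._block_active(ip, now) and not self.is_trusted(ip)

    def status(self, ip, now):
        """What the Blocked IPs tab would show for this address."""
        if not self._block_active(ip, now):
            return "Unblocked"
        if self.is_trusted(ip):
            return "Trusted"
        return "Permanent" if self.blocks[ip]["end"] is None else "Temporary"

    def record_failure(self, ip, now):
        """Register one failed login from ip at time now; return the new status."""
        if self.is_blocked(ip, now):
            return self.status(ip, now)            # request denied, nothing to count
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < FAIL_THRESHOLD:
            return self.status(ip, now)
        self.failures[ip] = 0                      # threshold reached: open a block
        rec = self.blocks.setdefault(ip, {"count": 0, "start": None, "end": None})
        rec["count"] += 1
        rec["start"] = now
        # Assumed reading of "blocked temporarily five times": Blocked Count 1..5
        # are temporary blocks and the sixth block is permanent.
        rec["end"] = (None if rec["count"] > MAX_TEMP_BLOCKS
                      else now + timedelta(minutes=BLOCK_MINUTES))
        return self.status(ip, now)


def demo():
    """Escalate a constructed attacker address through to a permanent block, and
    take a constructed trusted scanner through Trusted -> untrusted -> blocked."""
    guard = LoginGuard()
    guard.trust("10.0.0.0/8")            # constructed: an internal scanner subnet
    t0 = datetime(2024, 1, 1, 9, 0)
    escalation = []
    for n in range(MAX_TEMP_BLOCKS + 1):
        now = t0 + timedelta(hours=2 * n)  # each round starts after the last block expired
        for _ in range(FAIL_THRESHOLD):
            last = guard.record_failure("203.0.113.7", now)
        escalation.append((guard.blocks["203.0.113.7"]["count"], last))
    for _ in range(FAIL_THRESHOLD):
        guard.record_failure("10.1.2.3", t0)
    scanner = {"while_trusted": (guard.status("10.1.2.3", t0), guard.is_blocked("10.1.2.3", t0))}
    guard.untrust("10.0.0.0/8")          # trust removed: the existing block applies at once
    scanner["after_untrust"] = (guard.status("10.1.2.3", t0), guard.is_blocked("10.1.2.3", t0))
    return escalation, scanner


if __name__ == "__main__":
    print(demo())
```

Running the module prints the attacker's Blocked Count and status after each round (five Temporary entries, then Permanent) and the scanner's transition from Trusted and not denied to Temporary and denied. The separation between status (what the tab displays) and is_blocked (what is enforced) is the point: a trusted address can accumulate a block record without ever being denied, which is why removing it from the trusted list blocks it immediately rather than after another 100 failures.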