Changed in 51.0.7.0 SOAR system settings configuration

The System Settings feature contains the license and metric information, and the permissions to access it.

The System Settings feature consists of the following tabs.
  • License Information
  • System Permissions
  • System Diagnostics
  • Blocked IPs

The initial user who has System Settings permission is granted that permission from the command line. The user can then grant access to other users in the System Permissions tab.

If you are a SaaS customer, contact IBM Security® Support.

If you are an on-premises customer, use the create user command with the -sysadmin option. For more information, see the Installation Guide. If you have an existing organization and no user is assigned the System Settings permission, you can add the permission to an existing user by using the following command.
resutil newuser -email "<user_account>" -org "<org_name>" -sysadmin

SOAR license information and metrics

The License Information tab displays user and action metrics across the SOAR Platform, regardless of organizations.

The License Information tab has the following charts.
  • Actions. Displays the number of actions per the selected time period. An action is a message sent to a message destination. Therefore, the chart displays the number of times the SOAR Platform communicates with an external system. The actions in the chart do not include when an external system replies to the message, if an external system retrieves the message, or threat service lookups.
  • Concurrent Users. Displays the peak number of concurrent users who logged in during the selected time period. App log-ins through API user account authentication (email and password) are also counted. API key accounts are not counted as concurrent users.
  • Authorized Users. Displays the peak number of registered users during the selected time period.

You can select the time period and the date range.

Click the download icon to generate a Microsoft Excel file for download. The file name includes the MD5 hash of the file. The file contains a tab for each chart, plus an Action Details tab, which includes the message destination ID and whether the message destination is part of a function.

You can export each chart separately by clicking the icon and selecting an export option. You can also select Toggle Data Table to view the chart as a text table.

Manage system permissions

The System Permissions tab determines who can access the information in System Settings.

Use the tab to add and remove users and determine their permissions.

The table lists all the user accounts. Click Search: Users to show a list of all users. You can type in the Search: Users line for a specific user.

The following permissions are available.
  • Manage System Settings. User can add and delete users, and grant any or all of the permissions to other users.
  • Manage System Permissions. User can add but not delete users, and grant the View License Information and System Health permissions to other users.
  • Manage System Diagnostics. User can view the System Diagnostics tab only.
  • View License Information. User can view the License Information tab only.
  • Manage Blocked IPs. User can view the Blocked IPs tab only.

Changed in 51.0.7.1 System health and diagnostics

Use the System Health tab to run system diagnostics.

Important: Use the diagnostic tool in this tab under the supervision of IBM Security Support, as these tools can cause significant performance degradation.

You can use the Functional logging diagnostic tool to troubleshoot issues. You can enable logging on specific functional areas not normally logged. The log messages from each area are tagged with that area's name. When enabled, the log messages are added to the client.log regardless of their log level.

You can enable functional logging and select one or more areas. However, the client log contains messages that are tagged with the selected area in addition to all other messages whose log level is greater than the system log level setting.

Changed in 51.0.7.0 Blocked IP addresses in SOAR

The Blocked IPs tab shows all IP addresses that are currently blocked, either temporarily or permanently. It also shows IP addresses that have met the criteria to be blocked but are configured as trusted and therefore not blocked.

The Blocked IPs tab contains a table that shows all currently blocked IP addresses. Any previously blocked addresses are not shown.

The Blocked IPs tab also shows IP addresses that met the criteria to be blocked, but are configured as trusted and are therefore not blocked. IP addresses that are configured as trusted have a status of Trusted. To configure trusted IP addresses so that they are not blocked if they meet the blocked criteria, see New in 51.0.7.0 Configuring trusted IP addresses.

When an IP address is blocked, all requests for a connection from that address are denied. By default, an IP address is blocked temporarily after 100 failed login attempts, and remains blocked for 60 minutes. An IP address can be blocked temporarily five times, as shown in the Blocked Count column. After this number, it is blocked permanently.

The start and end times are shown for each temporarily blocked IP address. The time when the IP address was blocked is shown for each permanently blocked IP address.
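
The default blocking policy described above, modeled as an added example for checking expectations against what the tab shows; it is not IBM code and not part of the original page. Assumptions: the failed-login counter restarts after each block and has no time window, and all function names, addresses and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defaults stated on the page.
FAILED_LOGIN_LIMIT = 100                # failed logins before a temporary block
BLOCK_DURATION = timedelta(minutes=60)  # length of a temporary block
MAX_TEMP_BLOCKS = 5                     # temporary blocks before a permanent one

@dataclass
class IpState:
    failures: int = 0
    blocked_count: int = 0              # the Blocked Count column
    status: str = "Clear"               # Clear, Temporary, Permanent or Trusted
    start: Optional[datetime] = None
    end: Optional[datetime] = None

def replay(events, trusted=frozenset()):
    """Apply the policy to (timestamp, ip) failed logins given in time order."""
    table = {}
    for ts, ip in events:
        st = table.setdefault(ip, IpState())
        if st.status == "Permanent" or (st.status == "Temporary" and ts < st.end):
            continue                    # blocked: the connection is denied
        if st.status == "Temporary":
            st.status = "Clear"         # the 60-minute block has expired
        st.failures += 1
        if st.failures < FAILED_LOGIN_LIMIT:
            continue
        st.failures = 0                 # assumption: the counter restarts here
        if ip in trusted:
            st.status = "Trusted"       # met the criteria but is not blocked
        elif st.blocked_count >= MAX_TEMP_BLOCKS:
            st.status, st.start, st.end = "Permanent", ts, None
        else:
            st.blocked_count += 1
            st.status, st.start, st.end = "Temporary", ts, ts + BLOCK_DURATION
    return table

def blocked_ips_view(table, now):
    """Rows visible at `now`: current blocks and Trusted entries only."""
    return {ip: (st.status, st.blocked_count) for ip, st in table.items()
            if st.status in ("Permanent", "Trusted")
            or (st.status == "Temporary" and now < st.end)}

def burst(ip, start, n=FAILED_LOGIN_LIMIT):  # constructed sample input
    return [(start + timedelta(seconds=i), ip) for i in range(n)]

T0 = datetime(2024, 1, 1)               # constructed start time
```

Calling `blocked_ips_view(replay(burst("203.0.113.7", T0)), T0 + timedelta(minutes=30))` returns that address as `("Temporary", 1)`; the same view taken 90 minutes after `T0` is empty because the block has expired.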

You can unblock an IP address by clicking the unlock icon in the Action column.

You can click an IP address for details on the blocked times.