Accounts and extra configuration

Before you can use the SOAR Platform, you must configure an initial user account in the platform and an organization to which this user belongs. This initial user is the platform's system administrator.

After you create the system administrator account, you can use the account to create other users in the SOAR Platform.

You can also configure the SOAR Platform to use LDAP, SAML, or two-factor authentication. You can use either SAML authentication or LDAP authentication, but not both. Two-factor authentication is a second layer authentication and you can use it with LDAP or SAML.

SOAR Platform default user accounts and groups

Some user accounts and groups are created and available by default after a successful installation.

The following users are created by default:
  • postgres
  • resadmin
  • elasticsearch
  • co3
  • res-scripting
  • res-email
  • res-messaging
The following groups are created by default:
  • postgres
  • resadmin
  • elasticsearch
  • co3
  • res-attachments
  • res-scripting
  • res-email
  • res-messaging
  • res-keystore

Creating the SOAR Platform initial user account

Create a system administrator account for the SOAR Platform and an organization to which the administrator account belongs.

Enter the following command in your SSH client to determine how to create the platform’s system administrator account and the organization to which the administrator belongs.

sudo resutil newuser -help

The command has the following options and defaults.

  • -createorg creates the organization that contains the system administrator.
  • -createrole creates a role, if it does not exist.
  • -email provides an email address for the user. You must enter an email address.
  • -first provides the first name of the system user.
  • -last provides the last name of the system user.
  • -org provides an organization for the user. You must enter an organization name.
  • -orglocale provides the default language of the organization. The default setting is English. Use the -help option to see the list of supported languages. The language values are case-sensitive. When the organization is created, you cannot change the locale. Some text, such as regulatory and legal-related information, is available only in English.
  • -role assigns an existing role to the user. If unspecified, the default role, Master Administrator, is assigned.
  • -sysadmin assigns the user the permission to access System Settings. For more information about system settings, see https://www.ibm.com/docs/SSBRUQ_latest/doc/admin/system_settings.html.
  • -incseqcodeprefix assigns a prefix to the sequence code incident field. The field is used to sequentially number incidents. It includes a prefix of your choice, for example, ABC, and an index that increments for each new incident that is created within the organization. The sequence code is included in reports and the audit log. The prefix can be a maximum of 10 characters. If the prefix option is used in the command and a prefix is not specified, a default value is derived by using four random characters followed by a dash ( -). The prefix can be edited in the Administrator Settings - Organization tab after the organization is created. For more information, see Organization settings.
  • -incseqcodestartindex assigns a starting number to the sequence code field. If not specified, the index is set to 1. The index cannot be edited after it is created.

The command then prompts you to enter and confirm the password for this user (no keystrokes appear on the screen). The following command is an example.

sudo resutil newuser -createorg -email "jsmith@example.com" -first "John" 
-last "Smith" -org "My Company, Inc."
Enter the password for the user:
Confirm the password for the user:
Creating a new user John Smith <jsmith@example.com
Creating a new organization My Company, Inc.
Adding the user John Smith <jsmith@example.com> to the organization My Company, Inc.
Assigning the following roles to user jsmith@example.com: Master Administrator
Upon successful completion of this command, you will be able to login to the 
application and finish setup.

You can create multiple organizations in your system by running the command multiple times. You need only to provide the -first and -last options the first time the user is created.

To edit an organization, use the editorg command. Enter the following to get information about the options to use with the editorg command.
sudo resutil editorg -help
The editorg command has the following options.
  • -address1 specifies the first line or the address for the organization.
  • -address2 specifies the second line of the address for the organization.
  • -city specifies the city for the organization.
  • -name specifies the organization's new name.
  • -orgname specifies the name of the organization to be updated.
  • -state specifies the organization's new state.
  • -zip specifies the organization's new postal code.

Configuring LDAP authentication

To configure the SOAR Platform to use LDAP authentication, you must have an Active Directory Server.

The SOAR Platform supports Active Directory only.

Note: LDAP is not currently supported for the SOAR for MSSPs add-on. If you are installing and configuring the SOAR Platform for MSSPs, do not configure LDAP.

You need at least one administrator account per organization, where the email address is not managed by the Active Directory. Make sure that the account has at a minimum the permissions to manage roles, users, and the ability to view and modify administrator settings and customization settings. When LDAP authentication is enabled, any email address that is managed by the Active Directory (based on your configuration) has its authentication and authorization to organizations determined by LDAP.

Important: For users who had a previously configured system account, logging in to the platform with LDAP authentication clears the password for that account. If a user does not log in using LDAP, the account is still valid.

Basic configuration

When you configure LDAP, you obtain the LDAP configuration values, use the ldapedit command to enter the values, enter the user password, and enable LDAP on a SOAR organization.

  1. Make sure that you have the following values available. You might need to consult with your LDAP administrator to get the appropriate values for your setup.
    Value Example
    LDAP server name. myldap.example.com
    Distinguished Name (DN) of the user account that the SOAR Platform can use to run LDAP queries, such as determining whether the user who is accessing the system is managed by LDAP. The account must have at least Read-Only permission to view all the necessary users.

    You also need the user password.

    		 "cn=John Smith,cn=Users,dc=Example,dc=com"
    LDAP search root for all directory searches. If not specified, the SOAR Platform attempts to locate and use the Root DSE. If you want to constrain all queries to a sub-tree in the LDAP, you can specify it here. For performance reasons, select the lowest search root in the directory that contains all users and groups that you want included in the queries. cn=Users,dc=Example,dc=com
    LDAP server port number. Determine whether it is an SSL port, such as port 636. 389 (No SSL)
    LDAP config name. resilientLDAP
    LDAP domain name. Only used when you have an LDAP configuration with multiple trees and you want to extend LDAP searches to different trees. The LDAP domain name is the name that the platform matches when it receives an LDAP search reference. You must provide the actual hostname for each domain. sales.division.company.com marketing.division.company.comexecutive.division.company.com
  2. Use the ldapedit command to enter the LDAP values. For example, if you use the values in the previous table, the command would be: 
    
sudo resutil ldapedit -name myLDAP -bindname "cn=John Smith,
cn=Users,dc=Example,dc=com" -host myldap.example.com -port 389

    If you are enabling LDAP over SSL/TLS (with port 636), see the LDAP Over SSL/TLS section.

  3. When prompted, enter the password of the user to complete the setup.
  4. Test the LDAP configuration.
    sudo resutil ldaptest -name myLDAP
  5. After you complete the configuration, you must enable it in your SOAR organization as follows.
    1. Log in to your organization as an administrator with the permissions to view and modify administrator settings and customization settings.
    2. Click Administrator settings (from the menu by your username).
    3. Click the Organization tab.
    4. Locate the LDAP Authentication section, under Settings.
    5. Switch the indicator to On.
    6. Select the LDAP group that you want to have access to the SOAR organization.
Note: The information in the last step is also in the System Administrator Guide.

LDAP trees

The SOAR Platform primary LDAP configuration points to a single LDAP tree. By default, all LDAP queries are sent to this tree. If you have an LDAP configuration with multiple trees, you can configure the platform to have a search in this LDAP tree point to a different tree. It is called an LDAP search reference, and it is usually in the form of an LDAP URL, ldap://<domainname>:<port>/<optional parameters>. You need to provide one or more domain names with the host and port. When you have an LDAP reference to ldap://<domainname>, the platform searches for a sub-configuration that has that domain name. When the platform finds a match, it sends the LDAP query to that sub-configuration’s host and port.

The LDAP domain name is the name that the platform matches when it receives an LDAP search reference. The LDAP domain name does not have to be the same as the hostname of that LDAP server.

If you want to search more LDAP trees, create another LDAP configuration, called a sub-configuration, for each tree. The following example shows how to create three sub-configurations. The bind name can be different for each sub-configuration. 
sudo resutil ldapedit -name salesSub -bindname "cn=John 
Smith,cn=Users,dc=Example,dc=com" -domainname sales.division.company.com -
subdomainof myLDAP -host host1.sales.division.company.com -port 389 
sudo resutil ldapedit -name marketingSub -bindname "cn=John 
Smith,cn=Users,dc=Example,dc=com" -domainname sales.division.company.com -
subdomainof myLDAP -host host2.marketing.division.company.com –port 389 
sudo resutil ldapedit -name execSub -bindname "cn=John 
Smith,cn=Users,dc=Example,dc=com" -domainname sales.division.company.com 
-subdomainof myLDAP -host host3.executive.division.company.com –port 389

If prompted, enter the password of the user to complete the setup.

Using the examples in the basic procedure, you now have four LDAP configurations. The configuration that is defined in step 2 of the basic procedure is the primary configuration.

If you need to determine the number of external references a single LDAP search can find, use the following command. For example, a search on ldap1 might reference ldap2, which in turn might reference ldap1. The default is 3. 
sudo resutil configset -key ldap.ref_limit -ivalue <VALUE>

LDAP over SSL/TLS

If you configure LDAP to use port 636, SSL/TLS, review the following items.
  • Verify that the service is using a certificate that is signed by a trusted CA. If not, follow the instructions in the Importing Untrusted Certificates section.
  • Use the following ldapedit command to enter the LDAP values. For example, if you use the values in the basic procedure the command would be: 
    sudo resutil ldapedit -name myLDAP -bindname "cn=John 
Smith,cn=Users,dc=Example,dc=com" -host myldap.example.com -port 636 
-usessl -wlhost myldap.example.com
The -wlhost option is not needed if the common name on the certificate matches the name in -host in the previous command.

Additional information

The following lists other helpful ldapedit commands.
  • View the command help: 
    sudo resutil ldapedit -help
  • Enter the following command to change the configuration value that syncs data between LDAP and the SOAR Platform.
    sudo resutil configset -key elastic_server.principal_indexer_sync_interval -ivalue <interval in minutes>

    The default value is 4 hours. If you make updates in LDAP, such as adding, deleting, or disabling users, the updates are not propagated to the SOAR Platform until 4 hours later.

  • View your configuration.
    sudo resutil ldapshow
  • Delete your configuration.
    sudo resutil ldapdel -name myLDAP
If you cannot log in after you enable LDAP, check the following items.
  • If you are unable to log in as an LDAP user, verify that you can use the same account to log in with an LDAP browser, such as JXPLORER.
  • The system account that you use has an email address that is managed by Active Directory. Accounts tied to email addresses with Active Directory must be authorized by authorizing the LDAP group. Until the group is authorized, no email address that is tied to an Active Directory can access the organization. Add an administrator account to the organization by using the following command. Make sure that the email address is not tied to LDAP; in fact, you can use a fake address. (Consider keeping this user for one-off circumstances.) 
    sudo resutil newuser -email "jsmith@example.com" -first "John" 
-last "Smith" -org "My orgname"

    When you confirm that this user can log in and access the Administrator settings, then enable LDAP again as before, to authorize your LDAP group.

Configuring SAML authentication

SAML authentication allows users to use their organization's login credentials to authenticate to the SOAR Platform.

The SAML specification identifies two different types of endpoints that are relevant to the SOAR Platform:

  • Identity Providers
  • Service Providers

The SOAR Platform serves as a SAML Service Provider. An authentication and identification system that you provide (such as Microsoft Active Directory Federation Services) serves as the Identity Provider (IdP).

To configure the SOAR Platform to function as a SAML Service Provider, follow these steps, which are outlined in more detail in the following sections:

  1. Create a SAML federation.
  2. Import the SAML metadata into your Identity Provider.
  3. Test the configuration.
Important: For users who had a previously configured system account, logging in to the platform that uses SAML authentication clears the password for that account. If a user does not log in using SAML, the account is still valid.

Create a SAML federation

SAML federations are created in the SOAR Platform with the resutil tool. To create the SAML federation, you need the following information from your identity provider.

  • Identity Provider Authentication URL
  • Identity Provider public certificate
Additionally, you need the organization name on the SOAR Platform to which this federation applies. You also need to assign an "alias" for this federation. The alias appears in the URL to users when initially connecting to the SOAR Platform through SAML.
Important: Only alphanumeric characters and the underscore character are supported for the SAML federation name.

The commands that follow use the following values.

  • The authentication URL for your identity provider is https://adfs.example.com/adfs/ls/.
  • You copied the Identity Provider's certificate file to the system by using a tool such as scp and the file name of the certificate file is idp.cer in the current working directory.
  • The "alias" for the SAML federation is soar.
  • The organization name on the SOAR Platform is My Test Org. 
    sudo resutil samledit -alias soar -certfile idp.cer -org "My Test Org" 
-createusers -loginurl https://adfs.example.com/adfs/ls/
  • If your identity provider configured a single logout function, you can have the SOAR Platform specify that as well in the samledit command.
    sudo resutil samledit -alias soar -org "Production" -org "Development" 
-certfile idp.cer -loginurl https://adfs.example.com/adfs/ls/ -logouturl 
https://adfs.example.com/adfs/ls/

This command prints the SAML federation to the console. It also writes out the following files.

  • alias-metadata.xml - SAML XML metadata that can be imported into the Identity Provider to complete the configuration.
  • alias-sp-cert.pem - Service Provider certificate that was automatically generated.

By default, the SOAR Platform verifies the signature on all incoming identity provider messages. If an incoming message is not signed, the SOAR Platform rejects the message. To have the SOAR Platform not verify identity provider message signatures, use the command option, -requiresignedidprequests false.

A federation can be associated with multiple organizations. Consider the situation where your SOAR Platform is configured to have two organizations: Production and Development. You can create a single federation that allows access to both organizations. For example:

sudo resutil samledit -alias soar -org "Production" -org "Development" 
-certfile idp.cer -loginurl https://adfs.example.com/adfs/ls/

By default, users are only granted access to the organization through the federation if they exist in that organization. Therefore, in the previous example, users would need to exist in both "Production" and "Development" organizations for the users to access them. However, if you want users to automatically be added to the Production organization then you would specify –createusers for just that organization, as shown in the following example.

sudo resutil samledit -alias soar -org "Production" -createusers

If the –createusers argument is specified for both organizations, then users who authenticate through the federation are automatically created in both organizations.

You can unlink the federation from an organization by using the -clearorgs flag.

Import the SAML metadata into your identity provider

The SAML metadata that was written in the previous step can now be imported into your SAML Identity Provider. The specific instructions vary by product. Consult the documentation for your Identity Provider for instructions on how to create a federation (also called a "relying party").

The SOAR Platform requires that the Identity Provider provide the following attributes.

  • Email address
  • First name (given name)
  • Last name (surname)

The SOAR Platform does not function if the attributes are missing.

The SOAR Platform uses the following attributes if they are present (they are not needed for proper operation):

  • Phone number
  • Mobile phone
  • Title
  • Groups

Consult your Identity Provider documentation for details on configuring which attributes are sent during authentication.

Authenticated users are added to the groups listed by the Identity Provider in the SAML response. For example, if the user is a member of the "IT" group and it is sent then the user is added to the "IT" group in the SOAR Platform, if it exists. Groups that are in the SAML response that do not exist in the SOAR Platform are not automatically created.

After you configure SAML in Identity Provider, you can test the authentication by using the Authentication URL for your organization. You can check this value by running the following command.

sudo resutil samlshow

For example:

https://resilient.example/saml2/resilient

The URL redirects you to the Identity Provider for authentication. After you authenticate, you are redirected to the SOAR Platform and logged in to the SOAR Platform. Authentication might be done without prompting (single sign-on).

You can send the URL to users who you want to grant access to the SOAR Platform. All users who are authorized to use the Identity Provider are granted access to the SOAR Platform. If you want to restrict access, you must do so through the Identity Provider configuration.

Update certificate

If you need to update the certificate later, import the certificate and restart as follows.
sudo resutil samledit -alias <alias_name> -org "<org_name>"  
-certfile idp.cer -loginurl <path_to_file>
sudo systemctl restart resilient
If you are updating multiple organizations or aliases, import the certificate for each organization and alias. The following example updates two organizations:
sudo resutil samledit -alias soar -org "Production" -org "Development" 
-certfile idp.cer -loginurl https://adfs.example.com/adfs/ls/
sudo systemctl restart resilient

Alternatively, to avoid replacing the IdP's SSL certificates when they expire, you can use -idpmetadataurl only if the IdP's metadata is available to the SOAR Platform from the https://<protocol>. This way, the SOAR Platform imports any changes to the IdP's SSL certificate embedded in its metadata, dynamically avoiding this process.

Changed in 51.0.1.0 Configuring two-factor authentication

Two-factor authentication provides unambiguous identification of users by using a combination of two different components. These components can be something that the user knows, something that the user possesses or something that is inseparable from the user.

Combining two components as a means of identification adds a second layer of security to your accounts. Verifying your identity by using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.

The SOAR Platform uses Duo Security, a third-party vendor, as its two-factor authentication provider. When you enable two-factor authentication, users can still log in with their email address and password. However, they are also presented with a challenge - an extra second layer of security that is provided by Duo Security - to verify their identity. This challenge appears any time a user, who was not previously authenticated by using two-factor, tries to access an organization.

How to set up two-factor authentication

  1. Sign-up for a Duo Account at https://www.duosecurity.com/pricing.
  2. Create and configure a Duo application to use with the SOAR Platform.

    During this stage, you receive a Client ID, Client Secret, and API host name. You need these items to configure two-factor authentication on the SOAR Platform.

    When prompted for the application type, select Web SDK.

  3. Locate the Client ID, Client Secret, and API host name from your Duo application.
  4. Determine the names of one or more SOAR organizations that can enable the two-factor domain. (When this procedure completes, a system administrator can then choose to enable the two-factor domain for each of those organizations. The administrator needs the permissions to view and modify administrator settings and customization settings.)
  5. Use resutil to create a two-factor domain:
    sudo resutil twofactoredit -name <domain_name> -org <org_name> 
-clientid <duo_client_id> -host <duo_api_hostname> 
-clientsecret <duo_client_secret>

    <domain_name> is the name of the two-factor authentication domain. The name is presented to your Organization Administrator in a menu.

    <duo_clientid_key>, <duo_api_hostname>, and <duo_client_secret> are values that are obtained from Duo Security to complete the configuration.

    <org_name> is the name of an organization in the SOAR Platform that can use the two-factor domain. Multiple -org <org_name> arguments can be provided.

  6. Ensure that your firewall was not modified by the Duo certificate using the following curl command:
    curl https://[api-to-duo-app].duosecurity.com/auth/v2/ping --verbose

    If your firewall is not configured correctly or you notice any problems, implement the steps described in the Duo documentation.

You can also use the resutil twofactoredit command to change the name of an existing domain and clear any organizations that are associated with it. Use the command to check all the options.
sudo resutil twofactoredit -help

You can display the details of an existing two-factor domain.

sudo resutil twofactorshow -name <domain_name>
Note: If the -name is not specified, all the organizations with two-factor authentication are displayed.

You can delete a two-factor domain.

sudo resutil twofactordel -name <domain_name>

In some cases, you might want to exclude a specific user who belongs to an organization configured for two-factor authentication. For example, you want to programmatically access the SOAR REST API with a system account. You can use the following command.

sudo resutil twofactorexcluser -email user@example.com

It enables user@example.com to access the two-factor org without providing the Duo authentication.

You can re-enable two-factor authentication by using the -clearemail flag. For example,

sudo resutil twofactorexcluser -clearemail user@example.com

Enabling your authentication domain

As a system administrator with the permission to view and modify administrator settings and customization settings, you can enable a two-factor authentication domain under organizational settings on the administrator's settings page. If you configured multiple two-factor authentication domains, you can select which domain you would like to authenticate your users against here. You can also set the cookie lifetime, which sets an expiration in days for when a user needs to reauthenticate with two-factor authentication.

Note: Authentication domains are set at the organizational level. You can use the same authentication domain for multiple organizations or set a different domain for each organization. It means that a user who authenticates against an organization under one domain, who then tries to access an organization under another domain, needs to separately authenticate for the other organization.

Registering users

When two-factor authentication is configured, users need an account on the SOAR Platform and a corresponding account in your Duo Security account.

Management of user registration with Duo security is handled in the Policy settings of your Duo Security application. The "New user policy" allows you to select the following settings.

  • Require Enrollment. Users who are not already registered with Duo security are provided a self-enrollment process where they can register their devices and install the Duo mobile app (if necessary). When a user logs in to the SOAR Platform for the first time after two-factor authentication is enabled, Duo Security begins this self-enrollment process.
  • Allow Access. Not recommended. Users who are not already registered with Duo security are not challenged.
  • Deny Access. Only users who are already configured with the Duo account are allowed access. It means that you need to configure your users who use your Duo account in the "Users" tab.

The email address of the SOAR Platform must match the Duo account username. In the Duo application settings, you can use "Username normalization" to specify whether "DOMAIN\username", "username@example.com" and "username" are all treated as the same user.

Two-factor authentication and user experience

When two-factor authentication is enabled, if a user was not "previously authenticated" through two-factor authentication, they are presented with a two-factor challenge whenever they try to access an organization.

A user is considered as being "previously authenticated" under the following circumstances.

  • They successfully pass the challenge presented by two-factor authentication in their current session.
  • They successfully pass the challenge that is presented by two-factor authentication in a session then started a new session within the number of days set by the cookie lifetime value. In this situation, the user authenticates as normal (email and password) when they start the new session, but is not presented with the challenge. The system administrator sets the cookie lifetime value in the Organization page.

Adding SOAR Platform user accounts

After you successfully install and configure the SOAR Platform, you can open it and begin adding user accounts for the users you want to have access to the platform.

For more information about adding user accounts, see the administration guide.

SOAR Platform password and API key expiration

You can configure user password and API key account expiration durations.

By default, user passwords expire in 90 days and API key accounts expire in one year. You can change the expiration duration by using configvars. It is a system-wide setting and cannot be changed per organization:
sudo resutil configset -key password.apikey_lifetime_in_years -ivalue <value>
resutil configset -key password.user_lifetime_in_days -ivalue <value>
Use the following command to configure the password expiration duration. To have the password not expire, set the <value> to 0. 
sudo resutil configset -key password.user_lifetime_in_days -ivalue <value>
Use the following command to configure the API key account expiration duration. To have the API key not expire, set the <value> to 0. 
sudo resutil configset -key password.apikey_lifetime_in_years -ivalue <value>

A restart is not needed for any of these commands.

Importing untrusted certificates

The SOAR Platform might interact with services such as proxies, SMTP servers, and custom threat services, that do not use trusted SSL certificates. Instead, they might use self-signed certificates or certificates that are issued by an internal certificate authority. You must trust these certificates explicitly to use these services.

About this task

You can trust the certificates as follows.
  • Obtain the certificate from the service that you need to trust (for example, Active Directory Server, SMTP Server, or Custom Threat Service).
  • Add this certificate to a custom Java™ KeyStore called custcerts in /crypt/certs/ folder on the SOAR system. It contains customer-specific certificates for communication with external systems, for example, SMTP servers, and custom threat feeds. The SOAR Platform explicitly trusts all certificates within this keystore. This file is not changed during upgrades.

These steps are described in more detail as follows.

Procedure

  1. Obtain the certificate from the service. You can request it from the administrator of that service or use the openssl utility that is installed on the SOAR system as follows. 
    openssl s_client -connect active-directory.example.com:636 -tls1 
-showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > active-directory.pem

    The example shows that the Active Directory’s certificate is stored in a file called active-directory.pem. The host and port depend on the service that you are trying to use. Other parameters, such as -starttls might be needed for SMTP servers.

  2. Check that the /crypt/certs/custcerts directory exists. 
    sudo ls -al /crypt/certs/custcerts
  3. If it exists, verify that you can list the contents. 
    sudo keytool -list -v -keystore /crypt/certs/custcerts -storepass "$(sudo resutil keyvaultget -name custcerts)"
  4. If the directory does not exist, add the certificate to the /crypt/certs/custcerts keystore. 
    sudo keytool -importcert -trustcacerts -file <certificate name> -alias 
<name identifying the service e.g. MyCompanyActiveDirectory> -keystore 
/crypt/certs/custcerts

    You must enter the keystore password. If a new keystore does not exist, it is created.

    Enter “yes” to trust the certificate.

    Repeat the command in the previous step to verify that you can list the keystore entries.

  5. Add the custcerts password into the KeyVault. 
    sudo resutil keyvaultset -name custcerts -stdin
<Password for custcerts>
Ctrl+D (to send an EOF signal to standard input)

Changing the temporary directory

You can change the location of the temporary directory that is used during upgrade, backup, and restore.

By default, scripts, such as resSystemBackupcreate and resSystemRestore create temporary sub-directories and files in the /tmp directory. These sub-directories and files are deleted after the script finishes. You can change the default location of the temporary directory as follows.
export RES_TMPDIR=<path_to_directory>
For example,
export RES_TMPDIR=/home/resadmin/my_tmpdir
When you run any of these scripts, you must specify the -E option to use your temporary directory instead of the default /tmp directory. For example,
sudo -E resSystemBackup

Configuring the base URL in virtual installations

IBM Security® QRadar® SOAR uses the base URL to include links to incidents in email notifications. It can also be used to protect against Cross Site WebSocket Hijacking (CSWSH) attacks.

By default, the base URL is not configured. You can use the resutil command to set it.

If you import an SSL certificate, the base URL is configured automatically.

About this task

The baseurl parameter is used to validate the Origin Header before the SOAR Platform creates a WebSocket endpoint. This validation can help protect against CSWSH attacks. If you do not configure the base URL, the Origin Header is not validated.

You must configure a base URL in order for email notifications to include a link to an incident.

Procedure

  1. To verify whether you have a base URL set, type this command. 
    sudo resutil configget -baseurl
  2. Set the baseurl parameter to match your fully qualified domain name (FQDN).

    The following examples show the command syntax for setting the baseurl parameter.

    sudo resutil configset -baseurl 'https://soar.myhost.security.ibm.com'
    sudo resutil configset -baseurl 'http://localhost:8080'

Network configuration settings

For some SOAR features to operate properly, the system requires access to services on the Internet.

Work with your network administrators to ensure that the system has access to the following URLs to support the corresponding services.

URL Purpose
https://websvc.resilientsystems.com (TCP/443) IBM Security cyberthreat service
ntp:ntp.org (UDP port 123) Network time synchronization

New in 51.0.4.0 Sanitizing values in incident reports

You can configure the SOAR Platform to sanitize field values that start with particular characters in an incident report exported to Excel.

About this task

For new SOAR Platform 51.0.4.0 installations, the reports.character_blocklist_enabled variable is set to true and enabled by default.

If you upgraded to SOAR Platform 51.0.4.0, you can configure the reports.character_blocklist_enabled variable to control if values in incident reports are sanitized. When you set the reports.character_blocklist_enabled variable to true, if there are any of the following values at the start of a field in an incident, these fields are sanitized in line with industry-standard recommendations to mitigate against vulnerabilities when they are exported in an incident report:
  • The @ symbol: @
  • The + symbol: +
  • The - symbol: -
  • The = symbol: =
  • A keyboard TAB
  • A carriage return
If the reports.bcharacter_blocklist_enabled value is set to false, there are no changes to the field values when an incident report is exported to Excel.

Procedure

  1. To configure the system to sanitize values in incident reports, set the reports.character_blocklist_enabled variable using the following command: 
    sudo resutil configset -key reports.character_blocklist_enabled -bvalue true
  2. To disable, enter the following command: 
    sudo resutil configset -key reports.character_blocklist_enabled -bvalue false

New in 51.0.7.0 Configuring trusted IP addresses

You can configure a list of trusted IP addresses that are not banned if they meet the banned criteria. For example, if an IP address crosses the banned threshold for number of failed logins, this IP address is not banned if it is configured as a trusted IP address.

About this task

  • Supports IPv4 and IPv6.
  • Supports a range of IP addresses in CIDR form, for example, 9.54.34.0/24. This also includes IPv6 addresses such as 2001:db8::/24.
  • You can add a single IP address to the trusted list, like 9.54.34.43 or 9.54.34.43/32.
  • IPv6 addresses are allowed in both compressed and fully qualified form, such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334 versus 2001:db8::8a2e:370:7334.
CIDR IP addresses with a host part of 0 are treated as subnets, while CIDR IP addresses with non-zero hosts are treated as a single IP address. In the following examples, /16 determines that the network portion of the address consists of the first 16 bits. The bits beyond this form the host:
  • 1.2.0.0/16 is a subnet of 65536 addresses, as the 0.0 host makes it a network.
  • 1.2.3.4/16 is a single address, as the host part is 3.4.
To trust a range of IP addresses, ensure that the host part of the CIDR range that you input is zero.

If an IP address or IP address range is removed from the trusted values, it is immediately banned again if it had been banned previously.

Procedure

  1. Use resutil to configure the trusted IP addresses, as follows: 
    resutil configset -key trusted_ips -svalue <"ip_address>, <ip_address_range">
    where <ip_address> is a comma separated list of IP addresses in one of the formats listed above.
  2. To edit the trusted IP addresses to add or remove values, for example, to add another trusted IP address, you must first do a configget to see the current entries, and then add the additional IP address.

    For example, if you want to add IP address 200.200.200.200 to the trusted list that already has an entry 123.123.123.123, use the following commands:

    resutil configget -key trusted_ips
    This shows the current entries and you must include the current entries when editing the list to add or remove, as follows:
    sudo resutil configset -key trusted_ips -svalue "123.123.123.123, 200.200.200.200"