Product Documentation

The Resilient Incident Response Platform is a purpose built tool for the unique requirements of consistently and efficiently managing computer-related security incidents or the breach of personally identifiable information. This guide provides Resilient users with an introduction to the system’s user interface and process for entering and managing incidents, and the tasks associated with a dynamic playbook.

A dynamic playbook is the set of rules, conditions, business logic and tasks used to respond to an incident, where the Resilient platform updates the response automatically as the incident progresses and is modified. The term, playbook, is not shown in the user interface.

1.1. Supported Browsers

The Resilient user interface is a single-page JavaScript application. As such, it relies on certain functionality of the web browser to provide a rich and clean user experience. In order to enjoy the optimal experience you should use a modern supported web browser. Supported web browsers include the current release and one release back of each of the following browsers: Chrome, Firefox, Safari and Internet Explorer.

2. Dashboards

There are two dashboard views available, Activity and Analytics. Click the Dashboard tab, and then select the desired view.

2.1. Activity Dashboard

The Activity Dashboard is the default page when you log in. It contains the following:

Newsfeed: Provides up-to-the-minute activity updates for all incidents for which you are a member. To view specific actions only in the newsfeed, click the Show Types drop-down menu.
Tasks Due Soon: Displays tasks assigned to you that are due within the next 7 days.

This page also has links to documentation and the Resource Library (click for more information).

2.2. Analytics Dashboard

The Analytics Dashboard displays various charts and graphs for viewing statistical information, dependent upon your access and permission level. The following is an example of an analytics dashboard with only one widget.

When you first open the Analytics Dashboard, the default dashboard displays. There can be various, customized analytic dashboards that you can choose to display by clicking the selector icon ( ). Click Print to access a printable version of the dashboard.

In each table and chart, you can click on the various elements for more information. In addition, you can click on each item in the chart’s legend to display or remove that item from the chart.

2.2.1. Customizing the Analytics Dashboard

The Analytics Dashboard provides a selection of predefined widgets, such as pivot tables and charts, which you can place on the dashboard.

To add a widget, click Add Widget in the upper right hand corner of the dashboard then drag and drop the widget to the desired location on the page.

To configure an existing widget, hover over the widget and select the wrench icon in the top right corner to expose the widget’s configuration dialog. Select the configuration options, such as a date range, that you wish to implement then click Save. Those widgets that you cannot customize do not have the wrench icon.

To remove a widget from the dashboard, hover over the widget and select the X icon in the top right corner.

To save your changes, you can create a new analytics dashboard. Click the Save As button on the dashboard then enter any name you choose, a brief description and whether to share it or not. If you click Public as the Sharing option, other users can select and view your dashboard. To discard your changes, click the arrow next to Save As and click Discard Changes.

2.2.2. Managing Analytics Dashboards

You can edit and delete the various analytic dashboards by clicking the selector icon ( ) and choosing Manage Dashboards. On the management page, you can also view the contact information of each dashboard owner by hovering over the owner’s name.

3. Understanding Incidents

Resilient users can create incidents. Systems integrated with the Resilient platform can also create incidents within the platform.

Click List Incidents in the menu bar to display all incidents. Click an incident name to view its details. Each incident can contain significant information. The Resilient platform organizes this information into various tabs. By default, the tabs include Tasks, Details Breach, Attachments, Artifacts and more. However, your administrator can add or hide tabs and customize each tab. Some tabs may be conditional and appear only under one or more given conditions.

The following lists the actions you can take on incidents:

Create an incident.
Generate reports on one or more incidents.
Check the status of the incident.
As an incident owner, edit incident information and, therefore, the playbook.
Close an incident.
Delete an incident (only available if your administrator enabled the function).
Others custom actions configured by your administrator. These actions are accessible through the Actions button in the incident page (across all tabs), or a [...] button near an object, such as a task.

In the List Incidents page, you can perform specific actions on multiple incidents simultaneously by clicking the checkbox on the desired incidents then clicking the Selected button and choosing the action to take.

4. Viewing Incidents

The Incidents page can contain a very large number of incidents. To better navigate this page, you can use various filters, as well as create your own.

Filters are persistent. Therefore, when you click List Incidents in the menu bar to display the Incidents page, you see the results matching the last filter used. The name at the upper left corner of the page is the name of the filter. For example, the following screenshot shows the All Open Incidents filter. This filter lists all the open incidents by searching for these properties:

Disposition = Confirmed or Unconfirmed
Name = All (equivalent to no filtering by name)
Status = Active

You can choose a different filter by clicking the down arrow next to the filter icon ( ).

You can further filter the incident list by searching for fields with a specific value. Click the More button. Select the fields you wish to use in your filter. As you click the checkbox next to a field, it appears with the other fields. The following example shows the Data Compromised field selected.

You can then click on the field and choose or enter a value, depending on the field.

To remove a field from the filter, click the x next to the field.

If you wish to reuse your filter settings, click the Save As button. Enter a name and description for your filter. Choose Private (default) or Shared, which allows other users to select and use your filter.

If making changes to a filter, you can discard your changes by clicking the arrow next to the Save As button then selecting Discard Changes from the menu.

5. Creating an Incident

To report a new incident, click New Incident in the menu bar. This starts the wizard that guides you through entering the incident details and reviewing the recommended actions based on those specifics, as well as forming an incident response team.

If you select Yes to indicate that Personally Identifiable Information (PII) has been compromised, additional data fields become enabled and additional detail will be required in order for the system to properly assess the incident and generate an appropriate playbook.

If you enable HIPAA as a Regulator and you indicate that personal information is involved in the incident, there is an additional step in the wizard. This step is a Risk Assessment based on the HIPAA requirements where covered entities (and business associates, where applicable) assess the probability that a breach has occurred and maintain documentation of that assessment.

6. Generating an Incident Report

You can generate a report on a single incident or multiple incidents, using a standard temple or customizing the report to meet your needs.

To generate a report, perform the following:

Click List Incidents in the menu bar.
In the List Incidents page, select one or more incidents that you wish to have in the report by checking the checkbox next to each incident.
Click the Selected button in the upper right corner. This gives you a drop-down list.
Choose one of the following options:

Export to Excel (All Data). This option generates an Excel spreadsheet with all data available for the incident, regardless of the columns shown in the List Incidents page. The system generates the report then prompts you to download the file.
Export to Excel (Visible columns). This option generates an Excel spreadsheet with only data shown in the columns in the List Incidents page. The system generates the report then prompts you to download the file.
Generate Printable. You have the option to select a predefined report template or select Customize to build your own report.

If you selected Generate Printable then clicked the Customize link to generate a custom report, perform the following in the Build a Report page:
1. Select the sections that you wish to appear in the report by checking the appropriate boxes.
2. Review the sections checked by default to determine if you wish to have them in the report.
3. In the preview on the right side of the screen, you can choose to reorder the sections by dragging and dropping each section.
4. Optionally, you can create a new report template based on your selections. Simply, enter a name for your template in Create Template section and click Create. Alternatively, you can overwrite one of your custom templates by selecting it from the drop-down in the Edit Template section, and click the Save
5. When done, click Print. The system generates the report then presents a Print window.

To modify an existing template, select Generate Printable then click the Customize link as described previously. In the Edit Template section of the Build a Report page (lower left side), select the appropriate template from the drop-down menu and click Load. Modify the sections and ordering as desired then click Save.

NOTE: You can also generate a report when viewing an existing incident. Click the Generate Incident Report button on the lower left side of the incident page. This provides the same functions as the Generate Printable option.

7. Managing Incidents

You can manage incidents by assigning and completing tasks, creating custom tasks, adding or updating incident information, adding attachments and artifacts, and selecting a predefined action.

The Actions button in the incident page (accessible regardless of the selected tab) applies to the incident. You can also take actions on individual tasks. You can also select Action Status from the Actions button to view the status of the various actions.

To change the details of an incident, visit either the Details or Breach tab of the incident, depending on what information needs to be modified.

For Personally Identifiable Information, if you change a “No” answer to “Yes” regarding the exposure of, additional tasks are added to the playbook. You should visit the Breach tab to enter additional required information. If you change an “Unknown” to “Yes”, you can update the details from within the task that instructs you to investigate if data has been compromised.

Once users complete all the tasks for an incident, you can close it by clicking the Close Incident button. If there are any empty fields that are required to close the incident, you are prompted to enter the data. If closing multiple incidents, you are also prompted to fill in any empty, required fields. In this case, the value you enter goes to the same field in every incident, except those fields that already have data.

Depending on the conditions configured by the Master Administrator, there may be a number of tabs for the incident. The following sections describe the standard tabs, which may or may not be visible for the incident.

7.1. Tasks

The Tasks tab allows you to view and manage all the tasks for the incident you selected. The tab organizes the tasks by phase, which you can expand or collapse. The following is a partial screenshot of the tasks table.

TIP: To see all tasks assigned to you regardless of incident, click My Tasks on the menu bar.

For each task, you can access the following information, from left to right:

Hover over the clipboard icon to see if the task is system generated or user added.
If the circle and checkmark icon is green, the task is completed; otherwise, it is incomplete. You can click the icon to mark a task as completed.
Hover over the task name to see its instructions.
Owner column. Click the down arrow to select an owner, if unassigned, or reassign the task. The drop-down lists only those users or groups who are members of the incident. When you save your changes, the assignees receive an email notification.
Due Date column. Click the date to change or assign a due date.
Flags column, notes icon. Shows the number of notes added to the task. Click the icon to open the task and view or add notes.
Flags column, attachments icon. Shows the number of attachments added to the task. Click the icon to open the task and view or add attachments.
Actions column. Click the [,,,] button to see the available actions for the task. Click the action to perform it.

Also in the Tasks tab, you can perform the following:

Perform an action on multiple tasks. Select the tasks then click the Selected button and choose the action. To select multiple tasks, click on the clipboard icon of one task then hold the Shift or Ctrl key (Windows), or Command key (Mac) and click the clipboard icon of the other tasks.
Create custom tasks, which are additional tasks beyond the ones generated by the application. Click the Add Task button, enter the appropriate information in the dialog and click Create. This adds the custom task to the existing playbook, where you can assign it to a user for completion. NOTE: The Master Administrator can also create tasks, as described in the Resilient Incident Response Platform Master Administrator Guide.

Click on a task name to view its details. When viewing an individual task, there are also tabs to view the source of the task, record notes, and upload attachments (if this feature is enabled for your organization). In the Members tab, you can mark a task as Private if you consider the task as sensitive and do not wish it to be viewed by the incident team in general. Only master administrators, administrators, observers, owner of the incident, owner of the task, and any members who were explicitly added to that task can view a private task.

You can also mark the task as completed by clicking the Mark Task Completed button.

7.2. Breach

If the incident involves PII data, additional information is required under the Breach tab of the incident. Additional details such as types of data involved, number of records, and applicable jurisdictions are required. For EMEA, AsiaPac, and Latin America jurisdictions, it is important to read each tooltip in order to determine applicability to the incident.

Entering these details allows the system to generate an assessment, which provides a summary of the reporting and notification requirements. The summary also provides a liability estimate of what could be imposed by authorities in the form of fines for not completing the required notifications.

7.3. Notes

To add a note or a comment to be shared with other members of the incident team, go to the Notes tab (at incident or task level) and click Add a Note. Type your comment in the text box and click Post. This posts the note on incident team members’ Activity Dashboard. Notes can be edited or deleted by administrators, incident owners, or incident creators by selecting the appropriate option on the Notes tab.

To direct a note to a specific incident member, place your cursor in the text box and type the “@” symbol, and a list of all the organization’s users appears. Select the appropriate user(s) and continue entering the note. When complete, click Post; the users you selected receive a notification directing them to log in and view it.

7.4. Members

To add or remove members of an incident team, open the appropriate incident and click the Members tab then select Edit. Click the drop-down menu and select the user name or group that you wish to add then click Add. The user or group appears on the right under Current Members once they have been successfully added. To remove a team member or group, click Remove next to their name.

7.5. Attachments

The Resilient platform supports the uploading of attachments related to the incident. This feature must be enabled by the master administrator for your organization. Attachments may be added at the incident or the individual task level. To attach a file, open the appropriate incident or task then select the Attachments tab. Click Upload File and select the file you wish to attach. Note the maximum file size is 25 MB. You can delete attachments from the incident or task by clicking the Delete button next to the appropriate file.

7.6. Timeline

The Timeline tab features a robust timeline display that can be set to display days, weeks, and months. Additionally, milestones can be added to call out important events within the timeline. To add a milestone, click the New Milestone button. Here you can add a date, title, and description of your milestone.

7.7. Artifacts

An artifact is data that supports or relates to the incident. The tab organizes artifacts by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, and malware sample.

NOTE: Any IPv4 addresses encoded in an IPv6 format are displayed in the IPv4 format. True IPv6 addresses are displayed in IPv6 format.

7.7.1. Artifacts Tab

The Artifacts tab lists all the artifacts added to this incident and allows you to add, edit, and perform actions on artifacts. If the list is long, you can filter by artifact type.

You add artifacts by clicking the Add Artifact button, selecting the type of artifact then entering information such as the type, an attachment if prompted, and a description of the artifact including how it relates to the incident. For some artifact types, you can enter multiple values; for example, email addresses. Make sure to separate multiple values by a comma, space or new line.

You can perform actions on each artifact. The available actions depend on the type of artifact; for example, you can select an IP address artifact then use the Search LDAP action for more information about the address.

NOTE: The Details tab displays geolocation data for the ip address artifact type if your organization has enabled this feature. The Details tab displays Whois information for the DNS name artifact type when you click the Load

7.7.2. Tabular Display

The Artifacts tab allows you to display the artifacts in a tabular format or visually as a graph.

In the table, you can click on the artifact value for additional information. You access actions by clicking the [...] button. If the Resilient Security module is enabled for your organization, the Resilient platform examines supported file types for matches with threat intelligence feeds. If a match is found, a red exclamation point is displayed next to the artifact. You can click on these artifact matches to display further information, if available.

7.7.3. Graph Display

The graph displays the incident as a circular node with each artifact as a block attached to the node. Here are the actions you can take in the graph:

Drag the artifacts to rearrange them so you can better show the relationship to each other.
Hover over the incident node or the artifact to display its details and the Action button.
If the Security module is enabled, the Resilient platform examines supported file types for matches with threat intelligence feeds. If a match is found, the artifact is highlighted in red.
Click within the graph area then use the mouse wheel to resize the graph.
If any artifact is also associated with another incident, the graph shows that incident as a separate circular node. You can click on each node to focus on that incident and its artifacts.
Use the timeline at the bottom of the graph to limit the view to a specific length of time. If you have multiple incidents in the graph, a red horizontal line at the top of the timeline represents each incident. Hover over each line to display the incident name.

The following is an example of a graph with multiple incidents. One artifact is associated with eight incidents. All eight are shown in the graph as circles and as red lines in the timeline.

7.8. Deleting an Incident

As an administrator, you can delete incidents if your master administrator has enabled the function. When you delete an incident, it is permanently deleted from the Resilient platform. Typically, you should close an incident instead of deleting it.

When you delete an incident, the incident’s attachments, such as tasks and artifacts, are deleted, and all mention of the incident is removed from the news feed and system notification. Deleting an incident does not generate a system notification, but users can receive email notifications.

To delete an incident, go to the incident and select Delete from the Actions drop-down list. To delete multiple incidents, select the incidents from the List Incidents page, click the Selected button then click Delete Incidents. If the menus do not contain Delete, your administrator has not enabled this function.

The Resilient platform logs all instances of deleted incidents.

8. Simulations

Administrators have the ability to run simulations, which are hypothetical circumstances that can help your team to understand the impact of data loss situations and to rehearse the response process. Click Simulations in the menu to view the two types of activities:

Scenarios – Full functionality incident creation, marked in the tool as a simulated situation rather than an actual occurrence.
Risk Assessments - Unrecorded, unlogged assessments based on limited situation parameters for data breaches involving PII.

To run a simulated scenario, click Start New Scenario and complete the incident entry wizard. To close an active simulated incident, click the Close Incident button within the appropriate incident. Simulated scenarios are distinguished within the system by a special icon; however, the process of working with simulated items is identical to working with a real situation that your organization tracks using the Resilient platform.

You can perform the same actions on simulations as you can on incidents, as described earlier in this guide.

Simulated risk assessments allow you to test the implications of a data breach situation without keeping it in your organization’s record. The wizard collects basic information about a hypothetical data breach event, and ends with an assessment that includes a summary of the recommended steps to be taken as well as the estimated fine liability.

9. Other Tools

The Resilient platform provides various resources and tools, as described in the following sections.

9.1. Documentation and Support

You can access the documentation and Support information by clicking your user name in the right corner and selecting Help/Contact in the drop-down menu. There is also a link on the Activity Dashboard.

9.2. Resource Library

The Resilient platform maintains a database of breach notification statutes (laws passed by a legislature and signed into law), regulations (laws made by agencies), trade organization bulletins, and guidance documents, including penalties where applicable.

To access the Library, click on your user name in the upper right hand corner of the page, and select Library from the drop-down menu. There is also a link to the Resource Library on the Activity Dashboard. Select the desired jurisdiction or regulator to view the relevant text of the document. Hyperlinks to the full source documents are also included.

The Library is organized into sections. Access to each section is dependent on your organization’s subscription.

9.3. My Settings

You can edit your settings by clicking the arrow in the upper right corner of the page near your name and then selecting My Settings.

My Profile

Allows you to update basic profile information such as name, title, and phone numbers. Click Edit then make the desired changes and select Save.

Notifications

This feature allows you to update your personal preferences for receiving notifications about various actions that occur in the system. For each action listed, select the radio button next to the method of preferred notification, either through email or through the small globe icon in the Resilient UI, or both. Hover over the small “I” icon for a brief explanation of each action.

Change Password

You can change your Resilient password by entering your current password, your new password, and then clicking Change Password.

9.4. Notifications

Notifications show activity that specifically involves you, such as when a task or incident is assigned to you. There is an alert icon for notifications on the toolbar at the top of the Resilient page, to the left of your username, which displays the number of your notifications. Click on the icon to review the notifications. Some notifications may send an email to your address.

You can customize your notification options by clicking your username, selecting My Settings then clicking Notifications. Each notification on the Notifications page has an information icon, which you can click for details. For each notification, you can choose to be notified by email, alert icon in the Resilient toolbar, both or neither.

You do not receive notifications for actions that you instigate; for example, you do not receive Task Closed notifications for tasks that you close.

9.5. Search

The Search function in the Resilient toolbar, which appears on every page, allows you to search for a keyword or phrase in any or all object types. The Search function supports the following:

Wildcards (*), which you can use in any location in your entry.
Tilde (~) at the end of your entry performs an approximate search, also called a fuzzy search, which returns strings matching your entry exactly, with one character extra, and with one character different from your entry.
Phrases when enclosed in quotes.

The Search function is not case sensitive.

By default, your entry is searched in all object types. You can use the arrow next to Search to specify searching in a specific object type.

Alternately, on the Search results page, you can use the tabs to filter by object type.

On the Search results page, each result starts with an icon that represents the object type. Hover over the icon to see a definition of the object type.

The Search results page allows you to add filters that can further narrow your results. The previous screenshot shows the default filters, Owner (set to All) and Status (set to Active). To add filters, click Add Filter then select the filters you wish to use. As you click the checkbox next to a filter, it appears with the other filters. The following example shows Malware family name selected.

You can then click on the filter and choose or enter a value, depending on the filter.

To remove a filter, click the x. To remove all filters, click Clear Filters.

You can use the Search field within the results page to perform a new search while preserving your previous search results. Simply use the browser’s back button to return to your previous search.

Resilient_Systems_User_Guide.pdf

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSIP9Q","label":"IBM Security SOAR"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

User Guide v28