Greetings everyone, my name is PR. Before we go into the details of the UI, let's have a look at the back-end CLI and a few of the options that are available there. This is our lab system. I'll let you see the operating system version: it's Red Hat Enterprise Linux Server release 7.9. If I go to the partition layout, these are the partitions that have been created: root, /crypt, /usr/share/co3 and /var/log, and of course /boot is there. So this is the customized partition layout that was created for the software installation. This installation was done using a .run file downloaded from IBM Fix Central. If you are using an OVA file and import that OVA file directly into an ESXi server, then you don't have to create these partitions manually; they will be created automatically.

Moving ahead, regarding the SSL certificate: this is the command that you can use, the certificate request command. If I just go ahead and press Enter, it complains about not having enough permission to read certain files to complete the command, so I'll have to use sudo. Hence you probably need a sudo user on the platform to run most of the commands. It asks me for the fully qualified domain name of this host, so I'll type soar.example.com. Next we need to type in the SAN, the subject alternative names. This could be an alias for the original fully qualified domain name; I'll give the IP address of my lab machine here, so that during the SSL handshake, or if you're trying to integrate any third-party application with the SOAR platform, you can either use the hostname soar.example.com or the IP address 192.168.0.1 for the integration to work, and it won't complain about a mismatch of the hostname or IP address that you are using in the integration. That kind of problem you won't face. Company name: type in your company name (oops, I just missed that; that's okay). Enter your organizational unit; I'll say Security. Then I'll just give a name; it has to be relevant to what you are creating the certificate for, so let's say a name relevant to this host. And that's about it. It will take a couple of seconds and then it will give you the certificate request. This is also known as a CSR, certificate signing request, that we generate, and it gets stored in the following location. You can copy and paste this information and send it to your CA, the certificate authority. If you happen to lose this screen for some reason, don't worry: this information gets stored at this particular location on the SOAR platform, so you can log in again and go to that file using this command: openssl req -text -in followed by the full path of the file name, and then I'll give it -noout so that we don't see most of the tags there. Enter again; it complains about the permission, so we will use sudo, and we see all the details. These are the details that we provided during the certificate request generation, and the SAN I was talking about: I took soar.example.com as the DNS name and the IP address is mentioned as the IP address. So during the handshake of any integration you're trying to do with any app, you can use this hostname or this IP address; both will work fine.

All right, let's move on to user creation. For most of the commands you'll be using this utility called resutil. resutil also requires sudo permission to work. So if I run resutil help and pipe it through grep newuser... let's see, newuser. OK, this is the newuser command line. If you don't know what to use, because the help output is pretty huge (sorry about that, don't panic), the help output is pretty huge, as you can see; there's a huge amount of information in there about what you can do using resutil, so it's wise to pipe it through grep. If you happen to know a term, like if I don't remember that newuser is the command to create a user, then I can just grep for "user" and I'll probably get the information about this newuser command-line utility that creates a new user in organizations. The star alongside the switches, these parameters, are required; the star signifies that these are the required, mandatory parameters. So without this option, for example, the certificate verify will not be completed without you specifying the CSR file name. It's like that. Once the initial user is created you'll be able to log into the UI.

Let's move on to the UI. Let me show you: history | grep createorg. This is the command that was used to create the initial user: sudo resutil newuser -createorg. -createorg specifies that if the organization, which you specify using the -org flag, does not exist, if the org "bootcamp" does not exist, just go ahead and create it. If you don't specify -createorg then it assumes the org already exists. Then the email of the account, the first name and the last name. The organization that you would like to create is specified with -org. That's about it.

So I'm going to go ahead and go to the UI; hope you can see the screen. Once you log into the SOAR platform, on the top left will be the product name, IBM Security QRadar SOAR, and it will be linked to the hostname of the platform that you have assigned, in this case soar.example.com. You can see at the bottom left corner (it's very small, maybe you're not able to see it) that it is linked to https:// followed by the hostname of the platform. So you can use this hyperlink to jump quickly to the home landing page. Now, alongside this, the activity dashboard is the landing page: if you go to the home directory you will land on the activity dashboard. Newsfeed is the live feed of the activity that is going on on the platform; it covers everything for the platform. If you are wondering what kind of feeds are available, just click on this, and you can see these are the activities: assignment, attachments added, notes and a lot more. This is a clean slate; it's been created recently for the boot camp only, so you are seeing very little information here. If it is a real environment, you'll see the feeds going on live, scrolling. In that vast amount of feeds, if you want to see any specific type of information, let's say you just want to see attachments, what kind of attachments are going on in the platform, you can just come in here and click Attachments. There's no attachment feed on this platform right now, but in a real environment you'll be able to see this. If I look at creation and deletion: see this one, Master Admin created this incident "phishing attack malware drop", with its date and time stamp. So I'm able to see that information with the filtering, and then Modification: what kind of modifications have been going on in the platform. If you want to see that, you can do it like this; All shows everything.

If you need some help on the documentation or resources, and you have access to the SOAR platform, you don't have to look for the documentation elsewhere; the link has been given on the platform itself. See this "Need help": the documentation, if you click it, opens up in the platform itself, and this information is hyperlinked to the official IBM documentation site. If you click on it, it will take you to the official IBM documentation site; for the time being I'm not going to click it, but it's available there for reference. It also gives you API tools. API tools are native to the platform, I mean the API reference is available on the platform itself; it doesn't redirect anywhere. REST API reference: if I click here, it's going to open up soar.example.com, then docs, then rest api, then index. This is the information regarding all of the APIs that are available on the platform for you to use. And there is the interactive REST API: if you want to try out any of the REST APIs, you don't need to install any separate client to reach out to the SOAR platform; it's available on the platform itself. Interactive REST API, if you click it, gives you the interactive REST API like this, and then GET, POST, PUT, DELETE you can try here on the platform itself.

Now moving on. This particular session we have designed for you to know what information is available where on the UI, and going forward we'll deep dive into that information in upcoming sessions. Right now I'm going to visit each area of the UI so that you get familiar with what information lies where and what its purpose is. Dashboards contains three items. One is the Activity dashboard that we are currently seeing, which is the live feeds. Analytics dashboard, if you click on it, gives you metrics on what is going on on the platform; we have a dedicated session for the analytics dashboard, which is the last session of the boot camp, where we'll deep dive into this. And then we have My Tasks. My Tasks is where you can see all of the tasks assigned to you. What are tasks? Whenever any incident is created... this incident I have created is a sample incident; if you click on it, this is an incident of type malware, you see the incident type malware. Now the tasks, all the tasks, are listed here in different phases. We'll deep dive into incidents in the next session, which is Incident Management; we'll see bit by bit all these details of phases and tasks, what they do and how to do it. So an incident goes through each of the phases, like Engage, Detect, Analyze and then Respond and so on, and that can be based on the standard practices, best community practices, or you can have custom SOPs for your organization; that can be done as well. So these are the tasks. Basically the QRadar SOAR platform generates a remediation plan for the incident, which consists of different phases and different tasks within the phases. So these are the tasks, open or generated, once it comes to an incident like "phishing attack malware drop". You'll have different analysts, right? Let's say you are the manager of a SOC and your job is to assign incidents to different analysts based on their skills; probably you are the best guy who knows which analyst is skilled in which area and who can solve what kind of incident. In that situation, this is a malware incident, so probably you will assign this malware incident to a single individual, or if it is too much for one individual then you can assign it to a group of people who can handle malware type incidents, and those assignments can be done from here. So let's say, Detect phase, "Disconnect or isolate malware-infected system": who can do this job? I'll say I have the access and I can get the job done, so I'll assign it to myself, Master Admin for example. What it does is that it gives you a notification: owner changed on one task. If you go to My Tasks now, My Tasks lists that "Disconnect or isolate malware-infected system" has been assigned to me, with no due date. Of course you're going to set a due date if you want to get the task completed within a certain span of time; that's its purpose. This is just for the test, so I'm not filling in that due date. Once assigned, since Master Admin is the user currently logged in, it is showing all the tasks assigned to owner Master Admin. If you assign a task to any user, when that user logs into the platform they will be able to see their respective tasks. That's the use of My Tasks: how many tasks I have at hand and what needs to be done from my side.

Going to the next: Inbox. Inbox is "add a connection to create cases from emails". This inbox is basically a dedicated inbox which you can configure to create an incident out of an email. QRadar SOAR is capable of having its own dedicated email inbox to create incidents, so for any email that comes to the inbox, QRadar SOAR can create an incident out of it. Let's say for incident types which cannot be created through automation or integration. Let's say you have a SIEM integration, you have a ticketing integration; any offenses that get created on the SIEM platform based on the settings or automations that you have created can get automatically escalated, and QRadar SOAR can generate an incident respectively. But what about, let's take an example: in the organization you just lost your mobile. This is not something any integration can help you with, unless you yourself report it to the lost and found department or any other similar department in your organization. This is not something an integration can detect: that somebody, PR, has lost his mobile and then I need to generate some remediation plan for him. That's not possible. So in that scenario, what you can do is: I am supposed to be aware of the organizational policy. If I am a corporate employee and I lost my mobile or laptop which was given to me by the company, what am I supposed to do? That's my responsibility to know. So I know that if I lost my mobile or laptop then I'm supposed to send an email to the lost and found department so that they can take the respective action. So I write an email to the lost and found and they probably send it to this dedicated inbox of the SOAR platform, the incident management and response platform. Once that email reaches this inbox, SOAR will parse that email, intelligently try to see what kind of incident this is, and based on that it can generate an action plan for you to remediate. We'll see that in detail in the upcoming session; we have covered the inbound email configuration in an upcoming session.

Artifacts: these artifacts are values; there are different types of artifacts, like DNS name, email attachment name. These are the pieces of information that you get during the investigation of an incident. Let's say you're investigating a malware incident and you came across a few findings, like this is an email body, this is an email sender, this might be related to this particular malware drop, suspected email addresses; those kinds of information can be recorded as artifacts during the investigation of an incident. You can attach an email sender: type is Email Sender, then for the value you type in an email address, and then a summary of why you are attaching this artifact to the incident. If you want, you can create a tag also. If you want to look at threat scan, I mean if that email is relevant to any bad threat actors or something that can be caught by some of the threat intelligence feeds, that threat scan can also be done. And then related incidents: let's say you have thousands of incidents lying in your QRadar SOAR platform; if that artifact is also listed somewhere else, it binds those incidents in a single view so that I can see, okay, this artifact is related to this many incidents. We'll see that in detail in upcoming sessions. So that's the artifacts; how you can make use of artifacts we'll cover in much more detail in upcoming sessions.

Next I'm going to move on to Incidents. The Incidents page is basically for you to see all the incidents; it's like the Offenses page in QRadar SIEM. To see what kind of alerts or offenses were generated in QRadar SIEM, you need to go into QRadar and click on Offenses; similarly, to see what kind of incidents are available on the SOAR platform, you need to go to the Incidents tab so that you can see all of the incidents on the platform. There are various fields available: the incident ID, incident name, and a couple of filters there. You can see the status filter, Active, so currently I'm seeing all the incidents which are active; right now I'm not seeing any closed incident. If you would like to see any of the closed incidents, you just have to remove the filter: there is a cross button at the top right of the filter, just click it and it will remove the filter, and the page will refresh dynamically and show you the closed incidents as well. If you want to add the filters again, there is a filter tab here; just click on it and you will be able to see these filters, status active or closed. I just want to see the closed incidents; I don't have any closed incidents as of now, so my result set is zero. And you can also remove the filters like this. You might be wondering that very few filters are available right now, but that's not it actually: Edit Filters, you can just click on Edit Filters and you have a huge number of filters here. By default not all are visible, but based on your requirement you can make them visible. So that's about filters in the Incidents tab. If you want to clear all of the filters, there is a Clear Filters button up here; you can use that also.

If you happen to use the QRadar SOAR platform, whenever you want to do searches, let's say you're doing an investigation and you want to look at certain kinds of events in QRadar SIEM, or any SIEM platform, you might spend a couple of minutes figuring out the filters and applying different filters to get the desired result set displayed on the screen. In a similar fashion, to see the kind of incidents that you're looking for, maybe based on patterns, maybe based on filters, you might spend a couple of minutes or seconds to get that view. Once you do that, we have presets available, which is like a saved search. You can just click Save As and give it a preset name, and that preset will be created on the platform for you to view. Let's say Active Incidents; this is the Active Incidents preset that I have created earlier. If you click on Active Incidents, it says "save before continuing"; of course I'll discard it, no problem. So Active Incidents: this is my active incidents view, my custom view that I have saved. That can be done also. If you want to manage the presets, this is the presets view: All Open Incidents is a default one that cannot be edited or deleted, but any preset that you have created is visible there and is editable, and you can delete it as well.

Next, the Create Incident tab. The Create Incident tab is there to create incidents like this one. I'm going to visit this in the upcoming session, so I'm not going to go into much detail here. Creating incidents can also be done from the Incidents tab using Create Incident. Now there is a magnifier icon; this is the search icon. If you want to search across the platform, all the types of objects are available there: incidents, tasks, artifacts, notes, attachments. If you want to search all, All is selected by default; if you want to search just incidents, click on Incidents and type the word that you're interested in, or All is also fine. So let's say I want to search "malware"; I'm just looking for an incident where the word is malware. See here, "phishing attack malware drop". This is in an open state: the tag signifies that the incident is still in the open state, and the incident type is malware. It also gives you the incident ID and the owner name; it's pretty useful. Click on it and you'll jump directly into the incident details.

Next, the notification icon. If you have used the QRadar SIEM platform, the notifications are pretty similar, but the notifications can also be customized in a much more granular way: for any of the activities that are being performed by any specific user, an admin can generate a notification. That will also be covered, so I'm not going to go into much detail on notifications right now; that is covered in upcoming sessions.

Next is Playbooks. This is where you do all the automations. Right now, if you see, there are no playbooks, but if you do the customizations, there are incident types, and by default there is a resolution plan given for you for this many incident types that are already there. But based on the integrations, the playbooks will help you integrate most of the security solutions that are lying around in your organization, so that you can make use of them to respond to threats or incidents. Right now it's a clean slate: no playbooks; enabled is zero, disabled is zero, drafts is zero. We'll go into much detail; there is a dedicated session for playbooks. Right now we need to know which option is there and what we can do with it.

Administration Settings: we have dedicated two sessions to administration, to familiarize ourselves with the administration settings in great detail. Users, groups, roles, workspaces, all this information we'll visit in detail in the administration settings. Organizations: I'll let you see this general thing. In the Organization tab there is Details and then this "bootcamp". If you remember the org that you created, org "bootcamp", the organization that you give with the -org flag, it comes in here as the organization name, and it gives an ID, 2011. The organization name, address, address 2, you can also fill in all these details, and if you want to edit the org, this is the command you need to use: resutil editorg. Settings: the session timeout. This is the one I'll visit; the rest we'll visit in upcoming sessions, in the dedicated admin settings session. Session timeout is the timeout in minutes before a session times out and requires a new login. This is the window timeout: if you leave it for some time, let's say 80 minutes onwards, then it times out. This is a customized value; by default it is 20, that's what it says, default is 20 minutes. I have customized it to 80. I can change it; let's make it 60 and save: "Timeout value saved successfully". So if I don't do anything on the platform UI for one hour, it will ask me to log in again.

Then if I go to Customization Settings. This information, the new incident wizard, custom settings, we'll also cover in great detail in the upcoming sessions, but I'll let you see a few of the items. New incident wizard: what we're talking about is the incidents that you create. Create an incident; if you create an incident, discard the draft, and then this information you see, step one, step two, step three, all of these six steps, can be customized using Layouts, New Incident Wizard: describe the incident, date and time, all this information is customizable. You can edit it, delete it, and based on the requirements that your organization needs, whether you want to go through a six-step process to create an incident or a one-step process, that's up to you; it can greatly be customized. Again, if we go to Incident Tabs, you see the steps: Task, Details, Breach, Artifacts, Email. And what if you need a tab with some data tables? Let's say you got an incident and that incident contains an email, but with that email you need to know who this person is, which organization he or she belongs to, who is the manager; that information you want to see in a different tab. So you can create a different tab and do some automation or integration with your organization's Active Directory, or any user repository that you have, to pull in that information. Once the email comes into the platform, your automation or playbook triggers, goes into the user repository, gets all that information and gives it to you in a nice data table. Once you click on that data table, okay, this is the employee, this department, this manager, everything is there in a single tab. That can be done using Incident Tabs and then Add Tab; we'll see how to do that in an upcoming session.

Rules and Workflows: earlier we used to create rules and workflows to create a playbook, which was known as dynamic playbooks. Now if you click on Rules and Workflows you see this kind of banner; it says "create playbooks with Playbook Designer". Playbook Designer, which is this one, gives you a single canvas, so you don't have to go to and fro between the rules space and the workflow space to create the automation or playbook. Playbook gives you a single canvas where you can do everything, starting right from creating tasks or anything that is required to create a playbook, all available on a single canvas. But if you ask me why rules and workflows are still there: of course they are there. If you mean to do some very complex automation that cannot be catered for by playbooks as of now, if you have reached that point, then you might want to look at rules and workflows, with which very advanced customization can be done. We'll cover those in detail in the playbooks session: in what situation you can use them. Scripts also; these are customizations. Functions we'll cover in App Host and applications: what functions and destinations are. Also phases and tasks, which I was talking about, basically Engage and the different tasks that come under the phases; that can also be customized, as I was saying, based on your organization's SOP. Incident types also: you can add an incident type, and how we can make a hierarchy of incidents; let's say you have malware and you want two different types of remediation for two different types of malware, how you can do that we'll also see. Breach, and then Artifact Types: if you want to create a customized artifact type, that can also be done here.

Apart from that there is My Settings; a couple of my settings are there. You can make some changes to your profile and notifications, and you can change your password as well; this is where you change your password for the platform. And you can see About: About lets you see the version of the platform, so currently we're using version 50. So this is mostly about the UI of the platform. If you are wondering, I have left out a few of the options deliberately, because those will be covered mostly in the upcoming sessions. So that's about it. Thank you, that would be all for this session.
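As an added example (not part of the session and not the platform's own certificate request command), the following POSIX shell script shows what the session's CSR step does under the hood: it generates a CSR carrying both the FQDN and the IP address as Subject Alternative Names, then re-reads the stored CSR with openssl req -text -noout, as the session does, and checks that both SAN entries are present so an integration using either name will not see a mismatch. The hostname soar.example.com, the IP 192.168.0.1 and the organization values are lab placeholders, and the script uses plain openssl rather than resutil.

```shell
#!/bin/sh
# Added example: CSR with DNS + IP Subject Alternative Names, then a
# read-back check of the stored CSR. All names/values are lab placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="soar.example.com"      # placeholder FQDN of the SOAR host
IPADDR="192.168.0.1"         # placeholder IP address used by integrations

# Write an OpenSSL request config whose v3_req section carries the SAN list.
write_csr_config() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $1
O = Example Corp
OU = Security

[ v3_req ]
subjectAltName = DNS:$1, IP:$2
EOF
}

# Generate a private key and a CSR for FQDN $1 / IP $2; prints the CSR path.
make_csr() {
  write_csr_config "$1" "$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORKDIR/soar.key" 2>/dev/null
  openssl req -new -key "$WORKDIR/soar.key" -config "$WORKDIR/csr.cnf" \
      -out "$WORKDIR/soar.csr"
  printf '%s\n' "$WORKDIR/soar.csr"
}

# Re-read a stored CSR (what you do after losing the screen) and print only
# the SAN line as "openssl req -text -noout" renders it.
csr_san_line() {
  openssl req -text -noout -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Return 0 if CSR $1 carries both DNS:$2 and IP Address:$3, else 1.
csr_has_san() {
  san=$(csr_san_line "$1")
  case "$san" in
    *"DNS:$2"*"IP Address:$3"*|*"IP Address:$3"*"DNS:$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run as "sh this.sh run" to generate a CSR and print its SAN line.
if [ "${1:-}" = "run" ]; then
  csr=$(make_csr "$FQDN" "$IPADDR")
  csr_san_line "$csr"
  csr_has_san "$csr" "$FQDN" "$IPADDR" && echo "SAN check passed: $csr"
fi
```

The generated soar.csr is what you would send to the CA; the key stays on the host.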