polarityio/resilient

Polarity IBM Resilient Integration

The Polarity - IBM Resilient integration searches the Resilient Incident Response Platform for incidents related to indicators on your screen.

The integration can search across artifacts, incidents, tasks and notes. Incident and tasks searches are full text searches against all fields. Artifact searches are exact match searches against the artifact's value. Note searches are full text searches against the content of the note.

If a result is found, the integration will display information about the related incident. Incidents are deduplicated so that an incident is only shown a single time even if it has multiple matches.

To learn more about IBM Resilient, please visit the official website.

Note that the Resilient search API does not return results for IP addresses if the IP is found only in the description field of an incident. As a result, when searching incidents, the integration cannot find results for IP addresses contained only within the description field.

Resilient Search Example

Resilient Integration Options

Resilient API URL

Your Resilient API URL, including the scheme (e.g., https://).

Resilient Web App URL

Your Resilient Web App URL, including the scheme (e.g., https://). This should be set to the URL you use to log in to Resilient. If left blank, the "Resilient API URL" will be used as the App URL.

Resilient Search URL Path

The search URL path for your Resilient instance. This path is used to construct the URL opened when a user clicks on a search result to run the search in Resilient. The path is appended to the "Resilient Web App URL". The string {{entity}} is replaced with the actual entity value.

Defaults to /#search?q={{entity}}

Resilient View Incident URL Path

The incident URL path for your Resilient instance. This path is used to construct the URL opened when a user clicks to view an incident within Resilient. The path is appended to the "Resilient Web App URL". The string {{incident}} is replaced with the incident ID value.

Defaults to /#incidents/{{incident}}

Resilient API Key ID

Your Resilient API Key ID. You must authenticate with either an "API Key ID" and "API Key Secret", or a "username" and "password", but not both.

If authenticating with an API Key, your API key must have the following permissions:

  • Incidents -> Read
  • Edit Incidents -> Notes
  • Read Tasks

Resilient API Key Secret

Your Resilient API Key Secret token value. You must authenticate with either an "API Key ID" and "API Key Secret", or a "username" and "password", but not both.

Resilient Username

The username of the Resilient user you want the integration to authenticate as.

Password

The password for the Resilient user you want the integration to authenticate as.

Resilient Org Id

Your Resilient Org ID. You can find your Resilient Org ID by navigating to Administrator settings and then clicking on the Organization tab. Please note you must be a Resilient Administrator in order to access your Org ID.

Workspaces to Search

Comma delimited list of workspaces to search. If left blank, all workspaces accessible to the provided API key or user will be searched. Workspace names are case-sensitive. This option should be set to "Only admins can view and edit".

Types to Search

The types of data that should be searched. Options include "Incidents", "Notes", "Artifacts", and "Tasks".

Days to Search

The number of days back to search. For example, if set to 365, the integration will limit results to incidents created in the last 365 days. Defaults to 365 days.

Ignored List

Comma separated list of entities that you never want looked up in Resilient.

Ignored Domain Regex

Domains that match the given regex will not be looked up.
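As an added illustration (not code from the polarityio/resilient integration), the snippet below shows how the "Resilient Web App URL", "Resilient Search URL Path" and "Resilient View Incident URL Path" options described above combine into the links shown to the user, including the fallback to the API URL, and how the "Ignored List" and "Ignored Domain Regex" options filter lookups. The option keys, the example host and the function names are assumptions chosen for illustration.

```javascript
// Constructed option values mirroring the defaults documented above (hypothetical keys).
const options = {
  apiUrl: 'https://resilient.example.com:443',
  webAppUrl: '',                                  // blank -> fall back to apiUrl
  searchUrlPath: '/#search?q={{entity}}',
  incidentUrlPath: '/#incidents/{{incident}}',
  ignoredList: '10.0.0.1, internal.example.com',
  ignoredDomainRegex: '\\.example\\.org$',
};

function stripTrailingSlash(url) {
  return url.replace(/\/+$/, '');
}

// Effective App URL: the Web App URL if set, otherwise the API URL.
function appBaseUrl(opts) {
  const base = opts.webAppUrl && opts.webAppUrl.trim() ? opts.webAppUrl : opts.apiUrl;
  return stripTrailingSlash(base.trim());
}

// Search link: path appended to the App URL, {{entity}} replaced with the URL-encoded
// value so characters such as '&' or '#' inside an entity cannot alter the query string.
function searchUrl(opts, entity) {
  return appBaseUrl(opts) + opts.searchUrlPath.replace('{{entity}}', encodeURIComponent(entity));
}

// Incident link: {{incident}} replaced with the incident ID; only numeric IDs are accepted.
function incidentUrl(opts, incidentId) {
  const id = String(incidentId);
  if (!/^\d+$/.test(id)) throw new Error(`invalid incident id: ${id}`);
  return appBaseUrl(opts) + opts.incidentUrlPath.replace('{{incident}}', id);
}

// Ignored List is a comma separated exact-match list; Ignored Domain Regex applies to
// domain entities only. Returns false when the entity should never be sent to Resilient.
function shouldLookup(opts, entity) {
  const ignored = opts.ignoredList.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (ignored.includes(entity.value.toLowerCase())) return false;
  if (entity.isDomain && opts.ignoredDomainRegex) {
    if (new RegExp(opts.ignoredDomainRegex, 'i').test(entity.value)) return false;
  }
  return true;
}
```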

Polarity

Polarity is a memory-augmentation platform that improves and accelerates analyst decision making. For more information about the Polarity platform please see:

https://polarity.io/

About

Searches IBM Resilient incidents
