This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

Cyber resiliency solution, IBM DS8000 Safeguarded Copy with IBM Copy Services Manager


IBM/ibm-qradar-ds8k-sgc-csm


Safeguarding Data with IBM QRadar and IBM Copy Services Manager on IBM DS8000

This repository contains the sample script used as part of the Cyber Resiliency (CR) workflow. The CR workflow is a response to a threat detected by IBM QRadar. Upon invocation, the script makes several API calls to IBM Copy Services Manager (CSM) to execute the Safeguarded Copy function on DS8000 storage.

Documentation

Refer to the Resources section for links to IBM Documentation about IBM DS8000 and Copy Services Manager, and to the solution blueprint.

Support

The sample Python code in this repository was created as part of the solution. There is no official support for the code.

Disclaimer

The script was created purely as a PoC, and was developed and tested in a controlled lab environment. There is no official support for the script. You may use the script as a template to create your own workflow.

Workflow

For both control and data path use cases, we depend heavily on audit logs and network flows to track actions. IBM QRadar is used for threat detection. The audit logs from storage and the network flows / logs are used to determine whether the storage is under attack. This is done using IBM QRadar's rules engine. When a threat is detected, a pre-defined custom action is triggered (in this case a .py script) that executes a series of API calls through the CSM server against the DS8K storage system to create an immutable backup of the data.

Pre-requisites

The following section lists the prerequisites.

  • Copy Services Manager installation
  • Identification of volumes that need safeguarding
  • Metro/Global mirror copy relationship of the volumes (if required)
  • Safeguarded Copy volumes allocation

run-cr-wflow-ds8k.py

The script is a Python wrapper that invokes CSM API commands to drive the Safeguarded Copy functionality on DS8K storage. It is deployed in the IBM QRadar environment with the set of parameters shown in the Usage section.

Note: The values for CSM_USER and CSM_PASS must be base64 encoded. Use the following commands to obtain the base64 values.

 echo "CSM_USERNAME" | base64 
 echo "CSM_PASSWORD" | base64

Usage

Usage: run-cr-wflow-ds8k.py [-h] -s CSM_SERVER [-P CSM_PORT] -u CSM_USER -p CSM_USER_PASSWD -t CSM_TASK

Following arguments are required:
      -s/--csm_server 
      -u/--csm_user   
      -p/--csm_user_passwd
      -t/--csm_task
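
An added example, not the repository's script: one way a wrapper with the command line shown above can decode the base64-encoded CSM_USER and CSM_PASS arguments, including the trailing newline that `echo "..." | base64` places inside the encoded value. The long option name `--csm_port`, the helper names and the sample values are assumptions.

```python
import argparse
import base64
import binascii


def decode_credential(value: str) -> str:
    """Decode a base64 argument produced by `echo "..." | base64`."""
    # base64 only encodes; the argument must be handled as the secret itself.
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise argparse.ArgumentTypeError("value is not valid base64") from exc
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise argparse.ArgumentTypeError("decoded value is not UTF-8") from exc
    # `echo` appends a newline, which ends up inside the encoded value.
    text = text.rstrip("\r\n")
    if not text:
        raise argparse.ArgumentTypeError("decoded value is empty")
    return text


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="run-cr-wflow-ds8k.py")
    parser.add_argument("-s", "--csm_server", required=True)
    # Long name for -P is assumed; the page shows only the CSM_PORT metavar.
    parser.add_argument("-P", "--csm_port", type=int)
    parser.add_argument("-u", "--csm_user", required=True,
                        type=decode_credential)
    parser.add_argument("-p", "--csm_user_passwd", required=True,
                        type=decode_credential)
    parser.add_argument("-t", "--csm_task", required=True)
    return parser


def parse_args(argv=None):
    return build_parser().parse_args(argv)


if __name__ == "__main__":
    args = parse_args()
    # Never print the decoded password; report only what is safe to log.
    print(f"server={args.csm_server} port={args.csm_port} task={args.csm_task}")
```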

Resources
