Lab guide
Configuring automatic processing of
inbound email in Resilient
Course code LRL0010X
February 2020 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.
TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a world-wide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware
vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster®
are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
© Copyright International Business Machines Corporation 2020.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Exercises . . . . . 1
Exercise 1 Creating an email connection . . . . . 1
Exercise 2 Configuring the sample email script . . . . . 4
Exercise 3 Creating a rule to process the script . . . . . 5
Exercise 4 Test the Rule and analyze the results . . . . . 6
Exercise 5 Test the Rule for the additional artifacts . . . . . 8
© Copyright IBM Corp. 2020
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
You can configure the Resilient platform to create new incidents or update existing incidents from
incoming email.
In this course, you learn how to configure the Resilient platform to connect to an email inbox and
create a rule that processes email by using a template with a Python script. As a result of the script,
an incident is created with extracted artifacts from email (such as IPs and URLs) and an email
notification is sent to the incident owner.
The test use case uses three accounts:
• admin@ibmemm.edu. This account collects indicators of compromise (IoCs) and sends them in
an email to the resilient@ibmemm.edu account.
• resilient@ibmemm.edu. This is a generic account that the Resilient platform uses to
connect to an email inbox and process email messages.
• mcoy@ibmemm.edu. This account is a master administrator of the Resilient
organization and also the account that owns the incidents that Resilient creates from
the email messages.
Exercise 1 Creating an email connection
Inbound email connections enable the Resilient platform to receive email, for example,
email messages from a phishing threat service. Playbook designers can configure the Resilient
platform to process these email messages to automatically generate new incidents or, if the
subject matches an existing incident, to add the email messages to that incident.
You can configure one or more email connections from the Organization tab. The Resilient platform
supports basic authentication for the IMAP and Exchange EWS email protocols.
An email connection applies only to the organization for which you configure the Email Connections
on the Organization tab.
Complete the following steps to create an inbound connection for the organization, myIBM.
1. In the upper right, under the Mary Coy account, select Administrator Settings.
2. Click Organization.
3. Click Email Connections > Inbound.
4. Click + Add Connection.
5. On the right side of the screen, in the Mailbox section, enter the following details:
a. The name for the connection: emailIR and press Enter.
Note: The API name populates automatically.
b. The description for the email connection: New incident driven by email.
6. In the Connection Details section, enter the following details:
a. Protocols: IMAP
b. Hostname: centos7.ibmemm.edu and press Enter.
c. Port number: 993 and press Enter.
This is the default port number for IMAP over SSL (IMAPS).
d. For the email address, type resilient and press Enter.
The resilient account is the IMAP user name for the monitored inbox on the email server
that was created for this lab. Your email server might use a different user name format, such as
primary_email\shared_email or myemailserver.com\info\sharedemail@myemailserver.com.
7. To save the connection details that you entered, click Save.
8. To validate that the connection works, click Test Connection.
If the connection is not successful, a message is displayed to indicate this. In this lab, the
email server uses a self-signed certificate, which must be imported into Resilient before the
connection can succeed.
9. To import the certificate, click Browse.
10. In the File upload window, locate the certificate file imaps.pem, which is stored on your local hard
drive at the following path:
/home/resilient/Downloads
Hint: To retrieve the certificate from the email server, you can use the following one-line command
from any Linux-like system that has openssl installed (the trailing backslash continues the line):
openssl s_client -servername centos7.ibmemm.edu -connect centos7.ibmemm.edu:993 \
</dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > imaps.pem
11. In the Upload Complete confirmation window, click Close.
12. To save the changes, click Save.
13. Click Test Connection again, and confirm that the connection is successful.
Note: To troubleshoot connection problems, connect to the Resilient server and
check the client.log file in the following directory:
/usr/share/co3/logs/
14. To compare your settings with the email settings in the Mozilla Thunderbird email client, click
the Thunderbird app on the task bar.
15. You see the three accounts that are used in this lab: admin, mcoy, and resilient. The resilient
account is selected. In the middle of the screen, click View settings for this account.
16. In the new Account settings window, under the resilient account, click Server settings.
17. Confirm that the Server name, Port, and User name fields match the settings on the Resilient email
connection details screen.
18. Close the Account settings window and minimize the Thunderbird client.
The email connection is now configured, and the Resilient platform can receive any email that is sent
to the inbox of the resilient email user.
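The certificate you import in step 10 is trusted from then on for every IMAP connection, so it is worth confirming that imaps.pem really holds the server's own certificate before you upload it. The following Python script is an added example, not part of the lab guide or the Resilient product: it takes the text that openssl s_client prints, keeps only the first (leaf) certificate block, and computes the SHA-256 fingerprint that you can compare with the value the mail server administrator gives you out of band. The s_client output embedded in it is constructed, and its two PEM blocks are placeholder bytes rather than real certificates.

```python
"""Added example, not part of the lab guide: pick the server's own (leaf)
certificate out of `openssl s_client` output and compute its SHA-256
fingerprint, so the imaps.pem file imported in step 10 can be compared with
the fingerprint the mail server administrator provides out of band."""
import base64
import hashlib
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def leaf_cert_pem(s_client_output: str) -> str:
    """Return only the first PEM block. When s_client is run with -showcerts it
    prints the whole chain, leaf first; the sed range in the lab hint would
    keep every block, and a file holding more than one certificate is not
    the single server certificate you mean to trust."""
    match = PEM_BLOCK_RE.search(s_client_output)
    if match is None:
        raise ValueError("no certificate in s_client output (handshake failed?)")
    return match.group(0) + "\n"


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, in the colon-separated hex form that
    `openssl x509 -noout -fingerprint -sha256` prints."""
    match = PEM_BLOCK_RE.search(pem)
    if match is None:
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fake_pem(payload: bytes) -> str:
    """Constructed stand-in: arbitrary bytes wrapped as PEM. It is not a real
    certificate; it only exercises the parsing and hashing above."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample resembling `openssl s_client -showcerts` output for the
# lab host (two placeholder blocks: the leaf, then its issuer).
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = centos7.ibmemm.edu\n"
    "verify error:num=18:self signed certificate\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = centos7.ibmemm.edu\n"
    + fake_pem(b"leaf-certificate-placeholder-bytes")
    + " 1 s:CN = placeholder issuer\n"
    + fake_pem(b"issuer-certificate-placeholder-bytes")
    + "---\n"
)

if __name__ == "__main__":
    leaf = leaf_cert_pem(SAMPLE_S_CLIENT_OUTPUT)
    print(leaf, end="")
    print("SHA256 Fingerprint=" + sha256_fingerprint(leaf))
```

To use it on real output, pipe the s_client text into leaf_cert_pem and write the result to imaps.pem; the fingerprint it prints should equal what openssl x509 -in imaps.pem -noout -fingerprint -sha256 reports and what the mail administrator quotes. A mismatch means the file is not the certificate you expect (or a different endpoint answered the connection), and importing it would make Resilient trust the wrong server.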
Exercise 2 Configuring the sample email script
A sample script is available to help you get started with incoming email from systems such as
SIEMs, network devices, and so on. You need to modify the default script for this lab. It is good
practice to create a new script based on the original copy; however, for this demo, you edit the original script.
1. In the upper right, under the Mary Coy account, select Customization Settings.
2. On the Customization Settings page, click Scripts.
3. Open Sample script: process inbound email.
Important: It is good administrative practice to create a copy of the original script. However, to
simplify the demonstration in this lab, you edit the original script.
4. Change the name of the script to IR demo: process inbound email.
5. Find line 8 of the script and update it to contain the mcoy@ibmemm.edu email
address. Mary Coy is the incident owner. The edited line 8 must read as follows:
newIncidentOwner = "mcoy@ibmemm.edu"
6. Scroll down in the script and find line 52.
7. To enable the domain whitelist entry for ibm.com, delete the # comment character at the start of the line.
As a result, any URLs that contain ibm.com are not processed or added as incident artifacts.
Your new line 52 must read as follows:
"*.ibm.com"
8. To save the modified script, click Save & Close.
The script is now ready to process inbound emails.
Hint: In your own system, you can add further scripts to process particular email types, and you
can customize the default script with more operations. To review the list of available operations,
see Email message operations: https://ibm.biz/BdqHWm.
Further customization is beyond the scope of this lab.
Exercise 3 Creating a rule to process the script
To run the email processing script that creates or updates incidents from email messages, you create
an automatic rule. You can also specify a condition that is based on email properties, such as subject,
from address, and sent or received date, similar to the way you would configure a mail rule in your
inbox.
To create the rule for this demo, complete the following steps.
1. From the Customization Settings screen, click Rules.
2. Click New Rule > Automatic.
3. In the Display name, type: Create incident from email.
4. From the Object Type list, select Email Message.
5. To the right of Conditions, click Add New.
6. Create the condition that triggers a new incident:
From Address is equal to admin@ibmemm.edu
7. In the Activities section, next to Ordered, click Add New, and leave the default activity:
Run Script: IR demo: process inbound email
8. Click Save & Close.
The rule is now created and available to trigger the email script on incoming unread emails.
Exercise 4 Test the Rule and analyze the results
The testing scenario follows these steps:
1. The administrator who uses the email address admin@ibmemm.edu sends an email to the
resilient@ibmemm.edu account with indicators of compromise (IoCs): an IP address and a bad
URL, plus the non-malicious URL http://www.ibm.com.
2. The Resilient platform monitors and automatically processes the resilient@ibmemm.edu inbox.
3. When Resilient reads the email, the rule detects that the email comes from the
admin@ibmemm.edu account and triggers the script IR demo: process inbound email.
4. A new incident is created; the script populates the artifacts with the IoCs and sends a
notification email to the mcoy@ibmemm.edu account.
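To make the expected outcome of this scenario concrete before you run it, the following Python program is an added example, not the Resilient sample script and not IBM's code. It models the behaviour the lab configures: the rule condition from Exercise 3 (From Address equals admin@ibmemm.edu), the owner and "*.ibm.com" whitelist edits from Exercise 2, URL and IP artifact extraction, and the subject-matching behaviour described in Exercise 1, where an email whose subject matches an existing incident adds its artifacts to that incident instead of opening a new one. All function and field names are hypothetical, the email bodies are constructed to match the ones typed in this lab, and the whitelist is matched against the URL's hostname rather than as a substring of the whole URL, which goes slightly beyond the wording of step 7.

```python
"""Added example, not the Resilient sample script: a stand-alone model of what
the "process inbound email" script does in this lab (artifact extraction,
domain whitelist, incident owner, subject matching), so the expected results
of Exercises 4 and 5 can be checked offline. All names are hypothetical."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hypothetical equivalents of the two script settings edited in Exercise 2.
NEW_INCIDENT_OWNER = "mcoy@ibmemm.edu"
WHITELIST_DOMAINS = ["*.ibm.com"]  # URLs on these hosts are not added as artifacts

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Incident:
    incident_id: int
    subject: str
    owner: str
    reporter: str
    artifacts: list = field(default_factory=list)  # (type, value) pairs


def host_is_whitelisted(host: str) -> bool:
    """Match the URL's hostname (not the raw URL text) against the whitelist,
    so http://evil.test/ibm.com is still processed while www.ibm.com and the
    bare ibm.com are excluded."""
    host = host.lower()
    for pattern in WHITELIST_DOMAINS:
        pattern = pattern.lower()
        if fnmatchcase(host, pattern):
            return True
        if pattern.startswith("*.") and host == pattern[2:]:
            return True
    return False


def extract_artifacts(body: str) -> list[tuple[str, str]]:
    """Return unique (type, value) pairs for URLs and IPv4 addresses in the body."""
    found: list[tuple[str, str]] = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if host and not host_is_whitelisted(host) and ("URL", url) not in found:
            found.append(("URL", url))
    for ip in IPV4_RE.findall(body):
        try:
            ipaddress.IPv4Address(ip)  # drops look-alikes such as 999.1.1.1
        except ValueError:
            continue
        if ("IP Address", ip) not in found:
            found.append(("IP Address", ip))
    return found


def process_email(sender: str, subject: str, body: str, incidents: list[Incident],
                  next_id: int, rule_from: str = "admin@ibmemm.edu") -> Incident | None:
    """Apply the Exercise 3 rule (From Address equals rule_from). If an incident
    with the same name as the subject exists, add the artifacts to it (Exercise 5);
    otherwise create a new incident owned by NEW_INCIDENT_OWNER (Exercise 4)."""
    if sender.lower() != rule_from.lower():
        return None  # rule condition not met, so the script does not run
    artifacts = extract_artifacts(body)
    for incident in incidents:
        if incident.subject == subject:
            for artifact in artifacts:
                if artifact not in incident.artifacts:
                    incident.artifacts.append(artifact)
            return incident
    incident = Incident(next_id, subject, NEW_INCIDENT_OWNER, sender, artifacts)
    incidents.append(incident)
    return incident


def run_lab_scenario() -> list[Incident]:
    """Constructed input: the two emails sent in Exercises 4 and 5, plus one
    from a sender the rule does not match."""
    incidents: list[Incident] = []
    first_body = "http://www.example.com\nhttp://www.ibm.com\n192.168.10.1\n"
    process_email("admin@ibmemm.edu", "New artifacts", first_body, incidents, 2096)
    process_email("admin@ibmemm.edu", "New artifacts", "http://newbaddomain.com\n",
                  incidents, 2097)
    process_email("someone@ibmemm.edu", "New artifacts", "http://ignored.test\n",
                  incidents, 2097)
    return incidents


if __name__ == "__main__":
    for inc in run_lab_scenario():
        print(inc.incident_id, inc.owner, inc.reporter, inc.artifacts)
```

Running it yields a single incident 2096 owned by mcoy@ibmemm.edu and reported by admin@ibmemm.edu, with http://www.example.com, 192.168.10.1 and http://newbaddomain.com as artifacts and http://www.ibm.com filtered out, which is exactly what steps 14 to 20 below and Exercise 5 ask you to confirm in the console. The third, unmatched sender is dropped by the rule condition, which is the reason the condition in Exercise 3 matters: without it, any message reaching the shared inbox could open incidents.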
Let’s proceed with the test.
1. In the Resilient console, click the Incidents tab and note that there is one incident ID 2095.
2. In the task bar, click the Thunderbird app.
3. Open the inbox for the admin@ibmemm.edu account.
4. To create new email, click Write.
5. In the To field, type the resilient email, resilient@ibmemm.edu and press Enter.
6. In the Subject field, type New artifacts and press Enter.
7. In the message add the following three lines:
http://www.example.com
http://www.ibm.com
192.168.10.1
8. Click Send.
9. Note that the resilient@ibmemm.edu account has received the email.
10. To review the email, expand the resilient account inbox.
Note: When you open the resilient inbox, notice that the email is already marked as read (it is not
bolded), because the Resilient platform monitors the resilient inbox and automatically processes its
email messages.
11. Shortly afterwards, note that the mcoy@ibmemm.edu account receives a new message.
12. Open the mcoy@ibmemm.edu account and read the Resilient Notification message.
13. Minimize the Thunderbird app from the task bar.
The Resilient console is displayed.
14. Note that the new incident ID 2096 is created. The owner is Mary Coy.
15. Open the incident.
16. Click Artifacts.
17. Confirm that the URL http://www.example.com and the IP address 192.168.10.1 were processed
as artifacts, while http://www.ibm.com was not.
18. To review the Incident details, click the Details tab.
19. Note that the Owner is Mary Coy.
20. Scroll down, and note that the Reporting Individual is admin@ibmemm.edu.
21. Click Back to top.
Exercise 5 Test the Rule for the additional artifacts
In this scenario, you send an email with the same subject, but with a new artifact. You notice that
the Resilient platform does not open a new incident. Instead, it adds the artifact to the existing
incident.
1. In the task bar, click the Thunderbird app.
2. Click the admin inbox.
3. To create new email, click Write.
4. In the To field, type the resilient email, resilient@ibmemm.edu and press Enter.
5. In the Subject field, type New artifacts and press Enter.
6. In the message add the following line:
http://newbaddomain.com
7. Click Send.
8. Go to the resilient inbox and confirm that the resilient@ibmemm.edu account received the
email.
9. From the task bar, click the Resilient console.
10. Go to the Incidents tab.
11. Note that there is no new incident.
12. Open incident ID 2096.
13. Click the Artifacts tab.
14. Confirm that the new URL, http://newbaddomain.com, is added to the artifact list.
This concludes the lab.
© Copyright IBM Corporation 2020. All Rights Reserved.