LogicHub

LogicHub is an advanced security automation solution for threat detection, alert triage, and incident response. The LogicHub platform leverages advanced data correlation, machine learning, and intelligent automation to perform deep threat ranking, accurately identifying real threats and removing false positives. As real incidents are identified, LogicHub can automate steps for remediation and response.

The LogicHub integration with Archer gives SOC teams automated creation, listing, and retrieval of incident tickets within Archer. As LogicHub Flows detect threats and incidents that need remediation, the platform automatically creates the appropriate tickets, carrying all pertinent information for the incident investigation and response teams. This automation streamlines operations, improves SOC efficiency and effectiveness, and frees analyst bandwidth to focus on critical events.

Release notes

Last updated: November, 2017

Known issues    

  • The integration currently creates incidents under the built-in “System Administrator” account (User ID 2); this is set in the config file. Update it to the dedicated account you created for LogicHub so that records are attributed to the integration rather than to the built-in administrator.

  • Working with additional fields requires modifying archer.py. A list of Field IDs for Security Incidents, taken from a clean instance installation, is available here (field IDs can differ on a customized instance, so verify them against your own):

    https://gist.github.com/alam-lh/efb14add15ef9b899ef50d5cd745db9f

Solution summary

Partner integration overview

  Archer Solution               IT Security Risk Management*
  Archer Use Case               Security Incident Management
  Archer Applications           Security Incidents*
  Uses Custom Application       No
  Requires On-Demand License    No

*These apply to the example shown here; the integration can be extended to other applications, provided the required fields are available in them.

Partner product configuration    

Before you begin 

This section provides instructions for configuring LogicHub with the Archer Platform. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

Requirements

  • All LogicHub components must be installed and working prior to the integration.

  • In order to leverage the Archer REST API, you will need to enable Archer Web Services.

  • Make sure your LogicHub instance is able to communicate with your Archer instance(s) over the network.

  • Create a user account used solely by LogicHub. It requires the “VRM - Web Service API” and “System Administrator” roles. Because this grants administrative rights on the Archer instance, and the account’s password is stored in clear text in the integration’s config file, protect those credentials and use the account for nothing but this integration.

  • Perform the necessary tests to confirm that your environments meet these needs before proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

LogicHub configuration    

Use Case

This integration links LogicHub with Archer. Archer’s Security Incident application is used as a feedback loop for the automated actions carried out by the LogicHub instance.

One of the most important pieces of automation is being able to explain what is being automated and why. If an incident is not being automated in the correct manner, you want to know about it so an adjustment can be made to achieve the desired outcome. This integration creates an audit trail for LogicHub in Archer, giving you a single-pane-of-glass view of your organization’s security posture.

Configuration

  1. Download the Archer integration script from:

    https://gist.github.com/alam-lh/3f59b7fe6a9cc0d2342c5b529bce31fd

  2. Navigate to the Scripts tab in your LogicHub UI and drag and drop the script into the UI to upload it.

  3. From the terminal on your LogicHub instance, run: sudo docker exec -it service /bin/bash

  4. Copy the config from:

    https://gist.github.com/alam-lh/2b1b6aff1eaa93cb4c764baee50f82ab

  5. Create a file with those contents: from the terminal, run vi /opt/docker/data/scripts/archer.cfg and paste in the copied content.

  6. Replace the placeholder values for base URL, instance name, username, and password with the values for your Archer environment, then save and write the file. The file now holds the service account’s password in clear text, so restrict its permissions so that only the owner can read it.

  7. You are now set up and ready to create Security Incidents in Archer.

Usage

Within a Flow in LogicHub, the node handed to the script is expected to have three columns:

  • incident_name

  • incident_summary

  • incident_body

These columns supply the contents of the Security Incident that the archer.py script creates.

  1. Select a node (typically near the end of a Flow) whose data explains why an action was carried out.

  2. Create a Computation Node below the node selected in step 1.

  3. Select the newly created node; its query should look like:

    `SELECT * FROM $PARENT_NODE`

  4. You can use the printf() function to generate columns, for example a hello column:

    `SELECT *, printf("Hello World") as hello FROM $PARENT_NODE`

  5. You can use string substitution with columns from your existing data set to generate a well-defined explanation. Using network traffic as an example:

    `SELECT *, printf("Malicious connection from: %s to: %s, was detected\nVirusTotal found %d hit(s) for %s\nAV Scan for machine %s was initiated", source_ip, dest_ip, positives, url, dest_ip) as incident_body, printf("[Network] - Traffic to malicious endpoint") as incident_name, printf("Network incident reviewed by LogicHub") as incident_summary FROM $PARENT_NODE`

  6. Once you have finished generating columns, update the table.

  7. Create a Task node under the column-generator node and enter this query:

    `callScript($COLUMN_GEN_NODE, "archer.py", ["incident_name", "incident_summary", "incident_body"], "1 s")`

  8. At this point you have configured a Task node that will create Archer Security Incidents on your behalf every time the Flow executes.

  9. Screenshot (not reproduced here): a Security Incident in Archer, created by LogicHub with the queries provided in this example.
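The configuration steps and the usage steps above both end at archer.py without showing what the script has to do with the config file and the three columns. The Python below is an added example written for this page; it is not the gist’s archer.py and not LogicHub’s or Archer’s code. It reads archer.cfg (assumed here to be an INI file with a single [archer] section holding the four values from configuration step 6), refuses to run if the file is readable by group or others since the password is in clear text, logs in to the Archer REST API for a session token, and maps each flow row’s incident_name, incident_summary and incident_body onto a Security Incident record. The level ID, the field IDs, the sample row and the fake transport are constructed for illustration; the endpoint paths, the session-id Authorization header and the FieldContents shape are based on the Archer 6 REST API and should be verified against your instance’s API documentation before use.

```python
"""Added example: what an archer.py-style script must do to turn LogicHub
flow rows into Archer Security Incidents. Not the gist's code."""
import configparser
import json
import os
import stat
import urllib.request
from typing import Callable, Dict, List

# Assumption: archer.cfg is an INI file with one [archer] section holding the
# four values filled in at configuration step 6 (constructed sample).
SAMPLE_CFG = """[archer]
base_url = https://archer.example.com
instance_name = Archer
username = logichub_svc
password = REPLACE_ME
"""

# Hypothetical level and field IDs for the Security Incidents application.
# Real IDs come from the gist under Known issues and differ per instance.
LEVEL_ID = 60
FIELD_IDS = {"incident_name": 1600, "incident_summary": 1601, "incident_body": 1602}

# Constructed row, shaped like the output of the column-generator query above.
SAMPLE_ROW = {
    "incident_name": "[Network] - Traffic to malicious endpoint",
    "incident_summary": "Network incident reviewed by LogicHub",
    "incident_body": "Malicious connection from: 10.0.0.5 to: 198.51.100.7, was detected\n"
                     "VirusTotal found 12 hit(s) for http://198.51.100.7/x\n"
                     "AV Scan for machine 198.51.100.7 was initiated",
}


def check_config_mode(mode: int) -> bool:
    """True only if no group/other permission bits are set (e.g. 0o600)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def parse_config(text: str) -> Dict[str, str]:
    """Parse the assumed [archer] INI layout and require all four values."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    cfg = dict(cp["archer"])
    missing = [k for k in ("base_url", "instance_name", "username", "password") if not cfg.get(k)]
    if missing:
        raise ValueError(f"archer.cfg is missing values for: {missing}")
    return cfg


def load_config(path: str) -> Dict[str, str]:
    """Read archer.cfg, refusing if the clear-text password is readable by others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not check_config_mode(mode):
        raise PermissionError(f"{path} has mode {oct(mode)}; restrict it to the owner")
    with open(path, encoding="utf-8") as fh:
        return parse_config(fh.read())


def login_payload(cfg: Dict[str, str]) -> dict:
    """Body for POST /api/core/security/login (UserDomain empty for local accounts)."""
    return {"InstanceName": cfg["instance_name"], "Username": cfg["username"],
            "UserDomain": "", "Password": cfg["password"]}


def incident_payload(row: Dict[str, str]) -> dict:
    """Body for POST /api/core/content; Type 1 is a text field in Archer's API."""
    missing = [c for c in FIELD_IDS if c not in row]
    if missing:
        raise ValueError(f"flow row is missing columns: {missing}")
    contents = {str(fid): {"Type": 1, "Value": row[col], "FieldId": fid}
                for col, fid in FIELD_IDS.items()}
    return {"Content": {"LevelId": LEVEL_ID, "FieldContents": contents}}


def urllib_post(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Real transport: JSON POST via the standard library (not exercised offline)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fake_post(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Offline stand-in for Archer that returns the shape of its real responses."""
    if url.endswith("/api/core/security/login"):
        assert body["Username"] == "logichub_svc"
        return {"IsSuccessful": True, "RequestedObject": {"SessionToken": "fake-token"}}
    assert headers["Authorization"] == 'Archer session-id="fake-token"'
    assert body["Content"]["LevelId"] == LEVEL_ID
    return {"IsSuccessful": True, "RequestedObject": {"Id": 4242}}


def create_incidents(cfg: Dict[str, str], rows: List[Dict[str, str]],
                     post: Callable[[str, Dict[str, str], dict], dict]) -> List[int]:
    """Log in once, then create one Security Incident per row; returns record IDs."""
    base = cfg["base_url"].rstrip("/")
    json_hdr = {"Content-Type": "application/json"}
    reply = post(base + "/api/core/security/login", json_hdr, login_payload(cfg))
    if not reply.get("IsSuccessful"):
        raise RuntimeError("Archer login failed")
    token = reply["RequestedObject"]["SessionToken"]
    headers = dict(json_hdr, Authorization=f'Archer session-id="{token}"')
    ids = []
    for row in rows:
        reply = post(base + "/api/core/content", headers, incident_payload(row))
        if not reply.get("IsSuccessful"):
            raise RuntimeError(f"Archer rejected incident {row['incident_name']!r}")
        ids.append(reply["RequestedObject"]["Id"])
    return ids


if __name__ == "__main__":
    print(create_incidents(parse_config(SAMPLE_CFG), [SAMPLE_ROW], fake_post))
```

Swap fake_post for urllib_post (and parse_config(SAMPLE_CFG) for load_config("/opt/docker/data/scripts/archer.cfg")) to talk to a real instance; the permission check in load_config is what catches a config file left world-readable after step 6.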


Certification environment    

Date tested: October 2017

  Product name         Version information   Operating system
  Archer               6.2                   Windows 2012 R2
  LogicHub Platform    m13                   Ubuntu 16.04