This repository is deprecated.

MISP SecureX Orchestration Workflows

NOTE: If you are using Cisco XDR, please use the "MISP Events to Cisco XDR Incident and Ticketing System" workflow instead.

Features

  • Import events from MISP into SecureX.
  • Automatically enrich observables and search for potential targets with Cisco Threat Response.
  • Send observables to the private intel database within SecureX and connect this feed to your security solutions.
  • Automatically create an incident within the SecureX Incident Manager.
  • Post sightings to a Webex space (this can be any destination of choice: email, MS Teams, a ticketing system, etc.).
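The first two steps above (pull an event from MISP, hand its attributes to Threat Response for enrichment) hinge on turning MISP attributes into the observable list the enrich/deliberate atomics consume. The Python below is an added example written for this page, not code from the workflow JSON or from Cisco: it flattens an event's top-level and Object attributes, splits MISP's composite types (`domain|ip`, `filename|sha256`, `ip-dst|port`), validates and normalises each value, and de-duplicates the result. The MISP attribute type names are standard; the Threat Response observable type names (`ip`, `ipv6`, `domain`, `hostname`, `md5`, `sha1`, `sha256`, `url`, `email`) and the `to_ids` filter are assumptions of this example. The sample event is constructed and uses documentation-only addresses.

```python
"""Map a MISP event's attributes to the observable list that the
Threat Response enrich/deliberate steps consume.

Added example; not part of the workflow JSON in this repository.
Assumed: Threat Response accepts the observable type names below.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Single-valued MISP attribute types -> Threat Response observable type (assumed names).
SIMPLE_TYPES: Dict[str, str] = {
    "ip-src": "ip", "ip-dst": "ip",
    "domain": "domain", "hostname": "hostname",
    "md5": "md5", "sha1": "sha1", "sha256": "sha256",
    "url": "url",
    "email-src": "email", "email-dst": "email",
}

# Composite MISP types carry two values joined by "|"; each half is mapped
# on its own (None drops that half, e.g. the port or the file name).
COMPOSITE_TYPES: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "ip-src|port": ("ip", None), "ip-dst|port": ("ip", None),
    "hostname|port": ("hostname", None),
    "domain|ip": ("domain", "ip"),
    "filename|md5": (None, "md5"), "filename|sha1": (None, "sha1"),
    "filename|sha256": (None, "sha256"),
}

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def normalise(obs_type: str, raw: str) -> Optional[dict]:
    """Return a {"type", "value"} observable, or None if the value is malformed."""
    value = raw.strip()
    if obs_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None                     # not an address: drop it
        return {"type": "ipv6" if addr.version == 6 else "ip", "value": str(addr)}
    if obs_type in HASH_LENGTHS:
        value = value.lower()
        if len(value) != HASH_LENGTHS[obs_type] or any(c not in "0123456789abcdef" for c in value):
            return None                     # wrong length or non-hex: drop it
    if obs_type in ("domain", "hostname", "email"):
        value = value.lower().rstrip(".")   # strip trailing dot, case-fold
    return {"type": obs_type, "value": value}


def misp_event_to_observables(event: dict, ids_only: bool = True) -> List[dict]:
    """Flatten an event's top-level and Object attributes into unique observables.

    ids_only keeps only attributes flagged to_ids (MISP's "safe to detect on"
    marker); that filter is a design choice of this example, not of the workflow.
    """
    if "Event" in event:                    # MISP restSearch wraps each event
        event = event["Event"]
    attrs = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attrs.extend(obj.get("Attribute", []))

    seen, out = set(), []
    for attr in attrs:
        if ids_only and not attr.get("to_ids", False):
            continue
        mtype, value = attr.get("type", ""), str(attr.get("value", ""))
        if mtype in SIMPLE_TYPES:
            pairs = [(SIMPLE_TYPES[mtype], value)]
        elif mtype in COMPOSITE_TYPES:
            halves = value.split("|", 1)
            if len(halves) != 2:
                continue                    # malformed composite value
            pairs = [(t, v) for t, v in zip(COMPOSITE_TYPES[mtype], halves) if t]
        else:
            continue                        # comments, text, etc. are not observables
        for obs_type, raw in pairs:
            obs = normalise(obs_type, raw)
            if obs and (obs["type"], obs["value"]) not in seen:
                seen.add((obs["type"], obs["value"]))
                out.append(obs)
    return out


# Constructed sample event (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_EVENT = {"Event": {
    "id": "1", "info": "constructed test event",
    "Attribute": [
        {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
        {"type": "ip-dst", "value": "2001:db8::1", "to_ids": True},
        {"type": "domain", "value": "Evil.Example.", "to_ids": True},
        {"type": "sha256", "value": "ABCDEF0123456789" * 4, "to_ids": True},
        {"type": "md5", "value": "notahash", "to_ids": True},
        {"type": "url", "value": "http://evil.example/x", "to_ids": False},
        {"type": "comment", "value": "analyst note", "to_ids": False},
    ],
    "Object": [{"name": "indicators", "Attribute": [
        {"type": "domain|ip", "value": "evil.example|198.51.100.7", "to_ids": True},
        {"type": "filename|sha1", "value": "a.exe|0123456789abcdef0123456789abcdef01234567", "to_ids": True},
    ]}],
}}

if __name__ == "__main__":
    for obs in misp_event_to_observables(SAMPLE_EVENT):
        print(obs)
```

The resulting list is the shape Threat Response's enrich and deliberate calls take (`[{"type": ..., "value": ...}, ...]`); the workflow's MISP-GET-EVENTS activity would supply the event, and the same de-duplication keeps the enrichment step from querying one indicator several times when it appears both as a plain attribute and inside an Object.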

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Required Targets

Required Account Keys

  • CTR_Credentials (default)
  • MISP API Keys
  • Webex Teams Token (optional)

Required Atomic Workflows

  • Threat Response - Generate Access Token (System Atomic - No Import Needed)
  • Threat Response - Deliberate Observable (System Atomic - No Import Needed)
  • Threat Response - Enrich Observable (System Atomic - No Import Needed)
  • Threat Response - Create Sighting (System Atomic - No Import Needed)
  • Threat Response - Create Incident (System Atomic - No Import Needed)
  • Threat Response - Create Relationship (System Atomic - No Import Needed)
  • Webex Teams - Post Message to Room (System Atomic - No Import Needed)

Setup instructions

Configure Global Variables

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in.
  2. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.
  3. Click on Browse and copy-paste the content of the misp-event-to-incident-workflow.json file into the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
  4. Make sure you have filled in the MISP HTTP Target and API Credentials in the MISP-GET-EVENTS activity.
  5. Make sure the Webex Teams - Post Message to Room activity has the correct Access Token and Room ID. It is recommended to use a Webex Bot to create an Access Token. Please find more information regarding Webex Bots in the Webex developer documentation.

Notes

  • In a future version more reporting actions will be added upon a target sighting.

Author(s)

  • Pieter van Schaik (Cisco)
  • Maarten Lutterman (Cisco)
  • Christopher van der Made (Cisco)