

MISP SecureX Orchestration Workflows
NOTE: If you are using Cisco XDR, please use MISP Events to Cisco XDR Incident and Ticketing System.
Features
- Import events from MISP into SecureX.
- Automatically enrich observables and search for potential targets with Cisco Threat Response.
- Send observables to the Private intel database within SecureX and connect this feed to your security solutions.
- Automatically create an incident within the SecureX Incident manager.
- Post sightings to a Webex space (this can be any destination of choice: email, MS Teams, a ticketing system, etc.).
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
Required Targets
Required Account Keys
- CTR_Credentials (default)
- MISP API Keys
- Webex Teams Token (optional)
Required Atomic Workflows
- Threat Response - Generate Access Token (System Atomic - No Import Needed)
- Threat Response - Deliberate Observable (System Atomic - No Import Needed)
- Threat Response - Enrich Observable (System Atomic - No Import Needed)
- Threat Response - Create Sighting (System Atomic - No Import Needed)
- Threat Response - Create Incident (System Atomic - No Import Needed)
- Threat Response - Create Relationship (System Atomic - No Import Needed)
- Webex Teams - Post Message to Room (System Atomic - No Import Needed)
Setup instructions
Configure Global Variables
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- In the left pane menu, select Workflows. Click on IMPORT to import the workflow:

- Click on Browse and copy and paste the contents of the misp-event-to-incident-workflow.json file into the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

- Make sure you have filled in the MISP HTTP Target and API Credentials in the MISP-GET-EVENTS activity.
- Make sure the Webex Teams - Post Message to Room activity has the correct Access Token and Room ID. It is recommended to use a Webex Bot to create an Access Token. Please find more information regarding Webex Bots in the Webex developer documentation.
Notes
- Please test this properly before implementing in a production environment. This is a sample workflow!
- In a future version more reporting actions will be added upon a target sighting.
Author(s)
- Pieter van Schaik (Cisco)
- Maarten Lutterman (Cisco)
- Christopher van der Made (Cisco)