License: CISCO

MISP Events to Cisco XDR Incident and Ticketing System

Features

  • Import events from MISP into Cisco XDR.
  • Automatically enrich observables and search for potential compromised assets with an automated Cisco XDR Investigation.
  • Send observable judgements to the Private Intel database within Cisco XDR and connect this feed to your security solutions (e.g. Cisco Secure Firewall).
  • Automatically create a prioritized and correlated incident within Cisco XDR Incident Manager, combining all sightings per MISP event into a single Incident.
  • Post the Incident to a ticketing system or notification of choice (this can be Webex, Email, MS Teams, ServiceNow etc.).

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Required Targets

Required Account Keys

Setup instructions

Configure Global Variables

  1. Browse to your Cisco XDR orchestration instance. This will be a different URL depending on the region your account is in:
  1. Click on IMPORT to import the workflow:

  2. Click on Browse and copy paste the content of the misp-event-to-incident-workflow.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (DUPLICATE) and click on IMPORT.

  3. When importing the workflow, you will be prompted for missing information; click UPDATE, then click CONTINUE for the Target selection, as the Targets are prefilled.

  4. After this you will be prompted for the MISP Token; fill in the "Automation Key" that you retrieved from MISP here. This key will be stored encrypted as a Secure String. After filling this in, you can click IMPORT.

  5. As the final step, click on the first block in the workflow, named GET Events From MISP. Make sure you have filled in the MISP HTTP Target in the Target selection. There is a pre-built Target, named "MISP HTTP Target", which you can edit by clicking on the pencil icon. Again, note that if the MISP server is in your internal network, you will need an Automation Remote Connector.

  6. At the bottom of the Workflow you can optionally add any ticketing system or notification of choice.

Author(s)

  • Pieter van Schaik (Cisco)
  • Maarten Lutterman (Cisco)
  • Christopher van der Made (Cisco)