MISP Events to Cisco XDR Incident and Ticketing System
Features
- Import events from MISP into Cisco XDR.
- Automatically enrich observables and search for potentially compromised assets with an automated Cisco XDR Investigation.
- Send observable judgements to the private intel database within Cisco XDR and connect this feed to your security solutions (e.g. Cisco Secure Firewall).
- Auto-create a prioritized and correlated incident within Cisco XDR Incident Manager, combining all sightings per MISP event into a single Incident.
- Post the Incident to a ticketing system or notification channel of choice (this can be Webex, Email, MS Teams, ServiceNow, etc.).
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
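The core of the workflow described above is turning one MISP event into XDR observables and grouping them into a single incident. As an added example (not the workflow's own code), the script below does that mapping offline on a constructed MISP event; the MISP-to-XDR type table, the field names of the incident record and the sample values are assumptions, not taken from the workflow JSON.

```python
import json
# Assumption: MISP attribute type -> XDR observable type (not the workflow's own table).
MISP_TO_XDR_TYPE = {
    "ip-src": "ip", "ip-dst": "ip", "domain": "domain", "hostname": "hostname",
    "url": "url", "md5": "md5", "sha1": "sha1", "sha256": "sha256",
}
# MISP threat_level_id values: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined.
THREAT_LEVEL = {"1": "High", "2": "Medium", "3": "Low", "4": "Undefined"}
# Constructed sample in the shape MISP's /events/restSearch returns (placeholder values).
SAMPLE_EVENT = {"Event": {
    "id": "42", "info": "Constructed phishing campaign", "threat_level_id": "2",
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        {"type": "domain", "value": "example.invalid", "to_ids": True},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},   # duplicate
        {"type": "comment", "value": "analyst note", "to_ids": False},  # no XDR type
        {"type": "url", "value": "http://example.invalid/x", "to_ids": False},  # not for detection
    ],
}}

def extract_observables(event):
    """Unique XDR-style observables from one MISP event. Only attributes flagged
    to_ids are exported (MISP marks those as detection-grade); unmapped types are skipped."""
    seen, observables = set(), []
    for attr in event["Event"].get("Attribute", []):
        xdr_type = MISP_TO_XDR_TYPE.get(attr["type"])
        if xdr_type is None or not attr.get("to_ids"):
            continue
        if (xdr_type, attr["value"]) in seen:
            continue
        seen.add((xdr_type, attr["value"]))
        observables.append({"type": xdr_type, "value": attr["value"]})
    return observables

def build_incident(event):
    """Combine all exported observables of one MISP event into a single incident
    record; the external_id lets repeated runs update rather than duplicate it."""
    ev = event["Event"]
    observables = extract_observables(event)
    return {
        "title": f"MISP event {ev['id']}: {ev['info']}",
        "severity": THREAT_LEVEL.get(str(ev.get("threat_level_id")), "Undefined"),
        "external_id": f"misp-event-{ev['id']}",
        "observables": observables,
    }

if __name__ == "__main__":
    print(json.dumps(build_incident(SAMPLE_EVENT), indent=2))
```

Attributes with `to_ids` set to false (comments, context-only URLs) stay out of the judgement feed, which matters once the feed is consumed by an enforcement point such as a firewall.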
Required Targets
Required Account Keys
Setup instructions
Configure Global Variables
- Browse to your Cisco XDR orchestration instance. This will be a different URL depending on the region your account is in.
- Click on IMPORT to import the workflow.
- Click on Browse and copy-paste the content of the misp-event-to-incident-workflow.json file into the text window. Select IMPORT AS A NEW WORKFLOW (DUPLICATE) and click on IMPORT.
- When importing the workflow, you will be prompted for missing information: click UPDATE, then click CONTINUE for the Target selection, as the targets are prefilled.
- After this you will be prompted for the MISP Token. Fill in the "Automation Key" that you retrieved from MISP. This key will be stored encrypted as a Secure String. After filling this in, you can click IMPORT.
- As the final step, click on the first block in the workflow, named GET Events From MISP. Make sure you have filled in the MISP HTTP Target in the Target selection. There is a pre-built Target, named "MISP HTTP Target", which you can edit by clicking on the pencil icon. Again, note that if the MISP server is in your internal network, you will need an Automation Remote Connector.
- At the bottom of the workflow you can optionally add any ticketing system or notification channel of choice.
Notes
- Please test this properly before implementing in a production environment. This is a sample workflow!
Author(s)
- Pieter van Schaik (Cisco)
- Maarten Lutterman (Cisco)
- Christopher van der Made (Cisco)