
License: CISCO

Features

  • The workflow takes a JSON file from the web, which is the description of a threat feed, including observables, and automatically parses it and processes it through Threat Response.
  • The source JSON file is formatted according to MISP (https://www.misp-project.org/), a well-known format for sharing threat information.
  • Particular attention is given to the observables which are NOT known as malicious by the security products integrated in Threat Response. The third-party feed might contain a threat indicator which is not yet known to Talos, and therefore not blocked. That is why the workflow is named "False Negative Check".
  • Observables which are not yet known as malicious are stored in a new Casebook. A further analysis is then done to find whether there are any affected targets; if there are, a new Incident is created.

Here are the workflow steps:

  1. Get Indicators - Make a generic http request to a web hosted IOC JSON file in MISP format, parse it and store the indicators.
  2. Parse IOCs - Parse the observable types, using SecureX Threat Response Inspect API.
  3. Enrich Observables - Use the SecureX Threat Response Enrich API to find any global sightings (in integrated threat feeds) and, more importantly, local sightings/targets (in integrated security modules like Umbrella, AMP, etc.). Filter out what is considered malicious and store the remaining observables in a table. (Note: the focus is on NON-malicious IoCs here, because we assume that the malicious ones have already been blocked by the security products and we want to investigate unknown threats instead.)
  4. Create Casebook - Format the observables in the right JSON, and use CTR to create a new casebook.
  5. Create Incident - If there are targets in the network, also create an Incident and link it to the Casebook.

The Casebook creation and the Incident creation are also reported to Webex Teams, with all the details of the observables and the targets found.
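The following Python is an added illustration of steps 1 to 3 above, not code from this repository (the workflow itself is a SecureX orchestration JSON). It assumes simplified MISP event and Threat Response verdict shapes, constructs a small feed and a set of verdicts inline, and shows the "not known malicious" filter that decides what ends up in the Casebook:

```python
import json

# Constructed sample feed in MISP event format (not the repo's sample-observable-feed.json).
SAMPLE_MISP_FEED = json.dumps({"Event": {"info": "constructed demo feed", "Attribute": [
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
    {"type": "domain", "value": "example.invalid", "to_ids": True},
    {"type": "sha256", "value": "a" * 64, "to_ids": True},
    {"type": "comment", "value": "analyst note", "to_ids": False},
]}})

# MISP attribute type -> Threat Response (CTIM) observable type.
MISP_TO_CTR = {
    "ip-src": "ip", "ip-dst": "ip", "domain": "domain", "hostname": "domain",
    "url": "url", "md5": "md5", "sha1": "sha1", "sha256": "sha256",
}

# CTIM verdict dispositions: 1 Clean, 2 Malicious, 3 Suspicious, 4 Common, 5 Unknown.
MALICIOUS_DISPOSITIONS = {2}

# Constructed verdicts standing in for the Enrich API response (step 3).
SAMPLE_VERDICTS = [
    {"observable": {"type": "ip", "value": "198.51.100.7"}, "disposition": 2},
    {"observable": {"type": "domain", "value": "example.invalid"}, "disposition": 5},
]


def parse_misp_feed(raw_json: str) -> list:
    """Steps 1-2: convert MISP attributes to CTR observables; skip unsupported types."""
    observables = []
    for attr in json.loads(raw_json)["Event"].get("Attribute", []):
        ctr_type = MISP_TO_CTR.get(attr["type"])
        if ctr_type is None:  # e.g. free-text comments are not observables
            continue
        observables.append({"type": ctr_type, "value": attr["value"]})
    return observables


def not_known_malicious(observables: list, verdicts: list) -> list:
    """Step 3: keep observables no integrated module rated Malicious.
    Observables with no verdict at all are kept too: nothing has judged them yet."""
    flagged = {(v["observable"]["type"], v["observable"]["value"])
               for v in verdicts if v["disposition"] in MALICIOUS_DISPOSITIONS}
    return [o for o in observables if (o["type"], o["value"]) not in flagged]


if __name__ == "__main__":
    candidates = not_known_malicious(parse_misp_feed(SAMPLE_MISP_FEED), SAMPLE_VERDICTS)
    print(json.dumps(candidates, indent=2))  # the observables that go into the Casebook
```

Note that an observable with no verdict at all (here the sha256) is deliberately kept: the workflow's point is to surface indicators the integrated products have not judged, so silence is treated as "unknown", not as "clean".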

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Required Targets

  • An HTTPS target hosting the JSON file to be fetched. In the sample, a target named "Dropbox" is being used.
  • CTR_For_Access_Token (default)
  • CTR_API (default)
  • Webex Teams

Required Account Keys

  • CTR_Credentials
  • Webex Teams Bot Token

Required Global Variables

  • Webex Teams Room

Required Atomic Workflows

  • CTRGenerateAccessToken
  • CTRInspect
  • CTR Enrich Observable
  • Threat Response V2 - Generate Access Token
  • Threat Response V2 - Create Casebook
  • Threat Response V2 - Create Incident
  • Threat Response V2 - Create Sighting
  • Threat Response V2 - Create Relationship
  • Webex Teams - Post Message to Room

Setup instructions

Configure Global Variables

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  2. In the left-hand menu, select Variables.

  3. Configure the required global variables, as listed in the section Required Global Variables above:

  • Webex Teams Room. String containing the Webex Room where alerts should be pushed.

Import atomic actions

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

  2. Choose to import from Git.

  3. Under GIT REPOSITORY, select GitHub_Target_Atomics.

  4. Make sure to import all the Atomic actions listed above in the section named Required Atomic Workflows. Do not use IMPORT AS A NEW WORKFLOW (CLONE), because the main workflow must find the original atomic action identifiers.

Import main workflow

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

  2. Click on Browse and copy and paste the content of the False Negative Check-MispFeed.json file into the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  3. Configure the required targets, as listed in the section Required Targets above.

  4. Configure the required account keys, as listed in the section Required Account Keys above.

  5. Make sure that the HTTPS server used in the very first action hosts a JSON file describing the threat feed, formatted according to the MISP standard. A sample file can be found in this repository as sample-observable-feed.json.

Notes

  • Please test this properly before implementing in a production environment. This is a sample workflow!

Author(s)

  • Pier Paolo Glave, Aritz Arrate Galan, Mickael Pontoizeau, Juan Miguel Aguayo (Cisco)