swc_amp_securex_orchestration
swc_amp_securex_orchestration
Workflow of SecureX Action Orchestrator module.
Authors:
- Hanna Jabbour
- Alicia Garcia Sastre
- Remi Vacher
Motivation
The goal of this workflow is to trigger an automated response when we receive an email with an alarm triggered in Stealthwatch Cloud. Leveraging AMP for endpoints API, we will isolate the host and hence, protect our network.
Having a SOC analyst reviewing the event and then taking a decision about the required mitigation is not fast enough.
We need to isolate the host from the network to reduce the threat ability to spread.
Scenario
- Remote or local worker connected to the network.
- The end device has AnyConnect and AMP for endpoint installed for endpoint security and connectivity
- AnyConnect is integrated with SWE to share process information and flow information
- Stealthwatch is monitoring the network end to end
- Stealthwatch is integrated with CTR, SecureX and AO
Workflow steps
- Device initiate a suspicious behavior
- SWC triggers an alert on this communication and sends a notification to the admin
- Action Orchestrator (AO) parsing constantly email events.
- When the alarm email is received, it will trigger the response workflow
- Parsing of endpoint IP from email
- Find AMP GUID that is the source of the malicious behavior
- Isolate host with AMP GUID
- Send a message to a webex teams room notifying about the endpoint isolation
How to use it
Stealthwatch cloud configuration
Configure Stealthwatch Cloud to send you an email every time an alert is triggered:
Action Orchestration configuration
- Log into SecureX
- Click on Orchestration tab
- Click on import
- Import from: "browse"
- Paste JSON file content into text box or browse for the JSON file locally in your PC
- Check "import as a new workflow (clone)
- Click on import
- You will see a message to update the credentials for email address, AMP and webex teams.
-
"Stealthwatch Cloud email" will need to get the target id modified to match your email credentials
-
You will need to add the target and account keys of your AMP4E endpoints.
-
Lastly, "Webex Teams Post a Message about isolation" will need to get the Webex Teams bot and Webex Teams Room modified:
- The access token of your Webex Teams bot (You can create one and obtain the acces token here: https://developer.webex.com/)
- Also add the room id of your webex room, where you want to post the message (You can obtain your room id going to https://developer.webex.com/docs/api/v1/rooms/get-room-details and pasting the name of your room)
- Now the workflow is imported. You can click on it and will be able to modify it:
Owner
Contributors
Github contributorCategories
CloudCollaborationSecurityNetwork SecurityUser and Endpoint ProtectionProducts
SecureXWebexProgramming Languages
SecureX orchestrationLicense
Other
Code Exchange Community
Get help, share code, and collaborate with other developers in the Code Exchange community.View CommunityCisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.