The FMC Remediation Module for XDR module in this repository integrates automated incident response
capabilities of two Cisco products:
This repository shows a simple example of a remediation module that can be installed in Cisco
Firepower Management Center (FMC). When adverse conditions in a customer's network violate an FMC
correlation policy, this module can trigger an automation workflow hosted in the Cisco
XDR platform.
Here are some examples of automated incident response workflows available in XDR:
This repository contains a small example workflow. The workflow
parses the input data sent by the remediation module, then triggers the Secure Firewall - Block
Observable workflow. This blocks the offending source IP in Cisco Secure Firewall
automatically, therefore also blocking any newer attack attempts by that source IP.
Clone the repo
git clone https://github.com/chetanph/fmc-remediation-module-xdr.git
Go to your project folder
cd fmc-remediation-module-xdr
Create the remediation module package
tar -C module -czf workflow_module.tar.gz module.template trigger_workflow.py
workflow_module.tar.gz
file generated from the previous command.A webhook URL from XDR. It should look like this:
https://automate.us.security.cisco.com/webhooks/{WEBHOOK_ID}?api_key={WEBHOOK_API_KEY}
Navigate to Policies -> Correlation.
Navigate to the Policy Management tab and click on Create Policy. Provide necessary details
for the policy.
Click on Add Rules. Select the newly added rule. Click on the Add button.
Click on next to the rule. Select the newly created
remediation action. Move it to Assigned Responses and save the changes.
Generate events that trigger the correlation policy.
[cisco@LAB-LINUX-JUMPBOX ~]$ ssh admin@LAB-FMC.example.org
Password:
Copyright 2004-2023, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Firepower Extensible Operating System (FX-OS) v2.14.1 (build 131)
Cisco Secure Firewall Management Center for VMware v7.4.1 (build 172)
>
>
> expert
admin@LAB-FMC74:~$
admin@LAB-FMC74:~$ cd /var/sf/remediations/
admin@LAB-FMC74:/var/sf/remediations$
admin@LAB-FMC74:/var/sf/remediations$ ls -l
total 24
drwxr-s--- 2 www sfremediation 4096 Jul 2 18:35 NMap_perl_2.0
drwxr-s--- 2 www sfremediation 4096 Jul 2 18:35 SetAttrib_1.0
drwxr-s--- 2 www sfremediation 4096 Jul 8 15:11 TriggerXDRWorkflow_1.0
drwxr-s--- 2 www sfremediation 4096 Jul 2 18:35 cisco_ios_router_1.0
drwxr-s--- 2 www sfremediation 4096 Jul 2 18:35 cisco_pxgrid_1.0
drwxr-s--- 2 www sfremediation 4096 Jul 2 18:35 cisco_pxgrid_anc_1.0
admin@LAB-FMC74:/var/sf/remediations$
admin@LAB-FMC74:/var/sf/remediations$ sudo -i
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
root@LAB-FMC74:~#
root@LAB-FMC74:~#
root@LAB-FMC74:~# cd /var/sf/remediations/
root@LAB-FMC74:/var/sf/remediations#
root@LAB-FMC74:/var/sf/remediations# ls -l TriggerXDRWorkflow_1.0/
total 8
-r-xr-x--- 1 www sfremediation 1140 Jul 1 19:09 module.template
-r-xr-x--- 1 www sfremediation 827 Jul 1 19:32 trigger_workflow.py
root@LAB-FMC74:/var/sf/remediations#
root@LAB-FMC74:/var/sf/remediations# cd TriggerXDRWorkflow_1.0/
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0# ls -l
total 12
drwxrwsr-x 2 root sfremediation 4096 Jul 8 15:33 XDR_Workflow_Block_Source_IP
-r-xr-x--- 1 www sfremediation 1140 Jul 1 19:09 module.template
-r-xr-x--- 1 www sfremediation 827 Jul 1 19:32 trigger_workflow.py
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0# ls -l XDR_Workflow_Block_Source_IP/
total 4
-rw-r--r-- 1 www sfremediation 503 Jul 8 15:35 instance.conf
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0# cd XDR_Workflow_Block_Source_IP
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP# cat instance.conf
<instance name="XDR_Workflow_Block_Source_IP">
<config>
<string name="webhook_url">https://automate.us.security.cisco.com/webhooks/{WEBHOOK_ID}?api_key={WEBHOOK_API_KEY}</string>
</config>
<remediation name="XDR_Block_Source_IP" type="block_source">
<config>
</config>
</remediation>
</instance>
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP# ../trigger_workflow.py XDR_Block_Source_IP 10.110.100.11
XDR Automation Webhook accepted data: {'remediation_name': 'XDR_Block_Source_IP', 'src_ip_addr': '10.110.100.11'}
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP#
This repository contains a small example workflow. The workflow
parses the input data sent by the remediation module, then triggers the Secure Firewall - Block
Observable workflow. This blocks the offending source IP in Cisco Secure Firewall
automatically, therefore also blocking any newer attack attempts by that source IP.
Review the workflow run that was triggered by the remediation module. Below screenshot shows the JSON
data received in the workflow.
Below screenshot shows the parsed observable data that is sent to the Secure Firewall - Block
Observable workflow.
https://devnetsandbox.cisco.com/DevNet/catalog/firepower-mgmt-center
Please note that the module provided in this repository is a sample module.
Although it provides a minimum viable module that provides the functionality as described above,
it is not ready for use in a production network.
Additional development would be required to meet necessary functional and non-functional
requirements for any customer environment before the module can be used in a production network.
If you have questions, concerns, bug reports, etc., please create an issue against this repository.
This project was written and is maintained by the following individuals:
Owner
Contributors
Categories
Products
Cisco XDRSecure FirewallProgramming Languages
PythonLicense
Code Exchange Community
Get help, share code, and collaborate with other developers in the Code Exchange community.View Community