
Cisco FMC Remediation Module for XDR

The FMC Remediation Module for XDR in this repository integrates the automated incident response
capabilities of two Cisco products:

  • Cisco Secure Firewall
  • Cisco eXtended Detection and Response (XDR)

This repository shows a simple example of a remediation module that can be installed in Cisco
Firepower Management Center (FMC). When adverse conditions in a customer's network violate an FMC
correlation policy, this module can trigger an automation workflow hosted in the Cisco
XDR platform.

Data Flow Overview

Here are some examples of automated incident response workflows available in XDR:

  • Quarantine Endpoints in Cisco Identity Services Engine
  • Block observables in Cisco Secure Firewall
  • Generate Casebook and Investigate in Cisco Threat Response
  • Move Computer to Triage group in Cisco Secure Endpoint
  • Host Isolation with Tier2 Approval in Cisco Secure Endpoint
  • Create Incident in ServiceNow
  • Add to Destination List in Cisco Umbrella

This repository contains a small example workflow. The workflow parses the input data sent by the
remediation module, then triggers the Secure Firewall - Block Observable workflow. This blocks the
offending source IP in Cisco Secure Firewall automatically, which also blocks any further attack
attempts from that source IP.

Installation

Clone the repo

git clone https://github.com/chetanph/fmc-remediation-module-xdr.git

Go to your project folder

cd fmc-remediation-module-xdr

Create the remediation module package

tar -C module -czf workflow_module.tar.gz module.template trigger_workflow.py

Install the package as a remediation module in FMC.

  1. Navigate to Policies -> Actions -> Modules. Click on Choose File and select the
    workflow_module.tar.gz file generated by the previous command.

FMC Remediation Module Install

  2. Once installed, click on the View (eye) icon next to
    the module to view its details.

FMC Installed XDR Remediation Module

FMC XDR Remediation Module Details

Configuration

Pre-requisites

A webhook URL from XDR. It should look like this:

https://automate.us.security.cisco.com/webhooks/{WEBHOOK_ID}?api_key={WEBHOOK_API_KEY}

The api_key query parameter is the credential that authorizes calls to the webhook, so treat the
whole URL as a secret.

Create a new remediation instance in FMC.

  1. On the remediation module details screen, click on the Add button under
    Configured Instances. Provide a name, a description and the XDR webhook URL for the
    instance and click on Create.

FMC XDR_Remediation Create Instance Block Source IP

  2. Click on the Add button to add a remediation action of one of the types available from the
    dropdown.

FMC XDR Remediation Edit Instance Block Source IP

  3. Provide a name and description for the remediation action, click on Create and then
    Save.

FMC XDR Remediation Create Remediation Action

FMC XDR Remediation Instance with Action

Usage

Navigate to Policies -> Correlation.

Create a correlation rule

  1. Navigate to the Rule Management tab and click on the Create Rule button. Provide the
    necessary details for the rule and click Save.

FMC Correlation Rule

Create a correlation policy

  1. Navigate to the Policy Management tab and click on Create Policy. Provide necessary details
    for the policy.

  2. Click on Add Rules. Select the newly added rule. Click on the Add button.

  3. Click on the Responses icon next to the rule. Select the newly created
    remediation action, move it to Assigned Responses and save the changes.

FMC_Correlation_Policy_Assigned_Response_to_Rule

FMC Correlation Policy

  4. Activate the policy.

How to test the remediation module

Generate events that trigger the correlation policy.

Alternatively, test the module directly from the FMC CLI. The session below enters expert mode,
locates the installed module and its instance directory under /var/sf/remediations, and runs the
script with the same arguments FMC passes to it (the remediation name and the source IP):

[cisco@LAB-LINUX-JUMPBOX ~]$ ssh admin@LAB-FMC.example.org
Password:

Copyright 2004-2023, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Firepower Extensible Operating System (FX-OS) v2.14.1 (build 131)
Cisco Secure Firewall Management Center for VMware v7.4.1 (build 172)

>
>
> expert
admin@LAB-FMC74:~$
admin@LAB-FMC74:~$ cd /var/sf/remediations/
admin@LAB-FMC74:/var/sf/remediations$
admin@LAB-FMC74:/var/sf/remediations$ ls -l
total 24
drwxr-s--- 2 www sfremediation 4096 Jul  2 18:35 NMap_perl_2.0
drwxr-s--- 2 www sfremediation 4096 Jul  2 18:35 SetAttrib_1.0
drwxr-s--- 2 www sfremediation 4096 Jul  8 15:11 TriggerXDRWorkflow_1.0
drwxr-s--- 2 www sfremediation 4096 Jul  2 18:35 cisco_ios_router_1.0
drwxr-s--- 2 www sfremediation 4096 Jul  2 18:35 cisco_pxgrid_1.0
drwxr-s--- 2 www sfremediation 4096 Jul  2 18:35 cisco_pxgrid_anc_1.0
admin@LAB-FMC74:/var/sf/remediations$
admin@LAB-FMC74:/var/sf/remediations$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
root@LAB-FMC74:~#
root@LAB-FMC74:~#
root@LAB-FMC74:~# cd /var/sf/remediations/
root@LAB-FMC74:/var/sf/remediations#
root@LAB-FMC74:/var/sf/remediations# ls -l TriggerXDRWorkflow_1.0/
total 8
-r-xr-x--- 1 www sfremediation 1140 Jul  1 19:09 module.template
-r-xr-x--- 1 www sfremediation  827 Jul  1 19:32 trigger_workflow.py
root@LAB-FMC74:/var/sf/remediations#
root@LAB-FMC74:/var/sf/remediations# cd TriggerXDRWorkflow_1.0/
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0# ls -l
total 12
drwxrwsr-x 2 root sfremediation 4096 Jul  8 15:33 XDR_Workflow_Block_Source_IP
-r-xr-x--- 1 www  sfremediation 1140 Jul  1 19:09 module.template
-r-xr-x--- 1 www  sfremediation  827 Jul  1 19:32 trigger_workflow.py
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0# ls -l XDR_Workflow_Block_Source_IP/
total 4
-rw-r--r-- 1 www sfremediation 503 Jul  8 15:35 instance.conf
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0# cd XDR_Workflow_Block_Source_IP
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP# cat instance.conf
<instance name="XDR_Workflow_Block_Source_IP">
  <config>
             <string name="webhook_url">https://automate.us.security.cisco.com/webhooks/{WEBHOOK_ID}?api_key={WEBHOOK_API_KEY}</string>
  </config>
  <remediation name="XDR_Block_Source_IP" type="block_source">
    <config>
    </config>
  </remediation>
</instance>
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP#
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP# ../trigger_workflow.py XDR_Block_Source_IP 10.110.100.11
XDR Automation Webhook accepted data: {'remediation_name': 'XDR_Block_Source_IP', 'src_ip_addr': '10.110.100.11'}
root@LAB-FMC74:/var/sf/remediations/TriggerXDRWorkflow_1.0/XDR_Workflow_Block_Source_IP#
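The following script is an added example of a remediation module with the same calling convention as the session above; it is not the repository's trigger_workflow.py. It assumes, from the invocation shown, that FMC runs the script from the instance directory as `trigger_workflow.py <remediation_name> <src_ip>` and that instance.conf sits in the working directory. The embedded instance.conf is constructed with placeholder webhook id and api_key. Beyond what the session shows, it validates both arguments, insists on https, and keeps the api_key out of the log line.

```python
#!/usr/bin/env python3
"""Remediation-module script example (added here; not the repository's
trigger_workflow.py). Calling convention, as seen in the FMC CLI session:
    trigger_workflow.py <remediation_name> <src_ip>
with the instance's settings in instance.conf in the working directory."""
import ipaddress
import json
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed instance.conf in the shape of the one printed in the CLI session;
# the webhook id (abc123) and api_key (SECRET) are placeholders.
SAMPLE_INSTANCE_CONF = """<instance name="XDR_Workflow_Block_Source_IP">
  <config>
    <string name="webhook_url">https://automate.us.security.cisco.com/webhooks/abc123?api_key=SECRET</string>
  </config>
  <remediation name="XDR_Block_Source_IP" type="block_source">
    <config>
    </config>
  </remediation>
</instance>
"""

NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def load_webhook_url(conf_xml: str) -> str:
    """Pull webhook_url out of instance.conf and insist on https so the
    api_key in the query string never travels in clear."""
    root = ET.fromstring(conf_xml)
    node = root.find("./config/string[@name='webhook_url']")
    url = (node.text or "").strip() if node is not None else ""
    if not url:
        raise ValueError("webhook_url missing from instance.conf")
    if urlsplit(url).scheme != "https":
        raise ValueError("webhook_url must use https")
    return url


def mask_url(url: str) -> str:
    """Strip the query string (which carries api_key) before logging."""
    p = urlsplit(url)
    base = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    return base + ("?<redacted>" if p.query else "")


def build_payload(remediation_name: str, src_ip: str) -> dict:
    """Validate the two arguments FMC passes and build the webhook body."""
    if not NAME_RE.fullmatch(remediation_name):
        raise ValueError(f"bad remediation name: {remediation_name!r}")
    addr = ipaddress.ip_address(src_ip.strip())  # ValueError on anything else
    return {"remediation_name": remediation_name, "src_ip_addr": str(addr)}


def post_json(url: str, payload: dict, opener=None, timeout: float = 10.0) -> int:
    """POST the body; the default opener verifies the server certificate."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=timeout) as resp:
        return resp.status


def run(argv, conf_xml: str, opener=None) -> int:
    """Exit code FMC sees: 0 on success, non-zero on any failure."""
    if len(argv) != 3:
        print(f"usage: {argv[0]} <remediation_name> <src_ip>", file=sys.stderr)
        return 2
    try:
        url = load_webhook_url(conf_xml)
        payload = build_payload(argv[1], argv[2])
        status = post_json(url, payload, opener)
    except (ValueError, ET.ParseError, urllib.error.URLError, OSError) as exc:
        print(f"remediation failed: {exc}", file=sys.stderr)
        return 1
    print(f"XDR webhook {mask_url(url)} returned {status} for {payload}")
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    with open("instance.conf", encoding="utf-8") as fh:
        sys.exit(run(sys.argv, fh.read()))
```

The opener is injectable so the script can be exercised without reaching XDR; the exit code matters because FMC records whether a remediation succeeded.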

Validating the data received in the XDR workflow


Workflow Definition

Review the workflow run that was triggered by the remediation module. The screenshot below shows
the JSON data received by the workflow.

Workflow Run Received Input

The screenshot below shows the parsed observable data that is passed to the Secure Firewall - Block
Observable workflow.

Workflow Run Observable Input
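The receiving-side check below is an added example, not the repository's XDR workflow (which is built in the XDR automation editor rather than in Python). It shows the validation a workflow should apply to the webhook body before handing the address to Secure Firewall - Block Observable. The sample bodies are constructed (the first matches the CLI session above); the allow-list of remediation names and the observable shape `[{"type": "ip", "value": "..."}]`, which follows the Cisco Threat Response / XDR observable convention, are assumptions to check against your workflow's input schema.

```python
"""Webhook-body validation for the XDR workflow side (added example; not the
repository's workflow). Produces the input for Secure Firewall - Block
Observable and rejects anything that is not exactly what the module sends."""
import ipaddress
import json

EXPECTED_KEYS = {"remediation_name", "src_ip_addr"}
# Remediation names configured in FMC that this workflow will honour (assumed).
ALLOWED_REMEDIATIONS = {"XDR_Block_Source_IP"}

# Constructed webhook bodies; SAMPLE_OK matches the CLI session.
SAMPLE_OK = '{"remediation_name": "XDR_Block_Source_IP", "src_ip_addr": "10.110.100.11"}'
SAMPLE_V6 = '{"remediation_name": "XDR_Block_Source_IP", "src_ip_addr": "2001:db8::10"}'
SAMPLE_EXTRA = '{"remediation_name": "XDR_Block_Source_IP", "src_ip_addr": "10.110.100.11", "x": 1}'
SAMPLE_LOOPBACK = '{"remediation_name": "XDR_Block_Source_IP", "src_ip_addr": "127.0.0.1"}'


def parse_webhook_body(raw):
    """Strictly parse the JSON the remediation module posts; return
    (remediation_name, ip_address) or raise ValueError."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    if not isinstance(body, dict) or set(body) != EXPECTED_KEYS:
        raise ValueError(f"expected exactly the keys {sorted(EXPECTED_KEYS)}")
    name, ip = body["remediation_name"], body["src_ip_addr"]
    if not isinstance(name, str) or name not in ALLOWED_REMEDIATIONS:
        raise ValueError(f"unknown remediation: {name!r}")
    if not isinstance(ip, str):
        raise ValueError("src_ip_addr must be a string")
    return name, ipaddress.ip_address(ip.strip())


def to_block_observables(addr):
    """Turn the validated address into Block Observable input, refusing
    addresses that cannot be a real attacker source."""
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"refusing to block {addr}")
    otype = "ip" if addr.version == 4 else "ipv6"
    return [{"type": otype, "value": str(addr)}]


def webhook_to_observables(raw):
    """Full path from raw webhook body to the Block Observable input."""
    name, addr = parse_webhook_body(raw)
    return {"remediation_name": name, "observables": to_block_observables(addr)}


if __name__ == "__main__":
    print(webhook_to_observables(SAMPLE_OK))
```

Rejecting bodies with extra keys and unknown remediation names means a webhook whose URL has leaked cannot be used to push arbitrary blocks through this workflow with a differently shaped request; it can still replay the expected shape, which is why the api_key has to be protected on the FMC side as well.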

References

DevNet Sandbox

https://devnetsandbox.cisco.com/DevNet/catalog/firepower-mgmt-center

Caveats

Please note that the module provided in this repository is a sample module.
Although it is a minimum viable module that provides the functionality described above,
it is not ready for use in a production network.

Additional development would be required to meet the functional and non-functional
requirements of any customer environment before the module can be used in a production network.
Two points to consider in that work: the webhook URL, including its api_key, is stored in clear
text in instance.conf and is visible to anyone with expert-mode access to the FMC (as the CLI
session above shows); and the module blocks whichever source IP the correlation rule reports, so
the rule must be scoped so that spoofed or NAT-shared addresses cannot cause legitimate hosts to be
blocked.

Getting help

If you have questions, concerns, bug reports, etc., please create an issue against this repository.

Author(s)

This project was written and is maintained by the following individuals:

  • Chetankumar Phulpagare
  • Mackenzie Myers
