NOTE: This is sample code and needs to be tested properly before using it in production! It takes some time to set up (30-45 min) but runs completely autonomously afterwards.
This is a set of sample workflows to work with the MSSP environment of Cisco Secure Endpoint (formerly known as Advanced Malware Protection for Endpoints (AMP4E)) and Cisco Umbrella. It can obtain events from the various customers and create SecureX and ServiceNow incidents based on these security events. When the incident in ServiceNow is closed, this automatically closes the SecureX incident too. Please watch a demo in this YouTube video.
The first workflow (MSSP-Add-AMP+UMB-Creds.json) obtains user input to add Cisco Secure Endpoint (AMP4E) and Cisco Umbrella API credentials plus the customer name, and stores them base64 encoded in a table. Please note that the credentials are only base64 encoded (which is not encryption) and are stored in a global table variable. SecureX is secured with MFA, but this still needs to be taken into consideration. This workflow only needs to be run initially and every time you add a customer to your MSSP portal.
The second workflow (MSSP-SecureX-and-ServiceNow-Incident.json) creates a SecureX incident as well as a ServiceNow incident. It makes sure the ServiceNow incident has the information needed to close the loop back to SecureX when the incident is closed. Optionally this workflow can isolate the AMP host or move it to a Triage group.
Note: this workflow can be used to create incidents for other security event sources as well. Check out the input variables to see how to use it as child workflow.
The third and fourth workflows (MSSP-AMP-Trigger-5min.json and MSSP-Umbrella-Trigger-5min.json) retrieve HIGH or CRITICAL severity events (AMP) and Command and Control or Cryptomining events (Umbrella). These events indicate that a host is actually compromised, and thus need attention from the Security Operations Center.

Note: workflows 5 and 6 are optional, but recommended since they connect ServiceNow back to SecureX. They do require some extra work to set up.
The fifth workflow (SET-SERVICENOW-RESPONSE-WF-ID.json) only needs to be run once initially. This workflow sets a global variable containing the ID of the second workflow. This is needed by ServiceNow (using an outbound API call) to run the fourth and final workflow of this solution.
The sixth workflow (SERVICENOW-TO-AMP.json) closes the SecureX incident when the ServiceNow incident is closed. It can also optionally stop the AMP host isolation and move the host back to its original group. The ServiceNow incident ID is added to the SecureX incident to fully sync the two systems. This workflow is called via an outbound API call from ServiceNow.
SecureX (AMP event) incident in ServiceNow:
SecureX (AMP event) incident in SecureX incident manager (in ribbon):
Closing an incident in ServiceNow:
Results in SecureX orchestration workflow to be run which also closes SecureX incident and adds ServiceNow reference:
Note: Please read my very detailed explanation carefully. Plan around 30-45 minutes for this, incl. testing and coffee break... When you run into errors, in most cases they are caused by targets, so please check that those are set correctly. Please import the workflows in the exact order given below, as workflows can be dependent on each other. Also, please import any required atomic workflows first, or you will get import errors.
Browse to the Workflows section in the left pane menu.
Click on IMPORT to import the workflow:
Note: Alternatively you can also import this entire repository using Git. Please find instructions here.
Run the workflow and enter the CUSTOMER NAME, AMP API CLIENT ID, AMP API CLIENT SECRET, UMBRELLA API KEY, UMBRELLA API KEY and UMBRELLA ORG ID. Run this workflow as many times as needed (as many times as you have customers, or whenever you add a new customer).

Note: Please note that the credentials are only base64 encoded (which is not encryption) and are stored in a global table variable. SecureX is secured with MFA, but this still needs to be taken into consideration.
Note: all of the above atomic actions can be imported here (if not already done automatically). Make sure that you import these first!
Browse to the Workflows section in the left pane menu.
Click on IMPORT to import the workflow.
Click on Browse and copy and paste the content of the MSSP-SecureX-and-ServiceNow-Incident.json file into the text window.
Click on IMPORT. You might receive an error that information is missing.
Click on UPDATE and fill in the CTR (SecureX threat response) and ServiceNow information. These are not stored as plain text; they are stored as "secure strings" in SecureX.
Note: To obtain the threat response API keys, create one here: https://securex.us.security.cisco.com/settings/apiClients. Please change the .us. in the URL to .eu. or .apjc. respectively for the European or Asian instances. If you are using the EU or APJC instance, you will also need to change the target of the CTRGenerateAccessToken and CTR Create Incident activities in the workflow. You do this by clicking on the activity and scrolling to the target section. The SecureX Threat Response client_id is the target username, and the client_secret is the password. Make sure to do this for all related CTR/Threat Response targets!
Note: In the Service Now - Create Incident activity you will need to make some updates. You will need to create ServiceNow basic auth credentials and fill those in as account keys for the ServiceNow target. Also, you will need to change the target to the domain of your ServiceNow instance. Lastly, you need to set the SERVICE NOW USER ID. This is the user_id of the user that is creating the incidents in ServiceNow (e.g. admin).
Note: all of the above atomic actions can be imported here (if not already done automatically). Make sure that you import these first!
Browse to the Workflows section in the left pane menu.
Click on IMPORT to import the workflow.
Click on Browse and copy and paste the content of the MSSP-AMP-Trigger-5min.json file into the text window.
Click on IMPORT. You might receive an error that information is missing.
Click on UPDATE and fill in the AMP Target and Account information.
It is important to consider which events are deemed important for your MSSP offering. A recommendation is to use all events which require human investigation by your SOC. You can find all event_types in the AMP API docs. You will need to change the Get recent High Priority events from AMP action by changing the event types in the RELATIVE URL. Below is an example of all event_types which you might want to include. This is set as the default in the current workflow:
&event_type[]=1090519054&event_type[]=2164260880&event_type[]=2164260893&event_type[]=1090524040&event_type[]=1090524041&event_type[]=1090519084&event_type[]=1107296257&event_type[]=1107296258&event_type[]=1107296261&event_type[]=1107296262&event_type[]=1107296263&event_type[]=1107296264&event_type[]=1107296266&event_type[]=1107296267&event_type[]=1107296268&event_type[]=1107296269&event_type[]=1107296270&event_type[]=1107296271&event_type[]=1107296272&event_type[]=1107296273&event_type[]=1107296274&event_type[]=1107296275&event_type[]=1107296276&event_type[]=1091567670&event_type[]=1107296277&event_type[]=1107296278&event_type[]=1107296280&event_type[]=1107296281&event_type[]=1107296282&event_type[]=1107296284&event_type[]=1107296283&event_type[]=2164260931&event_type[]=1090519081&event_type[]=1090519105&event_type[]=1090519102&event_type[]=553648215
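As an added example (not code from the original workflows), the following shows how the relative URL of the Get recent High Priority events from AMP action is assembled from a start time and the event_type list, and how the result is filtered down to HIGH or CRITICAL events. The function names and the sample events are constructed for this example; start_date and event_type[] are the AMP API v1 query parameters.

```javascript
// Added example, not part of the original workflows: builds the RELATIVE URL that the
// "Get recent High Priority events from AMP" action sends, and filters the response the
// way the trigger workflow does (HIGH or CRITICAL only). Function names and SAMPLE_EVENTS
// are constructed for this example; start_date and event_type[] are AMP API v1 parameters.

// A subset of the default event types listed above (the full list is in the workflow).
const DEFAULT_EVENT_TYPES = [1090519054, 2164260880, 2164260893, 1107296257, 553648215];

// "Calculate time 5 minutes ago": subtract secondsAgo from a reference time and return
// ISO 8601 in UTC. Use 86400 to look back a whole day while testing, as the text suggests.
function startDateSecondsAgo(nowIso, secondsAgo) {
  const t = new Date(nowIso).getTime() - secondsAgo * 1000;
  return new Date(t).toISOString().replace(/\.\d{3}Z$/, '+00:00');
}

// Build the relative URL for GET /v1/events. Brackets are kept literal to match the
// page's example string; AMP also accepts the percent-encoded form.
function buildEventsRelativeUrl(startDate, eventTypes) {
  const parts = ['start_date=' + encodeURIComponent(startDate)];
  for (const et of eventTypes) {
    if (!Number.isInteger(et)) throw new Error('event type must be an integer id: ' + et);
    parts.push('event_type[]=' + et);
  }
  return '/v1/events?' + parts.join('&');
}

// Keep only the events that need a SOC analyst: severity HIGH or CRITICAL.
function selectHighPriority(events) {
  return events.filter((e) => /^(high|critical)$/i.test(String(e.severity || '')));
}

// Constructed sample of the fields this example reads from the events endpoint.
const SAMPLE_EVENTS = [
  { id: 1, event_type: 'Threat Detected', severity: 'Medium', computer: { hostname: 'ws-01' } },
  { id: 2, event_type: 'Threat Detected', severity: 'Critical', computer: { hostname: 'ws-02' } },
  { id: 3, event_type: 'Executed malware', severity: 'High', computer: { hostname: 'ws-03' } },
];

const startDate = startDateSecondsAgo('2024-01-01T12:05:00Z', 300);
console.log(buildEventsRelativeUrl(startDate, DEFAULT_EVENT_TYPES));
console.log(selectHighPriority(SAMPLE_EVENTS).map((e) => e.computer.hostname));
```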
Browse to the Workflows section in the left pane menu.
Click on IMPORT to import the workflow.
Click on Browse and copy and paste the content of the MSSP-Umbrella-Trigger-5min.json file into the text window.
Click on IMPORT. You might receive an error that information is missing.
Click on UPDATE and fill in the missing targets.
Please note that currently only blocked Cryptomining and Command and Control events (verdict=blocked&categories=65,150) are retrieved. This has been done because these two security events indicate compromised hosts. If needed this can be changed in this atomic: Umbrella - Get Blocked C2C + Cryptomining Activity.
Browse to the Workflows section in the left pane menu.
Click on IMPORT to import the workflow.
Click on Browse and copy and paste the content of the SERVICENOW-TO-AMP.json file into the text window.
Click on IMPORT. You might receive an error that information is missing.
Click on UPDATE and fill in the CTR (SecureX threat response) keys.
Make sure this workflow has the CATEGORY of response in the workflow properties pane on the right. This should be configured already.
In the workflow editor window, click on the Close SecureX incident and add SNOW ID action, scroll to the REQUEST BODY section and replace xxx with your ServiceNow tenant; this makes sure the link works when you update the SecureX incident. This reference URL will allow you to go directly to the ServiceNow incident!
```json
{
  "observable_type": "file_path",
  "observable_value": {
    "servicenow-incident-id": "WILL-CONTAIN-SYS-ID",
    "amp-connector-guid": "WILL-CONTAIN-AMP-GUID",
    "amp-group-guid": "WILL-CONTAIN-AMP-GROUP-GUID",
    "securex-incident-id": "WILL-CONTAIN-SECUREX-ID",
    "customer-name": "WILL-CONTAIN-CUSTOMER-NAME"
  }
}
```
Note: The needed relative URL path for this is now put in this second ServiceNow worknote. It is recommended to make this a hidden field, so that no one accidentally touches it. It works fine as is, but you might want to change this in production. That is up to the policies of your organization.
Client ID and Client Secret that you obtained from SecureX earlier, or create new API keys (might be better security wise).
- https://visibility.amp.cisco.com/iroh/oauth2/authorize (change region if needed)
- https://visibility.amp.cisco.com/iroh/oauth2/token (change region if needed)
- https://<instance>.service-now.com/oauth_redirect.do (this might be auto-filled)
- https://visibility.amp.cisco.com/iroh/oauth2/app-grant/

HTTP headers for the REST message:
- accept: application/json
- Content-Type: application/json

Put ${url_to_send} into a Variable Substitution.

Condition: State is Closed AND Short description ends with [SecureX]
Add the following lines before line 3, and change line 3 to use the newly created work_note_uri variable:

```javascript
var work_note_raw = current.work_notes.getJournalEntry(1);
var work_note_uri = work_note_raw.split('\n');
r.setStringParameterNoEscape('url_to_send', work_note_uri[1]);
```

The resulting script:

```javascript
try {
  var r = new sn_ws.RESTMessageV2('SecureX Response API', 'Trigger Response');
  var work_note_raw = current.work_notes.getJournalEntry(1);
  var work_note_uri = work_note_raw.split('\n');
  r.setStringParameterNoEscape('url_to_send', work_note_uri[1]);

  //override authentication profile
  //authentication type ='basic'/ 'oauth2'
  //r.setAuthenticationProfile(authentication type, profile name);

  //set a MID server name if one wants to run the message on MID
  //r.setMIDServer('MY_MID_SERVER');

  //if the message is configured to communicate through ECC queue, either
  //by setting a MID server or calling executeAsync, one needs to set skip_sensor
  //to true. Otherwise, one may get an intermittent error that the response body is null
  //r.setEccParameter('skip_sensor', true);

  var response = r.execute();
  var responseBody = response.getBody();
  var httpStatus = response.getStatusCode();
} catch(ex) {
  var message = ex.message;
}
```
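The work-note handling above takes whatever is on the second line of the latest work note and substitutes it into ${url_to_send}. As an added example (not the ServiceNow business rule from the page), the following repeats that extraction and adds the check a reviewer would want before the REST message is executed: the note is an editable field, so only a plain relative path should ever be accepted. The journal-entry layout ("<timestamp> - <author> (Work notes)" on the first line, note text from the second) is an assumption, and all sample values are constructed.

```javascript
// Added example, not the ServiceNow business rule from the page: it repeats what that rule
// does with the latest work note and adds the validation a reviewer would want before the
// value is handed to ${url_to_send}. The journal-entry layout ("<timestamp> - <author>
// (Work notes)" on line 1, note text from line 2) is assumed; all sample values are constructed.

// Stand-in for current.work_notes.getJournalEntry(1): a constructed newest work note whose
// body is the relative path the SecureX response workflow is reached at (placeholder).
const SAMPLE_JOURNAL_ENTRY =
  '2024-01-01 12:00:00 - admin (Work notes)\n' +
  '/PLACEHOLDER-SECUREX-RESPONSE-PATH/INCIDENT-ID-PLACEHOLDER';

// The same two steps as the business rule: split on newline and take the first body line.
function extractRelativePath(journalEntry) {
  const lines = String(journalEntry || '').split('\n');
  return lines.length > 1 ? lines[1].trim() : '';
}

// Check the business rule does not do: the work note is an editable field, so only a plain
// relative path may be substituted into the REST message. Rejects absolute and
// protocol-relative URLs, whitespace/CR/LF, backslashes and anything outside a small
// character set. Returns the path, or null when the REST call should not be made.
function validateRelativePath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > 2048) return null;
  if (!path.startsWith('/') || path.startsWith('//')) return null;
  if (!/^\/[A-Za-z0-9._~\/-]*(\?[A-Za-z0-9._~=&%-]*)?$/.test(path)) return null;
  return path;
}

// What the rule would pass as url_to_send, or null (log it and skip r.execute()).
function urlToSend(journalEntry) {
  return validateRelativePath(extractRelativePath(journalEntry));
}

console.log(urlToSend(SAMPLE_JOURNAL_ENTRY));
console.log(urlToSend('2024-01-01 12:00:00 - admin (Work notes)\nhttps://example.invalid/x'));
```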
Browse to the Workflows section in the left pane menu.
Click on IMPORT to import the workflow.
Click on Browse and copy and paste the content of the SET-SERVICENOW-RESPONSE-WF-ID.json file into the text window.
Click on IMPORT. You might receive an error that information is missing.
Click on UPDATE and fill in the CTR (SecureX threat response) keys.
After importing this workflow, you can open it and then click RUN in the top right corner. You will not have to use this workflow again after taking this action.
Note: If you are not getting any events, it might be that no high priority events happened in the last 5 minutes. If so, increase the amount of negative seconds in the Calculate time 5 minutes ago activity to something like one day (86,400 seconds) or a couple of days. You can also remove the event_type parameter from the relative URL in the Get recent High Priority events from AMP activity.
To stop the scheduled trigger workflows, check the DISABLE TRIGGER checkbox. This can be found in the workflow properties in the right menu pane.

Note: make sure not to select an activity when looking for the global workflow properties.
Which events are high priority? Which should trigger incidents to be created?
Many Managed Security Services Partners (MSSPs) struggle to manage their customers' security events. This use case specifically focuses on Cisco Secure Endpoint (formerly known as AMP), Cisco Umbrella, SecureX and ServiceNow. This sample solution can obviously be extrapolated to other solutions too. It is a working prototype, built in SecureX Orchestration, and is executed when certain high priority AMP and Umbrella events (like a computer being compromised) occur. It automatically creates a SecureX incident as well as a ServiceNow incident. Many MSSPs use ServiceNow or some other ticketing system to manage their customers, so now they can keep using that interface. When the incident is handled and closed, this also automatically closes the SecureX incident for auditing purposes. This results in a single pane of glass for the MSSP: they can use SecureX, Secure Endpoint and Umbrella in the background via ServiceNow!
This entire solution is built inside of SecureX orchestration:
Please see the workflow installation information here.
Please continue your reading in this white paper.
Currently there is no DevNet sandbox yet, however you can find all options to try out SecureX orchestration here!
Please check out related solutions on DevNet Ecosystem Exchange.