Workflow to Trigger an Automated Threat Hunt in SecureX from your CI/CD pipeline using a GitHub Webhook
This workflow can be triggered by a vulnerability alert webhook from GitHub. It then uses the Cisco Kenna VI+ and Cisco SecureX APIs to check whether the reported vulnerability has actually been exploited in your environment. This matters when a new CVE is disclosed for a library your production code uses: you obviously want to patch the application as soon as possible, but someone may already have been exploiting the vulnerability before the disclosure. This is a so-called "zero-day exploit".
The triggered SecureX Orchestration workflow checks all of the integrated SecureX modules for sightings of malware that can exploit the new vulnerability. If a sighting is found, it sends a notification via Webex and creates an Incident in ServiceNow. Both steps are easy to change to whatever tools you use. Based on this, the security incident response team can take action.
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
Note: Please also see my GitHub action for the Cisco Kenna VI+ API
Required Targets
- CTR_For_Access_Token (default)
- CTR_API (default)
- Webex Teams
- Kenna Security VI+
- ServiceNow
Required Account Keys
- CTR_Credentials (default)
- Webex Teams Token (see Import Workflow instructions)
- Kenna Security VI+ (see Import Workflow instructions)
- ServiceNow (see Import Workflow instructions)
Required Atomic Workflows
- Threat Response - Generate Access Token (System Atomic, no import needed)
- Threat Response - Enrich Observable (System Atomic, no import needed)
- Service Now - Create Incident (System Atomic, no import needed)
- Webex Teams - Post Message to Room (System Atomic, no import needed)
Setup instructions
Set up SecureX Webhook Receiver
Login to SecureX Orchestration
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
Creating a Webhook
When you create a webhook, you'll be given an HTTP endpoint you can push events to. You can have a single webhook trigger a single workflow or a single webhook can trigger multiple workflows.
- Under the Events & Webhooks section, click the Webhooks tab.
- Click on the New Webhook button.
- Give the webhook a meaningful Display Name and then validate the Request Content Type:
application/json
- The webhook details will populate after the new webhook is created, so click the Submit button.
- Back on the webhooks page, click on the webhook you just created to view its details.
- Make note of the Webhook URL. This is the URL that GitHub will push events to.
Adding a Webhook to a Workflow
Once you've created a webhook using the steps above, you need to do two things:
- Create an event that will be triggered when the webhook receives data.
- Add the event to your workflow as a trigger.
Note: Once the workflow is configured with a trigger, you can use the trigger's output variables in your workflow. This has already been configured.
Set up GitHub Webhook Trigger
- In your GitHub repository select Settings > Webhooks and paste the Webhook URL you created in the previous steps into the Payload URL field:
- Make sure SSL verification is enabled and the Content type is set to application/json:
- Next select Let me select individual events:
- Finally choose the events that you want to trigger on. Currently this workflow works with Dependabot alerts:
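The webhook receiver in this setup is SecureX Orchestration itself, so nothing below is part of the workflow or the author's repository. It is an added example that shows what a GitHub `dependabot_alert` delivery looks like and what a receiver should do with it before starting a hunt: verify the `X-Hub-Signature-256` header against the raw body (this assumes a secret was set in GitHub's webhook "Secret" field, which the page does not describe), accept only the `dependabot_alert` event, start a hunt only for an alert with action `created` (not `fixed` or `dismissed`), and pull out the CVE/GHSA ids and affected package. The payload and secret are constructed for the example.

```python
"""Validate a GitHub Dependabot alert webhook delivery and extract the hunt inputs.

Added example, not code from the SecureX workflow or the author's repository.
Assumptions (not from the original page): the GitHub webhook has a secret set,
so GitHub adds an X-Hub-Signature-256 header, and the event is dependabot_alert.
The sample delivery below is constructed, not captured from a real repository.
"""
import hashlib
import hmac
import json

SECRET = b"constructed-webhook-secret"  # assumption: value entered in GitHub's "Secret" field

# Constructed dependabot_alert payload, trimmed to the fields used here.
SAMPLE_BODY = json.dumps({
    "action": "created",
    "alert": {
        "number": 7,
        "state": "open",
        "dependency": {
            "package": {"ecosystem": "pip", "name": "example-lib"},
            "manifest_path": "requirements.txt",
        },
        "security_advisory": {
            "ghsa_id": "GHSA-0000-0000-0000",
            "cve_id": "CVE-2000-0001",
            "severity": "critical",
            "summary": "Constructed advisory for the example",
        },
        "security_vulnerability": {
            "vulnerable_version_range": "< 2.0.0",
            "first_patched_version": {"identifier": "2.0.0"},
        },
    },
    "repository": {"full_name": "example-org/example-app"},
}).encode()


def sign(secret, body):
    """Return the value GitHub puts in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256 hex."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Constant-time check of the delivery signature against the raw request body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def extract_alert(headers, body, secret):
    """Return the hunt inputs for a valid, newly created Dependabot alert, else None."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return None  # forged or tampered delivery: never start a hunt on it
    if headers.get("X-GitHub-Event") != "dependabot_alert":
        return None  # other events (push, ping, ...) are not vulnerability alerts
    event = json.loads(body)
    # Only a freshly created alert should start a hunt; fixed/dismissed alerts should not.
    if event.get("action") != "created":
        return None
    alert = event["alert"]
    advisory = alert["security_advisory"]
    return {
        "cve_id": advisory.get("cve_id"),  # may be None for GHSA-only advisories
        "ghsa_id": advisory["ghsa_id"],
        "severity": advisory["severity"],
        "package": alert["dependency"]["package"]["name"],
        "ecosystem": alert["dependency"]["package"]["ecosystem"],
        "repository": event["repository"]["full_name"],
    }


def demo():
    """Process the constructed delivery as GitHub would send it."""
    headers = {
        "X-GitHub-Event": "dependabot_alert",
        "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000000",
        "X-Hub-Signature-256": sign(SECRET, SAMPLE_BODY),
    }
    return extract_alert(headers, SAMPLE_BODY, SECRET)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signature must be computed over the raw bytes GitHub sent, not over a re-serialized copy of the parsed JSON, since any whitespace or key-order change breaks the HMAC. The `cve_id` may be absent for advisories that only have a GHSA id, so whatever looks the alert up in Kenna VI+ should handle that case rather than assume a CVE is always present.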
Import Workflow
- In the left pane menu, select Workflows. Click on IMPORT to import the workflow:
- Click on Browse and paste the content of the github-kenna-securex-workflow.json file into the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
- Make sure your API keys are all correct in the HTTP targets. We are using the Cisco SecureX (default configured), Cisco Webex, Cisco Kenna Security VI+ API and ServiceNow APIs.
Note: Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.
Notes
- Please test this properly before implementing in a production environment. This is a sample workflow!
Author(s)
- Christopher van der Made (Cisco)